RealBlindingEDR Tool That Permanently Turns Off AV/EDR Using Kernel Callbacks

An open-source tool called RealBlindingEDR enables attackers to blind, permanently disable, or terminate antivirus (AV) and endpoint detection and response (EDR) software by clearing critical kernel callbacks on Windows systems.

Released on GitHub in late 2023, the utility leverages signed but vulnerable drivers for arbitrary kernel memory read and write operations, bypassing protections like PatchGuard to target six major kernel callback types. This development raises alarms for cybersecurity professionals, as the tool has been adopted by ransomware groups such as Crypto24 in recent attacks.

The tool’s creator emphasizes research purposes only, disclaiming any malicious use, while providing detailed implementation insights in a Chinese-language analysis article.

By exploiting vulnerable drivers like echo_driver.sys or dbutil_2_3.sys, RealBlindingEDR gains kernel-level access without triggering immediate detection.

Users download the executable from releases, pair it with a compatible driver, and execute commands like “RealBlindingEDR.exe c:echo_driver.sys 1” for blinding mode or variants for shutdowns.

Screenshots attached to the repository demonstrate real-time removal of callbacks, allowing file deletions and process terminations that AV tools typically block.


RealBlindingEDR systematically erases callbacks registered via functions such as CmRegisterCallback(Ex), ObRegisterCallbacks, PsSetCreateProcessNotifyRoutine(Ex), PsSetCreateThreadNotifyRoutine(Ex), PsSetLoadImageNotifyRoutine(Ex), and MiniFilter drivers.

These mechanisms allow AV/EDR solutions to monitor process creation, thread activity, image loading, registry changes, file operations, and object handles. For instance, removing ObRegisterCallbacks eliminates handle protection, enabling ordinary admin users to kill EDR processes that would otherwise resist termination.

The process involves locating global kernel structures like PsProcessType or FltGlobals through exported functions in ntoskrnl.exe and fltmgr.sys.

It then traverses the linked lists of callback entries, nullifying function pointers or rerouting list heads in a way that avoids the PatchGuard-induced blue screens that crude patching would trigger. Adaptation for Windows 7 through 11 and various server releases ensures broad compatibility, with ongoing issues tracked via GitHub.

Tested against products including 360 Security Guard, Tencent Computer Manager, Kaspersky Endpoint Security, Windows Defender, and AsiaInfo EDR, the tool achieves three key outcomes without halting the target’s main process, preserving communication with central management to avoid alerts.

Blinding mode prevents monitoring of sensitive behaviors like malware drops or privilege escalations. Permanent disablement follows from deleting the product's protected files or registry entries once the callbacks are removed, a change that survives reboots. Killing is straightforward once object protections vanish.

Demos show, for example, terminating AV processes via Task Manager and erasing self-protected files, as depicted in repository images of command outputs and before-and-after states.


While intended for ethical research, RealBlindingEDR's simplicity, requiring only a signed vulnerable driver and local administrator rights, poses risks both in red teaming and in real-world threats.

Ransomware operators like Crypto24 have integrated it into multi-stage attacks, impairing defenses before encryption. Organizations should monitor for vulnerable driver loads and kernel anomalies using advanced EDR with behavioral analytics.

Microsoft and AV vendors urge strict driver signature enforcement and mitigations against tools like Driver Signature Enforcement Overrider. Future updates may target ETW providers and WFP callbacks, escalating kernel-level evasion tactics.

Security teams are advised to review endpoint logs for unusual .sys file accesses and prioritize least-privilege driver usage.
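As an added example (not code from the article or from the RealBlindingEDR project), the monitoring advice in the two preceding paragraphs can be turned into a check over driver-load and process-creation telemetry. The Sysmon-style JSON event shape, the seed denylist (only the two driver names the article mentions) and the trusted-directory list are assumptions.

```python
# Added example (not the RealBlindingEDR project's code): a small detector for the
# bring-your-own-vulnerable-driver pattern the article describes, run over constructed
# Sysmon-style events (EventID 6 = DriverLoad, EventID 1 = ProcessCreate).
import json
import re

# Seed denylist: driver file names the article says the tool abuses. Assumption:
# defenders extend it from their vendor's vulnerable-driver blocklist.
KNOWN_VULNERABLE_DRIVERS = {"echo_driver.sys", "dbutil_2_3.sys"}

# Directories production drivers normally load from; anything else is unusual.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# A process started with a .sys path followed by a numeric mode selector, the
# invocation shape quoted in the article.
SYS_ARG_RE = re.compile(r"\S+\.sys\s+\d+\b", re.IGNORECASE)

def analyse_event(event):
    """Return (rule, host, detail) for one event dict, or None if it looks benign."""
    host = event.get("Computer", "?")
    if event.get("EventID") == 6:
        image = event.get("ImageLoaded", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_VULNERABLE_DRIVERS:
            return ("known-vulnerable-driver-load", host, image)
        if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
            return ("driver-load-outside-driver-dirs", host, image)
    elif event.get("EventID") == 1 and SYS_ARG_RE.search(event.get("CommandLine", "")):
        return ("sys-path-passed-as-argument", host, event["CommandLine"])
    return None

def scan(lines):
    """Parse JSON-per-line telemetry and return the findings in input order."""
    hits = (analyse_event(json.loads(line)) for line in lines if line.strip())
    return [hit for hit in hits if hit]

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    r'{"EventID":6,"Computer":"ws01","ImageLoaded":"C:\\Windows\\System32\\drivers\\tcpip.sys"}',
    r'{"EventID":6,"Computer":"ws01","ImageLoaded":"C:\\Users\\Public\\echo_driver.sys"}',
    r'{"EventID":1,"Computer":"ws01","CommandLine":"RealBlindingEDR.exe c:\\echo_driver.sys 1"}',
    r'{"EventID":6,"Computer":"ws02","ImageLoaded":"C:\\Temp\\unknown.sys"}',
]

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:34} {host:5} {detail}")
```

Because the tool removes the very callbacks the sensor relies on, the driver-load event may be the last reliable signal the endpoint produces; forward such events off-host as they occur rather than relying on later local queries.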


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.