Bring Your Own Vulnerable Driver PoCs developed to learn about the process.
- BdApiUtil (BdApiUtil.sys)
- K7RKScan (K7RKScan.sys)
- KsApi64 (ksapi64.sys)
- TfSysMon (SysMon.sys)
- TrueSight (truesight.sys)
- Viragt64 (viragt64.sys)
- wsftprm (wsftprm.sys)
- Blackout (gmer.sys) {revoked cert}
- NSecKrnl (NSecKrnl.sys)
- RentDrv2 (rentdrv2.sys)
- mhyProt (mhyprot2.sys) {revoked cert}
- Create IAT Parser to check for ZwTerminateProcess in kernel drivers
-
- Move ZwTerminateProcessHunter to a standalone repository and add as submodule
- Create function to handle to IOCTL_CODE blast based on process name
- Develop Writeups for all EDRKillers
sc.exe create SysMon type= kernel start= demand binPath= 'D:\BYOVD\TfSysMon\SysMon.sys' DisplayName= 'SysMonTF'
sc.exe start SysMon
sc.exe stop SysMon
sc.exe delete SysMon
https://www.osronline.com/article.cfm%5Earticle=157.htm
Boilerplate Visual Studio Template to prepare fresh EDRKillers