Skip to content

JodisKripe/BYOVD

Repository files navigation

BYOVD

Bring Your Own Vulnerable Driver PoCs developed to learn about the process.

EDR Killer Drivers Added

  • BdApiUtil (BdApiUtil.sys)
  • K7RKScan (K7RKScan.sys)
  • KsApi64 (ksapi64.sys)
  • TfSysMon (SysMon.sys)
  • TrueSight (truesight.sys)
  • Viragt64 (viragt64.sys)
  • wsftprm (wsftprm.sys)
  • Blackout (gmer.sys) {revoked cert}
  • NSecKrnl (NSecKrnl.sys)
  • RentDrv2 (rentdrv2.sys)
  • mhyProt (mhyprot2.sys) {revoked cert}

To Do

  • Create IAT Parser to check for ZwTerminateProcess in kernel drivers
    • Move ZwTerminateProcessHunter to a standalone repository and add as submodule
  • Create function to handle to IOCTL_CODE blast based on process name
  • Develop Writeups for all EDRKillers

Testing Kernel Drivers

Create and start Service

sc.exe create SysMon type= kernel start= demand binPath= 'D:\BYOVD\TfSysMon\SysMon.sys' DisplayName= 'SysMonTF'

sc.exe start SysMon

Stop and Remove the Service

sc.exe stop SysMon

sc.exe delete SysMon

Or just use OSRLoader :)

https://www.osronline.com/article.cfm%5Earticle=157.htm

EDRKiller.zip

Boilerplate Visual Studio Template to prepare fresh EDRKillers

About

Bring Your Own Vulnerable Driver PoCs developed to learn about the process.

Resources

Stars

13 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages