As a security mechanism, Windows by default employs a feature called that ensures kernel-mode drivers have been signed by a valid code-signing authority before Windows will permit them to run.
However, we may bring a signed but vulnerable driver onto a compromised machine and exploit its vulnerability to execute code in kernel mode.
This technique requires administrative privileges on the target.
Gaining kernel-mode access by exploiting a vulnerable driver enables bypasses such as terminating protected processes, including EDR or AV tools.
is a tool capable of killing antimalware-protected processes by leveraging Sysinternals' driver ().
is a vulnerable driver from Rogue Anti-Malware Driver 3.3. It can be abused to kill a PPL (Protected Process Light) process.
is a C# AV/EDR killer that exploits the truesight.sys driver. To exploit, first load and start the driver:
is a C++ AV/EDR killer that exploits the truesight.sys driver. To exploit, the truesight.sys driver must be located in the same directory as the executable.
terminates all EDR/XDR/AV processes by abusing the driver. To exploit, place the Terminator.sys driver in the same path as the executable.
A callout driver implements one or more . Callouts extend the capabilities of the by processing TCP/IP-based network data in ways that are beyond the scope of the simple filtering functionality. By abusing such a driver, we can block outbound traffic from EDR processes.
leverages a legitimate WFP callout driver, , to effectively silence EDR systems. This project focuses on network-based evasion techniques.
is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
is a tool designed to load a vulnerable driver by abusing lesser-known NTFS techniques. These methods bypass the registration of a Driver Service on the system by hijacking an existing service, and also spoof the image path presented in the Driver Load event. To further mask the presence of a vulnerable driver, the attack also abuses an emulated-filesystem read-only bypass to swap the content of a driver file on a mounted ISO before loading it.
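From the defender's side, the common thread across the tools above is a signed driver being loaded from an unusual path (next to the executable, a user directory, a mounted ISO) and showing up in the Driver Load event. The following Python script is an added detection example, not code from this page or from any of the tools it lists: it scans constructed driver-load records that use Sysmon Event ID 6 field names (ImageLoaded, Hashes, SignatureStatus) and flags loads from outside the system drivers directory, file names matching the vulnerable drivers named on this page, or a hash on a blocklist. The record format, the sample records and the blocklist hash are constructed placeholders; since the last tool above spoofs the image path in the Driver Load event, the hash match is the check to rely on, with the path check as a cheap first signal.

```python
import re
# Driver file names this page lists as abused by BYOVD tooling.
KNOWN_VULNERABLE_NAMES = {"truesight.sys", "terminator.sys"}
# SHA256 blocklist: CONSTRUCTED placeholder; feed it from a maintained vulnerable-driver list.
BLOCKLIST_SHA256 = {"0" * 64}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' DriverLoad record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def sha256_of(hashes_field: str) -> str:
    # Sysmon writes Hashes as 'SHA256=...,MD5=...'; pull out just the SHA256.
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes_field)
    return m.group(1).lower() if m else ""

def assess_driver_load(event: dict) -> list:
    """Reasons a driver load matches the BYOVD pattern (empty list if none).
    SignatureStatus is deliberately not an allow rule: BYOVD drivers are validly signed."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    name = path.rsplit("\\", 1)[-1]
    if path and not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside system drivers directory")
    if name in KNOWN_VULNERABLE_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if sha256_of(event.get("Hashes", "")) in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    return reasons

def scan(lines: list) -> list:
    """Return (ImageLoaded, reasons) for every record that raised at least one flag."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = assess_driver_load(event)
        if reasons:
            hits.append((event.get("ImageLoaded", ""), reasons))
    return hits

# Constructed sample records using Sysmon Event ID 6 field names; not real telemetry.
SAMPLE_EVENTS = [
    r"UtcTime=2024-01-01 10:00:00|ImageLoaded=C:\Windows\System32\drivers\ndis.sys|Hashes=SHA256=" + "a" * 64 + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"UtcTime=2024-01-01 10:05:00|ImageLoaded=C:\Users\Public\truesight.sys|Hashes=SHA256=" + "0" * 64 + "|Signed=true|Signature=Constructed Vendor|SignatureStatus=Valid",
    r"UtcTime=2024-01-01 10:06:00|ImageLoaded=C:\Temp\tool\Terminator.sys|Hashes=SHA256=" + "b" * 64 + "|Signed=true|Signature=Constructed Vendor|SignatureStatus=Valid",
]
```

All three sample loads carry a valid signature, which is exactly why the script never treats SignatureStatus as a clean bill of health.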
MITRE ATT&CK™ Exploitation for Privilege Escalation - Technique T1068