DefenderKiller
Kernel process termination using Microsoft's own signed driver.
KSLDriver.sys (2011) — a Microsoft Malware Protection driver signed by Microsoft Code Signing PCA — contains a ZwTerminateProcess primitive accessible via IOCTL from ring 0. DefenderKiller weaponizes this driver to terminate any process on the system, including PPL-protected and EDR-protected processes.
⚠️ Disclaimer
This tool is provided for authorized security testing and educational purposes only. Use only on systems you own or have explicit written permission to test. The author is not responsible for any misuse.
📝 Blog Post
Full reverse engineering writeup and technical breakdown:
Born to Defend, Weaponized to Kill: Weaponizing Microsoft's Own Driver to Kill EDRs
Why This Is Different
Every BYOVD tool out there relies on third-party drivers. DefenderKiller uses Microsoft's own signed Defender driver against itself.
- 0/70 detection on VirusTotal
- Microsoft Code Signing PCA signed — trusted at the highest level
- Not on the Vulnerable Driver Blocklist — Microsoft excludes their own drivers by design
- Bypasses PPL —
ZwTerminateProcessfrom kernel mode ignores Protected Process Light - Bypasses ObRegisterCallbacks —
ZwOpenProcessfrom ring 0 skips EDR handle protection - Survives April 2026 driver trust policy — WHCP attestation-signed drivers are still trusted
How It Works
- Load the Microsoft-signed KSLDriver.sys with a custom service
- Bypass the
AllowedProcessNamecheck by writing our own path to the registry - Send IOCTL
0x222044sub-command 8 with the target PID - Close the handle —
IRP_MJ_CLEANUPfiresZwTerminateProcessfrom kernel mode - Target process terminated. No callback intercepts it. No protection blocks it.
Usage
DefenderKiller.exe load C:\path\to\KSLDriver_2011.sys
DefenderKiller.exe kill <PID or process name>
DefenderKiller.exe unload
Example
C:\> DefenderKiller.exe load C:\KSLDriver_2011.sys
[+] Loaded
C:\> DefenderKiller.exe kill CSFalconService.exe
[+] Killed 4628
C:\> DefenderKiller.exe unload
[+] Unloaded
Driver Details
| Property | Value |
|---|---|
| File | KSLDriver.sys |
| Description | Microsoft Malware Protection - KSLDriver |
| Product | Microsoft Malware Protection |
| Version | 1.1.0013.0 |
| Size | 34.83 KB (35,664 bytes) |
| Architecture | x64 (64-bit native) |
| Date Signed | September 16, 2011 |
| Signer | Microsoft Corporation |
| Certificate | Microsoft Code Signing PCA → Microsoft Root Authority |
| Detection | 0/70 on VirusTotal |
| SHA-256 | d5764d24e78914ab2a9db6b24e323342d0b37998f43add1a9e49b00992b0d645 |
| MD5 | 0ebb390b7aeec45ec061d9870a34fd42 |
| SHA-1 | 7772c1215e31836cc8d830cb65f224ec929cfb69 |
| Imphash | 8bf2a95defbf5214f859fd3f24f64e5f |
| Authentihash | 0a19385f73a265d8086a8b1304873110ce33a37ce08d442b9fb9390c82fa50e7 |
| VirusTotal | Full Analysis |
Note
This is a simple POC that demonstrates the kill primitive. Some EDRs will respawn their processes through a watchdog service or a secondary kernel component. To handle that, you can weaponize this further by running the kill in a loop targeting all known EDR process names.
Author
Jehad Abudagga
https://www.linkedin.com/in/jehad-abudagga
