Upload files to "/"
This commit is contained in:
@@ -0,0 +1,92 @@
|
||||
# DefenderKiller
|
||||
|
||||

|
||||
|
||||
**Kernel process termination using Microsoft's own signed driver.**
|
||||
|
||||
KSLDriver.sys (2011) — a Microsoft Malware Protection driver signed by Microsoft Code Signing PCA — contains a `ZwTerminateProcess` primitive accessible via IOCTL from ring 0. DefenderKiller weaponizes this driver to terminate any process on the system, including PPL-protected and EDR-protected processes.
|
||||
|
||||
## ⚠️ Disclaimer
|
||||
|
||||
This tool is provided for **authorized security testing and educational purposes only**. Use only on systems you own or have explicit written permission to test. The author is not responsible for any misuse.
|
||||
|
||||
## 📝 Blog Post
|
||||
|
||||
Full reverse engineering writeup and technical breakdown:
|
||||
|
||||
**[Born to Defend, Weaponized to Kill: Weaponizing Microsoft's Own Driver to Kill EDRs](https://medium.com/@jehadbudagga/born-to-defend-weaponized-to-kill-weaponizing-microsofts-own-driver-to-kill-edrs-af4b85c1a43c)**
|
||||
|
||||
## Why This Is Different
|
||||
|
||||
Every BYOVD tool out there relies on third-party drivers. DefenderKiller uses **Microsoft's own signed Defender driver** against itself.
|
||||
|
||||
- **0/70 detection** on VirusTotal
|
||||
- **Microsoft Code Signing PCA** signed — trusted at the highest level
|
||||
- **Not on the Vulnerable Driver Blocklist** — Microsoft excludes their own drivers by design
|
||||
- **Bypasses PPL** — `ZwTerminateProcess` from kernel mode ignores Protected Process Light
|
||||
- **Bypasses ObRegisterCallbacks** — `ZwOpenProcess` from ring 0 skips EDR handle protection
|
||||
- **Survives April 2026 driver trust policy** — WHCP attestation-signed drivers are still trusted
|
||||
|
||||
## How It Works
|
||||
|
||||
1. Load the Microsoft-signed KSLDriver.sys with a custom service
|
||||
2. Bypass the `AllowedProcessName` check by writing our own path to the registry
|
||||
3. Send IOCTL `0x222044` sub-command 8 with the target PID
|
||||
4. Close the handle — `IRP_MJ_CLEANUP` fires `ZwTerminateProcess` from kernel mode
|
||||
5. Target process terminated. No callback intercepts it. No protection blocks it.
|
||||
|
||||
## Usage
|
||||
|
||||
```
|
||||
DefenderKiller.exe load C:\path\to\KSLDriver_2011.sys
|
||||
DefenderKiller.exe kill <PID or process name>
|
||||
DefenderKiller.exe unload
|
||||
```
|
||||
|
||||
### Example
|
||||
|
||||
```
|
||||
C:\> DefenderKiller.exe load C:\KSLDriver_2011.sys
|
||||
[+] Loaded
|
||||
|
||||
C:\> DefenderKiller.exe kill CSFalconService.exe
|
||||
[+] Killed 4628
|
||||
|
||||
C:\> DefenderKiller.exe unload
|
||||
[+] Unloaded
|
||||
```
|
||||
|
||||
## Driver Details
|
||||
|
||||
| Property | Value |
|
||||
|----------|-------|
|
||||
| **File** | KSLDriver.sys |
|
||||
| **Description** | Microsoft Malware Protection - KSLDriver |
|
||||
| **Product** | Microsoft Malware Protection |
|
||||
| **Version** | 1.1.0013.0 |
|
||||
| **Size** | 34.83 KB (35,664 bytes) |
|
||||
| **Architecture** | x64 (64-bit native) |
|
||||
| **Date Signed** | September 16, 2011 |
|
||||
| **Signer** | Microsoft Corporation |
|
||||
| **Certificate** | Microsoft Code Signing PCA → Microsoft Root Authority |
|
||||
| **Detection** | **0/70** on VirusTotal |
|
||||
| **SHA-256** | `d5764d24e78914ab2a9db6b24e323342d0b37998f43add1a9e49b00992b0d645` |
|
||||
| **MD5** | `0ebb390b7aeec45ec061d9870a34fd42` |
|
||||
| **SHA-1** | `7772c1215e31836cc8d830cb65f224ec929cfb69` |
|
||||
| **Imphash** | `8bf2a95defbf5214f859fd3f24f64e5f` |
|
||||
| **Authentihash** | `0a19385f73a265d8086a8b1304873110ce33a37ce08d442b9fb9390c82fa50e7` |
|
||||
| **VirusTotal** | [Full Analysis](https://www.virustotal.com/gui/file/d5764d24e78914ab2a9db6b24e323342d0b37998f43add1a9e49b00992b0d645) |
|
||||
|
||||
|
||||
## Note
|
||||
|
||||
This is a simple POC that demonstrates the kill primitive. Some EDRs will respawn their processes through a watchdog service or a secondary kernel component. To handle that, you can weaponize this further by running the kill in a loop targeting all known EDR process names.
|
||||
|
||||
## Author
|
||||
|
||||
**Jehad Abudagga**
|
||||
|
||||
[](https://x.com/j3h4ck)
|
||||
[](https://www.linkedin.com/in/jehad-abudagga)
|
||||
[](https://medium.com/@jehadbudagga)
|
||||
[](https://github.com/redteamfortress)
|
||||
Reference in New Issue
Block a user