{"id":48364521,"url":"https://github.com/i3r1h0n/sigurd","last_synced_at":"2026-04-05T14:02:06.046Z","repository":{"id":335283443,"uuid":"1137121339","full_name":"I3r1h0n/Sigurd","owner":"I3r1h0n","description":"A BYOVD technique abuse tool","archived":false,"fork":false,"pushed_at":"2026-04-04T19:12:02.000Z","size":1221,"stargazers_count":13,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-04T21:50:03.045Z","etag":null,"topics":["avkill","byovd","cve-2023-52271","cve-2024-51324","cve-2025-1055","cve-2025-61155","cve-2025-7771","cve-2026-0828","edr-bypass","killer","rust","stprocessmonitor","throttlestop","windows"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/I3r1h0n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-19T00:02:13.000Z","updated_at":"2026-04-04T19:21:39.000Z","dependencies_parsed_at":"2026-01-30T02:01:48.633Z","dependency_job_id":null,"html_url":"https://github.com/I3r1h0n/Sigurd","commit_stats":null,"previous_names":["i3r1h0n/sigurd"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/I3r1h0n/Sigurd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/I3r1h0n%2FSigurd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/I3r1h0n%2FSigurd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/I3r1h0n%
2FSigurd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/I3r1h0n%2FSigurd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/I3r1h0n","download_url":"https://codeload.github.com/I3r1h0n/Sigurd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/I3r1h0n%2FSigurd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31437927,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T13:13:19.330Z","status":"ssl_error","status_checked_at":"2026-04-05T13:13:17.778Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["avkill","byovd","cve-2023-52271","cve-2024-51324","cve-2025-1055","cve-2025-61155","cve-2025-7771","cve-2026-0828","edr-bypass","killer","rust","stprocessmonitor","throttlestop","windows"],"created_at":"2026-04-05T14:02:05.093Z","updated_at":"2026-04-05T14:02:06.041Z","avatar_url":"https://github.com/I3r1h0n.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv\u003e\n\u003cimg height=\"250\" align=\"left\" style=\"float: left; margin: 0 20px 0 0px;\" alt=\"Sigurd logo\" src=\"assets/sigurd-2.jpg\"\u003e\n\n\u003ch1\u003eSigurd\u003c/h1\u003e\n\n\u003cp\u003eSigurd \u003ci\u003e(Old Norse: Sigurðr)\u003c/i\u003e was a legendary Norse hero who killed the dragon Fafnir and 
possessed the cursed treasure.\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg alt=\"Rust\" src=\"https://img.shields.io/badge/rust-f04041?style=for-the-badge\u0026labelColor=c0282d\u0026logo=rust\"\u003e\n\u003cimg alt=\"Version\" src=\"https://img.shields.io/badge/version-v0.1.3-green?style=for-the-badge\"\u003e\n\u003cimg alt=\"Lic\" src=\"https://img.shields.io/github/license/I3r1h0n/Sigurd?label=license\u0026style=for-the-badge\"\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\n\u003cdiv style=\"clear: both;\"\u003e\u003c/div\u003e\n\n## Overview\n`Sigurd` is a BYOVD (Bring Your Own Vulnerable Driver) exploitation tool made to kill processes. It lets you prepare a custom config (TOML or JSON) in advance, or configure it at run time through a TUI, which makes it easy to use. It can also exploit multiple drivers without carrying them around separately: you choose which drivers to embed at compile time.\n\n\u003e [!WARNING]\n\u003e This tool was created for authorized security research and testing only. The authors and distributors accept no liability for misuse. Before using it, make sure you have lawful authorization and know what you are doing. Happy pwning!\n\n### Table of contents\n\n- [Details](#details)\n- [Getting Sigurd](#getting-sigurd)\n- [Building guide](#build)\n- [Working demo](#demo)\n- [Drivers](#drivers)\n    - [Implemented drivers](#implemented-drivers)\n    - [Details on ThrottleStop](#throttlestop-details)\n    - [References](#references)\n- [Contribution guide](#contribution)\n- [Creds](#creds)\n\n## Details\nThe BYOVD technique means installing a legitimately signed but vulnerable driver on the target system and exploiting its known vulnerability to gain privileges, read system secrets or (in our case) kill processes. Because the driver carries a valid signature, Windows loads it despite Driver Signature Enforcement; the mitigation is the Microsoft vulnerable driver blocklist, which is why the driver table below notes which drivers are already blocked. 
You can read more about it in the [Microsoft Security Experts Blog](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/strategies-to-monitor-and-prevent-vulnerable-driver-attacks/4103985).\n\nFor details and links to articles about the drivers used, see the [Drivers](#drivers) section.\n\n## Getting Sigurd\nYou can download a stable release binary from the [GitHub Releases](https://github.com/I3r1h0n/Sigurd/releases) page. It includes only the default drivers and no trace output (see the list of included drivers in the release notes).\n\n## Build\n\nAll you need is the latest Rust toolchain on your Windows machine (_or on any other machine, if you know what you are doing_). You can find the standalone installers [here](https://forge.rust-lang.org/infra/other-installation-methods.html#standalone-installers).\n\nAfter installing the Rust toolchain, clone the repository and enter the project directory:\n```shell\ngit clone https://github.com/I3r1h0n/Sigurd\ncd Sigurd/sigurd\n```\n\nWhich drivers end up in the binary depends on the cargo features you enable, so include only the ones you need. Below is an example build command with a basic set of drivers and no trace messages:\n```shell\ncargo build --release --no-default-features --features \"throttlestop bdapiutil64 k7rkscan wsftprm\"\n```\n\nAfter the build finishes, you can find the binary in the `sigurd/target/release` folder.\n\n## Demo\n\nUsage is pretty simple. Below is the help output. 
\n```shell\n\u003e .\\sigurd.exe --help\nBYOVD technique\n\nUsage: sigurd.exe [OPTIONS]\n\nOptions:\n  -c, --config \u003cCONFIG\u003e                Path to .toml config file\n      --config-string \u003cCONFIG_STRING\u003e  TOML configuration as a quoted string\n  -s, --silent                         Run app without interface\n  -h, --help                           Print help\n  -V, --version                        Print version\n```\n\nA default config looks like this. `driver_name` selects one of the compiled-in drivers (see the table below), `installation_path` is where the driver file is placed, `victim_processes` lists the image names to kill, and the two booleans control whether the killing keeps repeating and whether the driver is removed afterwards:\n```toml\ndriver_name = \"ThrottleStop\"\ninstallation_path = 'C:\\ProgramData'\nvictim_processes = [\n    \"notepad.exe\",\n]\ncontinuous = false\nuninstall = true\n```\n\nYou can:\n1. Save it next to the executable as `Config.toml`,\n2. Save it somewhere else and provide its path via `--config`,\n3. Convert it to valid JSON and pass it inline via `--config-string`,\n4. Or start without any config and configure Sigurd at run time.\n\nSilent mode (`--silent`) runs without starting the Terminal User Interface: provide a valid config and Sigurd will use it as is.\n\nHere is a demo of it using ThrottleStop.sys to kill notepad.exe and MsMpEng.exe:\n\u003cdiv align=\"center\"\u003e\u003cimg src=\"assets/demo.png\"\u003e\u003c/div\u003e\u003cbr\u003e\n\n## Drivers\n\n### Implemented drivers\n\nTable of the currently implemented drivers. The Status column records whether the driver is already listed on [LOLDrivers](https://www.loldrivers.io/) (\"On LoL\") or blocked by the Windows vulnerable driver blocklist (\"Blocked\"); a listed or blocked driver is far more likely to be detected, or refused outright, on a hardened target.\n\n|Driver|Version|CVE|Details|Status|\n|------|-------|--------|-------|------|\n|PoisonX|0.0.1|-|[Discoverer](https://medium.com/@jehadbudagga/reverse-engineering-a-0day-used-against-crowdstrike-edr-a5ea1fbe3fd4)|Not on LoL|\n|STProcessMonitor|11.11.4|[CVE-2026-0828](https://www.cve.org/CVERecord?id=CVE-2026-0828)|[Public post](https://kb.cert.org/vuls/id/818729)|Not on LoL|\n|GameDriverX64|7.23.4.7|[CVE-2025-61155](https://nvd.nist.gov/vuln/detail/CVE-2025-61155)|[Blog](https://vespalec.com/blog/tower-of-flaws/)|Not on LoL|\n|eb.sys|0.0.1|-|[Github](https://github.com/j3h4ck/UnknownKiller)|Not on LoL|\n|CcProtect.sys|1.3.2.1|-|[Github](https://github.com/BlackSnufkin/BYOVD/tree/main/CcProtect-Killer)|Not on LoL|\n|K7 driver|15.1.0.6|[CVE-2025-1055](https://nvd.nist.gov/vuln/detail/CVE-2025-1055)|[LolDrivers](https://www.loldrivers.io/drivers/9f88300d-e607-4e50-8626-fd799439e049/)|On LoL|\n|ThrottleStop|3.0.0.0|[CVE-2025-7771](https://nvd.nist.gov/vuln/detail/CVE-2025-7771)|[SecureList](https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/)|Not on LoL|\n|BdApiUtil64|5.0.3.18797|[CVE-2024-51324](https://nvd.nist.gov/vuln/detail/CVE-2024-51324)|[LolDrivers](https://github.com/magicsword-io/LOLDrivers/issues/204)|On LoL|\n|WSFTPrm|2.0.0.0|[CVE-2023-52271](https://nvd.nist.gov/vuln/detail/CVE-2023-52271)|[research](https://northwave-cybersecurity.com/vulnerability-notice-topaz-antifraud)|Not on LoL?|\n|wamsdk|1.1.100|-|[Checkpoint](https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/)|Blocked|\n|KsAPI64|1.0.591.131|-|-|Blocked|\n\n\u003cbr\u003e\n\nYou can find all driver files in the `sigurd/drivers` folder.\n\nSee the original [PoisonKiller](https://github.com/j3h4ck/PoisonKiller) repo by j3h4ck.\n\nThe `ksapi64` and `wamsdk` drivers are not in the default feature list because they are already blocked by the Windows vulnerable driver blocklist, so they will not load on a system where the blocklist is enforced.\n\n### ThrottleStop details\nThrottleStop is a special case, since it is not a 'naive' BYOVD EDR-killer driver. It exposes arbitrary physical memory read/write, so using it as an EDR killer is more involved than just sending the right struct in an IOCTL request. See the [details](/details/ThrottleStop.md).\n\n### References\n\nThe creation of Sigurd was highly inspired by [this](https://github.com/BlackSnufkin/BYOVD) project by [BlackSnufkin](https://github.com/BlackSnufkin). 
Also big thanks to Kaspersky for their analysis of ThrottleStop.\n\n## Contribution\n\nIf you have an idea on how to improve this project, want to report a bug, or are willing to implement another driver exploit, feel free to open an issue or pull request.\n\nAll you need to add a new driver to Sigurd is to implement the `KillerDriver` trait. See it in `/sigurd/src/drivers/mod.rs` and check `/sigurd/src/drivers/k7rkscan/mod.rs` as an example.\n\n## Creds\n\nprod by _I3r1h0n_.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fi3r1h0n%2Fsigurd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fi3r1h0n%2Fsigurd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fi3r1h0n%2Fsigurd/lists"}
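The Demo section of the README above shows the flat TOML config Sigurd reads (`driver_name`, `installation_path`, `victim_processes`, `continuous`, `uninstall`) but says nothing about what a bad config does once the driver is already on disk. As an added example that is not part of the Sigurd project, here is a Rust parser for exactly that TOML subset together with the pre-flight checks an operator would want before a driver gets installed: the chosen driver must be one that was compiled in (assumed here to be the cargo feature names from the README's example build command, matched case-insensitively), the install path must be an absolute Windows path, and every victim must be a bare image name ending in `.exe`. `COMPILED_DRIVERS`, `KillerConfig`, `parse_config` and `validate` are names chosen for this example, not the project's API; the embedded sample config is the README's own default.

```rust
// Added example (not Sigurd's own code): parse and sanity-check the flat TOML
// config from the README before anything touches the kernel.
// Only the TOML subset that config uses is supported: bare keys, "basic" and
// 'literal' strings, true/false, arrays of strings (possibly multi-line) and
// `#` comments. '#', '[' or ',' inside string values are not handled.
use std::collections::HashMap;

/// Assumption: the drivers compiled into this binary, as the cargo feature
/// names from the README's example build command.
pub const COMPILED_DRIVERS: &[&str] = &["throttlestop", "bdapiutil64", "k7rkscan", "wsftprm"];

/// The README's default config, embedded here as constructed sample input.
pub const SAMPLE_CONFIG: &str = r#"driver_name = "ThrottleStop"
installation_path = 'C:\ProgramData'
victim_processes = [
    "notepad.exe",
]
continuous = false
uninstall = true
"#;

#[derive(Debug, Clone, PartialEq)]
pub struct KillerConfig {
    pub driver_name: String,
    pub installation_path: String,
    pub victim_processes: Vec<String>,
    pub continuous: bool,
    pub uninstall: bool,
}

/// Parse one TOML string token: "basic" (handles \\ and \" escapes) or 'literal' (no escapes).
fn parse_string(tok: &str) -> Option<String> {
    let t = tok.trim();
    let quote = t.chars().next()?;
    if t.len() < 2 || (quote != '"' && quote != '\'') || !t.ends_with(quote) {
        return None;
    }
    let body = &t[1..t.len() - 1];
    Some(if quote == '"' { body.replace("\\\"", "\"").replace("\\\\", "\\") } else { body.to_string() })
}

fn parse_bool(tok: &str) -> Option<bool> {
    match tok.trim() { "true" => Some(true), "false" => Some(false), _ => None }
}

/// `[ "a", "b", ]` -> ["a", "b"]; a trailing comma is allowed, as in the README.
fn parse_string_array(tok: &str) -> Option<Vec<String>> {
    let inner = tok.trim().strip_prefix('[')?.strip_suffix(']')?;
    inner.split(',').map(str::trim).filter(|s| !s.is_empty()).map(parse_string).collect()
}

/// Collapse the document into key -> raw value text, joining a multi-line
/// array until its brackets balance. Comments are stripped first.
fn raw_pairs(src: &str) -> Result<HashMap<String, String>, String> {
    let mut pairs = HashMap::new();
    let mut pending: Option<(String, String)> = None;
    for (n, raw) in src.lines().enumerate() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() { continue; }
        if pending.is_none() {
            let (k, v) = line.split_once('=').ok_or(format!("line {}: expected key = value", n + 1))?;
            pending = Some((k.trim().to_string(), v.trim().to_string()));
        } else if let Some((_, v)) = pending.as_mut() {
            v.push(' ');
            v.push_str(line);
        }
        let balanced = pending.as_ref().map_or(true, |(_, v)| v.matches('[').count() == v.matches(']').count());
        if balanced {
            if let Some((k, v)) = pending.take() { pairs.insert(k, v); }
        }
    }
    if let Some((k, _)) = pending { return Err(format!("unterminated array for key `{}`", k)); }
    Ok(pairs)
}

fn field<'a>(p: &'a HashMap<String, String>, k: &str) -> Result<&'a str, String> {
    p.get(k).map(String::as_str).ok_or(format!("missing key `{}`", k))
}

pub fn parse_config(src: &str) -> Result<KillerConfig, String> {
    let p = raw_pairs(src)?;
    Ok(KillerConfig {
        driver_name: parse_string(field(&p, "driver_name")?).ok_or("driver_name must be a string")?,
        installation_path: parse_string(field(&p, "installation_path")?).ok_or("installation_path must be a string")?,
        victim_processes: parse_string_array(field(&p, "victim_processes")?).ok_or("victim_processes must be an array of strings")?,
        continuous: parse_bool(field(&p, "continuous")?).ok_or("continuous must be true or false")?,
        uninstall: parse_bool(field(&p, "uninstall")?).ok_or("uninstall must be true or false")?,
    })
}

/// Pre-flight checks: reject configs that would otherwise fail only after the driver is on disk.
pub fn validate(cfg: &KillerConfig) -> Result<(), String> {
    let name = cfg.driver_name.to_ascii_lowercase();
    if !COMPILED_DRIVERS.contains(&name.as_str()) {
        return Err(format!("driver `{}` is not compiled in; rebuild with --features {}", cfg.driver_name, name));
    }
    // The driver file is dropped here, so insist on an absolute Windows path such as C:\ProgramData.
    let b = cfg.installation_path.as_bytes();
    let absolute = b.len() >= 3 && b[0].is_ascii_alphabetic() && b[1] == b':' && (b[2] == b'\\' || b[2] == b'/');
    if !absolute {
        return Err(format!("installation_path `{}` is not an absolute Windows path", cfg.installation_path));
    }
    if cfg.victim_processes.is_empty() {
        return Err("victim_processes is empty; nothing to kill".to_string());
    }
    for p in &cfg.victim_processes {
        if !p.to_ascii_lowercase().ends_with(".exe") || p.contains('\\') || p.contains('/') {
            return Err(format!("victim `{}` must be a bare image name such as notepad.exe", p));
        }
    }
    Ok(())
}

fn main() {
    match parse_config(SAMPLE_CONFIG).and_then(|c| validate(&c).map(|_| c)) {
        Ok(cfg) => println!("config OK: {:?}", cfg),
        Err(e) => eprintln!("config rejected: {}", e),
    }
}
```

It is a single file with no crate dependencies, so `rustc` alone builds it; swap `SAMPLE_CONFIG` for `std::fs::read_to_string("Config.toml")` to check a real file. The driver-name check is the one that pays off most in practice: a `driver_name` that was not in `--features` at build time cannot work at all, and catching that before a service is created avoids leaving an orphaned driver file behind.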