Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/EvilBytecode/EDR-XDR-AV-Killer
Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
- Host: GitHub
- URL: https://github.com/EvilBytecode/EDR-XDR-AV-Killer
- Owner: EvilBytecode
- Created: 2024-06-19T07:50:12.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2024-07-07T20:18:31.000Z (4 months ago)
- Last Synced: 2024-08-02T15:11:53.360Z (3 months ago)
- Language: Go
- Size: 105 KB
- Stars: 180
- Watchers: 3
- Forks: 39
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
* Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
* Spyboy was selling the Terminator software at a price of $3,000 [for more detail](https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise/)
* The sample is sourced from [loldrivers](https://www.loldrivers.io/drivers/49920621-75d5-40fc-98b0-44f8fa486dcc/)

# Usage

* Place the driver `Terminator.sys` in the same path as the executable
* Run the program as an administrator
* Keep the program running to prevent the service from restarting the anti-malware products

![image](https://github.com/EvilBytecode/GoRedOps/assets/151552809/5dab4648-35e5-4fa0-a62f-24c04a029463)
# Technical details

* The driver contains a protection mechanism that only allows trusted Process IDs to send IOCTLs; without adding your process ID to the trusted list, you will receive an 'Access Denied' message every time. However, this can be easily bypassed by sending an IOCTL with our PID to be added to the trusted list, which will then permit us to control numerous critical IOCTLs.
![image](https://github.com/ZeroMemoryEx/Terminator/assets/60795188/e26238c8-fcf8-40ec-9ed8-8e8de9436093)
* Comes with a simple anti-debugging check.
* Add this so Windows Defender ignores `.sys` files (quick sample):

```go
exec.Command("powershell", "-Command", "Set-MpPreference -ExclusionExtension *.sys -Force").Run()
```
## Credits
- Credits to ZeroMemoryX 👍