GitHub - EvilBytecode/EDR-XDR-AV-Killer: Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver - EvilBytecode/EDR-XDR-AV-Killer
github.com
Usage
- Place the driver Terminator.sys in the same path as the executable
- run the program as an administrator
- keep the program running to prevent the service from restarting the anti-malwares
Technical details
The driver contains some protectiion mechanism that only allow trusted Process IDs to send IOCTLs, Without adding your process ID to the trusted list, you will receive an 'Access Denied' message every time. However, this can be easily bypassed by sending an IOCTL with our PID to be added to the trusted list, which will then permit us to control numerous critical IOCTLs
- Comes with simple antidbg.
- Add This so WD Ignores defender by this quick sample
exec.Command("powershell", "-Command", "Set-MpPreference -ExclusionExtension *.sys -Force").Run()