OP 13 October, 2023 - 06:26 PM
(This post was last modified: 13 October, 2023 - 06:28 PM by tho24141. Edited 2 times in total.)
I've found an exploit in one of the core drivers of the Windows system, which could possibly be used for BYOVD. The driver is signed and the certificate is valid.
To evade static analysis, XOR string encryption + inline hooking is used.
To evade dynamic analysis, indirect syscalls with unhooking are used.
Supports ETW and AMSI patching, with termination of known security solutions with full evasion.
EDR + Runtime Results - https://imgur.com/rCyqeK1
Scantime Results - https://imgur.com/heoHkZ5
Kaspersky Termination - https://www.youtube....h?v=JV895MRp9L4
Sophos Premium Termination - https://www.youtube....h?v=nzzWLtBdiYY
Windows Defender Termination (UAC bypass) - https://www.youtube....h?v=XQ1E4SvhWIA
Languages supported - Rust, .NET & C++.
Hit me with a PM to discuss the price for the program or driver and how many security solutions are to be terminated.
You can run any shellcode via fiber or normally after the program has disabled all Anti-malware Services.
This IOCTL hijack is still not available in public, and it's better to sell it to someone instead of sharing it with AV companies.
Discord - illuz10N#8210
TOX ID - EC5E76362A864AD6288F34D7393AD66CFCD1DE278C864D0E9581BA6584077E1F8051366B898E