lawiet47/STFUEDR lawiet47/STFUEDR

  • Stars
    star
    218
  • Rank 181,805 (Top 4 %)
  • Language
    C++
  • Created about 4 years ago
  • Updated almost 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
lawiet47/STFUEDR
github

lawiet47

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Silence EDRs by removing kernel callbacks

STFUEDR

Silence EDRs by removing kernel callbacks

A lot of modern AV/EDR technologies monitor process/thread creation events by registering PspSetXXXXNotifyRoutine callback. This code checks for popular EDR/AV driver names and removes them from PspSetXXXXNotifyRoutine callback array. To do so the code checks for a byte pattern that occurs before jmp PspSetXXXXNotifyRoutine instructions. The byte pattern differs among windows versions, so this code aims to cover all of them.

Everything is already greatly explained

here: https://www.redcursor.com.au/blog/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10 and

here: https://www.youtube.com/watch?v=85H4RvPGIX4

The original exploit code: https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/

More Repositories

1

autoresponder

Carbon Black Response IR tool
Python
53
star
2

pylogite

Metamorphic Code Generator & Loader
Python
12
star
3

writeups

7
star
4

P.E-E.L.F

pe and elf manipulation and hacking
C
4
star
5

mobileiron-api

A python API for Mobile Iron Cloud
Python
4
star
6

PIShellcode

Position-Independent Shellcode Loader
PowerShell
3
star