名称 简介 添加时间
关联规则 关联知识 关联工具 关联文档 关联抓包
参考
详情
作者:ecawen 发表于[2024-07-17]

本文共 [16] 位读者顶过

  • Reproducing Spyboy technique, which involves terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
  • Spyboy was selling the Terminator software at a price of $3,000 for more detail
  • the sample is sourced from loldrivers

Usage

  • Place the driver Terminator.sys in the same path as the executable
  • run the program as an administrator

  • keep the program running to prevent the service from restarting the anti-malwares

[出自:jiwo.org]

Technical details

  • The driver contains some protectiion mechanism that only allow trusted Process IDs to send IOCTLs, Without adding your process ID to the trusted list, you will receive an 'Access Denied' message every time. However, this can be easily bypassed by sending an IOCTL with our PID to be added to the trusted list, which will then permit us to control numerous critical IOCTLs

  • Comes with simple antidbg.

  • Add This so WD Ignores defender by this quick sample

exec.Command("powershell", "-Command", "Set-MpPreference -ExclusionExtension *.sys -Force").Run()



---------------------------------------------------------------------------------------------------------------
左上角导航栏那么明显的“下载”按链接你看不见,那就点这儿 下载 吧!

评论

暂无
发表评论
 返回顶部 
热度(16)
 关注微信