core-jmp

PPLControlShells — Protected Process / PPL Control shells Tool

February 9, 2026

by oxfemale AV BYOVD cpp EDR kernel Privilege Protection windows

PPLControlShells (the ppexec console tool) is a native Windows PP/PPL experimentation and control utility (x64)designed to help researchers understand, test, and demonstrate how Protected Process (PP) and Protected Process Light (PPL) behave on modern Windows (10/11 + compatible Server builds).

Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter

February 3, 2026

by oxfemale BYOVD Bypassing EDR kernel Protection windows

the technique of exploiting the Bind Filter driver (bindflt.sys) to redirect folders containing the executable files of EDRs to a location that I completely control.

AV EDR Killer Project

February 2, 2026

by oxfemale AV BYOVD cpp EDR PPL windows

av-edr-kill is a BYOVD (Bring Your Own Vulnerable Driver) proof-of-concept whose goal is to terminate security-product processes (AV/EDR), including Protected Process Light (PPL) targets, by abusing a legitimately signed third-party kernel driver.

core-jmp

Posts in category: BYOVD

PPLControlShells — Protected Process / PPL Control shells Tool

Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter

AV EDR Killer Project

Recent Posts

Recent Comments

Archives

Categories