av-edr-kill

AV EDR Killer Project

Github https://github.com/oxfemale/av-edr-kill

What the project is

av-edr-kill is a BYOVD (Bring Your Own Vulnerable Driver) proof-of-concept whose goal is to terminate security-product processes (AV/EDR), including Protected Process Light (PPL) targets, by abusing a legitimately signed third-party kernel driver. The repo explicitly positions this as “weaponizing” a signed driver to obtain kernel-assisted process termination. 

In practice, it’s an “EDR killer” style tool: once the vulnerable driver is present/loaded, the user-mode component can request the driver to kill chosen processes—sidestepping many user-mode protections because the kill operation is ultimately performed in kernel context.

What it does (high-level flow)

At a conceptual level, the PoC demonstrates this chain:

  1. A signed (but vulnerable) kernel driver is loaded on the system (the repo ships the driver binary in the tree). 
  2. The driver exposes a device interface reachable from user mode. 
  3. The user-mode tool sends a crafted IOCTL request to the driver identifying a target process.
  4. The vulnerable driver uses a kernel routine to terminate that process, enabling the tool to kill AV/EDR processes that might otherwise resist termination from user mode. 

The repo references another implementation as its inspiration/origin (a Rust “AV-EDR-Killer” project), but this repo’s implementation is in C++ and packaged as a Visual Studio solution. 

Which vulnerability it uses

The project’s core dependency is a known vulnerability in the wsftprm.sys driver used by Topaz Antifraud, tracked as CVE-2023-52271.

Impact of CVE-2023-52271 (as described by public advisories):

  • The vulnerable driver allows a low-privileged attacker to kill arbitrary processes, including PPL, by sending a malicious IOCTL to the driver. 
  • This is essentially a “kernel-assisted process kill primitive,” which is immediately attractive for impairing defenses (terminating AV/EDR components).

The repo claims the driver is signed and (per the author’s note) not blocked by Microsoft’s vulnerable driver blocklist at the time of writing, which is a common reason BYOVD remains practical in the wild. 

Why this works against AV/EDR

Many modern EDR components are hardened (services, protected processes, tamper protection, self-defense). But kernel drivers sit below those user-mode guardrails. If an attacker can load or abuse a kernel driver with the right primitive (here: process termination), they can often:

  • kill the EDR’s user-mode processes,
  • disrupt telemetry/response loops,
  • and create a window to run follow-on payloads.

This exact pattern (EDR killers + BYOVD) is widely documented by defenders as an “Impair Defenses” technique category. 
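Because the chain above (vulnerable driver load, then termination of security-product processes) is what defenders actually see on the endpoint, the detection side is worth making concrete. The following Python is an added example written for this page, not code from the av-edr-kill repository or from any EDR vendor. It assumes a constructed, pipe-delimited rendering of Sysmon-style events (Event ID 6 DriverLoad and Event ID 5 ProcessTerminate); the only watchlisted driver name is wsftprm.sys from the page, and the list of protected process names and every log line are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical watchlist of driver file names that expose a process-kill
# primitive. wsftprm.sys (CVE-2023-52271) is the one named on this page; a
# production list would come from the Microsoft vulnerable driver blocklist.
KNOWN_VULNERABLE_DRIVERS = {"wsftprm.sys"}

# Constructed list of security-product processes we expect to stay alive.
PROTECTED_PROCESS_NAMES = {"msmpeng.exe", "sense.exe", "edr-agent.exe"}

# Constructed sample telemetry: "<timestamp>|<sysmon event id>|k=v;k=v"
SAMPLE_LOG = """\
2024-05-01T10:00:00|6|ImageLoaded=C:\\Windows\\Temp\\wsftprm.sys;Signed=true
2024-05-01T10:00:05|1|Image=C:\\Users\\x\\tool.exe
2024-05-01T10:00:07|5|Image=C:\\ProgramData\\Vendor\\edr-agent.exe
2024-05-01T10:00:08|5|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe
2024-05-01T12:30:00|5|Image=C:\\Windows\\notepad.exe
2024-05-01T13:00:00|6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys;Signed=true
"""


@dataclass
class Event:
    ts: datetime
    event_id: int   # Sysmon: 6 = DriverLoad, 5 = ProcessTerminate, 1 = ProcessCreate
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, eid, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts), int(eid), fields)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def basename(path: str) -> str:
    """Case-insensitive file name, tolerant of either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_vulnerable_driver_loads(events: list) -> list:
    """Every DriverLoad whose image is on the watchlist, signed or not.
    A valid signature is exactly what BYOVD relies on, so it is not a filter."""
    return [e for e in events
            if e.event_id == 6
            and basename(e.fields.get("ImageLoaded", "")) in KNOWN_VULNERABLE_DRIVERS]


def find_defense_impairment(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Correlate a watchlisted driver load with protected-process terminations
    that follow it inside `window`. Returns one finding per suspicious load."""
    findings = []
    for load in find_vulnerable_driver_loads(events):
        killed = [basename(e.fields["Image"]) for e in events
                  if e.event_id == 5
                  and basename(e.fields.get("Image", "")) in PROTECTED_PROCESS_NAMES
                  and load.ts <= e.ts <= load.ts + window]
        if killed:
            findings.append({
                "driver": basename(load.fields["ImageLoaded"]),
                "loaded_at": load.ts.isoformat(),
                "terminated": killed,
            })
    return findings


def analyze_sample() -> list:
    return find_defense_impairment(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f['loaded_at']} {f['driver']} loaded, then killed: {', '.join(f['terminated'])}")
```

On the sample, the load of wsftprm.sys is flagged on its own, and the two protected-process terminations within ten minutes of it are rolled into one finding; the unrelated notepad.exe exit and the legitimate tcpip.sys load are ignored. A file name is a weak indicator, so a real deployment should key the watchlist on the driver's Authenticode hash as published in Microsoft's blocklist and raise the first function's output as an alert even when no termination follows.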
