STFUEDR

Silence EDRs by removing kernel callbacks

A lot of modern AV/EDR technologies monitor process/thread creation events by registering PspSetXXXXNotifyRoutine callback. This code checks for popular EDR/AV driver names and removes them from PspSetXXXXNotifyRoutine callback array. To do so the code checks for a byte pattern that occurs before jmp PspSetXXXXNotifyRoutine instructions. The byte pattern differs among windows versions, so this code aims to cover all of them.

Everything is already greatly explained

here: https://www.redcursor.com.au/blog/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10 and

here: https://www.youtube.com/watch?v=85H4RvPGIX4

The original exploit code: https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/

Name		Name	Last commit message	Last commit date
Latest commit History 26 Commits
StfuEdr		StfuEdr
bin		bin
media		media
README.md		README.md
StfuEdr.sln		StfuEdr.sln
servicemgr.txt		servicemgr.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

StfuEdr

StfuEdr

bin

bin

media

media

README.md

README.md

StfuEdr.sln

StfuEdr.sln

servicemgr.txt

servicemgr.txt

Repository files navigation

STFUEDR

About

Releases

Packages

Languages

lawiet47/STFUEDR

Folders and files

Latest commit

History

Repository files navigation

STFUEDR

About

Resources

Stars

Watchers

Forks

Languages