Skip to content

waawaa/breakcyserver

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
LoadDriver
LoadDriver
 
 
breakcyserver
breakcyserver
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
breakcyserver.sln
breakcyserver.sln
 
 

Repository files navigation

breakcyserver


Full post in: https://waawaa.github.io/


1. Kill EDR services by killing all the opened handles of the EDR process.
2. Bypass PPL by abussing some Process Explorer drivers functionalities.
3. Bypass ObRegisterCallbacks implementation by abussing Process Explorer driver functionalities.


PS: Added Implementation to load the driver manually without ProcessExplorer.
LoadDriver.exe /LOAD
LoadDriver.exe /UNLOAD

Evasion Alert:

EDRs and XDRs might notice an unsigned EXE loading a driver and adding a registry key, therefore the following trick was found.
Obivously opening procexp will alert the victim and would look weird, so by using the /t flag, procexp will be opened
minimized and the driver will be loaded by the procexp64.exe signed binary.

.\procexp64.exe -accepteula /t

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

45 stars

Watchers

2 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages