This misses almost all the drivers on that site that can do that. Any driver that can access MSR write, physical memory, arbitrary ZwOpenSection as KernelMode, or arbitrary handle duplication can achieve PPL process killing. Which is nearly all of them.
Yes, almost all vulnerable drivers on this can do it. However, the purpose of this script was not to find all of them but some specific ones. It's exactly what I'm saying in the git README 🙂
I did read it and still don't understand *what* specific ones you're referring to (other than the fact they import two functions), or what is the use case. Is it for filtering ones that are less effort to write PoCs for?