Conversation

This misses almost all the drivers on that site that can do that. Any driver that can access MSR write, physical memory, arbitrary ZwOpenSection as KernelMode, or arbitrary handle duplication can achieve PPL process killing. Which is nearly all of them.
Yes, almost all vulnerable drivers on this can do it. However, the purpose of this script was not to find all of them but some specific ones. It's exactly what I'm saying in the git README 🙂
I did read it and still don't understand *what* specific ones you're referring to (other than the fact they import two functions), or what is the use case. Is it for filtering ones that are less effort to write PoCs for?
I'm currently writing a blog post about the recent trend of process killer drivers and how easy it is today to find and exploit some. This tool is one of the steps that will be explained in the article.