Killing your preferred antimalware by abusing native symbolic links and NT paths.


PhiZ-9/unDefender

unDefender

Killing your preferred antimalware by abusing native symbolic links and NT paths

unDefender is a C++ implementation of a technique originally described by @jonasLyk in this Twitter thread.
At its core, the technique changes the \Device\BootDevice symbolic link in the Windows Object Manager, so that when Defender's Tamper Protection feature unloads and reloads the WdFilter driver, a different file is mapped into memory in place of the original WdFilter.sys, rendering Defender effectively useless!
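From the defender's side, the state the technique relies on is observable: a healthy system's \Device\BootDevice link resolves to the same \Device\HarddiskVolumeN that backs the system drive. The following PowerShell check is an added example, not part of unDefender; it queries the link target through ntdll and compares it with the device behind %SystemDrive%, and assumes a standard install where the boot volume is the system drive (the class name ObjMgr and the buffer sizes are the example's own choices).

```powershell
# Added defensive check (not unDefender code): read the Object Manager target of
# \Device\BootDevice and compare it with the NT device name behind %SystemDrive%.
$code = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class ObjMgr {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [DllImport("ntdll.dll")] static extern int NtOpenSymbolicLinkObject(out IntPtr h, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")] static extern int NtQuerySymbolicLinkObject(IntPtr h, ref UNICODE_STRING target, out uint len);
    [DllImport("ntdll.dll")] static extern int NtClose(IntPtr h);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)] public static extern uint QueryDosDevice(string dev, StringBuilder buf, uint max);

    // Returns the target string of an NT symbolic link such as \Device\BootDevice (read-only query).
    public static string QueryLink(string name) {
        var us = new UNICODE_STRING { Length = (ushort)(name.Length * 2), MaximumLength = (ushort)(name.Length * 2 + 2),
                                      Buffer = Marshal.StringToHGlobalUni(name) };
        IntPtr pus = Marshal.AllocHGlobal(Marshal.SizeOf(us)); Marshal.StructureToPtr(us, pus, false);
        var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)), ObjectName = pus, Attributes = 0x40 }; // OBJ_CASE_INSENSITIVE
        IntPtr h; int st = NtOpenSymbolicLinkObject(out h, 0x0001, ref oa); // SYMBOLIC_LINK_QUERY
        if (st != 0) throw new Exception("NtOpenSymbolicLinkObject failed: 0x" + st.ToString("X8"));
        var t = new UNICODE_STRING { MaximumLength = 2048, Buffer = Marshal.AllocHGlobal(2048) }; // 2048 bytes: example's own choice
        uint n; st = NtQuerySymbolicLinkObject(h, ref t, out n);
        NtClose(h);
        if (st != 0) throw new Exception("NtQuerySymbolicLinkObject failed: 0x" + st.ToString("X8"));
        return Marshal.PtrToStringUni(t.Buffer, t.Length / 2);
    }
}
'@
Add-Type -TypeDefinition $code

$bootDevice = [ObjMgr]::QueryLink('\Device\BootDevice')
$sb = New-Object System.Text.StringBuilder 1024
[void][ObjMgr]::QueryDosDevice($env:SystemDrive, $sb, 1024)   # e.g. C: -> \Device\HarddiskVolume3
$systemVolume = $sb.ToString()

"\Device\BootDevice -> $bootDevice"
"$($env:SystemDrive)                 -> $systemVolume"
if ($bootDevice -ieq $systemVolume) {
    'OK: \Device\BootDevice points at the system volume'
} else {
    'ALERT: \Device\BootDevice does not point at the system volume; inspect the link (e.g. with WinObj) and the loaded WdFilter image'
}
```

Run it from a baseline machine first to confirm the two names agree in your environment before treating a mismatch as an indicator.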

Requirements

  • Compile unDefender.exe in Release x64 configuration;
  • Place unDefender.exe and the provided legit.sys in the same folder;
  • Run an elevated cmd.exe/powershell.exe and navigate to said folder;
  • Run .\unDefender.exe;
  • Profit :)

Tested on

  • Windows 10 20H2
  • Windows 10 21H1
  • Windows 11
