[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-77799":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":30,"readmeContent":31,"aiSummary":32,"trendingCount":15,"starSnapshotCount":15,"syncStatus":33,"lastSyncTime":34,"discoverSource":35},77799,"PhantomKiller","redteamfortress\u002FPhantomKiller","redteamfortress","Another BYOVD process killer. works on all EDRs. fully signed.","https:\u002F\u002Fmedium.com\u002F@jehadbudagga\u002Fphantom-killer-reverse-engineering-and-weaponizing-a-lenovo-driver-to-terminate-edr-processes-9191cd06374f",null,"C++",267,54,1,0,4,15,143,14,5.22,false,"main",true,[25,26,27,28,29],"byovd","edr","edr-bypass","edr-evasion","redteaming","2026-06-12 02:03:44","# PhantomKiller\n\nweaponizing a signed lenovo kernel driver to terminate any process — including EDR\u002FAV-protected processes.\n\n## overview\n\nPhantomKiller abuses `BootRepair.sys`, a legitimate lenovo driver shipped with Lenovo PC Manager. 
the driver exposes a device object (`\\\\.\\BootRepair`) with no DACL restrictions and a single IOCTL (`0x222014`) that takes a 4-byte PID and calls `ZwTerminateProcess` on it, with no access checks, no caller validation, no protection.\n\n**full writeup:** [Phantom Killer — Reverse Engineering and Weaponizing a Lenovo Driver to Terminate EDR Processes](https:\u002F\u002Fmedium.com\u002F@jehadbudagga\u002Fphantom-killer-reverse-engineering-and-weaponizing-a-lenovo-driver-to-terminate-edr-processes-9191cd06374f)\n\n## driver details\n\n| field | value |\n|-------|-------|\n| file name | `BootRepair.sys` |\n| sha256 | `5ab36c116767eaae53a466fbc2dae7cfd608ed77721f65e83312037fbd57c946` |\n| signer | LENOVO (Symantec Class 3 SHA256 Code Signing CA) |\n| compiled | 2018-01-03 |\n| arch | x64 |\n| VT detections | 0\u002F71 at time of discovery |\n\n## vulnerability summary\n\n- device object created without a secure DACL — any user can open a handle\n- `IRP_MJ_CREATE` (MajorFunction[0]) has no access checks\n- `IRP_MJ_DEVICE_CONTROL` (MajorFunction[14]) accepts IOCTL `0x222014`\n- input: 4-byte `DWORD` (target PID)\n- internally calls `PsLookupProcessByProcessId` → `ObOpenObjectByPointer` → `ZwTerminateProcess`\n- kills any process including PPL-protected AV\u002FEDR processes (the handle is opened and the process terminated from kernel mode, so the PPL restrictions that apply to user-mode handle access do not get in the way)\n\n## attack scenarios\n\n**driver already loaded:** any low-privileged user can open the device and terminate any process on the system.\n\n**BYOVD:** an attacker loads the signed driver via `sc.exe` or similar, then uses it to kill EDR processes before deploying post-exploitation tools. loading the driver requires administrator rights (creating and starting a kernel service needs `SeLoadDriverPrivilege`), and on systems that enforce Microsoft's vulnerable driver blocklist the load is refused if the driver's hash is on that list. for defenders, the sha256 above, a kernel service whose image is `BootRepair.sys` outside its normal install location, and handles opened to `\\\\.\\BootRepair` are the indicators to hunt for.\n\n## usage\n\n```\nsc.exe create PhantomKiller binPath= \"C:\\Path\\to\\BootRepair.sys\" type= kernel\nsc.exe start PhantomKiller\n```\n\n```\nPhantomKiller.exe \u003Cpid>\n```\n\n## disclaimer\n\nthis project is for **educational and authorized security research purposes only**. do not use this against systems you do not own or have explicit permission to test. 
the author is not responsible for any misuse.\n\n## author\n\n**j3h4ck** — [@j3h4ck](https:\u002F\u002Ftwitter.com\u002Fj3h4ck) | [linkedin](https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjehadabudagga\u002F) | [medium](https:\u002F\u002Fmedium.com\u002F@jehadbudagga)\n","PhantomKiller is a tool that abuses a legitimately signed Lenovo kernel driver to terminate arbitrary processes, including processes protected by EDR\u002FAV. It relies on `BootRepair.sys`, a driver shipped with Lenovo PC Manager, which exposes a device object with no DACL restrictions and an IOCTL interface that performs no access checks or caller validation; the IOCTL accepts a 4-byte PID and calls `ZwTerminateProcess` to kill the target. The project is aimed at red-team engagements that need to bypass endpoint detection and response (EDR) software: if the driver is already loaded, even a low-privileged user can use it to terminate security software processes; otherwise an attacker with administrator rights can bring the signed driver along and load it, clearing the way for follow-on tooling. Note that the project is intended for educational and authorized security research only.",2,"2026-06-11 03:56:02","CREATED_QUERY"]