explaingit

redteamfortress/phantomkiller

Analysis updated 2026-06-24

Stars · 170 · Language · C++ · Audience · researcher · Complexity · 4/5 · Setup · hard

TLDR

Security research proof of concept that abuses a signed Lenovo kernel driver (BootRepair.sys) to terminate any Windows process, including EDR and antivirus, via a BYOVD attack.

Mindmap

mindmap
  root((PhantomKiller))
    Inputs
      Target process PID
      Signed Lenovo driver
      Admin rights for BYOVD load
    Outputs
      Terminated process
      EDR or AV killed
    Use Cases
      Red team engagements
      EDR bypass research
      Driver reverse engineering study
    Tech Stack
      C++
      Windows kernel API
      IOCTL
      sc.exe


What do people build with it?

USE CASE 1

Study a real BYOVD attack chain against a signed Lenovo driver

USE CASE 2

Test EDR or antivirus resilience against kernel driver based process termination in an authorized lab

USE CASE 3

Reverse engineer BootRepair.sys to learn IOCTL based driver vulnerabilities

What is it built with?

C++ · Windows · WinAPI · IOCTL

How does it compare?

                  redteamfortress/phantomkiller   iamsopotatoe-coder/tinyload   2dom/keypad
Stars             170                             100                           89
Language          C++                             C++                           C++
Setup difficulty  hard                            moderate                      hard
Complexity        4/5                             4/5                           4/5
Audience          researcher                      researcher                    developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard · Time to first run · 1h+

Requires a Windows host with admin rights to load the kernel driver via sc.exe, and using it outside an owned lab is illegal in most jurisdictions.

In plain English

PhantomKiller is a security research project that demonstrates a category of attack known as BYOVD, which stands for bring your own vulnerable driver. The README describes a real, signed Windows kernel driver from Lenovo, called BootRepair.sys, that ships with the Lenovo PC Manager application. The driver was compiled in 2018 and was signed by Lenovo through Symantec's code signing chain, so Windows trusts it.

The weakness is that the driver exposes a device interface that any user on the system can open, with no access checks. It accepts one command (IOCTL 0x222014) which takes a process ID as a 4-byte number and then calls the kernel function ZwTerminateProcess on that process. Because the kill happens from inside a trusted kernel driver, it can end processes that are otherwise protected, including antivirus and endpoint detection and response agents that run as protected processes. The project ships a small C++ program that talks to the loaded driver and kills a target process by PID.

The README spells out two attack scenarios: one where the driver is already present because Lenovo PC Manager is installed, and another where an attacker who has admin rights uses sc.exe to load the signed driver themselves, then uses it to disable security tools before running further post-exploitation steps. Installation is documented as two sc.exe commands followed by running PhantomKiller.exe with a PID.

The README is explicit that the project is for educational and authorized security research, and asks users not to run it against systems they do not own or have permission to test. It also points to a Medium writeup by the author, j3h4ck, that explains how the driver was reverse engineered. There is no defensive component: this is a working proof of concept, not a detection or mitigation tool, and using it on a system you do not control is illegal in most jurisdictions.

Copy-paste prompts

Prompt 1
Walk me through how PhantomKiller sends IOCTL 0x222014 to BootRepair.sys and which Win32 APIs the user mode client uses
Prompt 2
Show me a defensive detection rule for Sysmon or EDR that flags loading of BootRepair.sys via sc.exe create
Prompt 3
Explain how PsLookupProcessByProcessId and ZwTerminateProcess are chained inside the vulnerable driver
Prompt 4
Compare PhantomKiller to other published BYOVD tools and list what makes BootRepair.sys unusually exposed
Prompt 5
Write a lab plan to safely reproduce this in an isolated Windows VM without internet access

Frequently asked questions

What is phantomkiller?

Security research proof of concept that abuses a signed Lenovo kernel driver (BootRepair.sys) to terminate any Windows process, including EDR and antivirus, via a BYOVD attack.

What language is phantomkiller written in?

Mainly C++. The stack also includes Windows, WinAPI and IOCTL.

How hard is phantomkiller to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is phantomkiller for?

Mainly researchers.


Verify against the repo before relying on details.