explaingit

redteamfortress/phantomkiller

170 · C++

TLDR

PhantomKiller is a security research project that demonstrates a category of attack known as BYOVD, which stands for bring your own vulnerable driver.


In plain English

PhantomKiller is a security research project that demonstrates a category of attack known as BYOVD, bring your own vulnerable driver: rather than exploiting the target's own kernel, the attacker loads a legitimately signed third-party driver that has a flaw, then uses that flaw to act with kernel privileges.

The README describes a real, signed Windows kernel driver from Lenovo, BootRepair.sys, that ships with the Lenovo PC Manager application. The driver was compiled in 2018 and signed by Lenovo through Symantec's code-signing chain, so Windows accepts it for loading. The weakness is that the driver exposes a device interface that any user on the system can open, with no access checks. It accepts one command, IOCTL 0x222014, whose input is a process ID as a 4-byte number; the driver passes that PID to the kernel function ZwTerminateProcess. Because the termination is carried out from inside a trusted kernel driver, the usual user-mode protections do not apply: a process running as a protected process (PPL), as antivirus and endpoint detection and response agents commonly do, cannot be opened with terminate rights from user mode even by an administrator, but a kernel caller is not subject to that check, so the driver can end it.

The project ships a small C++ program that talks to the loaded driver and kills a target process by PID. The README spells out two attack scenarios: one where the driver is already present because Lenovo PC Manager is installed, and another where an attacker who already has administrator rights uses sc.exe to register and start the signed driver as a kernel service, then uses it to disable security tools before running further post-exploitation steps. Installation is documented as two sc.exe commands followed by running PhantomKiller.exe with a PID. Note that loading a driver, even a signed one, requires administrator rights; what the driver adds is the ability to kill processes that administrator rights alone cannot touch.

The README is explicit that the project is for educational and authorized security research, and asks users not to run it against systems they do not own or have permission to test. It also points to a Medium writeup by the author, j3h4ck, that explains how the driver was reverse engineered. There is no defensive component: this is a working proof of concept, not a detection or mitigation tool, and using it on a system you do not control is illegal in most jurisdictions.
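The control code and request layout described above, worked through as an added example. This is not code from the PhantomKiller repository or from the Lenovo driver; it copies the CTL_CODE field layout and the FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and FILE_ANY_ACCESS values from the Windows DDK headers so that it compiles without them (and on non-Windows hosts), and it assumes the 4-byte PID is a little-endian 32-bit integer, which is how a ULONG is laid out on x86 and x64. It decodes the IOCTL and shapes the input buffer; it does not open any device or send anything, and the sample PID 1234 is constructed for the demonstration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Field layout of a Windows I/O control code, as produced by the CTL_CODE
// macro in the DDK headers (winioctl.h / ntddk.h):
//   bits 31..16  device type, bits 15..14 required access,
//   bits 13..2   function number, bits 1..0 buffering method.
// The DDK values are copied here so the file needs no Windows headers.
constexpr uint32_t kFileDeviceUnknown = 0x22;  // FILE_DEVICE_UNKNOWN
constexpr uint32_t kMethodBuffered    = 0;     // METHOD_BUFFERED
constexpr uint32_t kFileAnyAccess     = 0;     // FILE_ANY_ACCESS

struct IoctlFields {
    uint32_t deviceType;
    uint32_t access;
    uint32_t function;
    uint32_t method;
};

// Same arithmetic as CTL_CODE(DeviceType, Function, Method, Access).
constexpr uint32_t ctl_code(uint32_t deviceType, uint32_t function,
                            uint32_t method, uint32_t access) {
    return (deviceType << 16) | (access << 14) | (function << 2) | method;
}

// Inverse of ctl_code: split a control code into its four fields.
IoctlFields decode_ioctl(uint32_t code) {
    IoctlFields f;
    f.deviceType = (code >> 16) & 0xFFFF;
    f.access     = (code >> 14) & 0x3;
    f.function   = (code >> 2)  & 0xFFF;
    f.method     = code & 0x3;
    return f;
}

// Function numbers 0x800 and above are reserved for third-party (vendor)
// IOCTLs; values below 0x800 are reserved for Microsoft.
bool is_vendor_defined(uint32_t code) {
    return decode_ioctl(code).function >= 0x800;
}

const char* method_name(uint32_t m) {
    switch (m) {
        case 0:  return "METHOD_BUFFERED";
        case 1:  return "METHOD_IN_DIRECT";
        case 2:  return "METHOD_OUT_DIRECT";
        default: return "METHOD_NEITHER";
    }
}

const char* access_name(uint32_t a) {
    switch (a) {
        case 0:  return "FILE_ANY_ACCESS";
        case 1:  return "FILE_READ_ACCESS";
        case 2:  return "FILE_WRITE_ACCESS";
        default: return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    }
}

// Build the METHOD_BUFFERED input for the terminate command: one 32-bit PID
// in little-endian byte order, the 4-byte layout the page describes.
// Returns an empty buffer if the value does not fit in 32 bits.
std::vector<uint8_t> build_terminate_request(uint64_t pid) {
    std::vector<uint8_t> buf;
    if (pid > 0xFFFFFFFFull) return buf;
    for (int shift = 0; shift < 32; shift += 8)
        buf.push_back(static_cast<uint8_t>((pid >> shift) & 0xFF));
    return buf;
}

int main() {
    const uint32_t code = 0x222014;  // the IOCTL named on the page
    IoctlFields f = decode_ioctl(code);
    std::cout << std::hex << "0x" << code
              << ": device=0x" << f.deviceType
              << " function=0x" << f.function
              << " " << method_name(f.method)
              << " " << access_name(f.access)
              << (is_vendor_defined(code) ? " (vendor-defined)" : "") << "\n";
    // Round trip: the decoded fields re-encode to the original code.
    std::cout << "re-encoded: 0x"
              << ctl_code(f.deviceType, f.function, f.method, f.access) << "\n";
    std::vector<uint8_t> req = build_terminate_request(1234);  // constructed sample PID
    std::cout << "request bytes:";
    for (uint8_t b : req) std::cout << " " << std::hex << static_cast<int>(b);
    std::cout << "\n";
    return 0;
}
```

Decoding gives device type FILE_DEVICE_UNKNOWN, function 0x805 (in the vendor-defined range), METHOD_BUFFERED and FILE_ANY_ACCESS. That last field is what makes the access-check point concrete: FILE_ANY_ACCESS means the I/O manager requires no particular handle right for this IOCTL, so whether an unprivileged user can issue it comes down entirely to whether they can open the device object, which the page says is unprotected.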


Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.