Kill-Floor is an AV/EDR killer utilizing Avast’s “Anti Rootkit” driver. The code structure is designed to be adaptable for other BYOVD (Bring Your Own Vulnerable Driver) attack types. However, after a year, the included driver (aswarpot.bin) is heavily signatured by most vendors. For effective use, consider replacing the driver with a less detectable alternative for your operations.
The Kill-Floor tool operates as follows:
- Write the driver to disk (stored as an array within the file for convenience).
- Create a service and load the driver.
- Enter an infinite loop, taking snapshots of running processes.
- Identify and terminate processes associated with known AV/EDR vendors.
- Repeat.
Compile and run as administrator.
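From the defender's side, the first two steps above (driver written to disk, service created to load it) surface in the Windows System log as Service Control Manager event 7045. The following is an added example, not part of Kill-Floor, that triages such events; the event records are constructed samples, the function names are hypothetical, and a C: system drive is assumed.

```python
import ntpath

# File name taken from the page (the bundled driver). A name match alone is weak,
# so it is only one of three signals.
KNOWN_DRIVER_STEMS = {"aswarpot"}
# Assumption: Windows is installed on C:.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

def normalize(image_path):
    """Reduce the ImagePath forms recorded in event 7045 to a lowercase drive-letter path."""
    p = image_path.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\??\\"):                      # NT object-manager prefix
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return ntpath.normpath(p)                       # also collapses ..\ segments

def score_7045(event):
    """Return the reasons a service-install event looks like a BYOVD driver load."""
    if event.get("EventID") != 7045 or "kernel" not in event.get("ServiceType", "").lower():
        return []
    path = normalize(event.get("ImagePath", ""))
    stem, ext = ntpath.splitext(ntpath.basename(path))
    reasons = []
    if not any(path.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS):
        reasons.append("driver outside system driver directories")
    if ext != ".sys":
        reasons.append("driver image without .sys extension")
    if stem in KNOWN_DRIVER_STEMS:
        reasons.append("file name of a driver abused as a process killer")
    return reasons

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": n, "ImagePath": p, "ServiceType": t}
    for n, p, t in [
        ("disk", r"\SystemRoot\System32\drivers\disk.sys", "kernel mode driver"),
        ("svc-a", r"\??\C:\Users\Public\aswArPot.bin", "kernel mode driver"),
        ("updater", r'"C:\Program Files\Vendor\updater.exe"', "user mode service"),
        ("svc-b", r"C:\Windows\System32\drivers\..\..\Temp\helper.sys", "kernel mode driver"),
    ]
]

def triage(events):
    """Map service name -> reasons, for flagged events only."""
    return {e["ServiceName"]: r for e in events if (r := score_7045(e))}
```

A hit here is a lead for review, not a verdict: correlate it with the repeated termination of security-product processes that the loop in the later steps produces.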
Finding and Exploiting Process Killer Drivers with LOL for $3,000 (Alice Climent-Pommeret)
Vulnerable Antivirus Driver Used by Ransomware (OALabs)