Cobalt Strike Beacon Object File for killing anti-malware protected processes.
Built by Tijme. Made possible by Northwave Cyber Security 
This is a Cobalt Strike (CS) Beacon Object File (BOF) and executable which exploits ADRMDRVSYS.sys, a driver used by Topaz Antifraud. It will kill any anti-malware protected process of choice. The exploit calls an IOCTL for which the user buffer ends up in a call to ZwTerminateProcess. The exploit is inspired upon work from @ZeroMemoryEx, namely their Blackout project.
Read the full blog post here.
Clone this repository first. Then review the code, compile from source and use it in Cobalt Strike.
Compiling
make
Usage
Load the BlackoutReloaded.cna script using the Cobalt Strike Script Manager. Then use the command below to execute the exploit.
$ blackout_reloaded [pid to kill]
Alternatively (and for testing purposes), you can directly run the compiled executable.
$ .\BlackoutReloaded.exe
- Load the vulnerable driver from memory instead of from disk.
Issues or new features can be reported via the issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.
Copyright (c) 2023 Tijme Gommers & Northwave Cyber Security. All rights reserved. View LICENSE.md for the full license.