Skip to content

messecv3/edr-killer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 
_b.cmd
_b.cmd
 
 
revert.c
revert.c
 
 
warsaw.c
warsaw.c
 
 
wsftprm.sys
wsftprm.sys
 
 

Repository files navigation

crypter.cloudTelegram

Warsaw

Warsaw is a lightweight tool that neutralizes endpoint security products on Windows machines. It disables EDR and antivirus services, then continuously terminates their processes — even if they try to restart themselves.

One executable. Run as admin. That's it.

What it does

  1. Loads a kernel driver — embedded inside the executable, extracted and loaded automatically at runtime
  2. Disables security services — stops and disables 80+ Windows services across every major vendor
  3. Kills protected processes — uses the kernel driver to terminate processes that can't be killed from usermode
  4. Keeps them dead — polls continuously and re-kills anything that respawns

Covers 200+ process signatures including CrowdStrike, SentinelOne, Defender, Sophos, ESET, Kaspersky, Bitdefender, Palo Alto, Trellix, Elastic, Rapid7, Avast, AVG, Norton, Sysmon, Tanium, Huntress, Cylance, HarfangLab, and many more. Run warsaw.exe --list to see the full list.

Quick start

warsaw.exe              :: kills everything it recognizes
warsaw.exe --dry        :: scan only — shows what it would kill without touching anything
warsaw.exe --list       :: print all 200+ signatures

All options

Flag Description
--target <name> Only hunt processes matching a specific name
--fast Poll every 100ms instead of the default 800ms
--delay <ms> Set a custom poll interval
--no-disable Skip service disabling, only kill processes
--dry Scan only — no termination, no driver loaded
--list Print all known signatures and exit

Reverting

revert.exe undoes everything — re-enables all disabled services and cleans up the driver. Run as admin.

revert.exe

Building from source

Requirements: Visual Studio 2017/2019/2022 with the MSVC C/C++ toolset installed.

  1. Place your signed driver as wsftprm.sys in this directory
  2. Run _b.cmd
_b.cmd

The build script converts wsftprm.sys into a C byte array (driver_blob.h) automatically, then compiles both warsaw.exe and revert.exe. You never need to commit or manage driver_blob.h — it's regenerated every build.

If wsftprm.sys is missing, the build fails with a clear error.

About the driver

The .sys file is not included in this repo. You need a valid signed kernel driver (SHA-1 or SHA-256 certificate). Systems running Smart App Control or strict HVCI may block driver loading.

For authorized security testing only.

About

EDR/AV killer — disables security services and terminates protected processes via kernel driver

crypter.cloud

Topics

windows kernel-driver security-research edr endpoint-security process-termination av-killer

Resources

Readme
Activity

Stars

4 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages