This tool abuses a flaw in WerFaultSecure to suspend EDR and antimalware processes without resorting to the BYOVD (Bring Your Own Vulnerable Driver) technique.
EDR-Freeze runs entirely in user mode, so no additional driver has to be installed, and it works on current Windows releases.
It was tested on the newest Windows version available when the project was created: Windows 11 24H2.
Usage: EDR-Freeze.exe [TargetPID] [SleepTime]
Example: EDR-Freeze.exe 1234 10000
This freezes the target process for 10000 milliseconds.
Write-up: EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State
Related project: Tool to run a process with PPL without a driver
YouTube: https://www.youtube.com/watch?v=vFcbE94qD70
Instead of running EDR-Freeze with a long sleep duration, incorporate it into a script that:
- temporarily halts all antimalware/EDR processes for a short period (1-3 seconds), and
- executes its tasks immediately after the suspension succeeds.
Because the GUI may become unresponsive in some cases, choose the shortest sleep time possible, and make sure the script finishes before the antimalware/EDR resumes.
Alternatively, the most reliable approach is to insert the code you want to execute directly into the source code of EDR-Freeze:
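From the defender's side, the observable effect of the technique above is a security product whose threads are all in the suspended wait state for a short window, alongside a WerFaultSecure.exe instance that the WER service did not start. The following PowerShell watchdog is an added example written for this page; it is not part of EDR-Freeze and not code from the project. It reports any watched process whose every thread is suspended and lists running WerFaultSecure.exe instances with their parent for triage. The process names in $WatchedNames (MsMpEng, NisSrv) are assumed examples and should be replaced with the names of the products actually deployed.

```powershell
# Added example, not part of EDR-Freeze: report watched security processes whose
# threads are all suspended, and list WerFaultSecure.exe instances for triage.
# $WatchedNames is an assumed list of Defender process names; adjust for your EDR.
param(
    [string[]]$WatchedNames = @('MsMpEng', 'NisSrv')
)

function Test-ProcessSuspended {
    param([System.Diagnostics.Process]$Process)
    $threads = @($Process.Threads)
    if ($threads.Count -eq 0) { return $false }
    foreach ($t in $threads) {
        # WaitReason is only valid while ThreadState is Wait; reading it otherwise throws.
        if ($t.ThreadState -ne [System.Diagnostics.ThreadState]::Wait) { return $false }
        if ($t.WaitReason -ne [System.Diagnostics.ThreadWaitReason]::Suspended) { return $false }
    }
    return $true
}

# 1. A fully suspended security process is the symptom worth alerting on.
foreach ($name in $WatchedNames) {
    foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        if (Test-ProcessSuspended -Process $p) {
            Write-Warning ("{0} (PID {1}): all {2} threads are suspended" -f $p.ProcessName, $p.Id, $p.Threads.Count)
        }
    }
}

# 2. List live WerFaultSecure.exe instances with parent PID/name and command line
#    so an analyst can judge whether the WER service or something else launched them.
Get-CimInstance Win32_Process -Filter "Name = 'WerFaultSecure.exe'" | ForEach-Object {
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID         = $_.ProcessId
        ParentPID   = $_.ParentProcessId
        ParentName  = if ($parent) { $parent.ProcessName } else { '<exited>' }
        CommandLine = $_.CommandLine
    }
}
```

Run it from an elevated prompt on a schedule of a few seconds, since the technique only needs a 1-3 second window; thread state is read through Get-Process, which does not require opening a handle to a PPL process, so the check works on protected processes too.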
Essential tools that every security researcher and hacker should have in their toolkit:
Essential Tools For Security Researcher and Hacker
Some books you should read to sharpen your cybersecurity skills, especially in offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium Researchers