unDefender

Killing your preferred antimalware by abusing native symbolic links and NT paths

unDefender is a C++ implementation of a technique originally described by @jonasLyk in a Twitter thread.
At its core, the technique retargets the \Device\BootDevice symbolic link in the Windows Object Manager. When Defender's WdFilter driver is unloaded and then loaded again by its Tamper Protection feature, the driver image is resolved through that link, so a different file is mapped in memory in place of the original WdFilter.sys, rendering the filter effectively useless.
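Because the whole technique hinges on where \Device\BootDevice points, the first thing a defender or a tester wants is a way to read that link's current target without WinObj. The script below is an added example, not code from the unDefender project or from the original thread: it P/Invokes the documented Native API routines NtOpenSymbolicLinkObject and NtQuerySymbolicLinkObject from ntdll.dll to resolve an Object Manager symbolic link. The two link names it checks (\Device\BootDevice and \GLOBAL??\<SystemDrive>) and the assumption that both normally resolve to the same \Device\HarddiskVolumeN are the author's choices for this check, not something the page states.

```powershell
# Added example (not part of unDefender): resolve Object Manager symbolic links
# through ntdll so a retargeted \Device\BootDevice can be spotted from user mode.
$src = @"
using System;
using System.Runtime.InteropServices;

public static class NtSymlink
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    [DllImport("ntdll.dll")]
    static extern int NtOpenSymbolicLinkObject(out IntPtr LinkHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")]
    static extern int NtQuerySymbolicLinkObject(IntPtr LinkHandle, ref UNICODE_STRING LinkTarget, out uint ReturnedLength);
    [DllImport("ntdll.dll")]
    static extern int NtClose(IntPtr Handle);

    const uint SYMBOLIC_LINK_QUERY = 0x0001;   // access right needed to read the target
    const uint OBJ_CASE_INSENSITIVE = 0x40;

    // Returns the target string of the symbolic link at the given NT path.
    public static string QueryTarget(string linkPath)
    {
        UNICODE_STRING name = new UNICODE_STRING();
        name.Buffer = Marshal.StringToHGlobalUni(linkPath);
        name.Length = (ushort)(linkPath.Length * 2);
        name.MaximumLength = (ushort)(name.Length + 2);
        IntPtr pName = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        Marshal.StructureToPtr(name, pName, false);

        OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
        oa.ObjectName = pName;
        oa.Attributes = OBJ_CASE_INSENSITIVE;

        IntPtr h;
        int status = NtOpenSymbolicLinkObject(out h, SYMBOLIC_LINK_QUERY, ref oa);
        Marshal.FreeHGlobal(name.Buffer);
        Marshal.FreeHGlobal(pName);
        if (status != 0)
            throw new Exception("NtOpenSymbolicLinkObject(" + linkPath + ") failed: 0x" + status.ToString("X8"));

        UNICODE_STRING target = new UNICODE_STRING();
        target.MaximumLength = 1024;
        target.Buffer = Marshal.AllocHGlobal(target.MaximumLength);
        try
        {
            uint returned;
            status = NtQuerySymbolicLinkObject(h, ref target, out returned);
            if (status != 0)
                throw new Exception("NtQuerySymbolicLinkObject(" + linkPath + ") failed: 0x" + status.ToString("X8"));
            return Marshal.PtrToStringUni(target.Buffer, target.Length / 2);
        }
        finally
        {
            Marshal.FreeHGlobal(target.Buffer);
            NtClose(h);
        }
    }
}
"@
Add-Type -TypeDefinition $src

# Link names chosen for this check (assumption): the boot device link that the
# technique retargets, and the DOS name of the system drive as a reference point.
$bootDevice  = NtSymlink::QueryTarget('\Device\BootDevice')
$systemDrive = NtSymlink::QueryTarget('\GLOBAL??\' + $env:SystemDrive)

"\Device\BootDevice           -> $bootDevice"
"\GLOBAL??\$env:SystemDrive             -> $systemDrive"

# On an untouched system both are expected (assumption) to name the same
# \Device\HarddiskVolumeN; a BootDevice that points elsewhere, or at a path
# under a user-writable directory, is exactly the condition the technique creates.
if ($bootDevice -ne $systemDrive) {
    Write-Warning "\Device\BootDevice does not match the system volume; inspect it before trusting any driver loaded via \SystemRoot."
} else {
    "BootDevice target matches the system volume."
}
```

Run it from an elevated or a normal PowerShell session; reading a symbolic link under \Device needs only SYMBOLIC_LINK_QUERY, so the check itself does not require the privileges the technique does. Treat the mismatch test as a heuristic: on systems where Windows is installed on a drive other than %SystemDrive% it will warn spuriously, and an attacker who restores the link after the reload leaves nothing for it to find.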

Requirements

Tested on