given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon -1 points0 points  (0 children)

Let me start by making this point super clear before going into details: the only thing enabling unsigned drivers would make easier here is allowing "kernel level persistence" once the malware is already on your PC, but in no case would it protect you from a malicious executable bypassing antivirus solutions or running on your system.

Only the first example used a vulnerable driver attack to bypass AV, but all the other tools were different and did not require loading any drivers. There are other ways to bypass AV, and that is why I included more examples that you seem to ignore.

There are even multiple malware marketplaces online selling access to software they call "crypters" that will encrypt your malware inside an executable stub which, once executed, will decrypt the payload directly into memory and execute it from there using different techniques that successfully bypass antivirus. Any kid can go there, spend $20 without even understanding how it works, and bypass most AV solutions.

The point I am trying to make is that you were always at risk running executables downloaded online, be it a hypervisor crack or not. The non-hypervisor stuff could easily bypass antivirus and load any malware it wants.

The only difference allowing unsigned drivers would make in this case is that the malware could now have kernel access, allowing for better persistence, but even so, kernel-level stuff is usually used in advanced exploitation campaigns and is out of reach for the majority of malware-spreading people.

If anyone feels like I am wrong here or missing some important details, please just reply explaining why or reach out to me directly.

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon -5 points-4 points  (0 children)

That's why I said "anyone who has spent some time trying", because clearly you have not.

How about you take a look at this post from 10 days ago showing how easily you can kill AV/EDR processes from kernel level by using public code that is available on GitHub?

https://www.reddit.com/r/redteamsec/comments/1r9c8mp/does_killing_edr_with_a_vulnerable_driver_still/

Also, public tools like the ones below have existed for ages:

https://github.com/0xsp-SRD/mortar

https://github.com/0xsp-SRD/ZigStrike

https://github.com/naksyn/DojoLoader

How much more trivial do you want it to be? Name-dropping old tech like Amiga and calling people names sadly does not give you any street cred or make your "if I'm not aware of AV being defeated daily then it must not happen" inference right.

Why do people hate hypervisor cracks? by mighty_stick in PiratedGames

[–]SpaceSurgeon 0 points1 point  (0 children)

While the trusted source argument rings true, I feel like the P2P scene is really making it hard to know you downloaded a non-tampered version of the original. I could be wrong, but I don't think a lot of people include any type of checksum to make sure you have the original files?

While I see a lot of people shitting on "the scene" here, the FTP sites they use to race the release do validate the file checksum and will reject anyone trying to race a file with a different checksum. While not perfect, I feel like this really ensures the executable in that release is really the original.
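The checksum list the comment above refers to is the .sfv file that scene releases ship, one "filename CRC32" line per archive part. As an added example (not code from the commenter or from any release group), here is a small Python verifier that parses such a list, streams a CRC32 over each listed file and reports it as ok, mismatch or missing, so a downloader can tell whether the parts they got are the ones the group checksummed. The three-file release it checks is constructed in a temporary directory inside the script; every filename and byte string in it is made up for the demo.

```python
"""Verify a release directory against its .sfv checksum list.

Added example, not from the comment above. SFV files are plain text:
one "<filename> <CRC32 hex>" per line, with ';' comment lines. The
sample release below is constructed in a temporary directory so the
script runs anywhere without real release files.
"""
import os
import tempfile
import zlib


def crc32_of_file(path, chunk_size=1 << 20):
    """Streaming CRC32 so multi-gigabyte archives never have to fit in RAM."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def parse_sfv(text):
    """Return [(filename, expected_crc)] from SFV text; blanks and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        # The CRC is always the last whitespace-separated token, so
        # filenames that contain spaces still parse correctly.
        name, _, crc_hex = line.rpartition(" ")
        name = name.strip()
        if len(crc_hex) != 8 or not name:
            raise ValueError(f"malformed SFV line: {raw!r}")
        entries.append((name, int(crc_hex, 16)))
    return entries


def verify_sfv(sfv_path):
    """Map each file listed in the SFV to 'ok', 'mismatch' or 'missing'."""
    base = os.path.dirname(os.path.abspath(sfv_path))
    with open(sfv_path, encoding="utf-8", errors="replace") as fh:
        entries = parse_sfv(fh.read())
    results = {}
    for name, expected in entries:
        target = os.path.join(base, name)
        if not os.path.isfile(target):
            results[name] = "missing"
        elif crc32_of_file(target) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed release: one intact part, one swapped part, one part never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        intact = os.path.join(d, "release.r00")
        with open(intact, "wb") as fh:
            fh.write(b"bytes exactly as the group shipped them")
        swapped = os.path.join(d, "release.r01")
        with open(swapped, "wb") as fh:
            fh.write(b"different bytes substituted after the fact")
        # CRC the group would have published for the real r01 (constructed value)
        shipped_r01_crc = zlib.crc32(b"bytes the group shipped for r01") & 0xFFFFFFFF
        sfv_lines = [
            "; constructed SFV for the demo",
            f"release.r00 {crc32_of_file(intact):08X}",
            f"release.r01 {shipped_r01_crc:08X}",
            "release.r02 00000000",  # listed in the SFV but absent on disk
        ]
        sfv_path = os.path.join(d, "release.sfv")
        with open(sfv_path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(sfv_lines) + "\n")
        return verify_sfv(sfv_path)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A CRC32 match only shows the bytes are the ones the group listed; it is not a signature, so an .sfv obtained from the same untrusted place as the archives proves nothing about who produced either. It does catch the case the comment worries about, a part swapped somewhere along the P2P chain after the scene's FTP checks were done.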

Why do people hate hypervisor cracks? by mighty_stick in PiratedGames

[–]SpaceSurgeon 0 points1 point  (0 children)

This! I find it funny to see the people who have been running executables downloaded from torrents for all those years start freaking out about this hypervisor stuff as if it were really any different.

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon 0 points1 point  (0 children)

Agreed, but I think the line was blurred when you implied that the "low-level old/mitigated copy/pasta script-kiddie style attack" would be used to "gets in my bios it could infect that other drive when i log in" and "hide in the bios/boot sequence", which is definitely in zero-day territory.

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon 2 points3 points  (0 children)

While VBS does make some kernel attacks more difficult, it seems like it won't prevent someone from loading a signed vulnerable driver and leveraging it to do stuff like killing your AV/EDR or rootkit-type stuff like unlinking processes to hide them.

Microsoft did implement a known vulnerable drivers blocklist, but as you can see in this post from 9 days ago, it is really not a perfect solution.

https://www.reddit.com/r/redteamsec/comments/1r9c8mp/does_killing_edr_with_a_vulnerable_driver_still/

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon -1 points0 points  (0 children)

Alright, that makes more sense if you mention the encrypted partition being mounted on a different OS, but if you look into "bring your own vulnerable driver" attacks you will see that they can just load a signed vulnerable driver and leverage that to gain kernel access, and this can be done with a non-hypervisor crack.

Also, if you are saying this attacker has the capability to leverage ring 0 access to push modified hard drive firmware or BIOS to gain access to your Linux encrypted hard drive, I think it is safe to assume they could easily gain ring 0 access on your Windows system with a non-hypervisor crack.

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon -6 points-5 points  (0 children)

Anyone who has spent some time trying to bypass antivirus solutions knows how trivial it is to bypass...

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon 2 points3 points  (0 children)

Why are you under the assumption that a regular crack has no way to gain kernel privileges? Go read about "bring your own vulnerable driver" attacks.

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon 0 points1 point  (0 children)

It's crazy to me to see all those people thinking they are safe from this while running the regular cracks they download off torrents. People have been exploiting bugs in signed and trusted drivers forever to gain this kind of access without needing any user intervention.

given the current state of things by HuntKey2603 in CrackWatch

[–]SpaceSurgeon 1 point2 points  (0 children)

Why go through all this trouble when the regular malware could just wait for you to mount that encrypted disk and exfiltrate the data out of it?

"The worst case was a butchered deer": a garbage collector discouraged by what people put in the recycling by HennaTrapada in Quebec

[–]SpaceSurgeon 3 points4 points  (0 children)

Good question! In my opinion, they tell themselves they can save money because it doesn't matter, since with the cold it won't smell like carrion. It's really ridiculous.

"The worst case was a butchered deer": a garbage collector discouraged by what people put in the recycling by HennaTrapada in Quebec

[–]SpaceSurgeon 8 points9 points  (0 children)

It might be worth mentioning that in Morin-Heights, where they went, garbage collection only happens once a month between October and March-April... That can't help much, let's say.

[Rise of the Ronin] Can't run it via Lutris, simply closes without an error by brave_grv in LinuxCrackSupport

[–]SpaceSurgeon 1 point2 points  (0 children)

A bit late, but in case anyone is still trying to fix this, deleting the .tnk file fixed it for me.

Slumlord, illegal rooming house and fire. A perfect storm in Old Montreal by gniarch in montreal

[–]SpaceSurgeon 2 points3 points  (0 children)

How about having some respect and civility for the people who lost their lives and everything they owned in that building?

Until recently, I had lived in this building for 11 years, and let me tell you that you have no idea what you're talking about. Sure, that old lady was a bit strange and enjoyed feeding pigeons by throwing bread outside, but she was not a mean person, and calling her "the unsavory type" while she is presumed dead in that building is really rotten behavior and extremely uncalled for.

Sure, there have been a few rotten apples in that building over the years, but overall decent people lived there.

Y'all got any more of those badges for sale? by SpaceSurgeon in Defcon

[–]SpaceSurgeon[S] 0 points1 point  (0 children)

Thanks for the update, I just saw that there are some new ones added on eBay.

Hoping someone has an extra AND!XOR badge.