Removing the driver via smss.exe

Someone asked me how to remove the AV/EDR driver because we were able to overwrite and delete the service, but the driver was impossible.

So, I tried some things and removed the driver by rebooting the host.

Open:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
And in the ExistingPageFiles parameter, enter the path to the AV/EDR driver (the beginning of the path is \??\C:\ or another disk label). Then reboot the machine and reap the benefits if smss.exe can gain uninstall permissions. For this reason, the effectiveness of this technique depends heavily on the architecture of the solution we're trying to remove.

Works on both Windows 10 and 11.

Note: For this to have the effect of a clean CLR, you’d need to manually map the DLL from disk into memory. You cannot use LoadLibraryA/W, because antivirus solutions will detect the DLL load event and may hook it immediately. If you want this behavior, you can look up existing manual mappers on GitHub and integrate one into your codebase. I’m not including one here, as AV vendors generally don’t appreciate that

Evade behavioral analysis by executing malicious code within trusted Microsoft call stacks
Uses hardware breakpoints + VEH to hijack legitimate functions and spoof module origins

│ 1. Target Function Call
│ ↓
│ 2. CPU Debug Register Triggers (DR0-DR3) │
│ ↓
│ 3. EXCEPTION_SINGLE_STEP Raised │
│ ↓
│ 4. VEH Handler Intercepts Exception │
│ ↓
│ 5. Execution Redirected to Hook Function │
│ ↓
│ 6. CallOriginal() Temporarily Disables Breakpoint
│ ↓
│ 7. Original Function Executes │
│ ↓
│ 8. Breakpoint Re-enabled

My favorite Group 😁