unDefender is the C++ implementation of a technique originally described by @jonasLyk in this Twitter thread.
At its core, this technique revolves around changing the \Device\BootDevice symbolic link in the Windows Object Manager so that when Defender's WdFilter driver is unloaded and loaded again by its Tamper Protection feature, another file is mapped in memory in place of the original WdFilter.sys, rendering it effectively useless!
Requirements
- Compile unDefender.exe in Release x64 configuration;
- Place unDefender.exe and the provided legit.sys in the same folder;
- Run an elevated cmd.exe/powershell.exe and navigate to said folder;
.\unDefender.exe- Profit :)
Tested on
- Windows 10 20H2
- Windows 10 21H1
- Windows 11