Windows offensive research toolkit for secure file destruction with kernel-level filesystem filter interception.
NtPurge, the user-mode file destruction engine, performs CSPRNG-backed overwrite passes on target files before deletion. It includes automated UAC bypass for privilege escalation.
- C++20, Win32 API
- BCryptGenRandom for cryptographic overwrites
- Multiple elevation methods (FodHelper, ComputerDefaults, SdcltIsolatedCommand)
NtFilterRelay, the kernel-mode minifilter driver (FltMgr), locates and intercepts the pre/post-operation callback registrations of target filter drivers by scanning FLT_INSTANCE memory for CALLBACK_NODE structures.
- WDM minifilter, WDK 10.0
- Runtime EDR/AV filter detection and callback replacement
- Atomic pointer exchange for hook installation/removal
- Driver loading via BYOVD using a forked KDP-compatible loader (gdrv.sys)
Building NtPurge requires vcbuild:
cd NtPurge && vcbuild
Building NtFilterRelay requires Visual Studio with the WDK installed:
msbuild NtFilterRelay\NtFilterRelay.sln /p:Configuration=Release /p:Platform=x64
For authorized security research and testing only.