Kill Process From Cmd (shell injection, AV evasion)

Here are some known ways, and some more unusual ones, to kill another process from a Windows cmd command. This could be used in shell injection and for AV evasion (for AV evasion you might want to use one of the less familiar commands), but I do not advise doing that. We will suppose the process image name is xxx.exe:

  1. taskkill /F /T /FI "ImageName eq xxx.exe"
    1. The nice /T flag kills all child processes as well (for example conhost.exe is a child process of cmd.exe when running bat files). The other methods below make it harder to kill child processes, but it can be done by querying on the ParentProcessId.
  2. wmic Path win32_process Where "Caption Like 'xxx.exe'" Call Terminate
  3. powershell -c "Stop-Process -Name xxx" (the -Name parameter takes the image name without the .exe extension)
  4. Write a js, vbs or hta file using echo commands and execute it with cscript or similar. Kill the process from js/vbs/hta through ActiveX (when run locally such scripts are trusted and usually not blocked). Example code to kill the process from JavaScript (JScript under cscript; similar code works in VBScript):
    // Connect to the local WMI service through the winmgmts moniker
    var wmi = GetObject("winmgmts:");
    // Select every running process whose image name matches
    var procs = wmi.ExecQuery("select * from Win32_Process where Name='xxx.exe'");
    var enumProcs = new Enumerator(procs);
    for (; !enumProcs.atEnd(); enumProcs.moveNext()) {
        var p = enumProcs.item();
        p.Terminate();  // Win32_Process.Terminate ends that instance
    }

    1. Note that this method writes a plaintext file to disk, which might be detected by AV, so it is not ideal. BUT you can obfuscate the code and make it harder to analyze, like many exploit kits do with their code, which would make it better for AV evasion.
  5. Write a binary file and execute it; the binary can be compiled C code which kills the process.
    1. Writing a binary file from cmd can be done using: powershell; debug.exe, which allows writing small binary files (up to 64 KB if I am not wrong); certutil.exe, which can encode and decode any binary file as hex or base64 strings.
      1. The problem with writing binary files from cmd is that the '\0' character can't be written in cmd, so all methods of writing binary data from cmd must go through encoding and decoding.
      2. See this thread for a discussion: http://www.dostips.com/forum/viewtopic.php?t=5324
    2. This method is probably better than the previous one from an AV evasion point of view, because the file written is binary rather than cleartext or obfuscated cleartext, so binary obfuscators and crypters can be used to make it harder for AV to analyze. Binary obfuscation is probably harder to analyze than javascript/vbscript obfuscation.
  6. IDEA: Use rundll32 to call a win32 function which kills the process. NOTE: I did not find a compatible function that kills a process, but if shutting down the computer also counts as killing the process then: rundll32 user32.dll,ExitWindowsEx
    1. Only functions with a specific signature can be called through rundll32, see: https://support.microsoft.com/en-us/kb/164787 and http://superuser.com/questions/1074587/under-what-circumstances-can-i-use-rundll32-to-invoke-a-function-in-a-dll/1074588#1074588
  7. Use rundll32 parameter confusion to execute javascript/vbscript from cmd and then run, for example, the script written above to kill the process: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('Replace this alert with the desired code');
    1. An explanation of how this works is here: https://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/
  8. Try to delete, lock, remove from groups, or lower the permissions of the user the target process runs under; this might cause the process to crash. The idea of damaging the target process's resources might be usable in other ways too which I have not thought about yet.
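From the defender's side, each technique above leaves a recognisable process command line. The following is an added example (not part of the original post) that runs a handful of regex rules, one per technique listed here, over constructed sample process-creation command lines; the paths and sample lines are made up for the example.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# Each one mirrors a technique from the list above; the last is a benign control.
SAMPLE_CMDLINES = [
    'taskkill /F /T /FI "ImageName eq xxx.exe"',
    'wmic Path win32_process Where "Caption Like \'xxx.exe\'" Call Terminate',
    'powershell -c "Stop-Process -Name xxx"',
    'cscript //nologo C:\\Users\\Public\\kill.js',
    'certutil -decode C:\\Users\\Public\\payload.txt C:\\Users\\Public\\payload.exe',
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";alert(1);',
    'notepad.exe C:\\Users\\Public\\notes.txt',
]

# (rule name, compiled pattern). Case-insensitive because cmd.exe is.
RULES = [
    ("taskkill_forced", re.compile(r"\btaskkill\b.*\s/F\b", re.I)),
    ("wmic_process_terminate",
     re.compile(r"\bwmic\b.*\bwin32_process\b.*\bcall\s+terminate\b", re.I)),
    ("powershell_stop_process", re.compile(r"\bpowershell\b.*\bStop-Process\b", re.I)),
    # script host launched on a file in a user-writable location (hypothetical path list)
    ("script_host_from_user_writable",
     re.compile(r"\b[cw]script(\.exe)?\b.*\\(Users\\Public|Temp|AppData)\\", re.I)),
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("rundll32_javascript_protocol", re.compile(r"\brundll32(\.exe)?\s+javascript:", re.I)),
]


def classify(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Map each command line that triggers at least one rule to its rule names."""
    hits = {}
    for line in cmdlines:
        names = classify(line)
        if names:
            hits[line] = names
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(names):32s} <- {line}")
```

Plain string rules like these are brittle against the obfuscation the post mentions, so in practice they are a triage signal to pair with parent-process and file-write context rather than a complete detection.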