Another POC PsKill
PsKill http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx
Terminates other processes, but I can't get it to work. When I click on it, it brings up a user agreement (accept or decline). I press accept and now I can't open it at all.
SSj or Nick or someone, can you guys work out how to use this?
arran- Member
- Posts : 41
Join date : 2010-05-09
Re: Another POC PsKill
You just need to execute it via the command prompt. Working fine here and it does terminate processes. Will check it with Malware Defender soon.
EDIT: Malware Defender (and presumably all other classical HIPS) successfully controls the behaviour of this POC (and prevents process termination) in default configuration. This POC must use a different mechanism to terminate processes than the one described here:
https://ssj100.forumotion.com/other-f6/malware-defender-270-eqsyssecure-41-process-privilege-control-flaw-t55.htm
Re: Another POC PsKill
Nothing fancy. It uses TerminateProcess. Quoting from 12 ways to terminate a process:
"TerminateProcess or NtTerminateProcess
Everyone knows about TerminateProcess. You simply open a handle to the target process and call TerminateProcess. In case TerminateProcess is hooked, you can call the equivalent Native API function NtTerminateProcess."
Usage:
c:\sysinternals>pskill 1276
PsKill v1.13 - Terminates processes on local or remote systems
Copyright (C) 1999-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
Unable to kill process 1276:
Access is denied.
Malware Defender blocks it:
5/13/2010 14:27:52 Create new process Permitted
Process: c:\windows\system32\cmd.exe
Target: c:\sysinternals\pskill.exe
Cmd line: pskill 1276
Rule: [App]*
5/13/2010 14:27:54 Duplicate handle to another process Permitted
Process: c:\windows\system32\conhost.exe
Target: c:\sysinternals\pskill.exe
Handle: (Event) 0x0000007C
Rule: [App]*
5/13/2010 14:27:58 Terminate another process Denied
Process: c:\sysinternals\pskill.exe
Target: c:\program files\idm computer solutions\ultraedit\uedit32.exe
Rule: [App]*
nick s- Valued Member
- Posts : 14
Join date : 2010-04-18