Another POC PsKill


Post by arran on 11/5/2010, 14:52

PsKill http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx

It terminates other processes, but I can't get it to work. When I click on it, it brings up a user agreement (accept or decline); I press accept, and now I can't open it at all.

SSj or Nick or someone, can you guys work out how to use this?

Re: Another POC PsKill

Post by ssj100 on 11/5/2010, 15:48

You just need to execute it via the command prompt. Working fine here and it does terminate processes. Will check it with Malware Defender soon.

EDIT: Malware Defender (and presumably all other classical HIPS) successfully controls the behaviour of this POC (and prevents process termination) in default configuration. This POC must use a different mechanism to terminate processes than the one described here:
http://ssj100.fullsubject.com/other-f6/malware-defender-270-eqsyssecure-41-process-privilege-control-flaw-t55.htm

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Another POC PsKill

Post by nick s on 14/5/2010, 00:52

Nothing fancy. It uses TerminateProcess. Quoting from 12 ways to terminate a process:

"TerminateProcess or NtTerminateProcess

Everyone knows about TerminateProcess. You simply open a handle to the target process and call TerminateProcess. In case TerminateProcess is hooked, you can call the equivalent Native API function NtTerminateProcess."

Usage:

c:\sysinternals>pskill 1276

PsKill v1.13 - Terminates processes on local or remote systems
Copyright (C) 1999-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

Unable to kill process 1276:
Access is denied.


Malware Defender blocks it:

5/13/2010 14:27:52 Create new process Permitted
Process: c:\windows\system32\cmd.exe
Target: c:\sysinternals\pskill.exe
Cmd line: pskill 1276
Rule: [App]*

5/13/2010 14:27:54 Duplicate handle to another process Permitted
Process: c:\windows\system32\conhost.exe
Target: c:\sysinternals\pskill.exe
Handle: (Event) 0x0000007C
Rule: [App]*

5/13/2010 14:27:58 Terminate another process Denied
Process: c:\sysinternals\pskill.exe
Target: c:\program files\idm computer solutions\ultraedit\uedit32.exe
Rule: [App]*

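The Malware Defender excerpt above is a useful shape for detection work: each alert is a header line (timestamp, action, verdict) followed by "Key: value" lines. The following script is an added example, not code from this thread or from Malware Defender; it parses a log in that layout and pulls out every "Terminate another process" event so an admin can see which images tried to kill which targets and whether the HIPS allowed it. The sample text is constructed here in the same format as the quoted log, and its last entry (taskmgr) is invented to give the parser a Permitted case alongside the Denied one.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Malware Defender log quoted in the thread;
# the final taskmgr entry is invented here so both verdicts appear.
SAMPLE_LOG = r"""
5/13/2010 14:27:52 Create new process Permitted
Process: c:\windows\system32\cmd.exe
Target: c:\sysinternals\pskill.exe
Cmd line: pskill 1276
Rule: [App]*

5/13/2010 14:27:54 Duplicate handle to another process Permitted
Process: c:\windows\system32\conhost.exe
Target: c:\sysinternals\pskill.exe
Handle: (Event) 0x0000007C
Rule: [App]*

5/13/2010 14:27:58 Terminate another process Denied
Process: c:\sysinternals\pskill.exe
Target: c:\program files\idm computer solutions\ultraedit\uedit32.exe
Rule: [App]*

5/13/2010 14:30:01 Terminate another process Permitted
Process: c:\windows\system32\taskmgr.exe
Target: c:\program files\idm computer solutions\ultraedit\uedit32.exe
Rule: [App]*
"""

# Header line: "<m/d/yyyy HH:MM:SS> <action text> <Permitted|Denied>"
HEADER_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) (.+) (Permitted|Denied)$"
)


@dataclass
class Event:
    timestamp: str
    action: str
    verdict: str
    fields: dict = field(default_factory=dict)


def parse_log(text):
    """Split the log into Event records; 'Key: value' lines attach to the preceding header."""
    events = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Event(m.group(1), m.group(2), m.group(3))
            events.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            # normalise case so path comparisons are not tripped up by Windows casing
            current.fields[key.lower()] = value.lower()
        # any other line (stray text) is ignored rather than aborting the parse
    return events


def termination_attempts(events):
    """Return (source image, target image, verdict) for every cross-process termination."""
    return [
        (e.fields.get("process", "?"), e.fields.get("target", "?"), e.verdict)
        for e in events
        if e.action == "Terminate another process"
    ]


def blocked_killers(events):
    """Map each source image to the number of termination attempts the HIPS denied."""
    counts = {}
    for src, _target, verdict in termination_attempts(events):
        if verdict == "Denied":
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dst, verdict in termination_attempts(evs):
        print(f"{verdict:9} {src} -> {dst}")
    print("denied per source:", blocked_killers(evs))
```

Run against a real export, the interesting output is the Permitted rows: a Denied pskill attempt is the HIPS working as intended, while an unexpected image that was allowed to terminate a security tool is what deserves a closer look at the rule that permitted it.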
