Sitting on the Lolbins, 5

August 25, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

Killing processes is easy — you can call an API (TerminateProcess), use existing OS binaries (taskkill), or… use one of many signed binaries written specifically for this purpose. The best known is obviously pskill from Sysinternals, but there are more.

ASUSTeK produced a number of these, for both 32-bit and 64-bit architectures. The executable name is not always included in the version info, but when it is, it is typically KillProcess.

Also, not all of them seem to come from the same programmer; e.g. one of them is a more generic tool that offers a few more options than just killing a process by its name:

Usage: killproc [-p | -m | -l | -la] [process name]
-p: partial of process name.
-m: match process name.
-l: list processes.
-la: list all processes.
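From the detection side, the useful property of these tools is that the target process is visible on the command line. The following Python is an added example (not code from the post, from Sysinternals, or from ASUSTeK) that scans process-creation events for the terminators named above, extracts the named target using the killproc flags quoted in the usage text, and raises severity when the target is on a watchlist of processes you would not expect a user to terminate. The sample events, the watchlist entry and the assumption that KillProcess.exe takes its target as the last argument are constructed for the example.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample process-creation events in Sysmon Event ID 1 style
# (Image + CommandLine); not captured from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM edr-agent.exe"},
    {"Image": r"C:\Tools\pskill.exe",
     "CommandLine": "pskill -t edr-agent.exe"},
    {"Image": r"C:\Users\Public\killproc.exe",
     "CommandLine": "killproc -p edr-ag"},          # partial-name match
    {"Image": r"C:\Users\Public\killproc.exe",
     "CommandLine": "killproc -la"},                # listing only, not a kill
    {"Image": r"C:\Users\Public\KillProcess.exe",
     "CommandLine": "KillProcess.exe updater.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\temp\\notes.txt"},
]

# Constructed watchlist: processes whose termination should page someone.
WATCHLIST = frozenset({"edr-agent.exe"})

# Image names of the process terminators discussed in the post.
KILLER_IMAGES = {"taskkill.exe", "pskill.exe", "killprocess.exe", "killproc.exe"}


def _flag_value(args: List[str], flags: Tuple[str, ...]) -> Optional[str]:
    """Return the argument following the first of `flags` found (case-insensitive)."""
    lowered = [a.lower() for a in args]
    for flag in flags:
        if flag in lowered:
            i = lowered.index(flag)
            return args[i + 1] if i + 1 < len(args) else None
    return None


def extract_target(image: str, cmdline: str) -> Optional[Tuple[str, bool]]:
    """Return (target, is_partial_match) for a kill invocation, or None when the
    image is not a known terminator or the invocation does not kill anything
    (for example `killproc -l` / `-la`, which only list processes)."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in KILLER_IMAGES:
        return None
    args = cmdline.split()[1:]  # drop argv[0]
    if exe == "taskkill.exe":
        # taskkill /IM <name> or /PID <pid>; /F and /T are only modifiers.
        target = _flag_value(args, ("/im", "/pid"))
        return (target, False) if target else None
    if exe == "pskill.exe":
        # pskill [-t] <pid | name>: the target is the final argument.
        if args and not args[-1].startswith("-"):
            return (args[-1], False)
        return None
    if exe == "killproc.exe":
        # Usage from the post: -p partial name, -m exact name; -l/-la list only.
        partial = _flag_value(args, ("-p",))
        if partial:
            return (partial, True)
        exact = _flag_value(args, ("-m",))
        return (exact, False) if exact else None
    # KillProcess.exe: its syntax is not documented in the post; this example
    # assumes the target is the last argument (assumption).
    return (args[-1], False) if args else None


def _is_protected(target: str, partial: bool, watchlist: Iterable[str]) -> bool:
    """A partial (-p) match hits any watchlist name containing the fragment."""
    t = target.lower()
    names = [w.lower() for w in watchlist]
    if partial:
        return any(t in w for w in names)
    return t in names


def find_process_kills(events: Iterable[Dict[str, str]],
                       watchlist: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one finding per event that invokes a terminator against a process."""
    hits = []
    for ev in events:
        parsed = extract_target(ev["Image"], ev["CommandLine"])
        if parsed is None:
            continue
        target, partial = parsed
        severity = "high" if _is_protected(target, partial, watchlist) else "medium"
        hits.append({"image": ev["Image"], "target": target, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_process_kills(SAMPLE_EVENTS, WATCHLIST):
        print(f"[{hit['severity']}] {hit['image']} -> {hit['target']}")
```

The `-p` handling matters: because killproc matches on a fragment of the name, a rule that only compares whole process names against a watchlist would miss `killproc -p edr-ag`, so partial matches are checked by substring. Listing invocations (`-l`, `-la`) are deliberately not reported, since they terminate nothing.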
