Sitting on the Lolbins, 5

August 25, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

Killing processes is easy — you can call an API (TerminateProcess), use existing OS binaries (taskkill), or… use one of many signed binaries written specifically for this purpose. The most known is obviously pskill from Sysinternals, but there is more.

ASUSTeK produced a number of these, for both 32-bit and 64-bit architectures. The executable name is not always present in the version info, but when it is, it is typically KillProcess.

Also, not all of them seem to come from the same programmer, e.g. one of them is a more generic tool that offers a few more options than just killing the process by its name:

Usage: killproc [-p | -m | -l | -la] [process name]
-p: partial of process name.
-m: match process name.
-l: list processes.
-la: list all processes

Samples:

12D709A7FDDF97E8210F4CDFAF8FE94E79E50306713C1EB4BB62EB8ED6DA2020
1A4C16981AFA4E8EC7C772D9F031AC6C6DB78E776FC817ABDF060416B376EFBB
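From a detection angle, a signed vendor utility whose only job is terminating processes is worth flagging whenever it shows up in process-creation telemetry. The script below is an added example, not code from the post: it parses killproc-style command lines according to the usage quoted above and walks a set of constructed Sysmon-style records. The OriginalFileName values, the company string and the user-writable path heuristic are assumptions, not properties confirmed for the samples listed.

```python
import shlex

# Version-info name quoted on the page plus the usage name; "killproc" as a file name is an assumption.
KNOWN_NAMES = {"killprocess", "killproc"}
KILL_FLAGS = {"-p": "partial name match", "-m": "exact name match"}  # from the quoted usage
LIST_FLAGS = {"-l", "-la"}
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\")  # heuristic, assumption


def classify_command_line(cmdline: str) -> dict:
    """Say what a killproc-style invocation does: list, kill (with mode/target) or just print usage."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return {"action": "unparsable"}
    args = argv[1:]
    if not args:
        return {"action": "usage"}
    flag = args[0].lower()
    if flag in LIST_FLAGS:
        return {"action": "list"}
    if flag in KILL_FLAGS and len(args) >= 2:
        return {"action": "kill", "mode": KILL_FLAGS[flag], "target": args[1].strip('"')}
    # The simpler variants take only a process name (assumed behaviour from the post's description).
    return {"action": "kill", "mode": "process name", "target": args[0].strip('"')}


def find_killproc_events(events: list) -> list:
    """Filter process-creation records whose version-info name matches and classify each."""
    findings = []
    for ev in events:
        name = ev.get("OriginalFileName", "").lower().removesuffix(".exe")
        if name not in KNOWN_NAMES:
            continue
        image = ev.get("Image", "")
        info = classify_command_line(ev.get("CommandLine", ""))
        info["image"] = image
        info["user_writable_path"] = any(h in image.lower() for h in USER_WRITABLE_HINTS)
        findings.append(info)
    return findings


# Constructed Sysmon-style event ID 1 records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\KillProcess.exe", "OriginalFileName": "KillProcess",
     "Company": "ASUSTeK Computer Inc.",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\KillProcess.exe" -m SomeAgent.exe'},
    {"Image": r"C:\Tools\killproc.exe", "OriginalFileName": "KillProcess",
     "Company": "ASUSTeK Computer Inc.", "CommandLine": r"C:\Tools\killproc.exe -l"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Company": "Microsoft Corporation", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in find_killproc_events(SAMPLE_EVENTS):
        print(f)
```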
