<#
.SYNOPSIS
Kill remote processes
Author: @r00t-3xp10it
Tested Under: Windows 10 (19044) x64 bits
Required Dependencies: Administrator
Optional Dependencies: none
PS cmdlet Dev version: v1.0.8
.DESCRIPTION
Auxiliary Module of meterpeter C2 to kill processes
.NOTES
Invoke this cmdlet with -proc_name 'process_name' param
to kill multiple instances of process_name Or just invoke
-ppid 'process_id' to kill only the selected process pid.
If you wish to kill multiple instances of powershell except
the current powershell console, then invoke -DontKill "$pid"
.Parameter Proc_Name
The process name to kill (default: mspaint)
.Parameter PPID
The process ID to kill (default: false)
.Parameter DontKill
Dont kill this PID id (default: $pid)
.EXAMPLE
PS C:\> .\killProcess.ps1 -proc_name 'calc'
Kill process calc.exe (multiple instances)
.EXAMPLE
PS C:\> .\killProcess.ps1 -ppid '1508'
Kill a single process by its unique process ID (PID)
.EXAMPLE
PS C:\> .\killProcess.ps1 -proc_name 'powershell' -dontkill "$pid"
Kill all instances of powershell except the current console PID
.INPUTS
None. You cannot pipe objects into killProcess.ps1
.OUTPUTS
Description : Paint
Process PID : 7530 found running.
sending kill command to PID 1
Process State : mspaint successfuly stopped ..
Process Path : C:\WINDOWS\system32\mspaint.exe
.LINK
https://github.com/r00t-3xp10it/meterpeter
https://github.com/r00t-3xp10it/redpill/tree/main/bin/killProcess.ps1
#>
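[CmdletBinding(PositionalBinding=$false)] param(
    [string]$Proc_name="mspaint",
    [string]$DontKill="$pid",
    [string]$PPID="false"
)
## Parameters are bound once per invocation:
##   -Proc_name : process name (wildcards accepted by Get-Process -Name, see below)
##   -DontKill  : PID spared in name mode; defaults to the PID of this PowerShell
##   -PPID      : when not 'false', a single PID to terminate (name mode is skipped)
$cmdletver = "v1.0.8"
$ErrorActionPreference = "SilentlyContinue"
$host.UI.RawUI.WindowTitle = "@KillProcess $cmdletver"

## OPSEC caveat: SaveNothing only stops PSReadLine from writing the interactive
## history file (ConsoleHost_history.txt) for this session. It does NOT affect
## PowerShell script block logging (event 4104), module logging, transcription
## or AMSI, so it must not be relied on to hide this invocation from a defender.
## (The original line used a Unicode en-dash before HistorySaveStyle; PowerShell
## tolerates that, but an ASCII hyphen is used here so the script survives
## copy/paste and linting.)
Set-PSReadlineOption -HistorySaveStyle SaveNothing | Out-Null

## Privilege check. The original grepped the token's group list for the
## Administrators SID (S-1-5-32-544); under UAC that SID is typically still
## listed (deny-only) in a non-elevated token, so that test can pass without
## the rights to stop other users' processes. IsInRole honours the deny-only
## attribute and is true only for an elevated token.
$CurrentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$IsAdmin = ([System.Security.Principal.WindowsPrincipal]$CurrentIdentity).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
If(-not $IsAdmin)
{
    $iD = $CurrentIdentity.Owner.Value
    write-host " Owner: $iD";write-host " Error: Administrator privs required to kill processes." -ForegroundColor Red
    return
}

If($PPID -ne 'false')
{
    ## ---------------------------------------------------------------
    ## Mode 1: kill a single process by PID.
    ## ---------------------------------------------------------------
    ## A valid PID is digits only AND must fit an Int32 (-as returns $null
    ## instead of throwing on overflow). The digit check is kept because
    ## '-as [int]' would also accept forms such as '1e3'.
    $TargetPid = $PPID -as [int]
    If(($PPID -NotMatch '^\d+$') -or ($null -eq $TargetPid))
    {
        write-host " Error: not valid PID '$PPID' input." -ForegroundColor Red
        return
    }
    ## Resolve the process once; reuse the object for display and for waiting.
    $DATAB = Get-Process -Id $TargetPid -EA SilentlyContinue
    If(-not $DATAB)
    {
        write-host " Error: PID '$PPID' not found running." -ForegroundColor Red
        return
    }
    $DESCR = $DATAB.Description
    $PNAME = $DATAB.ProcessName
    $PPATH = $DATAB.Path
    write-host " Description : " -NoNewline
    write-host "$DESCR" -ForegroundColor DarkYellow
    write-host " Process PID : $PPID found running."
    Start-Sleep -Milliseconds 500
    write-host " sending kill command to PID" -ForegroundColor DarkGray
    ## Terminate in-process. The original spawned a hidden powershell.exe child
    ## just to run Stop-Process, which gains nothing and creates an extra,
    ## loggable process per kill. Stop-Process returns before the target has
    ## fully exited, so wait (bounded) before re-checking, otherwise a
    ## successful kill can be reported as a failure.
    Stop-Process -Id $TargetPid -Force -EA SilentlyContinue
    try { $null = $DATAB.WaitForExit(2000) } catch { }
    If(-not (Get-Process -Id $TargetPid -EA SilentlyContinue))
    {
        write-host " Process State : " -NoNewline
        write-host "$PNAME ($PPID) successfuly stopped .." -ForegroundColor Green
        write-host " Process Path : $PPATH"
    }
    Else
    {
        ## Typical causes: protected/PPL process, or the token lacks
        ## PROCESS_TERMINATE on the target.
        write-host " Process State : " -NoNewline
        write-host "Fail to stop '$PPID' PID ($PNAME) ?" -ForegroundColor Red
    }
    return
}

## -------------------------------------------------------------------
## Mode 2: kill every instance of a process name, sparing -DontKill.
## -------------------------------------------------------------------
## Strip a trailing '.exe' BEFORE looking the name up: Get-Process -Name
## matches ProcessName, which never carries the extension, so the original
## order (lookup first, strip afterwards) reported 'calc.exe' as not running.
## The pattern is anchored and the dot escaped; the original '.exe'
## (unanchored, '.' = any char) also mangled names such as 'myexeproc'.
If($Proc_name -iMatch '\.exe$')
{
    write-host " Error: deleting extension from process name." -ForegroundColor Red
    $Proc_name = $Proc_name -replace '\.exe$',''
}
## Same validation as for -PPID: digits only and within Int32 range,
## otherwise fall back to sparing the current console.
$SparePid = $DontKill -as [int]
If(($DontKill -NotMatch '^\d+$') -or ($null -eq $SparePid))
{
    $DontKill = $PID
    $SparePid = [int]$PID
    write-host " Error: wrong input, default dontkill to $DontKill" -ForegroundColor Red
}
## NOTE: -Name accepts wildcards, so -Proc_name '*' enumerates (and kills)
## every process the token can terminate except $DontKill. The original
## tested the .Responding property here, which is $false for a hung process
## and so reported a running-but-hung target as "not found running";
## existence is what matters, so test the object list instead.
$DATAB = @(Get-Process -Name $Proc_name -EA SilentlyContinue)
If($DATAB.Count -eq 0)
{
    write-host " Error: process '$Proc_name' not found running." -ForegroundColor Red
    return
}
$DESCR = $DATAB.Description|Select-Object -Last 1
$PPATH = $DATAB.Path|Select-Object -Last 1
$MYPID = $DATAB.Id
write-host " Description : " -NoNewline
write-host "$DESCR" -ForegroundColor DarkYellow
write-host " Process PID : $MYPID found running."
Start-Sleep -Milliseconds 500
## Kill each instance in-process by PID. The original interpolated the
## ProcessName into a command string executed by a new powershell.exe; a
## process on the target whose executable name contains PowerShell
## metacharacters (e.g. '$(' or a backtick, all legal in a file name)
## would have been evaluated as code in the operator's context. Passing
## the numeric Id to Stop-Process removes that path entirely, and one
## Stop-Process per instance replaces the original loop that re-killed
## all instances of the same name on every iteration.
$Spared = $false
ForEach($Proc in $DATAB)
{
    If($Proc.Id -eq $SparePid)
    {
        $Spared = $true
        continue
    }
    write-host " sending kill command to PID $($Proc.Id)" -ForegroundColor DarkGray
    Stop-Process -Id $Proc.Id -Force -EA SilentlyContinue
    ## Bounded wait so the status check below is not racing the exit.
    try { $null = $Proc.WaitForExit(2000) } catch { }
}
## The original tested '$MYPID -Match "$DontKill"', a regex substring match
## over the PID list (DontKill 12 "matched" PID 1234); an exact Id
## comparison during the loop decides this instead.
If($Spared)
{
    write-host " Process State : " -NoNewline
    write-host "$Proc_name stopped except for PID $DontKill" -ForegroundColor Yellow
    write-host " Process Path : $PPATH"
    return
}
If(-not (Get-Process -Name $Proc_name -EA SilentlyContinue))
{
    write-host " Process State : " -NoNewline
    write-host "$Proc_name successfuly stopped .." -ForegroundColor Green
    write-host " Process Path : $PPATH"
}
Else
{
    write-host " Process State : " -NoNewline
    write-host "Fail to stop '$Proc_name' process?" -ForegroundColor Red
    write-host " Process Path : $PPATH"
}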