# Total Service Destruction

After acquiring all the abilities listed so far, a malicious thought came to mind:

We can toggle PPL off for a process, and we can terminate it with an elevated handle/token. In some cases, though, that is not enough to get rid of an EDR's presence: most EDRs have watchdog services that make sure that even if the process dies, another one rises to continue giving us a hard time.

With that said, those processes are just like any other process: an exe file that is loaded into memory and run as a process.

Deleting an EDR executable is usually not something we would think of, because the process is normally running, and even with the correct permissions over the file, the running process that holds a handle to it will prevent us from deleting it.

But as we said, we can elevate any handle to any object, and we can terminate any protected process.

So all one needs to do to prevent a watchdog service from re-running the terminated process is to delete the file it runs from.

And as such the following flow came to mind:

1. For each selected PID, turn off PPL, get a handle, elevate it, terminate the process

2. For each file behind each of the PIDs, get a handle, elevate it, delete the file.

Theoretically, if our code is fast enough to delete the files before the process returns, there is no longer an executable for the service to load, and we prevent the service from ever returning to operation.

Yes, this is brutal. It completely destroys an installed application. But an attacker would take any means necessary to get rid of a pesky EDR, no?

<figure><img src="/files/B3yvMssRcXFlA2bcu34o" alt=""><figcaption></figcaption></figure>

The code consists of a main flow and two separate functions, the first of which terminates a protected process by PID.

The flow for that would be:

1. Open a `PROCESS_QUERY_LIMITED_INFORMATION` handle to the target process

2. Elevate the HANDLE to `FULL_CONTROL`

3. Disable PPL

4. Terminate the process

<figure><img src="/files/Ka8EbeI1zcizVffwjI1k" alt=""><figcaption></figcaption></figure>

The second function is in charge of deleting the protected files.

Its flow would be:

1. Open a `READ_CONTROL` handle to the protected file

2. Elevate the handle to `FULL_CONTROL`

3. Delete the file using `NtSetInformationFile`

4. Close the handle to initiate deletion

<figure><img src="/files/7fRlHAXcyf0Jv4SqcPWm" alt=""><figcaption></figcaption></figure>

Now that we have all the required abilities, all that is left is to put it all together.

Get lists of PIDs and files to terminate and delete, and iterate over them:

<figure><img src="/files/52AQGBSFranrXrz93oas" alt=""><figcaption></figcaption></figure>
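The sequence above (a process terminated and its image file deleted moments later) is also what a defender would look for. The following is an added example, not code from the original post: a correlation over constructed endpoint telemetry that flags a file deletion occurring shortly after a process running from that same path was terminated. The event schema, field names, product paths and the 30-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption: an endpoint sensor emits
# process-terminate and file-delete events with these fields). The
# paths are placeholders, not a real product's install location.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "event": "ProcessTerminate", "pid": 4242,
     "image": r"C:\Program Files\ExampleEDR\agent.exe"},
    {"ts": "2024-01-01T10:00:01", "event": "FileDelete", "pid": 9001,
     "path": r"C:\Program Files\ExampleEDR\agent.exe"},
    {"ts": "2024-01-01T10:05:00", "event": "ProcessTerminate", "pid": 5150,
     "image": r"C:\Windows\notepad.exe"},
    {"ts": "2024-01-01T11:00:00", "event": "FileDelete", "pid": 9001,
     "path": r"C:\Windows\notepad.exe"},
]


def find_terminate_then_delete(events, window_seconds=30):
    """Return (path, terminate_ts, delete_ts) tuples where a file was
    deleted within `window_seconds` after a process running from that
    same image was terminated. A legitimate uninstall stops the service
    and removes files much later; the flow described above is tight."""
    recent = {}  # normalized image path -> timestamp of last termination
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "ProcessTerminate":
            recent[ev["image"].lower()] = ts
        elif ev["event"] == "FileDelete":
            key = ev["path"].lower()
            if key in recent and ts - recent[key] <= timedelta(seconds=window_seconds):
                hits.append((ev["path"], recent[key], ts))
    return hits


if __name__ == "__main__":
    for path, t_term, t_del in find_terminate_then_delete(EVENTS):
        print(f"ALERT: {path} terminated at {t_term}, deleted at {t_del}")
```

With the default window only the `agent.exe` pair is flagged; the notepad pair is 55 minutes apart and only matches if the window is widened.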
