Total Service Destruction

Your service brings a process back to life? nvm...

After acquiring all the abilities listed so far, a malicious thought came to our mind:

We are able to toggle PPL on a process, and we are also able to terminate it with an elevated handle / token. In some cases, though, this is not enough to get rid of an EDR’s presence: most EDRs have watchdog services which make sure that even if the process dies, another one rises again to continue giving us a hard time.

With that being said, those processes are just like any other process: an exe file which is loaded into memory and run as a process.

Deleting an EDR executable is usually not something we would think of, as the process is usually running; so even if you have the correct permissions over the file, the running process holding a handle to it will prevent us from deleting it.

But as we said, we can elevate any handle to any object, and we can terminate any protected process.

So, in that case, all that one needs to do in order to prevent a Watchdog service from re-running the terminated process is to delete the files it runs.

And as such the following flow came to mind:

1. For each selected PID, turn off PPL, get a handle, elevate it, terminate the process

2. For each file behind each of the PIDs – get a handle, elevate it, delete the file.

Theoretically, if our code is fast enough to delete the files before the process returns, there would be no executable left for the service to load, and by that we would prevent the service from ever returning to operation.

Yes, this is brutal. This completely destroys an installed application. But an attacker would take any means necessary to get rid of a pesky EDR no?

The code would consist of a main flow and two different functions, the first of which would be to terminate a protected process by PID.

The flow for that would be:

1. Open a PROCESS_QUERY_LIMITED_INFORMATION handle to the target process

2. Elevate the HANDLE to FULL_CONTROL

3. Disable PPL

4. Terminate the process

The second function would be in charge of deleting the protected files.

Its flow would be:

1. Open a READ_CONTROL handle to the protected file

2. Elevate the handle to FULL_CONTROL

3. Delete the file using NtSetInformationFile

4. Close the handle to initiate deletion

Now that we have all the required abilities, all that is left is to put it all together.

Get lists of PIDs and Files to terminate and delete, and iterate over them:
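The flow described above leaves a distinctive artifact on the host: a service registration whose binary no longer exists on disk, and, for a short time, a running process whose image file is gone. The following PowerShell is an added defensive check, not code from the original post; it enumerates services and processes and reports both conditions. The function names are my own, and the binary-path parsing assumes the usual `Win32_Service.PathName` forms (quoted path, unquoted path ending in `.exe`, `%SystemRoot%`-style variables and the `\??\` / `\SystemRoot` prefixes).

```powershell
# Added example (not from the original post): find services whose executable
# is missing from disk, and processes whose image file has been deleted.
# Run from an elevated prompt so that WMI can see every service and process.

function Get-ServiceBinaryPath {
    # Extract the image path from a Win32_Service.PathName command line.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    $p = $p -replace '^\\\?\?\\', ''                    # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # "\SystemRoot\..." form
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    # Unquoted command line: the image path ends at the first ".exe" token.
    $m = [regex]::Match($p, '(?i)^.+?\.exe\b')
    if ($m.Success) { return $m.Value }
    return ($p -split '\s+')[0]
}

function Find-OrphanedServices {
    # A service whose binary is gone cannot be restarted by its watchdog,
    # which is exactly the end state the technique above aims for.
    Get-CimInstance Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if ($bin -and -not (Test-Path -LiteralPath $bin)) {
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Binary    = $bin
                Finding   = 'service binary missing on disk'
            }
        }
    }
}

function Find-ProcessesWithMissingImage {
    # A live process whose image file no longer exists is the transient state
    # between "file deleted" and "process terminated". ExecutablePath is null
    # when WMI cannot open the process (protected processes included), so an
    # empty result here is not proof that nothing is wrong.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath } |
        ForEach-Object {
            if (-not (Test-Path -LiteralPath $_.ExecutablePath)) {
                [pscustomobject]@{
                    ProcessId = $_.ProcessId
                    Name      = $_.Name
                    Image     = $_.ExecutablePath
                    Finding   = 'running process image deleted from disk'
                }
            }
        }
}

Find-OrphanedServices | Format-Table -AutoSize
Find-ProcessesWithMissingImage | Format-Table -AutoSize
```

This is a point-in-time check; for continuous coverage, correlate it with file-deletion telemetry on the security product's install directory (Sysmon event IDs 23 and 26, or Security events 4660/4663 with a SACL on that directory) and with the vendor's own sensor-health reporting, since a deleted sensor will stop sending heartbeats at the same moment these findings appear.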
