Vault7: CIA Hacking Tools Revealed

Owner: User #71473
List of ideas for fun and interesting ways to kill/crash a process (WreckingCrew)
| Concept | Status | Name |
|---|---|---|
| Inject a thread that calls ExitProcess | DONE | ExitRemoteProcess_LTWR |
| Inject a thread that calls sprintf_s with a bogus pointer for the format string | DONE | CrashRemoteProcess_KAOS |
| Inject a stub function that calls CreateProcessW with a constant string for lpCommandLine | Concept phase | CrashRemoteProcess_EMPR |
| Inject a stub or DLL that divides by zero | Concept phase | CrashRemoteProcess_DKNS |
| Inject a stub or DLL that dereferences a NULL pointer | Concept phase | CrashRemoteProcess_ZMUS |
| Inject a stub or DLL that double frees a buffer | Concept phase | CrashRemoteProcess_XDTH |
| Inject a stub or DLL that walks through the process looking for writable pages and fills them with garbage | Concept phase | CrashRemoteProcess_KFKA |
| Inject a stub or DLL that walks through the handle table of a process and does bad things to the handles, like closing them out from under the process, if this is even possible | Concept phase | CrashRemoteProcess_SEPH |
| Suspend all of the threads in a process and leave them like that, then inject one thread that pegs the CPU for each core on the box. Do this to enough processes and fun will ensue? | Concept phase | CrashRemoteProcess_ULTM |
Fun things to do with these:
- Kill pesky processes in unit tests that don't want to die normally
- Knock over PSPs
- Troll people
- CA
POC Tools:
- WreckingCrewPlayground: Starts notepad and calls ExitRemoteProcess, then starts it again and calls CrashRemoteProcess_KAOS.
- WarheadsToForeheads: Enumerates every possible PID on the system and attempts to call ExitRemoteProcess, then CrashRemoteProcess_KAOS if that fails. If run as a normal user, it will only kill basic user processes, but it may repeatedly kill processes that restart if the restarted process receives a higher PID than the one currently being enumerated. Crashes the system if run as SYSTEM.
- AdNauseum: If run as a non-SYSTEM user, infinitely kills explorer.exe, which is mildly annoying. If run as SYSTEM, infinitely kills dwm.exe, which destabilizes the UI to the point that moving the mouse and/or clicking on things at just the wrong time crashes Winlogon. Lots of fun.
- KillItWithFire: (Concept) Simple tool (injectable DLL or EXE) that targets a specific pre-configured process name, or takes a PID or name via the command line, and knocks it over using as many techniques as it takes. RedShirt on crack.
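From the defender's side, the two patterns above that stand out in telemetry are a remote thread whose entry point is a termination primitive (the ExitRemoteProcess technique) and one source process repeatedly injecting into fresh instances of the same image (the WarheadsToForeheads / AdNauseum restart-and-kill loop). The following is an added detection sketch, not code from this page; it assumes Sysmon Event ID 8 (CreateRemoteThread) records flattened to dicts, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample records shaped like Sysmon Event ID 8 (CreateRemoteThread) fields.
SAMPLE_EVENTS = [
    {"t": 1, "SourceProcessId": 4100, "SourceImage": r"C:\lab\wc.exe",
     "TargetProcessId": 5200, "TargetImage": r"C:\Windows\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "ExitProcess"},
    {"t": 2, "SourceProcessId": 4100, "SourceImage": r"C:\lab\wc.exe",
     "TargetProcessId": 5310, "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "ExitProcess"},
    {"t": 3, "SourceProcessId": 4100, "SourceImage": r"C:\lab\wc.exe",
     "TargetProcessId": 5344, "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "ExitProcess"},
    {"t": 4, "SourceProcessId": 4100, "SourceImage": r"C:\lab\wc.exe",
     "TargetProcessId": 5360, "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "ExitProcess"},
    # Benign noise: a system process starting a thread at the normal thread entry point.
    {"t": 5, "SourceProcessId": 700, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 5400, "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

# Entry points that only make sense as a remote thread start if the goal is to
# terminate or crash the target (the primitives named in the table above).
KILL_PRIMITIVES = {"ExitProcess", "TerminateProcess", "sprintf_s", "CreateProcessW"}


def flag_kill_threads(events):
    """Return cross-process thread creations whose start function is a kill/crash primitive."""
    return [e for e in events
            if e["SourceProcessId"] != e["TargetProcessId"]
            and e["StartFunction"] in KILL_PRIMITIVES]


def repeat_offenders(events, threshold=3):
    """Map (source pid, target image) -> number of distinct target PIDs hit, for sources
    that injected kill threads into `threshold` or more instances of the same image.
    Distinct PIDs for one image name is the signature of killing a process as it restarts."""
    hits = defaultdict(set)
    for e in flag_kill_threads(events):
        hits[(e["SourceProcessId"], e["TargetImage"].lower())].add(e["TargetProcessId"])
    return {key: len(pids) for key, pids in hits.items() if len(pids) >= threshold}


if __name__ == "__main__":
    for e in flag_kill_threads(SAMPLE_EVENTS):
        print(f"t={e['t']} {e['SourceImage']} -> {e['TargetImage']} via {e['StartFunction']}")
    print(repeat_offenders(SAMPLE_EVENTS))
```

The start-function lookup relies on the sensor resolving the thread address to an export; a stub that wraps the call (the "inject a stub" rows above) shows up as an unbacked or non-image start address instead, which is worth its own rule.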