kill_lolbin_proccess.py
import logging
import os
import time

import psutil
# Process names that are never terminated, whatever files they hold open.
# NOTE(review): this is a name-only allowlist; nothing in this file checks
# the executable's path or signer, so it is a convenience, not a trust boundary.
whitelist = [
    "notepad.exe",
    "calc.exe",
]

# Bare, lower-case executable basenames of the Windows LOLBins this monitor
# reacts to. Order is irrelevant to the membership tests below but is kept
# stable so the list diffs cleanly.
lolbins = [
    "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "certreq.exe",
    "cscript.exe", "csc.exe", "dnscmd.exe", "fpcutil.exe",
    "installutil.exe", "mshta.exe", "msiexec.exe", "msxsl.exe",
    "net.exe", "net1.exe", "nslookup.exe", "powershell.exe",
    "rasautou.exe", "reg.exe", "regedit.exe", "schtasks.exe",
    "sc.exe", "taskkill.exe", "tasklist.exe", "vssadmin.exe",
    "wmic.exe",
]
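logger = logging.getLogger(__name__)


def _is_lolbin_path(path, lolbin_names):
    """Return True when the file at *path* has a LOLBin basename.

    The original check compared the full path reported by ``open_files()``
    against bare executable names, so it could never match. Comparing the
    lower-cased basename fixes that and tolerates Windows' case-insensitive
    file names.

    Args:
        path: absolute path of an open file, as reported by psutil.
        lolbin_names: set of lower-cased LOLBin executable basenames.
    """
    return os.path.basename(path).lower() in lolbin_names


def _kill_lolbin_handlers(allowed_names, lolbin_names):
    """Run one sweep over all processes and kill those holding a LOLBin file open.

    Only open file handles are inspected (``open_files()``); the process's own
    executable is not compared against *lolbin_names*.
    NOTE(review): whether the executable image itself shows up in
    ``open_files()`` is platform-dependent -- confirm on the target OS before
    relying on this to stop a LOLBin that holds no other LOLBin file open.

    Args:
        allowed_names: lower-cased process names that are never killed.
        lolbin_names: lower-cased LOLBin executable basenames.

    Returns:
        A list of ``(pid, name)`` tuples for every process killed in this
        sweep, so the caller can record them for later review.
    """
    killed = []
    own_pid = os.getpid()
    for process in psutil.process_iter():
        try:
            # Never terminate the monitor itself, whatever it has open.
            if process.pid == own_pid:
                continue
            name = process.name()
            if name.lower() in allowed_names:
                continue
            if any(_is_lolbin_path(f.path, lolbin_names) for f in process.open_files()):
                process.kill()
                killed.append((process.pid, name))
        except (psutil.Error, OSError) as err:
            # Processes exit, or deny access, between enumeration and
            # inspection; that is normal for a sweep, so record it and go on
            # rather than swallowing every error silently.
            logger.debug("skipping pid %s: %s", process.pid, err)
    return killed


def main(poll_interval=10):
    """Poll forever, sweeping all processes every *poll_interval* seconds.

    Args:
        poll_interval: seconds to sleep between sweeps. Short-lived processes
            that start and exit inside this window are never seen, so a
            smaller value tightens detection at the cost of CPU.
    """
    # Normalise once so every per-process comparison is a set lookup.
    allowed_names = {n.lower() for n in whitelist}
    lolbin_names = {n.lower() for n in lolbins}
    while True:
        for pid, name in _kill_lolbin_handlers(allowed_names, lolbin_names):
            # A kill is a response action; always leave an audit record of it.
            logger.warning("killed pid %s (%s): open handle to a LOLBin file", pid, name)
        time.sleep(poll_interval)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    main()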