GUI-Remote Tasklist/Killer


kpu

There might be a better way to do this, but this works pretty good. Some improvements may be input boxes asking for the username and password to connect with. B)

By the way, is there a place I can upload this here? Or do I need to do it from my own server?

#include <GuiConstants.au3>
#include <File.au3>
Dim $aRecords, $pFile, $comboList, $task
;------------------------------------------------------------------------------------
;Remote Process Lister
;------------------------------------------------------------------------------------
_errorCtl()
$pc = InputBox("Task List", "Please type in the PC name or IP", "zfd-cp-30871")
If @error = 1 Then
    Exit
EndIf
$uid = "Administrator"
$pw = "password"
$pFile = @TempDir & "\Processes.txt"
$kFile = @TempDir & "\killed.txt"
$qFile = @TempDir & "\query.txt"
;------------------------------------------------------------------------------------
_GetProcessList()
_ComboBoxData()
;------------------------------------------------------------------------------------
;                                   CODE
;------------------------------------------------------------------------------------
GUICreate("Process Tool", 339, 136, 430, 346)
$ComboBox1 = GUICtrlCreateCombo("Click the Drop down to select process", 8, 8, 313, 21)
GUICtrlSetLimit(-1, 14)
GUICtrlSetData($ComboBox1, $comboList)
$btnKillProcess = GUICtrlCreateButton("Kill Process", 152, 80, 81, 17)
$Label1 = GUICtrlCreateLabel("Remove Spaces from above line so it only includes process", 8, 32, 280, 13)
$Label2 = GUICtrlCreateLabel("Example: Line should only contain this: notepad.exe", 8, 48, 244, 13)
$btnCancel = GUICtrlCreateButton("Cancel", 240, 80, 81, 17)
GUISetState()
While 1
    $msg = GUIGetMsg()
    Select
        Case $msg = $btnKillProcess
            $task = GUICtrlRead($ComboBox1)
        ;MsgBox(32,"",$task)
            _KillProcess()
        Case $msg = $btnCancel
            _CleanUpMess()
            ExitLoop
        Case $msg = $GUI_EVENT_CLOSE
            _CleanUpMess()
            ExitLoop
        Case Else
        ;;;
    EndSelect
WEnd
Exit
Func _errorCtl();This is used for error control.
    If UBound(ProcessList(@ScriptName)) > 2 Then
        $run2 = MsgBox(164, "Warning", "Application is already running!")
        Exit
    Else
    EndIf
EndFunc  ;==>_errorCtl
Func _CleanUpMess()
    FileDelete($pFile)
    FileDelete($qFile)
    FileDelete($kFile)
EndFunc  ;==>_CleanUpMess
Func _ComboBoxData()
    If Not _FileReadToArray($pFile, $aRecords) Then
        MsgBox(4096, "Error", "Unable to Read File! Error:" & @error)
        Exit
    EndIf
    For $x = 1 To $aRecords[0]
        $comboList = $comboList & $aRecords[$x] & "|"
    Next
    $comboList = StringTrimRight($comboList, 1)
EndFunc  ;==>_ComboBoxData
Func _GetProcessList()
    ProgressOn("Compiling Task List", "Please wait...", "0 percent", "", "", 16)
    RunWait(@ComSpec & " /c " & "tasklist /S " & $pc & " /U " & $uid & " /P " & $pw & " > " & $pFile, "", @SW_HIDE)
    For $i = 5 To 100 Step 10
        Sleep(10)
        ProgressSet($i, $i & " percent")
    Next
    If FileGetSize($pFile) = "0" Then
        $pw = "";Secondary Password incase first password doesn't work.
        RunWait(@ComSpec & " /c " & "tasklist /S " & $pc & " /U " & $uid & " /P " & $pw & " > " & $pFile, "", @SW_HIDE)
        If FileGetSize($pFile) = "0" Then; check the temp file that tasklist wrote to
        ;------------------------------------------------------------------------------------
            $var = Ping($pc, 250)
            If $var Then; also possible:  If @error = 0 Then ...
                MsgBox(0, "Status", "PC is Online but I'm unable to connect. Roundtrip was:" & $var)
                FileDelete($pFile)
            Else
                MsgBox(32, "Warning!", "Unable to compile a list of Tasks. Please make sure you typed the PC name correctly")
                FileDelete($pFile)
            EndIf
        ;------------------------------------------------------------------------------------
            ProgressOff(); close the progress window before exiting
            Exit
        EndIf
    EndIf
;------------------------------------------------------------------------------------
    ProgressSet(100, "Done", "Complete")
    Sleep(500)
    ProgressOff()
;runwait( "notepad.exe " & $pFile)
;WinWaitClose($pFile)
;FileDelete($pFile)
EndFunc  ;==>_GetProcessList
Func _KillProcess()
    ProgressOn("Compiling Task List", "Please wait...", "0 percent", "", "", 16)
    RunWait(@ComSpec & " /c " & "taskkill /S " & $pc & " /U " & $uid & " /P " & $pw & " /F /IM " & $task & " /T > " & $kFile, "", @SW_HIDE)
    If FileGetSize($kFile) = "0" Then
        $pw = "";Secondary Password incase first password doesn't work.
        RunWait(@ComSpec & " /c " & "taskkill /S " & $pc & " /U " & $uid & " /P " & $pw & " /F /IM " & $task & " /T > " & $kFile, "", @SW_HIDE)
        For $i = 5 To 100 Step 10
            Sleep(10)
            ProgressSet($i, $i & " percent")
        Next
        If FileGetSize($kFile) = "0" Then
            $var = Ping($pc, 250)
            If $var Then; also possible:  If @error = 0 Then ...
                RunWait(@ComSpec & " /c " & 'tasklist /S ' & $pc & ' /U ' & $uid & ' /P ' & $pw & ' /FI "imagename eq ' & $task & '" > ' & $qFile, "", @SW_HIDE)
                If FileGetSize($qFile) = "0" Then
                    MsgBox(16, "Warning!", "No tasks running with the specified criteria.")
                    FileDelete($qFile)
                EndIf
                FileDelete($kFile)
            Else
                MsgBox(16, "Warning!", "Unable to connect to the PC. Make sure the name is typed correctly")
                FileDelete($kFile)
            EndIf
            ProgressOff()
        EndIf
    EndIf
    If FileGetSize($kFile) = "0" Then
        Exit
    Else
        $file = FileOpen($kFile, 0)
        If $file = -1 Then
            MsgBox(0, "Error", "Unable to open file.")
            Exit
        EndIf
        $line = FileReadLine($file, 1)
        MsgBox(0, "", $line)
        FileClose($file)
        FileDelete($kFile)
        ProgressSet(100, "Done", "Complete")
        Sleep(500)
        ProgressOff()
    EndIf
EndFunc  ;==>_KillProcess
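An added example, not part of kpu's post: the script above concatenates the typed PC name and combo text into a `cmd /c` line and passes a hard-coded password with `/P`, where it is visible in the process command line. The sketch below prompts for credentials, validates both inputs, starts `tasklist`/`taskkill` directly under network-only credentials and fills the combo with image names taken from CSV output. It assumes a current AutoIt v3.3 release (where `RunAs` and `RunAsWait` exist) and a local account on the target; all helper names are hypothetical.

```autoit
; Added example, not kpu's code. The _Is*/_Remote*/_Kill* names are hypothetical.
Func _IsSafeHost($s) ; host name or IPv4 literal only
    Return StringRegExp($s, "^[A-Za-z0-9][A-Za-z0-9.\-]{0,62}$") = 1
EndFunc

Func _IsSafeImage($s) ; e.g. notepad.exe; no quotes or shell metacharacters
    Return StringRegExp($s, "^[A-Za-z0-9][A-Za-z0-9 _.\-]{0,63}$") = 1
EndFunc

Func _RemoteImageNames($pc, $user, $pw)
    If Not _IsSafeHost($pc) Then Return SetError(1, 0, "")
    ; /FO CSV /NH prints one quoted record per process and no header row.
    Local $cmd = 'tasklist /S "' & $pc & '" /FO CSV /NH'
    ; Logon flag 2: credentials are used for network access only, so no /U or /P
    ; is put on the command line. Last argument 2 = $STDOUT_CHILD (capture stdout).
    ; Assumption: $user is a local account on $pc, so $pc is passed as the domain.
    Local $pid = RunAs($user, $pc, $pw, 2, $cmd, @SystemDir, @SW_HIDE, 2)
    If $pid = 0 Then Return SetError(2, 0, "")
    Local $out = ""
    While 1
        $out &= StdoutRead($pid)
        If @error Then ExitLoop ; child closed its stdout
        Sleep(10)
    WEnd
    ; The first CSV field of every record is the image name.
    Local $names = StringRegExp($out, '(?m)^"([^"]+)"', 3)
    If @error Then Return SetError(3, 0, "")
    Local $list = ""
    For $i = 0 To UBound($names) - 1
        If _IsSafeImage($names[$i]) Then $list &= $names[$i] & "|"
    Next
    Return StringTrimRight($list, 1) ; ready for GUICtrlSetData()
EndFunc

Func _KillRemoteImage($pc, $user, $pw, $image)
    If Not _IsSafeHost($pc) Or Not _IsSafeImage($image) Then Return SetError(1, 0, -1)
    Local $cmd = 'taskkill /S "' & $pc & '" /F /T /IM "' & $image & '"'
    Return RunAsWait($user, $pc, $pw, 2, $cmd, @SystemDir, @SW_HIDE) ; exit code
EndFunc

; Prompt instead of hard-coding; "*" masks the typed password.
Local $pc = InputBox("Task List", "PC name or IP")
Local $uid = InputBox("Task List", "User name", "Administrator")
Local $pw = InputBox("Task List", "Password", "", "*")
Local $items = _RemoteImageNames($pc, $uid, $pw)
If @error Then Exit MsgBox(16, "Task List", "Could not list processes on " & $pc)
```

Because the combo then holds bare image names, the "Remove Spaces from above line" step in the original GUI is no longer needed, and no process list is left in `@TempDir`.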

I'm not sure about the taskkill command, but pskill.exe is the most powerful tool to kill processes! It can kill locked processes like lsass.exe. I know there is no reason to kill lsass.exe, but some rootkits or services won't let you kill them if you pass the command to WMI. pskill is the only one I know that kills the process at the SYSTEM level!

It's a free tool. Search for the pstoolkit! There are many nice tools, from Unix ports to Windows!

I hope this helps you update your script!

Greenseed
MCSE+I, CCNA, A+
Canada, Quebec
Make Love Around You.


I know hackers use pstoolkit to get their job done! But it is also a powerful tool for the admin who wants to kick that hacker off! And if the admin is too paranoid to let people use pskill, my god! The problem with that method is that he is not working to block hackers from entering his domain; he is trying to block the tools hackers use!

Hackers use the best tools available! All powerful! Like PStoolkit, Dameware, netcat, packet sniffers and many more!

But the real problem is: why can a hacker use tools on my domain, even if it is calc.exe?

If you use these tools before the hacker does, you will cut his leg off!

I'm a network admin and I've seen many things at new clients! My god!

I've tracked some botnets and they are, for the most part, really easy to rehack and destroy if you use these nice tools! I'll explain myself!

I got this new job one day!

When I saw the domain for the first time, I connected my computer to its network with Firewall-1 activated and logging, a packet sniffer and my very best friend Dameware (much used by hackers to administer their hacked domains). My Firewall-1 saw many connection attempts that were not really friendly! With Dameware I was able to see all the services or processes hidden by the rootkit because my computer was not infected! And with Dameware, pstoolkit and KiXtart (can be replaced by AutoIt) I was able to remove all the bots from all the computers of the domain in a short time.

After that I made a honeypot (I did not disinfect one computer), installed a packet sniffer on it and let its bot make its connection with its IRC server. And now I have captured his password and username! I'm reading up on the bot in question to learn about its commands!

Now I connected myself to his IRC network with the password and username I captured.

When I got on his IRC channel for maintaining the bots I found 6000 of them, my god! It can be very dangerous to play with that! Then I sent a command to change all the bots' password, and his botnet was mine!

Of course I destroyed it! But the hacker is not the problem! The admin of the network was!

I'm stopping this story here because it makes me angry not to know how to tell the story correctly in English!

And this is not the place to talk about this!

And try some exe editor like the one in SciTE, ResHacker; maybe you can hide pskill from McAfee, or simply change the rights on that file to make it readable only by you, NOT by the SYSTEM account.

But if you need advice to protect your Windows domain it will be my pleasure to help!

Like, the most powerful tool to gain access on a system is made by Microsoft!

It is called AT.exe (Task Scheduler). The problem has been known since NT 3.51.

We call it Escalation of security.

Try this in DOS: "AT timenow /INTERACTIVE regedit.exe"

When regedit comes up, check in security: you are now in the SYSTEM account! You are the most powerful user on the system! And now you can decrypt passwords on the go! This is a big problem! In all my domains I lock the AT command with GP and erase it with my logon script! I think this is good paranoia.

OK, I'm out, bye bye!

Greenseed
MCSE+I, CCNA, A+
Canada, Quebec
Make Love Around You.
