hlldz / phant0m Goto Github PK

View Code? Open in Web Editor NEW

1.7K 62.0 299.0 712 KB

Windows Event Log Killer

C 89.27% C++ 10.73%

powershell windows eventlog eventlog-service cpp reflective-dll cobalt-strike

phant0m's People

Contributors

Stargazers

Watchers

Forkers

bgasecurity teakolik johnjohnsp1 team-firebugs vysecurity sust4in topotam minkione spnow cybervaca fb11 kbahaxor opexxx jamcut ausec njseclab ibluerose voidp34r dnhdang94 tobey123 izogain aaeolus 4w4k3 alex-dengx therockstardba shireeshj hackmycontrolsystem wisdark ang3ll h1d3r wilsonleeee quikilr jymcheong test1213145 joinbaijun aln7 theralfbrown y0d4a blueskeye bioless und3rf10w shantanu561993 beerandgin initiate6 methos2016 h0k5 snollyg0st3r tigerteamdevops rainism brownbelt sinmygit bronxc harleyqu1nn adbgit exploitcollection b1gw00d mehrdad-shokri kirus22 jack51706 beyondcy 2010phenix xunny zshell xi4oyu moriarty2016 techlord-rce firefalc0n wzor z3v2cicidi danxaldanxe demonsec666 m00zh33 ykankaya mshafiqsb anon0ps lexluga fingerleakers 1sn0m4d samyoyo marshell88 forgivential tyekrgk ck00004 eltorobiz alpha0king f1uyu4n olafhartong gavz dannymas akiraaisha 18nvaz 111cyber0cculte888 cephurs mickeystone vantablacker shangadi czg792845236 mmg1 abuyv layamba25

phant0m's Issues

Invoke-Phant0m detecting

Hello, first of all congratulations on invoke-phat0m. I would like to know if there would be any way to detect that invoke-phat0m is running.

Thank you very much.

Can I kill events with ID 7001 and 7002? (source winlogon)

title.

Update

Please update your script for newver versions OS.

[NOT AN ISSUE] - Request

Hello,
this is a good idea. Maybe it's a good idea to extend your work with a Windows-Defender-Killer.

best

How can i restart the event log service

Hello,
How can i restart the event log service？

best

Hello,
I would like to try this tool in terms of research, however VirusTotal claims this tool to be malicious (trojan) (especially the invoke phant0m powershell script).
Here is the scan result: https://www.virustotal.com/gui/file/e168c1bae641c1cc8a96a0092ce87a27ff7eecd2bf9c1fa85f23c14a70c6e504

Is it because of it's nature of disabeling the logging task?

Thanx in advance for explanation.

Code Explain

hi
can you explain about this code:
using myNtQueryInformationThread = NTSTATUS(NTAPI*)(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength
);

help

Can you improve the release plz?

A working version for latest windows version...

https://github.com/codecastor/WinEventSuspend

This is basically the same idea as it was implemented in Phant0m, but that one works. Instead of killind the Service's threads, we suspend them. This is because in the latest windows version, the threads are re-created as soon as they are killed.

Can't build

Visual Studio Info:

Microsoft Visual Studio Community 2019
Version 16.10.3
VisualStudio.16.Release/16.10.3+31424.327
Microsoft .NET Framework
Version 4.8.04084

Installed Version: Community

Visual C++ 2019   00435-60000-00000-AA560
Microsoft Visual C++ 2019

ASP.NET and Web Tools 2019   16.10.526.50910
ASP.NET and Web Tools 2019

Azure App Service Tools v3.0.0   16.10.526.50910
Azure App Service Tools v3.0.0

C# Tools   3.10.0-4.21318.11+7ceb633154acb9d716fd3eb2b6df1a0468d8e416
C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Common Azure Tools   1.10
Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.

IntelliCode Extension   1.0
IntelliCode Visual Studio Extension Detailed Info

Microsoft JVM Debugger   1.0
Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines

Microsoft MI-Based Debugger   1.0
Provides support for connecting Visual Studio to MI compatible debuggers

Microsoft Visual C++ Wizards   1.0
Microsoft Visual C++ Wizards

Microsoft Visual Studio VC Package   1.0
Microsoft Visual Studio VC Package

NuGet Package Manager   5.10.0
NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/

ProjectServicesPackage Extension   1.0
ProjectServicesPackage Visual Studio Extension Detailed Info

Visual Basic Tools   3.10.0-4.21318.11+7ceb633154acb9d716fd3eb2b6df1a0468d8e416
Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Visual F# Tools   16.10.0-beta.21262.7+1b23bbeda88ea3cb9be9af777f4c99fa8663df81
Microsoft Visual F# Tools

Visual Studio Code Debug Adapter Host Package   1.0
Interop layer for hosting Visual Studio Code debug adapters in Visual Studio

Visual Studio Tools for CMake   1.0
Visual Studio Tools for CMake

Visual studio errors/warnings when building:

Severity    Code    Description Project File    Line    Suppression State
Error   LNK1120 2 unresolved externals  phant0m-rdll    C:\Users\PinkDev1\Downloads\Phant0m-master\Phant0m-master\phant0m\x64\Debug\phant0m-rdll.exe 1   
Error   LNK2019 unresolved external symbol main referenced in function "int __cdecl invoke_main(void)" (?invoke_main@@YAHXZ)    phant0m-rdll    C:\Users\PinkDev1\Downloads\Phant0m-master\Phant0m-master\phant0m\phant0m-rdll\MSVCRTD.lib(exe_main.obj) 1   
Error   LNK2019 unresolved external symbol _MoveFromCoprocessor referenced in function ReflectiveLoader phant0m-rdll    C:\Users\PinkDev1\Downloads\Phant0m-master\Phant0m-master\phant0m\phant0m-rdll\ReflectiveLoader.obj  1   
Error   LNK2005 DllMain already defined in main.obj phant0m-rdll    C:\Users\PinkDev1\Downloads\Phant0m-master\Phant0m-master\phant0m\phant0m-rdll\ReflectiveLoader.obj  1   
Warning C4312   'type cast': conversion from 'int' to 'BYTE *' of greater size  phant0m-rdll    C:\Users\PinkDev1\Downloads\Phant0m-master\Phant0m-master\phant0m\phant0m-rdll\ReflectiveLoader.c    116 
Warning C4013   '_MoveFromCoprocessor' undefined; assuming extern returning int phant0m-rdll    C:\Users\PinkDev1\Downloads\Phant0m-master\Phant0m-master\phant0m\phant0m-rdll\ReflectiveLoader.c    116

Did I do something wrong?

Porting to C#

Do you have any plans on porting this awesome script to C#, since PowerShell is not opsec safe nowadays.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.