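Function Invoke-ProcessLock {
<#
.SYNOPSIS
Invoke-ProcessLock
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.DESCRIPTION
Takes a snapshot of the running processes, then polls Get-Process every
-Delay seconds and stops any process whose PID was not in that snapshot.

Processes are tracked by PID, not by name. A new instance of an image that
was already running (a second cmd.exe, another svchost) is therefore still
detected and stopped, the instances that existed at start are never touched,
and renaming a binary after something in the allow-list does not bypass it.
The flip side is that a legitimate process which restarts (new PID) is also
stopped: the lock allows exactly the set of processes present at start.

Security caveats (read before relying on this):
- It polls. A process started between two polls runs for up to -Delay
  seconds and anything that finishes inside that window (a one-shot payload,
  a task that drops a file and exits) is never stopped. This is a speed
  bump, not a preventive control.
- Allowed PIDs that exit are forgotten, so a later reuse of that PID is
  caught; a PID reused within a single poll interval is not.
- Stopping processes owned by other users or SYSTEM requires an elevated
  session; access-denied and protected-process failures are reported as
  warnings and skipped, not retried.
- Everything new is stopped, including OS-initiated processes (service
  restarts, new logon sessions). That is a self-inflicted denial of service
  on the host, which is why this is CTF-only.
- An attacker who was already running before the snapshot, or who can stop
  this PowerShell host, is unaffected.
.PARAMETER Delay
Seconds to sleep between polls. Default 5. Must be >= 0.
.PARAMETER MaxIterations
Number of polls to run before returning. Default 0 means loop forever
(only Ctrl-C stops the function). Mainly useful for testing.
.EXAMPLE
PS C:\> Invoke-ProcessLock -Delay 10
.EXAMPLE
PS C:\> Invoke-ProcessLock -Delay 1 -MaxIterations 3 -WhatIf
Shows which processes would be stopped over three polls without stopping any.
.LINK
https://github.com/obscuresec/CCDC/blob/master/Invoke-ProcessLock
http://obscuresec.com/
.NOTES
This script was created for CTF competitions like CCDC, don't use in production.
#>
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param(
        [Parameter()]
        [ValidateRange(0, 2147483647)]
        [int32] $Delay = 5,

        [Parameter()]
        [ValidateRange(0, 2147483647)]
        [int32] $MaxIterations = 0
    )

    # Allow-list of PIDs present at start. Keyed by PID rather than by
    # name so that name collisions neither hide a new process nor cause
    # pre-existing instances of the same image to be stopped.
    $allowedIds = @{}
    foreach ($p in (Get-Process)) {
        $allowedIds[$p.Id] = $true
    }
    Write-Verbose "Locked $($allowedIds.Count) processes"

    $iteration = 0
    while ($MaxIterations -eq 0 -or $iteration -lt $MaxIterations) {
        $iteration++
        $current = Get-Process

        # Forget allowed PIDs that have exited, so a later reuse of that
        # PID by a new process is not silently allowed.
        $seen = @{}
        foreach ($proc in $current) {
            $seen[$proc.Id] = $true
        }
        foreach ($id in @($allowedIds.Keys)) {
            if (-not $seen.ContainsKey($id)) {
                $allowedIds.Remove($id)
            }
        }

        foreach ($proc in $current) {
            if ($allowedIds.ContainsKey($proc.Id)) {
                continue
            }
            $target = "$($proc.ProcessName) (PID $($proc.Id))"
            Write-Verbose "New process detected: $target"
            # ShouldProcess honours -WhatIf / -Confirm for this destructive step.
            if ($PSCmdlet.ShouldProcess($target, 'Stop-Process')) {
                try {
                    # -Force suppresses Stop-Process's own "not owned by the
                    # current user" prompt, which would otherwise block the loop.
                    Stop-Process -Id $proc.Id -Force -ErrorAction Stop
                    Write-Verbose "Stopped $target"
                } catch {
                    # Already exited, protected process, or access denied in a
                    # non-elevated session: report and keep going rather than
                    # letting one failure take the whole lock down.
                    Write-Warning "Could not stop ${target}: $($_.Exception.Message)"
                }
            }
        }

        # Sleep for the specified number of seconds before the next poll.
        Start-Sleep -Seconds $Delay
    }
}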
# Runs immediately on load with verbose output: executing or dot-sourcing this
# file starts stopping new processes right away and only Ctrl-C ends it.
Invoke-ProcessLock -Verbose