README.md
+4-3
@@ -6,21 +6,22 @@ Have these local admin credentials but the EDR is standing in the way? Unhooking
#### What can it do?
```
Usage: backstab.exe <-n name || -p PID> [options]
-
-n, Choose process by name, including the .exe suffix
+
-n, Choose process by name, including the .exe suffix
-p, Choose process by PID
-l, List handles of protected process
-k, Kill the protected process by closing its handles
-x, Close a specific handle
-d, Specify path to where ProcExp will be extracted
-s, Specify service name registry key
-u, Unload ProcExp driver
+
-a, adds SeDebugPrivilege
-h, Print this menu
Examples:
backstab.exe -n cyserver.exe -k [kill cyserver]
backstab.exe -n cyserver.exe -x E4C [Close handle E4C of cyserver]
backstab.exe -n cyserver.exe -l [list all handles of cyserver]
-
tbackstab.exe -p 4326 -k -d c:\\driver.sys [kill protected process with PID 4326, extract ProcExp driver to C:\ drive]
+
backstab.exe -p 4326 -k -d c:\\driver.sys [kill protected process with PID 4326, extract ProcExp driver to C:\ drive]
```
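Review bot: the added option line `-a, adds SeDebugPrivilege` breaks the style of the surrounding usage text, where every other description is a capitalized imperative (`Choose`, `Kill`, `Close`, `Specify`, `Unload`), and it does not say which process receives the privilege; suggest `-a, Add SeDebugPrivilege to the current process` and an `Examples:` entry showing it combined with `-k`, since it is the new behaviour this change introduces. The last example fixes the `tbackstab.exe` typo but keeps `c:\\driver.sys`: inside a fenced block markdown does not process backslash escapes, so the README renders a doubled backslash that does not match the bracketed description "extract ProcExp driver to C:\ drive"; `c:\driver.sys` would be correct there.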
@@ -40,7 +41,7 @@ Here is a quick rundown of what happens
#### What you should also know
1. The behavior of the tool mimics that of ProcExp. ProcExp drops the driver to the disk, create registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, calls NtLoadDriver, and then delete the registry key
2. You can specify the location to which the driver is dropped and the service name
-
3. When done, the app will unload the driver if you specify the option to unload the driver. The driver is unloaded by first re-creating the registry keys and then calling NtUnloadDriver
+
3. When done, the app will unload the driver. The driver is unloaded by first re-creating the registry keys and then calling NtUnloadDriver
4. The loaded driver is signed by MS
5. The process does not attempt to directly kill protected processes handles, it instructs ProcExp driver to kill them. You won't be accused of attempting to tamper with any processes
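Review bot: the rewritten item 3 (`When done, the app will unload the driver.`) now describes unloading as unconditional, but the usage block in the first hunk still lists `-u, Unload ProcExp driver` as an opt-in flag, so the two halves of this README contradict each other after the change. Either the `-u` line should be dropped or reworded to match, or item 3 should keep the conditional, e.g. `When done, the app will unload the driver if you pass -u.` Leaving the driver loaded versus not is exactly what a blue team would look for (a signed but unexpected driver and a `CurrentControlSet\Services` key that appears and disappears), so the documented behaviour should be precise. Minor, in the unchanged context lines of this hunk: item 1 mixes `drops` with `create` and `delete` (should be `creates`, `deletes`), and item 5 `protected processes handles` should be `protected process's handles`.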