Attempts to suspend all known AV/EDRs processes on Windows using syscalls and the undocumented NtSuspendProcess API. Made with <3 for pentesters. Written in Rust.

Related tags

Security tools rust pentest
Overview

Ronflex

Attempts to suspend all known AV/EDRs processes on Windows using syscalls and the undocumented NtSuspendProcess API. Made with <3 for pentesters. Written in Rust.

WARNING

Ronflex tries to suspend all known AV/EDRs and other security product processes. There is a high chance that the system will be unstable after Ronflex did its thing ! Use at your own risks.

Known limitations

At the moment, Ronflex is not able to suspend processes protected by Anti-Malware Protected Process (AM-PPL), which is now quite common. WIP..

Todo

  • Loop over known processes to suspend them
  • Support for a specific process target
  • Move the NtSuspendProcess and NtClose API calls to syscalls
  • Move the remaining API calls to syscalls
  • Dynamically load the list of known processes from a file at compile time
  • Embbed a method to bypass AM-PPL. PPLmedic maybe ?

Quick start

No time ? Let's make it short then.

Binary

In case of an emergency, you will find a ready to deploy x64 binary for Windows in the repo Release section. However, consider taking the time to compile it yourself.

Cross-compile from Linux

Install and configure Rust:

Build the binary:

  • git clone https://github.com/Nariod/ronflex.git
  • cd ronflex
  • cargo build --release --target x86_64-pc-windows-gnu

Compile on Windows

Install and configure Rust:

Build the binary:

  • git clone https://github.com/Nariod/ronflex.git
  • cd ronflex
  • cargo build --release

Usage

Run the binary with the highest privileges you can and without argument to freeze all known security products:

  • ronflex.exe

Alternatively, you can freeze a specific target process by passing the exact process name:

  • ronflex.exe notepad.exe

Notepad put to sleep

Usage and details

WIP

Credits

Legal disclaimer

Usage of anything presented in this repo to attack targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

You might also like...
Rusty Mimikatz - All credits to: github.com/ThottySploity/mimiRust (Original author deleted account so I uploaded for community use)
Rusty Mimikatz - All credits to: github.com/ThottySploity/mimiRust (Original author deleted account so I uploaded for community use)

MimiRust - Hacking the Windows operating system to hand us the keys to the kingdom with Rust. ███▄ ▄███▓ ██▓ ███▄ ▄███▓ ██▓ ██▀███ █ ██ ██

null 179 Jan 5, 2023
Upgrade all the things
Upgrade all the things

Introduction Note This is a fork of topgrade by r-darwish to keep it maintained. Keeping your system up to date usually involves invoking multiple pac

null 858 Apr 25, 2023
Binary coverage tool without binary modification for Windows
Binary coverage tool without binary modification for Windows

Summary Mesos is a tool to gather binary code coverage on all user-land Windows targets without need for source or recompilation. It also provides an

null 381 Dec 22, 2022
Rslide - A web service that allows you to move through multiple html pages in the browser like a slide, even without focusing on the app console or the browser. Currently only supports Windows.

rslide rslide is a web service that allows you to move through multiple html pages in the browser like a slide, even without focusing on the app conso

Jason Dongheng Lee 3 Jan 1, 2022
Memory hacking library for windows.

Memory hacking library for windows.

sy1ntexx 40 Jan 3, 2023
A small oscilloscope UI for the Owon HDS series portable oscilloscopes (Windows 10+, x86_64 only)
A small oscilloscope UI for the Owon HDS series portable oscilloscopes (Windows 10+, x86_64 only)

owowon - A small oscilloscope UI for the Owon HDS series portable oscilloscopes Screenshot of the program, reading a 10 MHz sinewave generated by the

Dennis Duda 7 Jan 22, 2023
Kepler is a vulnerability database and lookup store and API currently utilising National Vulnerability Database and NPM Advisories as data sources
Kepler is a vulnerability database and lookup store and API currently utilising National Vulnerability Database and NPM Advisories as data sources

Kepler — Kepler is a vulnerability database and lookup store and API currently utilising National Vulnerability Database and NPM Advisories as data so

Exein.io 101 Nov 12, 2022
Linux LPE using polkit-1 written in Rust.

CVE-2021-4024-Rust Linux LPE using polkit-1 written in Rust. Build instructions Install rust if you haven't already git clone https://github.com/deoxy

Kevin Pham 1 Feb 3, 2022
Safe Rust interface to the Vulkan API.

Magma: A strictly typed Vulkan API interface. Magma is a strictly typed Rust interface for the vulkan API. This means that whenever possible, the well

null 1 Oct 11, 2022
Releases(v0.1)
Owner
:wq!
null
GitHub
Detect EDR's exceptions by inspecting processes' loaded modules

Description This tool looks for either the processes that have a certain binary loaded or the processes that don't. This is useful in the following sc

Kurosh Dabbagh Escalante 89 May 7, 2023
Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

LibAFL, the fuzzer library. Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust. LibAFL is written and main

Advanced Fuzzing League ++ 1.2k Jan 6, 2023
A Rust program to control bias lighting on Linux and Windows.

displaylight_rs This Rust workspace is a rewrite of my DisplayLight project. It colors leds mounted behind the monitor with the colors shown on the di

Ivor Wanders 2 Sep 25, 2022
A simple menu to keep all your most used one-liners and scripts in one place

Dama Desktop Agnostic Menu Aggregate This program aims to be a hackable, easy to use menu that can be paired to lightweight window managers in order t

null 47 Jul 23, 2022
Rapidly Search and Hunt through Windows Event Logs

Rapidly Search and Hunt through Windows Event Logs Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows

F-Secure Countercept 1.8k Dec 28, 2022
A tiny program that locates and extracts public save files from Windows to your local directory!

Save Game Extractor | Download Save Game Extractor is a tool that automatically locates and copies save files for Windows games in public directories.

popcar2 6 Dec 23, 2021
Checks whether the process is running as root/sudo/admin permission in Windows and Unix systems

Is_sudo Checks if program is running as sudo in unix systems, or using admin permission in windows. Usage use is_sudo::check; use is_sudo::RunningAs;

Spark 2 Aug 12, 2022
Single stub direct and indirect syscalling with runtime SSN resolving for windows.

RUST_SYSCALLS Single stub direct and indirect syscalling with runtime SSN resolving for windows. Features: One single line for all your syscalls Funct

Yxel 81 Dec 4, 2022
MimiRust - Hacking the Windows operating system to hand us the keys to the kingdom with Rust.

MimiRust - Hacking the Windows operating system to hand us the keys to the kingdom with Rust. MimiRust is a program based on the wdigest attack vector

Thotty 0 Nov 29, 2022
Dangerously fast dns/network/port scanner, all-in-one

Skanuvaty Dangerously fast dns/network/port scanner, all-in-one. Start with a domain, and we'll find everything about it. Features: Finds subdomains f

CCCC 701 Dec 31, 2022