I just read about the Sober.C worm and it said that it runs 2-3 independent processes which try to protect each other from being killed by restarting any protected process right after it has been killed. That kinda got me thinking if there is a tool out there which does just that, basically preventing an executable from being killed and then removed. I only found DiamondCS Process Guard so far ( Link ). Is there any other tool out there which you use or know of? Beg my pardon if this has been discussed before, but I wasn't able to find any usable results.
TIA
kevin007
Jan 14 2004, 02:31 PM
firedaemon did this too (in a way), also, services can be set in windows to be autorestart on "crash", however this should not be considered a very effective way of providing protection.
A rootkit can protect a process by making it unable to be killed without having the rootkit's root process permission
The Storm
Jan 14 2004, 02:48 PM
a cmdline tool would be nice. isn't there something that makes a service unkillable? i know that in the taskmanager there are some processes that can't be killed, i guess it was system services. the only problem is how to make serv-u e.g. a system service
Jeeve5
Jan 14 2004, 02:55 PM
@kevin007 Well rootkit would be one way to go since the admin just doesn't see the executable, but let's say we don't want to use one.
@Storm Well making a service unkillable would be nice, but it would be enough for me if it is restarted before someone can remove the service or the executable.
Any suggestions anyone?
GhostCow
Jan 14 2004, 09:48 PM
i'd go with the rootkit suggestion... hxdef for example... very flexible. http://rootkit.host.sk/
chrispen
Jan 15 2004, 12:14 PM
QUOTE (GhostCow @ Jan 14 2004, 09:48 PM)
i'd go with the rootkit suggestion... hxdef for example... very flexible. http://rootkit.host.sk/
but traceable..
zero-maitimax
Jan 15 2004, 01:17 PM
QUOTE (chrispen @ Jan 15 2004, 12:14 PM)
QUOTE (GhostCow @ Jan 14 2004, 09:48 PM)
i'd go with the rootkit suggestion... hxdef for example... very flexible. http://rootkit.host.sk/
but traceable..
how????
could give me log about the traced..
coder
Jan 15 2004, 01:41 PM
i like to rename certain processes to "smss.exe" this will keep the application from being killed by Task Man...
i also think that a rootkit might be in order (if possible) - remember, stealth can be more effective than strength (there's my philosophical contribution for the day )
XtrA
Jan 15 2004, 02:11 PM
well.. in the underline...... what should we use to do that? answer please
LittleHacker
Jan 15 2004, 05:34 PM
you may use 2 files, #1 and #2. #1 is a common trojan, #2 is a master that checks if everything goes right !
QUOTE
thing goes right
it means that #1 exists and is running!
you may have a backup of #1 in an undetectable mode. well, #2 checks if file #1 exists. if not, create it from the backup! and check if #1 is running. How? if you run #1 then the last ProcessID is probably #1's.
But how to have an undetectable backup of #1? just copy it in a reverse mode. I mean the first byte of #1 is the last byte of the backup. By this trick no AntiVirus is able to detect the backup.
Do not forget that #2 is not Listening at all !
mamep
Jan 15 2004, 06:07 PM
firedaemon.exe, it's nice and one of the best utilities
Jeeve5
Jan 15 2004, 08:39 PM
@coder The 'smss.exe' tip really is useful. I use that a lot because many people only use TaskMan and not kill.exe or something comparable.
@Littlehacker Your suggestion is basically what I am searching for, just that process #1 also checks if #2 is running and if not creates it. Do you know of any tools besides Process Guard which accomplish just that?
@mamep FireDaemon is the worst piece of sh*t i have ever seen in my life. Even M$ can actually come up with better programs
@all Well my question unfortunately still hasn't been answered. Does anyone know of tools like Process Guard? TIA!
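A defender-side counterpart to the "rename it to smss.exe" tip above, added here and not code from the thread: given a process listing (pid, parent pid, full image path), it flags any process called smss.exe that is not the genuine Session Manager, which runs from System32 and is started by System (PID 4). The listing below is constructed for the example.

```python
import ntpath

# The genuine Session Manager runs from System32 and is started by System (PID 4).
EXPECTED_SMSS_PATH = r"C:\Windows\System32\smss.exe"
SYSTEM_PID = 4

# Constructed process listing (not from the thread): (pid, parent_pid, image_path).
SAMPLE_PROCESSES = [
    (4,    0,    "System"),
    (372,  4,    r"C:\Windows\System32\smss.exe"),
    (1844, 372,  r"C:\Windows\System32\csrss.exe"),
    (2908, 1200, r"C:\Users\Public\smss.exe"),   # renamed binary, as in the tip above
    (3120, 4,    r"C:\Windows\Temp\smss.exe"),    # right parent, wrong location
]

def find_smss_impostors(processes, expected_path=EXPECTED_SMSS_PATH):
    """Return (pid, path, reasons) for every smss.exe that does not look genuine."""
    findings = []
    for pid, ppid, path in processes:
        # ntpath handles Windows separators regardless of the host OS
        if ntpath.basename(path).lower() != "smss.exe":
            continue
        reasons = []
        if path.lower() != expected_path.lower():
            reasons.append("image path is not the System32 copy")
        if ppid != SYSTEM_PID:
            reasons.append("parent is not System (PID 4)")
        if reasons:
            findings.append((pid, path, reasons))
    return findings
```

Short-lived child smss.exe instances that the genuine one spawns while creating a session will also trip the parent check; a real deployment would whitelist a parent that is itself the System32 copy.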
LittleHacker
Jan 16 2004, 05:54 PM
@Jeeve5 I didn't get what you mean. Please describe it more < I'm not a Native Speaker in English >
Jeeve5
Jan 16 2004, 07:43 PM
QUOTE (LittleHacker @ Jan 16 2004, 05:54 PM)
@Jeeve5 I didn't get what you mean. Please describe it more < I'm not a Native Speaker in English >
it's very easy: Process #1 always checks if process #2 is running and if not restarts or recreates it from backup. and process #2 always checks if process #1 is running and if not restarts or recreates it from backup.
I hope that is clear enough.....
LittleHacker
Jan 16 2004, 08:05 PM
Yes it's a good idea that the other process checks too ! But I didn't get this
QUOTE
Do you know of any tools besides Process Guard which accomplish just that?
Jeeve5
Jan 17 2004, 06:13 PM
QUOTE (LittleHacker @ Jan 16 2004, 08:05 PM)
Yes it's a good idea that the other process checks too ! But I didn't get this
QUOTE
Do you know of any tools besides Process Guard which accomplish just that?
Well, there is this program called Process Guard (see my first post) and I am searching for alternatives.
niko
Jan 27 2004, 10:38 PM
All one would need to do then, is simply freeze both processes before killing them. Simple using SuspendThread.
Also, you can simply do a CreateRemoteThread starting at address zero, in both processes, and they will GPF and die. I have a tool that uses this technique to kill a process.
-niko
Jeeve5
Jan 27 2004, 10:40 PM
QUOTE (niko @ Jan 27 2004, 10:38 PM)
All one would need to do then, is simply freeze both processes before killing them. Simple using SuspendThread.
Also, you can simply do a CreateRemoteThread starting at address zero, in both processes, and they will GPF and die. I have a tool that uses this technique to kill a process.
-niko
That is quite true, but I never said that this method suggested by me was foolproof
No seriously, most Admins try to kill the executable that they think or know is causing trouble and won't notice which other executable restarts the first one
LittleHacker
Feb 1 2004, 01:34 AM
QUOTE
Jeeve5 Posted on Jan 27 2004, 10:40 PM
QUOTE
(niko @ Jan 27 2004, 10:38 PM) All one would need to do then, is simply freeze both processes before killing them. Simple using SuspendThread.
Also, you can simply do a CreateRemoteThread starting at address zero, in both processes, and they will GPF and die. I have a tool that uses this technique to kill a process.
-niko
That is quite true, but I never said that this method suggested by me was foolproof
No seriously, most Admins try to kill the executable that they think or know is causing trouble and won't notice which other executable restarts the first one
in addition finding those 2 processes that check each other is not easy ! for example if we have only 10 services running then we have 10x9=90 alternatives!
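The mutual-restart scheme Jeeve5 describes and the "90 alternatives" objection above both point at the same detection: rather than guessing pairs, watch process lifecycle events and look for an image that comes back within seconds of being terminated, started by a process whose own image is revived the same way. The following is an added example (not code from the thread) over a constructed event feed in the shape an EDR or Sysmon-style log would give; the event tuple layout and the two-second window are assumptions.

```python
from collections import defaultdict

# Constructed process-lifecycle events (not from the thread):
# (time_s, kind, pid, image, parent_pid). Layout is an assumption.
SAMPLE_EVENTS = [
    (0.0,  "create",    100, "svc_a.exe",    4),
    (0.1,  "create",    200, "svc_b.exe",    100),
    (0.2,  "create",    700, "explorer.exe", 650),
    (30.0, "terminate", 100, "svc_a.exe",    4),
    (30.4, "create",    300, "svc_a.exe",    200),  # svc_b respawns svc_a
    (60.0, "terminate", 200, "svc_b.exe",    100),
    (60.3, "create",    400, "svc_b.exe",    300),  # svc_a respawns svc_b
    (90.0, "terminate", 500, "notepad.exe",  700),
    (95.0, "create",    600, "notepad.exe",  700),  # user relaunch, too slow to count
]

def find_mutual_watchdogs(events, window=2.0):
    """Return sorted (image_a, image_b) pairs where each image respawned the
    other within `window` seconds of the other's termination."""
    image_of = {}                 # pid -> image name, learned from create events
    restarts = defaultdict(set)   # respawner image -> set of images it revived
    pending = []                  # recent terminations: (time, image)
    for ts, kind, pid, image, ppid in sorted(events, key=lambda e: e[0]):
        pending = [(t, i) for t, i in pending if ts - t <= window]
        if kind == "terminate":
            pending.append((ts, image))
            continue
        image_of[pid] = image
        for entry in pending:
            if entry[1] == image:            # same image came back quickly
                parent = image_of.get(ppid)
                if parent and parent != image:
                    restarts[parent].add(image)
                pending.remove(entry)
                break
    pairs = {tuple(sorted((a, b)))
             for a, targets in restarts.items()
             for b in targets if a in restarts.get(b, ())}
    return sorted(pairs)
```

A single respawn (only A reviving B) is not reported; the pair is flagged only once the relationship has been observed in both directions.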
mr.anderson
Feb 2 2004, 05:46 PM
QUOTE (kevin007 @ Jan 14 2004, 02:31 PM)
firedaemon did this too (in a way), also, services can be set in windows to be autorestart on "crash", however this should not be considered a very effective way of providing protection.
A rootkit can protect a process by making it unable to be killed without having the rootkit's root process permission
r00t kits can hide the process itself so they can't be seen, thus making them unkillable even with cmd line tools like pskill
Bedosman
Sep 12 2004, 02:42 PM
Yeah it's true , try with hxdef , for me the best rootkit I've ever seen
Gaya
Sep 13 2004, 09:30 PM
I think a good solution is
1. A service for your .exe file with the extra flag FailureActions, so the service is restarted after it has crashed.
2. A Rootkit hiding your process and the Service so it should be hard to find out the Service name.
But I think there must be an Option e.g. ErrorControl or sth. in the folder Security of a service like SamSs that secures this service. It is impossible to stop this service. If it stopped the Computer reboots. I tried to find out how it works, but I was not successful so far. If somebody finds the option, it would be a protected process.
Greetz Gaya
tibbar
Sep 14 2004, 05:23 PM
the most effective way is to hook the relevant api to disallow killing your process, and also hook createremotethread to prevent it from injecting crap into your app...
this is quite easy to do if you have a nice hooking library - i made one using IAT +EAT hooks with a driver for process creation notification (i.e. to initiate hook injection).
but basically this approach is what a rootkit does.
i believe process guard uses a similar method.
z73
Sep 14 2004, 05:31 PM
NuclearRat seems to be a nice tool for ur purposes
romaricmichon
Sep 15 2004, 03:24 PM
what a nasty method to have a shell