kbnet
Would a program be able to detect which process is attempting to terminate it? I'm thinking in terms of a virus which is able to detect which AV process attempts to terminate it. There must be some kind of API call to detect this?

Cheers
setthesun
Processguard can do it.
tibbar
No API call detects this, but hooking a few APIs will do it!

Here's an app I made which does a similar thing to process guard...give it a try.
kbnet
Thank you both for your posts. Downloading Process Guard now. Interesting program you have written tibbar, going to have a good play around with that.

I'm thinking if a virus was capable of detecting which antivirus process was trying to terminate it, then it would be able to launch an attack on the AV process. For example, if the virus detected that "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\KAV.exe" was attempting to terminate it, then the virus could try and attack that directory by trying to remove files, and also scan the registry and remove any keys which belong to the product. This would obviously then be generic for any security software attempting to remove the virus. Therefore, hardcoding security products into a virus would no longer be required, as the virus can find what to attack by itself.

Serhat
QUOTE(kbnet @ Feb 17 2005, 09:09 AM)
Thank you both for your posts.  Downloading Process Guard now.  Interesting program you have written tibbar, going to have a good play around with that.

I'm thinking if a virus was capable of detecting which antivirus process was trying to terminate it, then it would be able to launch an attack on the AV process. For example, if the virus detected that "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\KAV.exe" was attempting to terminate it, then the virus could try and attack that directory by trying to remove files, and also scan the registry and remove any keys which belong to the product. This would obviously then be generic for any security software attempting to remove the virus. Therefore, hardcoding security products into a virus would no longer be required, as the virus can find what to attack by itself.
Might be fun if Windows kills a service because it didn't reply 'correctly' to a service... and then you see your prog remove all those files in the win dir and in the reg... Hope this won't happen, but it just suddenly came to my mind.

Serhat
tibbar
I could see taskmgr.exe getting deleted a lot in this fictional scenario!

Really, if someone went to such effort they would just hide their process from the AV by hooking the kernel.

AV killing is one of the lamest things a trojan / virus can do. I have no fear of those virii, since they immediately tell me they exist by doing stupid things... it's the malware that I do not know I have that scares me.