Full Version: Protecting Processes
Jeeve5
Hi everyone!

I just read about the Sober.C worm and it said that it runs 2-3 independent processes which try to protect each other from being killed by restarting any protected process right after it has been killed.
That kinda got me thinking whether there is a tool out there which does just that, basically preventing an executable from being killed and then removed.
I only found DiamondCS Process Guard so far (link). Is there any other tool out there which you use or know of?
Beg my pardon if this has been discussed before, but I wasn't able to find any usable results.

TIA
kevin007
FireDaemon did this too (in a way); also, services can be set in Windows to auto-restart on "crash", however this should not be considered a very effective way of providing protection.


A rootkit can protect a process by making it unable to be killed without having the rootkit's root process permission.
The Storm
A cmdline tool would be nice. Isn't there something that makes a service unkillable? I know that in the Task Manager there are some processes that can't be killed; I guess those were system services. The only problem is how to make e.g. Serv-U a system service.
Jeeve5
@kevin007
Well, a rootkit would be one way to go since the admin just doesn't see the executable, but let's say we don't want to use one.

@Storm
Well making a service unkillable would be nice, but it would be enough for me if it is restarted before someone can remove the service or the executable.

Any suggestions anyone?
GhostCow
I'd go with the rootkit suggestion... hxdef for example... very flexible. http://rootkit.host.sk/
chrispen
QUOTE (GhostCow @ Jan 14 2004, 09:48 PM)
I'd go with the rootkit suggestion... hxdef for example... very flexible. http://rootkit.host.sk/

But traceable...
zero-maitimax
QUOTE (chrispen @ Jan 15 2004, 12:14 PM)
QUOTE (GhostCow @ Jan 14 2004, 09:48 PM)
I'd go with the rootkit suggestion... hxdef for example... very flexible. http://rootkit.host.sk/

But traceable...

How?

Could you give me a log about what was traced?
coder
I like to rename certain processes to "smss.exe"; this will keep the application from being killed by Task Manager...

I also think that a rootkit might be in order (if possible). Remember, stealth can be more effective than strength (there's my philosophical contribution for the day).
XtrA
Well... in the end, what should we use to do that?
Answer please.
LittleHacker
You may use 2 files, #1 and #2.
#1 is a common trojan.
#2 is a master that checks if everything goes right!
QUOTE
thing goes right

It means that #1 exists and is running!

You may have a backup of #1 in an undetectable mode.
Well, #2 checks if file #1 exists. If not, it is created from the backup!
And it checks if #1 is running.
How?
If you run #1 then the last ProcessID is probably #1's.

But how to have an undetectable backup of #1?
Just copy it in reverse mode. I mean the first byte of #1 is the last byte of the backup. By this trick no antivirus is able to detect the backup.

Do not forget that #2 is not listening at all!
mamep
firedaemon.exe, it's nice and one of the best utilities.
Jeeve5
@coder
The 'smss.exe' tip really is useful. I use that a lot because many people only use TaskMan and not kill.exe or something comparable.

@Littlehacker
Your suggestion is basically what I am searching for, just that process #1 also checks if #2 is running and if not creates it. Do you know of any tools besides Process Guard which accomplish just that?

@mamep
FireDaemon is the worst piece of sh*t I have ever seen in my life. Even M$ can actually come up with better programs.

@all
Well my question unfortunately still hasn't been answered. Does anyone know of tools like Process Guard? TIA!
LittleHacker
@Jeeve5
I didn't get what you mean. Please describe it more (I'm not a native speaker of English).
Jeeve5
QUOTE (LittleHacker @ Jan 16 2004, 05:54 PM)
@Jeeve5
I didn't get what you mean. Please describe it more (I'm not a native speaker of English).

It's very easy:
Process #1 always checks if process #2 is running and, if not, restarts or recreates it from backup.
and
Process #2 always checks if process #1 is running and, if not, restarts or recreates it from backup.

I hope that is clear enough...
LittleHacker
Yes, it's a good idea that the other process checks too!
But I didn't get this
QUOTE
Do you know of any tools besides Process Guard which accomplish just that?
Jeeve5
QUOTE (LittleHacker @ Jan 16 2004, 08:05 PM)
Yes, it's a good idea that the other process checks too!
But I didn't get this
QUOTE
Do you know of any tools besides Process Guard which accomplish just that?

Well, there is this program called Process Guard (see my first post) and I am searching for alternatives.
niko
All one would need to do then is simply freeze both processes before killing them. Simple, using SuspendThread.

Also, you can simply do a CreateRemoteThread starting at address zero, in both processes, and they will GPF and die. I have a tool that uses this technique to kill a process.

-niko
Jeeve5
QUOTE (niko @ Jan 27 2004, 10:38 PM)
All one would need to do then is simply freeze both processes before killing them. Simple, using SuspendThread.

Also, you can simply do a CreateRemoteThread starting at address zero, in both processes, and they will GPF and die. I have a tool that uses this technique to kill a process.

-niko

That is quite true, but I never said that this method suggested by me was foolproof.

No seriously, most admins try to kill the executable that they think or know is causing trouble and won't notice which other executable restarts the first one.
LittleHacker
QUOTE (Jeeve5 @ Jan 27 2004, 10:40 PM)
QUOTE (niko @ Jan 27 2004, 10:38 PM)
All one would need to do then is simply freeze both processes before killing them. Simple, using SuspendThread.

Also, you can simply do a CreateRemoteThread starting at address zero, in both processes, and they will GPF and die. I have a tool that uses this technique to kill a process.

-niko

That is quite true, but I never said that this method suggested by me was foolproof.

No seriously, most admins try to kill the executable that they think or know is causing trouble and won't notice which other executable restarts the first one.

In addition, finding those 2 processes that check each other is not easy!
For example, if we have only 10 services running then we have 10x9=90 alternatives!
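Seen from the defender's side, the pair is much easier to find when process-creation telemetry records parent and child: the following is an added example (not code from anyone in this thread) that flags two images that keep spawning each other, and, covering coder's smss.exe rename earlier in the thread, processes that borrow a system binary's name while running from a non-system path. The records, paths and threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed process-creation records (hypothetical, not real telemetry),
# shaped like an audit log: (time, pid, image_path, parent_pid, parent_image).
TEMP = r"C:\Users\bob\AppData\Local\Temp"
A_EXE, B_EXE = TEMP + r"\a.exe", TEMP + r"\b.exe"
FAKE_SMSS = TEMP + r"\smss.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    (1, 400, r"C:\Windows\System32\smss.exe", 4, "System"),  # real session manager
    (2, 1000, A_EXE, 900, EXPLORER),      # user launches #1
    (3, 1001, B_EXE, 1000, A_EXE),        # #1 starts its guardian #2
    (10, 1002, A_EXE, 1001, B_EXE),       # #1 was killed; #2 restarts it
    (20, 1003, B_EXE, 1002, A_EXE),       # #2 was killed; #1 restarts it
    (25, 1004, FAKE_SMSS, 1002, A_EXE),   # a copy renamed to smss.exe
    (30, 1100, r"C:\Windows\System32\notepad.exe", 900, EXPLORER),
]

# Where these protected Windows binaries really live (lower-cased for comparison).
SYSTEM_IMAGE_HOMES = {
    name: r"c:\windows\system32\%s" % name
    for name in ("smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe")
}


def mutual_restart_pairs(events, min_total=3):
    """Image pairs (a, b) where a has spawned b AND b has spawned a.
    Legitimate programs rarely create each other, so a pair that does so
    repeatedly (>= min_total creations between them) is the signature of
    the 'two processes that restart each other' trick."""
    spawned = defaultdict(Counter)  # parent image -> Counter(child image)
    for _, _, image, _, parent_image in events:
        spawned[parent_image][image] += 1
    pairs = set()
    for a, children in spawned.items():
        for b, n_ab in children.items():
            n_ba = spawned.get(b, {}).get(a, 0)  # .get() avoids mutating while iterating
            if a != b and n_ab and n_ba and n_ab + n_ba >= min_total:
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


def masquerading_images(events):
    """(pid, image_path) for processes named like a system binary (e.g. smss.exe)
    that run from somewhere other than that binary's real home."""
    hits = []
    for _, pid, image, _, _ in events:
        name = image.rsplit("\\", 1)[-1].lower()
        home = SYSTEM_IMAGE_HOMES.get(name)
        if home and image.lower() != home:
            hits.append((pid, image))
    return hits
```

Once the pair is known, suspending both processes before terminating them (as niko describes above) is the usual way to break the restart loop.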
mr.anderson
QUOTE (kevin007 @ Jan 14 2004, 02:31 PM)
FireDaemon did this too (in a way); also, services can be set in Windows to auto-restart on "crash", however this should not be considered a very effective way of providing protection.


A rootkit can protect a process by making it unable to be killed without having the rootkit's root process permission.

Rootkits can hide the process itself so it can't be seen, thus making it unkillable even with cmd line tools like pskill.
Bedosman
Yeah, it's true. Try hxdef; for me the best rootkit I've ever seen.
Gaya
I think a good solution is:

1. A service for your .exe file with the extra flag FailureActions, so the service restarts after it has crashed.

2. A rootkit hiding your process and the service, so it should be hard to find out the service name.

But I think there must be an option, e.g. ErrorControl or something in the Security folder of a service like SamSs, that secures this service. It is impossible to stop this service. If it is stopped the computer reboots.
I tried to find out how it works, but I was not successful so far.
If somebody finds the option, it would be a protected process.

Greetz
Gaya
tibbar
The most effective way is to hook the relevant API to disallow killing your process, and also hook CreateRemoteThread to prevent it from injecting crap into your app...

This is quite easy to do if you have a nice hooking library; I made one using IAT + EAT hooks with a driver for process creation notification (i.e. to initiate hook injection).

But basically this approach is what a rootkit does.

I believe Process Guard uses a similar method.
z73
NuclearRat seems to be a nice tool for your purposes.
romaricmichon
What a nasty method to have a shell.
Invision Power Board © 2001-2005 Invision Power Services, Inc.