Killing A Protected Service

Clan CDH · January 01, 2007, 01:05 AM

I am writing another removal tool using Visual Basic and this virus loads as a service and protects it self. It can not be shutdown via safemode nor can it be via services.msc. So I need to make something that can kill this service. Does anyone know how I would go about writing it to kill a PROTECTED service? And no, setting the process token to SeDebugPriveledges does not help.

Mystical · January 01, 2007, 01:15 PM

I don't think anyone here will help you with a virus..

Yegg · January 01, 2007, 01:51 PM

Quote from: Mystical on January 01, 2007, 01:15 PM
I don't think anyone here will help you with a virus..

Why not? He is trying to remove one. AFAIK... removing viruses is a positive thing.

Mystical · January 01, 2007, 03:56 PM

Quote from: Yegg on January 01, 2007, 01:51 PM
Quote from: Mystical on January 01, 2007, 01:15 PM
I don't think anyone here will help you with a virus..

Why not? He is trying to remove one. AFAIK... removing viruses is a positive thing.

My bad, I mis-read the post, new years night got to me.

MyndFyre · January 01, 2007, 04:06 PM

Have you considered settings its .exe NTFS permissions? Set permissions for "Everyone" to "Deny - Read and Execute". Restart.

The event viewer should indicate that the process failed to start. You should then be able to remove the executable.

Grok · January 01, 2007, 04:43 PM

Quote from: MyndFyre[vL] on January 01, 2007, 04:06 PM
Have you considered settings its .exe NTFS permissions? Set permissions for "Everyone" to "Deny - Read and Execute". Restart.

The event viewer should indicate that the process failed to start. You should then be able to remove the executable.

Additionally, go to the registry key for the service entry and using regedt32, modify the security so the SYSTEM cannot read the key. Or just modify the entry so the entry points to the wrong executable.

Clan CDH · January 10, 2007, 01:23 AM

How would I go about changing the permissions on this?

MyndFyre · January 10, 2007, 02:04 AM

To edit the file permissions, ensure that you can do this through the Windows UI by going into Folder Options (Control Panel), and under the "View" tab, un-check "Use Simple File Sharing (Recommended)". Then, navigate to the file, right-click and choose "Properties." Select the "Security" tab. Select the "Everyone" group - if "Everyone" is not a list option in the top list, click "Add" and type "Everyone" (without the quotes) and click OK. Then, select the "Everyone" entry, and check the box in the column labeled "Deny" for the permission "Read and Execute".

In the Registry Editor, select the key or keys related to the service. Right-click and select "Permissions...". Select "SYSTEM" and choose "Deny" for the "Full Control" permission set.

Clan CDH · January 10, 2007, 03:43 PM

Quote from: MyndFyre[vL] on January 10, 2007, 02:04 AM
To edit the file permissions, ensure that you can do this through the Windows UI by going into Folder Options (Control Panel), and under the "View" tab, un-check "Use Simple File Sharing (Recommended)". Then, navigate to the file, right-click and choose "Properties." Select the "Security" tab. Select the "Everyone" group - if "Everyone" is not a list option in the top list, click "Add" and type "Everyone" (without the quotes) and click OK. Then, select the "Everyone" entry, and check the box in the column labeled "Deny" for the permission "Read and Execute".

In the Registry Editor, select the key or keys related to the service. Right-click and select "Permissions...". Select "SYSTEM" and choose "Deny" for the "Full Control" permission set.

I know this, but how would I go about doing this programatically?

topaz · January 10, 2007, 05:39 PM

Quote from: Clan CDH on January 10, 2007, 03:43 PM
I know this, but how would I go about doing this programatically?

loles, "programatically"

Clan CDH · January 10, 2007, 06:03 PM

Quote from: topaz on January 10, 2007, 05:39 PM
Quote from: Clan CDH on January 10, 2007, 03:43 PM
I know this, but how would I go about doing this programatically?

loles, "programatically"

prick

topaz · January 10, 2007, 09:22 PM

Quote from: Clan CDH on January 10, 2007, 06:03 PM
Quote from: topaz on January 10, 2007, 05:39 PM
Quote from: Clan CDH on January 10, 2007, 03:43 PM
I know this, but how would I go about doing this programatically?

loles, "programatically"

prick

Look, don't get angry at me because you're trying too hard to impress members of this forum. It sure isn't my fault, k?

Mystical · January 10, 2007, 10:05 PM

Quote from: topaz on January 10, 2007, 09:22 PM
Quote from: Clan CDH on January 10, 2007, 06:03 PM
Quote from: topaz on January 10, 2007, 05:39 PM
Quote from: Clan CDH on January 10, 2007, 03:43 PM
I know this, but how would I go about doing this programatically?

loles, "programatically"

prick

Look, don't get angry at me because you're trying too hard to impress members of this forum. It sure isn't my fault, k?

If he was trying to impress members on the forum, I think he woulda figured it out and said somthing like "HAHA I GOT IT NEWBS" but anyways programming topics should remain on topic, not just for the people replying but for people that search and are in need of help with out posting a new topic to keep these forums from spam.

Banana fanna fo fanna · January 14, 2007, 12:27 PM

hm way to be a dick topaz

A2 · February 12, 2007, 08:52 PM

it might not be in a dictionary, but ive seen it on printed text, and even ms uses the term.

'How to programmatically test for canonicalization issues with ASP.NET'
http://support.microsoft.com/kb/887459