Killing A Protected Service

Started by Clan CDH, January 01, 2007, 01:05 AM


Clan CDH

I am writing another removal tool using Visual Basic and this virus loads as a service and protects itself. It cannot be shut down via safe mode nor can it be via services.msc. So I need to make something that can kill this service. Does anyone know how I would go about writing it to kill a PROTECTED service? And no, setting the process token to SeDebugPrivilege does not help.

Mystical

I don't think anyone here will help you with a virus..

Yegg

Quote from: Mystical on January 01, 2007, 01:15 PM
I don't think anyone here will help you with a virus..

Why not? He is trying to remove one. AFAIK... removing viruses is a positive thing.

Mystical

Quote from: Yegg on January 01, 2007, 01:51 PM
Quote from: Mystical on January 01, 2007, 01:15 PM
I don't think anyone here will help you with a virus..

Why not? He is trying to remove one. AFAIK... removing viruses is a positive thing.

My bad, I misread the post, New Year's night got to me.

MyndFyre

Have you considered setting its .exe NTFS permissions?  Set permissions for "Everyone" to "Deny - Read and Execute".  Restart.

The event viewer should indicate that the process failed to start.  You should then be able to remove the executable.
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Grok

Quote from: MyndFyre[vL] on January 01, 2007, 04:06 PM
Have you considered setting its .exe NTFS permissions?  Set permissions for "Everyone" to "Deny - Read and Execute".  Restart.

The event viewer should indicate that the process failed to start.  You should then be able to remove the executable.

Additionally, go to the registry key for the service entry and using regedt32, modify the security so the SYSTEM cannot read the key.  Or just modify the entry so the entry points to the wrong executable.

Clan CDH

How would I go about changing the permissions on this?

MyndFyre

To edit the file permissions, ensure that you can do this through the Windows UI by going into Folder Options (Control Panel), and under the "View" tab, un-check "Use Simple File Sharing (Recommended)".  Then, navigate to the file, right-click and choose "Properties."  Select the "Security" tab.  Select the "Everyone" group - if "Everyone" is not a list option in the top list, click "Add" and type "Everyone" (without the quotes) and click OK.  Then, select the "Everyone" entry, and check the box in the column labeled "Deny" for the permission "Read and Execute". 

In the Registry Editor, select the key or keys related to the service.  Right-click and select "Permissions...".  Select "SYSTEM" and choose "Deny" for the "Full Control" permission set.
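The two steps MyndFyre and Grok describe (deny "Everyone" Read and Execute on the service executable, deny SYSTEM Full Control on the service's registry key) can be applied from a script instead of through the Properties dialogs. The PowerShell below is an added example, not code from the thread or from anyone posting in it; it assumes the malicious service's name and executable path are already known, and both values it uses for them are placeholders. It uses well-known SIDs (S-1-1-0 for Everyone, S-1-5-18 for SYSTEM) rather than account names so it behaves the same on non-English installs.

```powershell
# Added example: apply the deny ACEs discussed in the thread from a script.
# Both values below are placeholders; replace them with the values found during analysis.
param(
    [string]$ServiceName = 'EXAMPLE_SERVICE_NAME',        # placeholder
    [string]$ExePath     = 'C:\path\to\suspect_service.exe' # placeholder
)

# Step 1 (MyndFyre): deny "Everyone" Read and Execute on the executable.
# A Deny ACE wins over any Allow ACE, so the service cannot be started from this file after reboot.
$fileAcl  = Get-Acl -Path $ExePath
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.AccessControlType]::Deny)
$fileAcl.AddAccessRule($fileRule)
Set-Acl -Path $ExePath -AclObject $fileAcl

# Step 2 (Grok): deny SYSTEM Full Control on the service's registry key so the
# Service Control Manager (which runs as SYSTEM) cannot read the entry at boot.
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$keyAcl  = Get-Acl -Path $keyPath
$system  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $system,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.AccessControlType]::Deny)
$keyAcl.AddAccessRule($keyRule)
Set-Acl -Path $keyPath -AclObject $keyAcl

# Show the resulting ACEs so the operator can confirm both Deny entries landed.
(Get-Acl -Path $ExePath).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
(Get-Acl -Path $keyPath).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
```

Run it from an elevated prompt; Set-Acl will fail if the current account does not own the file or key and lacks WRITE_DAC, in which case ownership has to be taken first. As MyndFyre notes, the already-running process is untouched until the machine restarts; after the reboot, check the System event log for the service's failed-start entry before deleting the executable.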

Clan CDH

Quote from: MyndFyre[vL] on January 10, 2007, 02:04 AM
To edit the file permissions, ensure that you can do this through the Windows UI by going into Folder Options (Control Panel), and under the "View" tab, un-check "Use Simple File Sharing (Recommended)".  Then, navigate to the file, right-click and choose "Properties."  Select the "Security" tab.  Select the "Everyone" group - if "Everyone" is not a list option in the top list, click "Add" and type "Everyone" (without the quotes) and click OK.  Then, select the "Everyone" entry, and check the box in the column labeled "Deny" for the permission "Read and Execute". 

In the Registry Editor, select the key or keys related to the service.  Right-click and select "Permissions...".  Select "SYSTEM" and choose "Deny" for the "Full Control" permission set.

I know this, but how would I go about doing this programatically?

topaz

Quote from: Clan CDH on January 10, 2007, 03:43 PM
I know this, but how would I go about doing this programatically?

loles, "programatically"
RLY...?

Clan CDH


topaz

Quote from: Clan CDH on January 10, 2007, 06:03 PM
Quote from: topaz on January 10, 2007, 05:39 PM
Quote from: Clan CDH on January 10, 2007, 03:43 PM
I know this, but how would I go about doing this programatically?

loles, "programatically"

prick

Look, don't get angry at me because you're trying too hard to impress members of this forum. It sure isn't my fault, k?
RLY...?

Mystical

Quote from: topaz on January 10, 2007, 09:22 PM
Quote from: Clan CDH on January 10, 2007, 06:03 PM
Quote from: topaz on January 10, 2007, 05:39 PM
Quote from: Clan CDH on January 10, 2007, 03:43 PM
I know this, but how would I go about doing this programatically?

loles, "programatically"

prick

Look, don't get angry at me because you're trying too hard to impress members of this forum. It sure isn't my fault, k?

If he was trying to impress members on the forum, I think he woulda figured it out and said something like "HAHA I GOT IT NEWBS" but anyways programming topics should remain on topic, not just for the people replying but for people that search and are in need of help without posting a new topic, to keep these forums from spam.

Banana fanna fo fanna


A2

It might not be in a dictionary, but I've seen it in printed text, and even MS uses the term.

'How to programmatically test for canonicalization issues with ASP.NET'
http://support.microsoft.com/kb/887459