Tuesday, October 30, 2018

Counting Processes and Watching for one to Die

This pseudocode counts the number of running processes with a given name and, if one of them is terminated, does something in response.
For example, in Malware Hunter's beginner YouTube video, the MEMZ malware counts its processes, and if it sees you terminating one of its own, it will BSOD (blue screen of death).

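Pseudo C code monitoring whether my process is running
   lastcount=0                   // set once, outside the loop, so it survives between passes
top:
   currentcount=0                // reset for every pass

   foreach(process in RunningProcesses)
        if(process == YOURS)
              currentcount++

   if(currentcount >= lastcount)
       lastcount = currentcount  // remember the count for the next pass
       goto top
   else
       call YouTerminatedOneOfMine()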


In pseudo assembly code, it might look something like this:
     xor ebx, ebx  ; set current to 0
     mov [ebp+localvar], ebx   ; save last count as 0 initially

     call ds:GetCurrentProcess  ; get a handle to my own process
     call GetProcessImageFileNameA  ; get current process name (my process)

     topOfLoop:
       xor ebx, ebx  ; reset the current count for this pass
       call CreateToolhelp32Snapshot   ; get list of all processes
       call Process32FirstW   ; get the first process

     checkProcess:
       call ds:OpenProcess   ; open a handle to the process
       call GetProcessImageFileNameA   ; get the name of the process
       call ds:lstrcmpA  ; compare my process name to the current process
       test eax, eax
       jnz nextProcess ; names differ, so don't count this one
       inc ebx ; increment my counter because I found one

     nextProcess:
       call Process32NextW ; get the next process in the list
       test eax, eax
       jnz checkProcess  ; if there are more, check the next one

     cmp ebx, [ebp+localvar]
     jl terminated ; fewer than on the last pass: one was terminated
     mov [ebp+localvar], ebx ; remember this count as the last count
     jmp topOfLoop ; nothing was terminated, so count again

     terminated:
       call YouTerminatedOneOfMine ; call the function that handles somebody killing a process

     exit:
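
Seen from the analysis side, this loop leaves a recognisable shape in an API call trace. The following is an added example, not code from the original post or the video: it counts, per process, how many complete snapshot-walk-and-compare passes occur and flags processes that keep repeating them. The `<pid> <api>` trace format, the function names and the threshold of 3 are assumptions, and the sample trace is constructed.

```python
from collections import defaultdict

# API names taken from the pseudo assembly above.
SNAPSHOT = "CreateToolhelp32Snapshot"
WALK = {"Process32FirstW", "Process32NextW"}
NAME = "GetProcessImageFileNameA"
COMPARE = "lstrcmpA"

def is_pass(segment):
    """One pass = walk the snapshot, fetch an image name, then compare it."""
    if not WALK & set(segment) or NAME not in segment:
        return False
    return COMPARE in segment[segment.index(NAME):]

def polling_passes(trace_lines):
    """Return {pid: number of enumerate-and-compare passes} for a trace."""
    calls = defaultdict(list)
    for line in trace_lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip malformed lines
        calls[int(parts[0])].append(parts[1])
    result = {}
    for pid, apis in calls.items():
        segments = []
        for api in apis:
            if api == SNAPSHOT:
                segments.append([])       # every snapshot starts a new pass
            elif segments:
                segments[-1].append(api)  # calls before the first snapshot are ignored
        result[pid] = sum(1 for seg in segments if is_pass(seg))
    return result

def flag_watchdogs(trace_lines, min_passes=3):
    """PIDs that repeat the pass at least min_passes times (assumed threshold)."""
    counts = polling_passes(trace_lines)
    return sorted(pid for pid, n in counts.items() if n >= min_passes)

# Constructed sample trace in a hypothetical "<pid> <api>" format.
ONE_PASS = [SNAPSHOT, "Process32FirstW", "OpenProcess", NAME, COMPARE,
            "Process32NextW", "OpenProcess", NAME, COMPARE]
SAMPLE_TRACE = (
    [f"4321 {a}" for a in ["GetCurrentProcess", NAME] + ONE_PASS * 3]  # polling loop
    + [f"900 {a}" for a in ONE_PASS]                                   # single lookup
    + [f"77 {a}" for a in [SNAPSHOT, "Process32FirstW", "Process32NextW"] * 4]
    + ["not a trace line"]
)

if __name__ == "__main__":
    print(polling_passes(SAMPLE_TRACE), flag_watchdogs(SAMPLE_TRACE))
```

Legitimate tools also enumerate processes repeatedly, so a hit is a triage signal to look at what the process does when its count drops, not a verdict.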




------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.

https://www.youtube.com/watch?v=b0WQwCQGjv4