This pseudo code tries to count the number of processes with a given name, and if one of them is terminated, the code reacts.
For example, in Malware Hunter's beginner YouTube video the MEMZ malware counts its processes, and if it sees you terminating one of its own, it triggers a BSOD (blue screen of death).
Pseudo C code monitoring whether my process is still running:
lastcount = 0
top:
    currentcount = 0
    foreach (process in RunningProcesses)
        if (process == YOURS)
            currentcount++
    if (currentcount >= lastcount)
        lastcount = currentcount
        goto top
    else
        call YouTerminatedOneOfMine()
In pseudo assembly it might look something like this:
    xor ebx, ebx                    ; current count = 0
    mov [ebp+localvar], ebx         ; last count = 0 initially
    call ds:GetCurrentProcess       ; get a handle to my own process
    call GetProcessImageFileNameA   ; get my own process name
topOfLoop:
    xor ebx, ebx                    ; reset current count for this pass
    call CreateToolhelp32Snapshot   ; take one snapshot of all processes
    call Process32FirstW            ; get the first process
nextProcess:
    call ds:OpenProcess             ; open a handle to this process
    call GetProcessImageFileNameA   ; get the name of this process
    call ds:lstrcmpA                ; compare with my name; eax = 0 when equal
    test eax, eax
    jnz notMine                     ; names differ: skip the increment
    inc ebx                         ; found one of mine
notMine:
    call Process32NextW             ; get the next process in the list
    test eax, eax
    jnz nextProcess                 ; more processes: keep walking the snapshot
    cmp ebx, [ebp+localvar]
    jl terminated                   ; fewer than last time: one was killed
    mov [ebp+localvar], ebx         ; otherwise remember the new count
    jmp topOfLoop                   ; and check again
terminated:
    call YouTerminatedOneOfMine     ; handle somebody killing a process
exit:
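As an added illustration (my own code, not from the post or the video), here is the same counting watchdog in C: the baseline count survives across polls, one snapshot is taken per poll, and the skip around the increment is explicit. The Toolhelp part only compiles on Windows and assumes an ANSI build; demo_polls() feeds constructed process lists rather than real snapshots, and the names mine.exe and explorer.exe in it are made up.

```c
#include <stdbool.h>
#include <string.h>
#ifdef _WIN32                       /* real process enumeration only on Windows */
#include <windows.h>
#include <tlhelp32.h>
#endif
#define NAME_LEN 260                /* MAX_PATH-sized buffer for one exe name */
/* Baseline kept across polls; the pseudo code above reset it on every pass. */
struct watchdog { size_t last_count; };
/* Count snapshot entries whose exe name equals mine (case-sensitive, like lstrcmpA). */
static size_t count_named(const char names[][NAME_LEN], size_t n, const char *mine) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(names[i], mine) == 0) count++;
    return count;
}

/* One poll: true only when fewer instances are running than at the last poll. */
static bool watchdog_poll(struct watchdog *w, size_t current) {
    bool dropped = current < w->last_count;
    w->last_count = current;        /* re-baseline either way: one kill, one report */
    return dropped;
}

#ifdef _WIN32
/* Copy exe names out of ONE Toolhelp snapshot per poll (ANSI build, UNICODE not defined). */
static size_t snapshot_names(char out[][NAME_LEN], size_t max) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe; pe.dwSize = sizeof pe;
    size_t n = 0;
    if (Process32First(snap, &pe))
        do { strncpy(out[n], pe.szExeFile, NAME_LEN - 1); out[n++][NAME_LEN - 1] = '\0'; }
        while (n < max && Process32Next(snap, &pe));
    CloseHandle(snap);
    return n;
}
#endif
/* Constructed scenario, not a real snapshot: two instances of mine.exe are running,
 * then one is killed, then it is restarted. Returns how many polls reported a kill. */
static int demo_polls(void) {
    static const char p1[][NAME_LEN] = {"explorer.exe", "mine.exe", "mine.exe"};
    static const char p2[][NAME_LEN] = {"explorer.exe", "mine.exe"};
    struct watchdog w = {0};
    int fired = watchdog_poll(&w, count_named(p1, 3, "mine.exe"));  /* baseline 2, quiet */
    fired += watchdog_poll(&w, count_named(p2, 2, "mine.exe"));     /* 1 < 2: fires */
    fired += watchdog_poll(&w, count_named(p1, 3, "mine.exe"));     /* 2 >= 1: quiet */
    return fired;                                                   /* 1 */
}
```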
------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.
https://www.youtube.com/watch?v=b0WQwCQGjv4