Can I use this function to block Windows APIs?

Yes, killing CSRSS.exe is stupid!
Actually I wanted to kill virus processes 'like' that!
I don't want to do any harm!
I want to kill 'access denied' processes...
I personally don't care if you are up to mischief or not, one of the forum members here put it best when they said that if you are asking me for help then you don't know enough to pose a threat.

'Access Denied' is not a process, it is a message from the system when your permissions are not sufficient to perform a certain task. If you have a Symantec Threat Report link to the specific virus you are targeting then we should start there instead of running around with half-arsed information.

Also you're going about this completely wrong; to answer your question directly the easiest way to "close" a process with an injected thread is simply to try writing in your injected thread WITHOUT first allocating memory for it. The system sees this illegal operation as a critical fault and closes the target process for you, no fuss, no muss, no permissions check. But so what if you kill it? What happens then? All services have a list of actions to perform in the event of a failure and any decent malware will just start itself back up again after a little while with a different image name.

The standard way to kill malware is to nuke the restore points, mark the executable for deletion and restart the PC. The Symantec Threat Report I mentioned earlier will be useful to custom tailor the solution a bit more but it will be some variation of that process.
I agree Computergeek01, but actually targeting malware means unhooking and deleting the registry entries and everything about the file, rather than closing the process.

As I mainly create persistent malware which pops back up after being terminated, persistence is the key, which defeats your purpose.
Registry entries mean exactly squat when the executable has been deleted, you should also kill the startup method now that I think about it but that's about all you have to do. If you look closer, closing the process isn't actually part of my solution.

I know you're young but you need to remember to be a little more verbose in your posts, otherwise it looks like you're copying and pasting buzzwords. Are you unhooking drivers or functions? Are you deleting the ENTIRE registry? You didn't even mention unregistering the DLLs associated with the infection. Then there is that issue where you can hide a registry key simply by making its name too long; how do you propose a user deals with that?
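The removal procedure Computergeek01 describes (remove the startup method, mark the executable for deletion, restart) as an added PowerShell example; it is not code from the thread or from any poster. It assumes the malware autostarts from one of the standard Run/RunOnce keys (other persistence methods, such as services or scheduled tasks, are not covered), and the image path and value name used in the remediation lines are placeholders to be filled in from the threat report for the specific infection. Scheduling the deletion uses the documented kernel32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT and needs an elevated shell.

```powershell
# Added example, not from the thread: audit the common Run/RunOnce autostart keys,
# report each entry with whether its image still exists on disk, and schedule an
# executable for deletion at the next reboot (the "mark for deletion and restart" step).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds for the registry provider itself, not real values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Take the image path: a quoted first token, or everything up to the first space
            $image = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $expanded = [Environment]::ExpandEnvironmentVariables($image)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Image   = $expanded
                Exists  = (Test-Path -LiteralPath $expanded)   # false = dangling or hidden image
            }
        }
    }
}

# P/Invoke for MoveFileEx; with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT (0x4)
# the file is recorded in PendingFileRenameOperations and deleted during the next boot,
# before the malware's own startup entry can run again.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileAtReboot {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path' (Win32 error $err); run from an elevated shell"
    }
}

# 1. Audit: list autostart entries so the suspicious one can be identified
Get-AutostartEntry | Format-Table Name, Exists, Image -AutoSize

# 2. Remediation (placeholders; fill in from the threat report, then uncomment):
#    remove the startup value first so it cannot re-launch the image, then schedule
#    the image for deletion and restart the machine.
# Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'PLACEHOLDER_VALUE_NAME'
# Remove-FileAtReboot -Path 'C:\PLACEHOLDER\path\to\malware.exe'
# Restart-Computer
```

The order matters for the reason given in the thread: deleting the file while its startup entry is still in place leaves a dangling entry (harmless), but removing the entry while the process is still alive gives it a chance to rewrite it, which is why the deletion is deferred to boot rather than attempted while the process runs.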

Computergeek01 is spot on here. Keep in mind that programming AVs includes creating custom heuristic algorithms and performing sophisticated removal procedures; additionally, if the malware does not use DLL injection but kernel injection, how would you go about detecting it or even detecting it?

@Everyone who answered:
Yay! I found out what went wrong with my code!
I used GetModuleHandle(...) instead of LoadLibrary(...)...
Thank you all for your valuable help...
Yeah, I saw your thread on Rohitab. With some research about you, Einstein.
BTW, How did you find my account?
What is your account name?
One more thing, as you guessed I'm Aravind!

Easy: look through the Rohitab programming section to find a similar question and bam, I could identify you.
I don't have an account on Rohitab.

Yes, I always knew it; in fact almost the entire C++ forum probably guessed.
Okay... Thank you very much!