Hey all, I'm trying to make a program to delete a certain kind of virus whose footsteps I know (like ComboFix, for example). The problem I'm facing is I can't delete them while they're running and can't shut them up, so I would like to learn how to make my program run before all the other start-up programs and stop all the programs from running until I'm done with the cleaning actions. Any articles / snippets / keywords will be appreciated.
I don't want people to be limited to disks and stuff, just want the program to operate correctly. ComboFix does just that: it restarts the PC, holds all the programs and services, and only once the virus is gone does it let everything run again.
There are several ways to do it, depending on how resilient the virus you are trying to kill is. First of all, let me tell you that you have chosen the wrong language for this. There isn't always a way to do it in C#; you might have to use unmanaged code instead.

1. If you strictly wanted to run your program before explorer.exe, all you have to do is change the shell to your program and take explorer out of the loop:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Just beware that I have not tested the effects of running a .NET managed application as the Windows shell.

2. Running before explorer.exe isn't necessarily before the virus. If the virus has loaded itself as a device driver, you will need another device driver to remove it. Unless your code runs in ring 0 you will not be able to touch anything running in ring 0. Needless to say, you can only make drivers in C.

3. If the virus you are trying to remove is smart enough, it may even run in safe mode. Killing something like this could easily be done using an NT Native application that runs before the Win API is started. Let's say this is a bit too extreme. Reinstalling the OS would be much easier.

4. Say you are trying to delete something easy. Try to kill the program using it first. The Win API function TerminateProcess() should do the trick. You can easily call unmanaged Win API functions from C#. In the case of some viruses it will not work, but injecting code into it via CreateRemoteThread() and calling ExitProcess() should cause the program to kill itself. Of course, the latter approach is unmanaged C only.

5. You may try to delete the file on Windows shutdown using MoveFileEx(). MOVEFILE_DELAY_UNTIL_REBOOT should do the trick. Read more on MSDN about it.
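Points 4 and 5 of the answer above in working C#, as an added example that is not part of the original thread: Process.Kill() wraps the TerminateProcess() call, and a locked file is handed to MoveFileEx() with MOVEFILE_DELAY_UNTIL_REBOOT so the kernel removes it at the next boot before any service or startup program runs. The class and method names are my own; the P/Invoke signature and the 0x4 flag value are the documented Win32 ones.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

// Added example (not from the thread): terminate the running image, then delete
// its file now or, if still locked, via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
static class RebootDeleter
{
    const uint MOVEFILE_DELAY_UNTIL_REBOOT = 0x4; // value from winbase.h

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);

    // Process.Kill() wraps TerminateProcess(); it throws Win32Exception on
    // protected or inaccessible targets, which we skip rather than abort on.
    public static int KillByImagePath(string imagePath)
    {
        int killed = 0;
        foreach (var p in Process.GetProcesses())
        {
            try
            {
                if (string.Equals(p.MainModule.FileName, imagePath, StringComparison.OrdinalIgnoreCase))
                {
                    p.Kill();
                    p.WaitForExit(5000);
                    killed++;
                }
            }
            catch (Win32Exception) { }          // access denied or 32/64-bit mismatch
            catch (InvalidOperationException) { } // process exited meanwhile
            finally { p.Dispose(); }
        }
        return killed;
    }

    // Delete now if possible; otherwise queue the delete in the registry value
    // Session Manager\PendingFileRenameOperations, which Windows processes at the
    // next boot before any service or startup program runs (needs administrator rights).
    public static bool DeleteNowOrAtReboot(string path)
    {
        try { File.Delete(path); return true; }
        catch (IOException) { }                 // file in use
        catch (UnauthorizedAccessException) { } // ACL or read-only attribute
        if (!MoveFileEx(path, null, MOVEFILE_DELAY_UNTIL_REBOOT))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return false; // deferred to next boot
    }
}
```

Call KillByImagePath(path) and then DeleteNowOrAtReboot(path) from an elevated process; a false return from the second call means the file is still locked and will be removed by the session manager at the next reboot.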