starred/Quasar
1
0
Fork 0
mirror of https://github.com/quasar/Quasar.git synced 2026-04-25 15:25:59 +03:00
Code Issues 137 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #81] Persistence : Preventing users from terminating xRat process. #33

New issue
Closed
opened 2026-02-27 15:48:23 +03:00 by kerem · 27 comments
kerem commented 2026-02-27 15:48:23 +03:00
Owner
Copy link

Originally created by @vigneshkarthisan on GitHub (May 5, 2015).
Original GitHub issue: https://github.com/quasar/Quasar/issues/81

Just came across some website with this snippet of code. Actually it was in C++. I made use of this with PInvoke.

Calling ProtectProcess() makes the process critical. A critical process cannot be terminated. When a user with admin rights terminates it, it either shows an alert "Access Denied" or else the system crashes causing a BSOD(Blue Screen of Death).

Not sure whether this code will work with systems running Windows 8 or later, I'm on vacation. So I couldn't get a chance to test it.

Just call RevertProtection() to revert back to normal.

public static class Persistence
{
    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern void RtlSetProcessIsCritical(UInt32 v1, UInt32 v2, UInt32 v3);

    public static void ProtectProcess()
    {
        System.Diagnostics.Process.EnterDebugMode();
        RtlSetProcessIsCritical(1, 0, 0);
    }

    public static void RevertProtection()
    {
        RtlSetProcessIsCritical(0, 0, 0);
    }
}

Can be invoked from any part of code. Mr. @MaxXor or anyone else interested, Please try this code out bcoz I don't have a PC nearby with VS2013 installed.

Originally created by @vigneshkarthisan on GitHub (May 5, 2015). Original GitHub issue: https://github.com/quasar/Quasar/issues/81 Just came across some website with this snippet of code. Actually it was in C++. I made use of this with PInvoke. Calling `ProtectProcess()` makes the process critical. A critical process cannot be terminated. When a user with admin rights terminates it, it either shows an alert "Access Denied" or else the system crashes causing a BSOD(Blue Screen of Death). Not sure whether this code will work with systems running Windows 8 or later, I'm on vacation. So I couldn't get a chance to test it. Just call `RevertProtection()` to revert back to normal. ``` csharp public static class Persistence { [DllImport("ntdll.dll", SetLastError = true)] private static extern void RtlSetProcessIsCritical(UInt32 v1, UInt32 v2, UInt32 v3); public static void ProtectProcess() { System.Diagnostics.Process.EnterDebugMode(); RtlSetProcessIsCritical(1, 0, 0); } public static void RevertProtection() { RtlSetProcessIsCritical(0, 0, 0); } } ``` Can be invoked from any part of code. Mr. @MaxXor or anyone else interested, Please try this code out bcoz I don't have a PC nearby with VS2013 installed.
kerem 2026-02-27 15:48:23 +03:00
  • closed this issue
  • added the
    wont-add
         label
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (May 5, 2015):

How does this react to the client crashing? Perhaps we should add this after fixing some of the issues that may still crash the client. :)

<!-- gh-comment-id:99128002 --> @yankejustin commented on GitHub (May 5, 2015): How does this react to the client crashing? Perhaps we should add this after fixing some of the issues that may still crash the client. :)
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@vigneshkarthisan commented on GitHub (May 5, 2015):

Yep. What about creating a new branch and try this out ?

<!-- gh-comment-id:99128613 --> @vigneshkarthisan commented on GitHub (May 5, 2015): Yep. What about creating a new branch and try this out ?
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (May 5, 2015):

I am up for it. I need to get on my main computer which I can't do until later tonight. After a meeting at work, I certainly would be up to booting up a VM and seeing how stable the client is.
As I just wanted to mention again (mainly for others that may try it): Because the client still likely has issues that cause the client to crash, this could also make these unfortunate client crashes turn into something disastrous.

<!-- gh-comment-id:99133396 --> @yankejustin commented on GitHub (May 5, 2015): I am up for it. I need to get on my main computer which I can't do until later tonight. After a meeting at work, I certainly would be up to booting up a VM and seeing how stable the client is. <u>As I just wanted to mention again (mainly for others that may try it):</u> <b>Because the client still likely has issues that cause the client to crash, this could also make these unfortunate client crashes turn into something disastrous.</b>
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@vigneshkarthisan commented on GitHub (May 5, 2015):

Which time zone do you live in?

<!-- gh-comment-id:99134126 --> @vigneshkarthisan commented on GitHub (May 5, 2015): Which time zone do you live in?
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (May 5, 2015):

I live in the U.S. (EDT)

<!-- gh-comment-id:99134820 --> @yankejustin commented on GitHub (May 5, 2015): I live in the U.S. (EDT)
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@MaxXor commented on GitHub (May 6, 2015):

We need to be sure the client is really stable before we add this.

<!-- gh-comment-id:99437471 --> @MaxXor commented on GitHub (May 6, 2015): We need to be sure the client is really stable before we add this.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@vigneshkarthisan commented on GitHub (May 6, 2015):

Just make sure that this issue is not closed until we implement the feature in a separate branch.

<!-- gh-comment-id:99438409 --> @vigneshkarthisan commented on GitHub (May 6, 2015): Just make sure that this issue is not closed until we implement the feature in a separate branch.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (May 6, 2015):

How does this react to lower permissions? Can a client with "Normal" privileges do this?

<!-- gh-comment-id:99441422 --> @yankejustin commented on GitHub (May 6, 2015): How does this react to lower permissions? Can a client with "Normal" privileges do this?
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@vigneshkarthisan commented on GitHub (May 6, 2015):

I think it won't. But we can develop app logic to activate Persistence after the first attempt by the user to terminate the process. We can gain Admin rights one time(using the trick already implemented) and install xRAT client as a windows service so as to make sure that every time the PC boots, xRAT will be started with Admin privileges.

<!-- gh-comment-id:99446966 --> @vigneshkarthisan commented on GitHub (May 6, 2015): I think it won't. But we can develop app logic to activate Persistence after the first attempt by the user to terminate the process. We can gain Admin rights one time(using the trick already implemented) and install xRAT client as a windows service so as to make sure that every time the PC boots, xRAT will be started with Admin privileges.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (May 19, 2015):

@MaxXor I messed with this a bit on a virtual machine and it gets ugly really fast. You're one mistake from blowing your arm off... I don't think we should add this...

<!-- gh-comment-id:103280791 --> @yankejustin commented on GitHub (May 19, 2015): @MaxXor I messed with this a bit on a virtual machine and it gets ugly really fast. You're one mistake from blowing your arm off... I don't think we should add this...
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@ghost commented on GitHub (May 26, 2015):

Shall we start working on solutions for persistence?

<!-- gh-comment-id:105486567 --> @ghost commented on GitHub (May 26, 2015): Shall we start working on solutions for persistence?
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@MaxXor commented on GitHub (May 26, 2015):

No, not with this kind of persistence. Maybe we should add a startup persistence which checks every 20min if the startup registry key has been removed and add it then again.

<!-- gh-comment-id:105494430 --> @MaxXor commented on GitHub (May 26, 2015): No, not with this kind of persistence. Maybe we should add a startup persistence which checks every 20min if the startup registry key has been removed and add it then again.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@rabbitsmith commented on GitHub (May 26, 2015):

what if client.exe is terminated

<!-- gh-comment-id:105494932 --> @rabbitsmith commented on GitHub (May 26, 2015): what if client.exe is terminated
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@ghost commented on GitHub (May 26, 2015):

@MaxXor, right. Making a process critical will be really bad for this. I've looked into solutions for process persistence as far as making a process restart itself, etc... and it doesn't look like there will a be a good solution for this. Start-up persistence, on the other hand, would be viable. It wouldn't prevent users from being able to 'suspend process -> delete registry value -> terminate process' but it would be a start.

<!-- gh-comment-id:105495457 --> @ghost commented on GitHub (May 26, 2015): @MaxXor, right. Making a process critical will be really bad for this. I've looked into solutions for process persistence as far as making a process restart itself, etc... and it doesn't look like there will a be a good solution for this. Start-up persistence, on the other hand, would be viable. It wouldn't prevent users from being able to 'suspend process -> delete registry value -> terminate process' but it would be a start.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@MaxXor commented on GitHub (May 26, 2015):

@rabbitsmith Then we can't do anything as the process stopped. :c But this form of Process protection is not so good, like @yankejustin https://github.com/MaxXor/xRAT/issues/81#issuecomment-103280791 said.

@d3agle Yes, it's a start that doesn't hurt. :)

<!-- gh-comment-id:105495915 --> @MaxXor commented on GitHub (May 26, 2015): @rabbitsmith Then we can't do anything as the process stopped. :c But this form of Process protection is not so good, like @yankejustin https://github.com/MaxXor/xRAT/issues/81#issuecomment-103280791 said. @d3agle Yes, it's a start that doesn't hurt. :)
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@rabbitsmith commented on GitHub (May 26, 2015):

what about @vigneshkarthisan 's idea of a windows service

<!-- gh-comment-id:105501617 --> @rabbitsmith commented on GitHub (May 26, 2015): what about @vigneshkarthisan 's idea of a windows service
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@MaxXor commented on GitHub (May 26, 2015):

@rabbitsmith That's possible indeed. I like this idea.

<!-- gh-comment-id:105502308 --> @MaxXor commented on GitHub (May 26, 2015): @rabbitsmith That's possible indeed. I like this idea.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@rabbitsmith commented on GitHub (May 26, 2015):

one drawback though. starting from win 8, task manager shows process started as a service and clicking end task would kill the service

<!-- gh-comment-id:105503954 --> @rabbitsmith commented on GitHub (May 26, 2015): one drawback though. starting from win 8, task manager shows process started as a service and clicking end task would kill the service
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@MaxXor commented on GitHub (May 26, 2015):

It's okay I think. But with a Windows service xRAT starts up whenever the computer is booted, not when just when the user signs in.

<!-- gh-comment-id:105504413 --> @MaxXor commented on GitHub (May 26, 2015): It's okay I think. But with a Windows service xRAT starts up whenever the computer is booted, not when just when the user signs in.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@rabbitsmith commented on GitHub (May 26, 2015):

well when you are free try renaming client.exe to something like winlogon, svchost , csrss.exe and check whether it is immune to end process

<!-- gh-comment-id:105508811 --> @rabbitsmith commented on GitHub (May 26, 2015): well when you are free try renaming client.exe to something like winlogon, svchost , csrss.exe and check whether it is immune to end process
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@rabbitsmith commented on GitHub (May 26, 2015):

http://www.rohitab.com/discuss/topic/36910-process-protect/

<!-- gh-comment-id:105509356 --> @rabbitsmith commented on GitHub (May 26, 2015): http://www.rohitab.com/discuss/topic/36910-process-protect/
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (May 26, 2015):

How about basic DLL hijacking?
The sound of a Windows Service is quite alluring. It would be a bit of a pain modifying how we update, disconnect, or uninstall the client. I think that, other than those potential pains, it should be rather easy.

<!-- gh-comment-id:105644552 --> @yankejustin commented on GitHub (May 26, 2015): <strike>How about basic DLL hijacking?</strike> The sound of a Windows Service is quite alluring. It would be a bit of a pain modifying how we update, disconnect, or uninstall the client. I think that, other than those potential pains, it should be rather easy.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@abdullah2993 commented on GitHub (Jul 18, 2015):

we could subscribe to UnhandledException event and then use RevertProtection() so that it doesn't effect thesystem in case of an application crash?

<!-- gh-comment-id:122592655 --> @abdullah2993 commented on GitHub (Jul 18, 2015): we could subscribe to UnhandledException event and then use RevertProtection() so that it doesn't effect thesystem in case of an application crash?
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (Jul 19, 2015):

@Abdullah2993 I could forcibly close the Client easily by calling Process.Kill(). Internally, it is very likely that the program will consequently throw an error as a result of the termination. The above method could not effectively differentiate between accidental unhandled Exceptions in the Client and ones intended to close the program, because they really have the end result of closing the program.

<!-- gh-comment-id:122614173 --> @yankejustin commented on GitHub (Jul 19, 2015): @Abdullah2993 I could forcibly close the Client easily by calling <code>Process.Kill()</code>. Internally, it is <i>very</i> likely that the program will consequently throw an error as a result of the termination. The above method could not effectively differentiate between accidental unhandled Exceptions in the Client and ones intended to close the program, because they really have the end result of closing the program.
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@abdullah2993 commented on GitHub (Jul 19, 2015):

@yankejustin we could call RevertProtection() every time we want to close the program or the program is being closed due to an unhandled exception?

<!-- gh-comment-id:122615961 --> @abdullah2993 commented on GitHub (Jul 19, 2015): @yankejustin we could call RevertProtection() every time we want to close the program or the program is being closed due to an unhandled exception?
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@yankejustin commented on GitHub (Jul 19, 2015):

@Abdullah2993 But what would we need to do so? Another program to monitor the Client? How else could we do it?

<!-- gh-comment-id:122620029 --> @yankejustin commented on GitHub (Jul 19, 2015): @Abdullah2993 But what would we need to do so? Another program to monitor the Client? How else could we do it?
kerem commented 2026-02-27 15:48:24 +03:00
Author
Owner
Copy link

@MaxXor commented on GitHub (Jul 19, 2015):

We're not going to implement this kind of persistence, but we'll add running the client as windows service.

<!-- gh-comment-id:122637544 --> @MaxXor commented on GitHub (Jul 19, 2015): We're not going to implement this kind of persistence, but we'll add running the client as windows service.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dev
v1.4.1
v1.4.0
v1.3.0.0
v1.2.0.0
v1.1.0.0
v1.0.0.0
RELEASE4.1
RELEASE4
RELEASE3
RELEASE2
RELEASE1
Labels
Clear labels   
bug

   
bug

   
cant-reproduce

   
discussion

   
duplicate

   
easy

   
enhancement

   
help wanted

   
improvement

   
invalid

   
need more info

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wont-add
No labels
bug
bug
cant-reproduce
discussion
duplicate
easy
enhancement
help wanted
improvement
invalid
need more info
pull-request
question
wont-add
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/Quasar#33
No description provided.