This repository has been archived by the owner on Jul 11, 2024. It is now read-only.
NovoCore/OrcusRemover

OrcusRemover searches for files with Assembly names that contain "Orcus", but mainly should detect the hidden files
Disclaimer: This project has been archived and should not be used. Instead, use our Universal Remover.

Orcus Remover

About

I developed Orcus Remover out of frustration with antivirus solutions that overload you with unnecessary features yet fail to effectively eliminate Orcus. The truly insidious aspect lies in how crypters can evade detection by your antivirus, disable it, and subsequently allow Orcus to operate unimpeded.

How Does Orcus Remover Disable Orcus's Critical Process Privileges?

The Orcus Remover identifies Orcus malware on your system and then strips it of its critical process status by setting that attribute (the ProcessBreakOnTermination flag) to false. Killing a process while the flag is still set would bugcheck the machine, so only after demoting Orcus from its critical status does the tool proceed to safely terminate it. Below is the code snippet that facilitates this crucial step:

const int STATUS_SUCCESS = 0;
// PROCESS_INFORMATION_CLASS value 29 (ProcessBreakOnTermination): the "critical process" flag.
const int ProcessBreakOnTermination = 0x1D;

// NtSetInformationProcess returns an NTSTATUS, not a Win32 error code; SetLastError is irrelevant here.
[DllImport("ntdll.dll", SetLastError = true)]
static extern int NtSetInformationProcess(IntPtr processHandle, int processInformationClass, ref int processInformation, int processInformationLength);

// setStatus == false clears the critical flag so the process can be killed without a bugcheck.
// Changing this flag requires SeDebugPrivilege, so the tool has to run elevated.
static void SetProcessCriticalStatus(int pid, bool setStatus, Action<string, Color> logAction)
{
    try
    {
        // GetProcessById never returns null: it throws ArgumentException (caught below) when no such process exists.
        Process process = Process.GetProcessById(pid);

        int isCritical = setStatus ? 1 : 0;
        int result = NtSetInformationProcess(process.Handle, ProcessBreakOnTermination, ref isCritical, sizeof(int));
        if (result == STATUS_SUCCESS)
        {
            logAction($"Process {(setStatus ? "is now marked critical" : "is no longer critical")}.", Color.Green);
        }
        else
        {
            logAction($"Couldn't change the process. NTSTATUS: 0x{result:X8}", Color.Red);
        }
    }
    catch (Exception ex)
    {
        logAction($"Something went wrong: {ex.Message}", Color.Red);
    }
}

Since you don't have the same logging setup as me, I've tweaked the code to use Console.WriteLine instead, wrapped in a console program that takes the PID as its first argument. Check it out:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

class Program
{
    const int STATUS_SUCCESS = 0;
    // PROCESS_INFORMATION_CLASS value 29 (ProcessBreakOnTermination): the "critical process" flag.
    const int ProcessBreakOnTermination = 0x1D;

    [DllImport("ntdll.dll", SetLastError = true)]
    static extern int NtSetInformationProcess(IntPtr processHandle, int processInformationClass, ref int processInformation, int processInformationLength);

    // setStatus == false clears the critical flag. Requires SeDebugPrivilege (run elevated).
    static void SetProcessCriticalStatus(int pid, bool setStatus)
    {
        try
        {
            // GetProcessById throws ArgumentException (caught below) when no such process exists.
            Process process = Process.GetProcessById(pid);

            int isCritical = setStatus ? 1 : 0;
            int result = NtSetInformationProcess(process.Handle, ProcessBreakOnTermination, ref isCritical, sizeof(int));
            if (result == STATUS_SUCCESS)
            {
                Console.WriteLine($"Process {(setStatus ? "is now marked critical" : "is no longer critical")}.");
            }
            else
            {
                Console.WriteLine($"Couldn't change the process. NTSTATUS: 0x{result:X8}");
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Something went wrong: {ex.Message}");
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 1 || !int.TryParse(args[0], out int pid))
        {
            Console.WriteLine("Usage: OrcusRemover <pid>");
            return;
        }
        // Demote the process: clear its critical flag so it can be terminated safely afterwards.
        SetProcessCriticalStatus(pid, false);
    }
}
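The complete demote-then-terminate sequence described above, as an added example that is not part of OrcusRemover's own code: it assumes an elevated Windows console app, enables SeDebugPrivilege through Process.EnterDebugMode(), and adds an NtQueryInformationProcess read of the flag before and after clearing it, so Kill() is never called on a process that is still critical.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example, not OrcusRemover's own code. Assumes an elevated Windows process;
// Process.EnterDebugMode() enables SeDebugPrivilege, which changing the flag requires.
static class CriticalProcessRemover
{
    const int STATUS_SUCCESS = 0;
    const int ProcessBreakOnTermination = 0x1D;   // "critical process" flag (class 29)
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass, ref int info, int infoLength, out int returnLength);
    [DllImport("ntdll.dll")]
    static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass, ref int info, int infoLength);

    // True if the process is marked critical: killing it now would bugcheck the machine.
    public static bool IsCritical(Process p)
    {
        int flag = 0;
        int status = NtQueryInformationProcess(p.Handle, ProcessBreakOnTermination, ref flag, sizeof(int), out _);
        if (status != STATUS_SUCCESS)
            throw new InvalidOperationException($"NtQueryInformationProcess: 0x{status:X8}");
        return flag != 0;
    }

    // Demote, re-check, then kill. Never calls Kill() while the flag is still set.
    public static void SafeTerminate(int pid)
    {
        Process p = Process.GetProcessById(pid);   // throws ArgumentException if not running
        if (IsCritical(p))
        {
            int off = 0;
            int status = NtSetInformationProcess(p.Handle, ProcessBreakOnTermination, ref off, sizeof(int));
            if (status != STATUS_SUCCESS)
                throw new InvalidOperationException($"NtSetInformationProcess: 0x{status:X8}");
            if (IsCritical(p))
                throw new InvalidOperationException("Flag still set; refusing to kill.");
            Console.WriteLine($"PID {pid}: critical flag cleared.");
        }
        p.Kill();
        p.WaitForExit();
        Console.WriteLine($"PID {pid}: terminated.");
    }

    static void Main(string[] args)
    {
        Process.EnterDebugMode();          // enable SeDebugPrivilege for this process
        SafeTerminate(int.Parse(args[0])); // PID of the process identified as Orcus
    }
}
```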
