Skip to content

NovoCore/UniversalRemover

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.github
.github
 
 
UniversalRemover
UniversalRemover
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 
UniversalRemover.sln
UniversalRemover.sln
 
 

Repository files navigation

Universal Remover

About

I developed Universal Remover out of frustration with antivirus solutions that overload you with unnecessary features yet fail to effectively eliminate Malware. The truly insidious aspect lies in how crypters can evade detection by your antivirus, disable it, and subsequently allow Malware to operate unimpeded.

How Does Universal Remover Disable Malware's Critical Process Privileges?

The Universal Remover identifies Malware on your system and then strips it of its critical process status by setting this attribute to false. After demoting Malware from its critical status, the tool proceeds to safely terminate it. Below is the code snippet that facilitates this crucial step:

const int STATUS_SUCCESS = 0;
const int ProcessBreakOnTermination = 0x1D;

[DllImport("ntdll.dll", SetLastError = true)]
static extern int NtSetInformationProcess(IntPtr processHandle, int processInformationClass, ref int processInformation, int processInformationLength);

static void SetProcessCriticalStatus(int pid, bool setStatus, Action<string, Color> logAction)
{
    try
    {
        Process process = Process.GetProcessById(pid);
        if (process == null)
        {
            logAction("Couldn't find the process.", Color.Red);
            return;
        }

        int isCritical = setStatus ? 1 : 0;
        int result = NtSetInformationProcess(process.Handle, ProcessBreakOnTermination, ref isCritical, sizeof(int));
        if (result == STATUS_SUCCESS)
        {
            logAction($"Process {(setStatus ? "is now vulnerable" : "is back to normal")} successfully.", Color.Green);
        }
        else
        {
            logAction($"Couldn't change the process. Error: {result}", Color.Red);
        }
    }
    catch (Exception ex)
    {
        logAction($"Something went wrong: {ex.Message}", Color.Red);
    }
}

Since you don't have the same logging setup as me, I've tweaked the code to use Console.WriteLine instead. Check it out:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

const int STATUS_SUCCESS = 0;
const int ProcessBreakOnTermination = 0x1D;

[DllImport("ntdll.dll", SetLastError = true)]
static extern int NtSetInformationProcess(IntPtr processHandle, int processInformationClass, ref int processInformation, int processInformationLength);

static void SetProcessCriticalStatus(int pid, bool setStatus)
{
    try
    {
        Process process = Process.GetProcessById(pid);
        if (process == null)
        {
            Console.WriteLine("Couldn't find the process.");
            return;
        }

        int isCritical = setStatus ? 1 : 0;
        int result = NtSetInformationProcess(process.Handle, ProcessBreakOnTermination, ref isCritical, sizeof(int));
        if (result == STATUS_SUCCESS)
        {
            Console.WriteLine($"Process {(setStatus ? "is now vulnerable" : "is back to normal")} successfully.");
        }
        else
        {
            Console.WriteLine($"Couldn't change the process. Error: {result}");
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine($"Something went wrong: {ex.Message}");
    }
}

About

The Universal Malware Remover

Resources

Readme

License

AGPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

Release Latest
Jun 1, 2024

Sponsor this project

Packages

No packages published

Languages