Sorry, I didn't have time to write it until just now. I made it simpler than originally planned. This program will just wait for bitsadmin and then print its parent process name to a file so we can see what starts it.
Also, this may not be malware, I'm just always suspicious when it comes to things potentially accessing the internet without consent.
Here's the program's virus scan: Scan
Here's the program: bitsadmin buster.zip
To use it, unzip the exe somewhere. Wherever the exe is placed is where the text file with the parent's name will be created.
Run the program and it will ask for admin access, which it requires. If you get a SmartScreen pop-up, click the "More info" link and then allow it to run.
Here's the source code; it's fairly basic.
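#include <Windows.h>
#include <TlHelp32.h>

#include <chrono>
#include <fstream>
#include <string>
#include <thread>
#include <wchar.h>

// Undocumented ntdll export. The whole target process is frozen so it cannot
// exit (and its parent PID go stale) before we have recorded who started it.
typedef LONG(NTAPI *NtSuspendProcess)(IN HANDLE procHandle);

void SuspendProcess(DWORD pid);
bool GetProcInfo(const std::wstring &name, PROCESSENTRY32W &pe32);
bool GetProcInfo(DWORD pid, PROCESSENTRY32W &pe32);

namespace {

// Walks one Toolhelp process snapshot and stops at the first entry for which
// `match` returns true. On success `pe32` holds that entry; on failure its
// contents are unspecified. The W variants are used explicitly so the entry
// type and the enumeration calls agree regardless of whether UNICODE is set.
template <class Pred>
bool FindProcessEntry(Pred match, PROCESSENTRY32W &pe32) {
    pe32.dwSize = sizeof(PROCESSENTRY32W);
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL, so a plain truthiness test would pass a bad handle on to
    // Process32FirstW.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return false;
    }
    bool found = false;
    if (Process32FirstW(hSnap, &pe32)) {
        do {
            if (match(pe32)) {
                found = true;
                break;
            }
        } while (Process32NextW(hSnap, &pe32));
    }
    CloseHandle(hSnap);
    return found;
}

} // namespace

// Waits for a bitsadmin.exe instance to appear, freezes it, and writes the
// name of its parent process to bitsadmin_info.txt next to the executable.
// Returns 0 on success, ERROR_NOT_FOUND if the parent could not be resolved.
int WINAPI WinMain(HINSTANCE, HINSTANCE, char *, int) {
    const std::wstring name(L"bitsadmin.exe");
    PROCESSENTRY32W pe32{};
    // Poll until a bitsadmin.exe instance shows up in the process list.
    while (!GetProcInfo(name, pe32)) {
        std::this_thread::sleep_for(std::chrono::milliseconds(25));
    }
    // Freeze it so a short-lived instance cannot exit before its parent is
    // looked up. NOTE(review): the process is deliberately left suspended;
    // resuming it afterwards would need the matching NtResumeProcess export.
    SuspendProcess(pe32.th32ProcessID);

    // wofstream narrows wide characters through the global locale; image
    // names outside the current code page may be dropped from the output.
    std::wofstream file(L"bitsadmin_info.txt");

    PROCESSENTRY32W p_pe32{};
    if (!GetProcInfo(pe32.th32ParentProcessID, p_pe32)) {
        // The parent may already have exited; in that case th32ParentProcessID
        // is stale (and may even have been reused), so report the miss rather
        // than the meaningless GetLastError() of the last snapshot call.
        if (file.is_open()) {
            file << L"Parent process (PID " << pe32.th32ParentProcessID
                 << L") of bitsadmin.exe (PID " << pe32.th32ProcessID
                 << L") not found; it may have already exited.";
        }
        return ERROR_NOT_FOUND;
    }
    if (file.is_open()) {
        // PIDs are recorded as well so the entry can be correlated with
        // process-creation events (e.g. Sysmon / Security 4688) for the
        // same time window.
        file << L"Parent Process Name: " << p_pe32.szExeFile
             << L" (PID " << p_pe32.th32ProcessID
             << L"), bitsadmin.exe PID " << pe32.th32ProcessID;
    }
    // The stream is flushed and closed by its destructor.
    return 0;
}

// Suspends every thread of `pid` via NtSuspendProcess. Failures (no access,
// ntdll export missing) are silently ignored, matching the original
// best-effort contract.
void SuspendProcess(DWORD pid) {
    // PROCESS_SUSPEND_RESUME is all NtSuspendProcess needs; asking for
    // PROCESS_ALL_ACCESS only makes OpenProcess more likely to be denied.
    HANDLE hProc = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
    if (!hProc) {
        return;
    }
    HMODULE ntdll = GetModuleHandleW(L"ntdll");
    NtSuspendProcess pNtSuspendProcess =
        ntdll ? reinterpret_cast<NtSuspendProcess>(
                    GetProcAddress(ntdll, "NtSuspendProcess"))
              : nullptr;
    // GetProcAddress returns NULL on failure; calling through it unchecked
    // would crash the tool instead of just skipping the suspend.
    if (pNtSuspendProcess) {
        pNtSuspendProcess(hProc);
    }
    CloseHandle(hProc);
}

// Finds the first process whose image name equals `name`, ignoring case
// (Windows image names are case-insensitive, so "BITSADMIN.EXE" must match).
bool GetProcInfo(const std::wstring &name, PROCESSENTRY32W &pe32) {
    return FindProcessEntry(
        [&name](const PROCESSENTRY32W &e) {
            return _wcsicmp(name.c_str(), e.szExeFile) == 0;
        },
        pe32);
}

// Finds the process entry whose PID equals `pid`. Note that PIDs are reused
// once a process exits, so a match is only meaningful while that process is
// known to be alive.
bool GetProcInfo(DWORD pid, PROCESSENTRY32W &pe32) {
    return FindProcessEntry(
        [pid](const PROCESSENTRY32W &e) { return e.th32ProcessID == pid; },
        pe32);
}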