Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/chainski/terminator

Terminator is a compact utility coded in C#, designed to end processes that have RtlSetProcessIsCritical enabled.
https://github.com/chainski/terminator

backdoorkiller bypassrtlsetprocessiscritical criticalprocess dynamic-analysis malware-detection malware-remover malwareanalysis malwarekiller ntdll ntraiseharderror payloadkiller rootkit-killer rtlsetprocessiscritical terminator trojankiller uac viruskiller

Last synced: 3 days ago
JSON representation

Terminator is a compact utility coded in C#, designed to end processes that have RtlSetProcessIsCritical enabled.

Host: GitHub
URL: https://github.com/chainski/terminator
Owner: Chainski
License: gpl-3.0
Created: 2024-05-01T16:39:46.000Z (7 months ago)
Default Branch: main
Last Pushed: 2024-06-23T01:40:49.000Z (5 months ago)
Last Synced: 2024-06-23T05:13:57.177Z (5 months ago)
Topics: backdoorkiller, bypassrtlsetprocessiscritical, criticalprocess, dynamic-analysis, malware-detection, malware-remover, malwareanalysis, malwarekiller, ntdll, ntraiseharderror, payloadkiller, rootkit-killer, rtlsetprocessiscritical, terminator, trojankiller, uac, viruskiller
Language: C#
Homepage:
Size: 2.93 MB
Stars: 4
Watchers: 0
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

Terminator

Terminator is a compact utility coded in C#, designed to end processes that have ```RtlSetProcessIsCritical``` enabled see [bsod.cs](https://github.com/Chainski/Terminator/blob/main/bsod.cs)

### Requirements
- An administrator account.
- Tested on ```Windows 10, version 22H2 (19045.4355) amd64```

### Usage
- Download the program from [releases](https://github.com/Chainski/Terminator/releases).
- Run ```Terminator.exe```

### Proof of Concept 👁
https://github.com/Chainski/Terminator/assets/96607632/135842a2-e5f8-41b4-abbc-72b6bec5fdbd

### How it Works ?
Terminator defines a method called ```UnProtectAndTerminate``` that aims to terminate a specified process after removing its protection. It utilizes platform invoke to call functions from system DLLs.
First, it imports functions from ```ntdll.dll``` and ```kernel32.dll``` using DllImport attribute. These functions are ```NtSetInformationProcess``` to alter process information and ```TerminateProcess``` to forcibly terminate a process.
Within the ```UnProtectAndTerminate``` method, it enters debug mode using ```Process.EnterDebugMode()```. Then it attempts to open the target process using ```OpenProcess```, passing necessary parameters including the process ID.
Afterward, it calls ```NtSetInformationProcess``` with appropriate arguments to remove the process protection. If successful, it terminates the process using ```TerminateProcess``` with an exit code of 0.
Terminator also provides feedback via console output, indicating success or failure in terminating the process.

### Why was this tool made ?

I developed this tool specifically designed to terminate processes containing the ```RtlSetProcessIsCritical``` feature, after encountering several malware samples utilizing this technique during my analysis. This tool proved invaluable for expediting dynamic analysis, enabling swift termination of potentially harmful processes. By swiftly neutralizing these processes, analysts can efficiently investigate malware behavior, identify malicious activities, and develop effective countermeasures. Such tools not only streamline the analysis process but also enhance cybersecurity efforts by empowering analysts to respond proactively to emerging threats.

### License
This project is licensed under the GNU License - see the [LICENSE](https://github.com/chainski/Terminator/blob/main/LICENSE) file for details