A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #15249  by void
 Sat Aug 18, 2012 5:47 pm
Hi forum, I would like to know what is good persistence for a ring3 process today? I usually see these two examples:

1) payload.exe starts and maps itself completely into some other process and then calls ExitProcess();
2) payload.exe is running and visible(!) in taskmgr but has some thread running in another process that will watch and restart payload.exe if needed (mutex based, handle based, thread is injected normally via WriteProcessMemory/CreateRemoteThread)

Are there some other tricks I don't know about?

PS: (1) is probably better because AV software needs to restart the PC in order to remove it after detection (payload.exe is locked -- or, in recent malware, the injected code will recreate itself on the HDD)
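Added example, not from the thread or any of its posters: defender-side detection logic for the two patterns described in this post, run over constructed Sysmon-style event records. Event ID 8 (CreateRemoteThread), 1 (process create) and 5 (process terminate) and their field names are Sysmon's; every path, PID, timestamp and address in the sample is invented for the example. Pattern (2) shows up as a remote thread into another image whose start address is not backed by a loaded module, plus the same image reappearing seconds after it was terminated.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style records (not real telemetry).
# EventID 1 = process create, 5 = process terminate, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2012-08-18 17:40:00.000",
     "Image": r"C:\Users\demo\payload.exe", "ProcessId": 4012,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # payload.exe starts a thread in explorer.exe at an address no loaded
    # module backs: what WriteProcessMemory/CreateRemoteThread injection of
    # hand-mapped code looks like in Sysmon (StartModule is blank).
    {"EventID": 8, "UtcTime": "2012-08-18 17:40:01.000",
     "SourceImage": r"C:\Users\demo\payload.exe", "SourceProcessId": 4012,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1320,
     "StartAddress": "0x02A40000", "StartModule": "", "StartFunction": ""},
    # payload.exe is terminated ...
    {"EventID": 5, "UtcTime": "2012-08-18 17:45:00.000",
     "Image": r"C:\Users\demo\payload.exe", "ProcessId": 4012},
    # ... and a new instance appears three seconds later (watchdog restart).
    {"EventID": 1, "UtcTime": "2012-08-18 17:45:03.000",
     "Image": r"C:\Users\demo\payload.exe", "ProcessId": 4488,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Constructed benign remote thread: the start address resolves to an
    # exported function of a loaded module, so the heuristic ignores it.
    {"EventID": 8, "UtcTime": "2012-08-18 17:46:00.000",
     "SourceImage": r"C:\Program Files\Vendor\monitor.exe",
     "SourceProcessId": 2200,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 900,
     "StartAddress": "0x77A1B2C0",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]


def parse_time(value):
    """Sysmon UtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def find_suspicious_remote_threads(events):
    """Flag Event 8 records where one image creates a thread in a different
    image and the thread start is not inside any loaded module."""
    hits = []
    for e in events:
        if e.get("EventID") != 8:
            continue
        if e["SourceImage"].lower() == e["TargetImage"].lower():
            continue  # threads into the same image are ordinary
        if e.get("StartModule"):
            continue  # start address backed by a module: not hand-mapped code
        hits.append({"source": e["SourceImage"], "target": e["TargetImage"],
                     "start_address": e["StartAddress"]})
    return hits


def find_restart_loops(events, window_seconds=30):
    """Pair each terminate (Event 5) with a create (Event 1) of the same image,
    under a different PID, within the window: the watchdog-restart pattern."""
    creates = defaultdict(list)
    for e in events:
        if e.get("EventID") == 1:
            creates[e["Image"].lower()].append(e)
    hits = []
    for e in events:
        if e.get("EventID") != 5:
            continue
        ended = parse_time(e["UtcTime"])
        for c in creates[e["Image"].lower()]:
            delta = (parse_time(c["UtcTime"]) - ended).total_seconds()
            if 0 <= delta <= window_seconds and c["ProcessId"] != e["ProcessId"]:
                hits.append({"image": e["Image"], "old_pid": e["ProcessId"],
                             "new_pid": c["ProcessId"], "restart_after_s": delta})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_remote_threads(SAMPLE_EVENTS):
        print("remote thread into foreign image, unbacked start:", hit)
    for hit in find_restart_loops(SAMPLE_EVENTS):
        print("image restarted shortly after termination:", hit)
```

The two functions are independent on purpose: a blank StartModule on a cross-image remote thread is worth an alert on its own, while the restart correlation catches option (2) even when the watchdog thread was planted before logging began. Widen the window or key on the image hash instead of the path when the watchdog recreates the file under a new name.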
 #15254  by wacked2
 Sun Aug 19, 2012 11:44 am
The best persistence is a Rootkit. Period.
Ring-3 rootkits can be detected or circumvented easily, so either don't even try or go more hardcore and also try to disable the simple unhooking techniques.
You're only done when one needs to use the syscalls directly.
 #15255  by void
 Sun Aug 19, 2012 12:52 pm
Are you suggesting hooks? I'm afraid that little to nothing can be done to prevent some AV from killing a standalone process, and that's why malware doesn't hook *Terminate* || *Thread* related API calls unless it's in ring0 8-) and keeps itself in some trusted process.

Well, for ring0 there are 6 million ways to do this; for example, there is a really old non-rootkit POC from Mark R. (it was some unexpected behavior) where the process keeps an open handle to a ring0 device. I tested it like 4 years ago and I couldn't find a way to terminate that process with gmer, icesword, etc., but let's talk about ring3 first.
 #15347  by EP_X0FF
 Sat Aug 25, 2012 6:14 am
Number one. Most malware uses it. It still needs a body on the disk and a way to execute it after reboot. Visible malware processes are too noobish and look like Chinese autorunner worms.