Tuts 4 You

How are some malware persistent?


Videogamer555

For example, some malware seem to know when they have been shut down via Task Manager, and start themselves running again. How does that work? If you stop it from running, it's not running, so it has no code running that can then detect that it's not running. It seems almost like magic.


4 weeks later...
On 5/27/2019 at 6:18 AM, Videogamer555 said:

How does that work?

Is the process using services or a driver as a protector, or is it checking whether the process is running or not?

Can you upload an example/sample?


1 month later...

Think like a virus... you want to stay alive in order to spread

usually...

“First, malicious code is placed into a new or existing executable page within a remote process. Attackers typically use the Win32 APIs VirtualAllocEx and CreateFileMapping/MapViewOfSection to allocate new executable pages. They then use VirtualProtectEx to turn existing pages into executable and writeable pages.

Next, the injected malicious code is executed through control of the thread and execution context. In many notable cases, attackers use the API CreateRemoteThread” (see Microsoft), and when you see that combination of APIs, question it (ATP does).

With those APIs (I'll call it a cuckoo's egg), inject virus shellcode into the process. That shellcode is designed to detect if virus.exe is running and, if it is not, fire it up again. Keep it threaded nicely and the now-parasitic host process runs normally, all the while a thread is looking for virus.exe and doing other things.

And yeah, you can do drivers and services that do the same checking, which requires more skilled code, not to mention root access to load the driver - assuming you're using a user-level account...

Or there may be two virus processes where one is designed to detect the other as being active.
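The reply above gives a defender two things to look for: the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain aimed at another process, and a process image that comes back a few seconds after it was killed, launched by a different parent than the one that started it the first time (the injected host, a partner virus process, or a service). The following block is an added example and not code from the post or from any product: it runs both checks over a handful of constructed, Sysmon-style events. The Event schema, the pid and image names, and the 5-second and 10-second correlation windows are assumptions chosen for illustration.

```python
"""Toy detectors for the two persistence patterns described in the thread.

Added example. The Event records below are constructed for this page and only
loosely modelled on process-creation / process-termination / API-call telemetry;
they are not a real product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Cross-process memory preparation calls quoted from Microsoft in the thread.
ALLOC_OR_PROTECT = {"VirtualAllocEx", "MapViewOfSection", "VirtualProtectEx"}


@dataclass(frozen=True)
class Event:
    t: float          # seconds since start of the (constructed) capture
    kind: str         # "api", "proc_start" or "proc_end"
    pid: int          # acting process
    image: str        # acting process image name
    api: str = ""     # kind == "api": Win32 API name
    target: int = 0   # kind == "api": pid the call was aimed at (0 = self)
    parent: int = 0   # kind == "proc_start": parent pid


def find_injection_chains(events, window=5.0):
    """Return (source_pid, target_pid) pairs where one process prepared memory
    in ANOTHER process, wrote to it, then started a remote thread there, in
    that order and within `window` seconds of the first step."""
    stages = defaultdict(dict)      # (src, tgt) -> {"alloc": t, "write": t}
    hits = []
    for e in sorted(events, key=lambda e: e.t):
        if e.kind != "api" or e.target in (0, e.pid):
            continue                # only cross-process calls are interesting
        key = (e.pid, e.target)
        st = stages[key]
        if e.api in ALLOC_OR_PROTECT:
            st["alloc"] = e.t       # (re)start the chain at this call
            st.pop("write", None)
        elif e.api == "WriteProcessMemory" and "alloc" in st and e.t - st["alloc"] <= window:
            st["write"] = e.t
        elif e.api == "CreateRemoteThread" and "write" in st and e.t - st["alloc"] <= window:
            hits.append(key)
            stages[key] = {}        # chain complete; look for the next one
    return hits


def find_respawns(events, window=10.0):
    """Return (image, parent_image) for each image that was terminated and then
    re-launched within `window` seconds by a parent other than the one that
    launched it originally. A user re-opening a program from the same shell
    keeps its original parent and is therefore not reported."""
    ordered = sorted(events, key=lambda e: e.t)
    pid_image = {e.pid: e.image for e in ordered if e.kind == "proc_start"}
    first_parent = {}               # image -> parent pid of its first launch
    last_end = {}                   # image -> time of its latest termination
    hits = []
    for e in ordered:
        if e.kind == "proc_start":
            first_parent.setdefault(e.image, e.parent)
            if (e.image in last_end and e.t - last_end[e.image] <= window
                    and e.parent != first_parent[e.image]):
                hits.append((e.image, pid_image.get(e.parent, "?")))
        elif e.kind == "proc_end":
            last_end[e.image] = e.t
    return hits


# Constructed sample: virus.exe injects into notepad.exe, is killed from Task
# Manager, and is relaunched by the parasitised notepad.exe. A debugger that
# only allocates and writes (no remote thread) and a user re-opening notepad
# from explorer are included as cases that must NOT be flagged.
SAMPLE = [
    Event(0.0, "proc_start", 4000, "explorer.exe", parent=1000),
    Event(1.0, "proc_start", 4100, "virus.exe", parent=4000),
    Event(1.5, "proc_start", 4200, "notepad.exe", parent=4000),
    Event(2.0, "api", 4100, "virus.exe", api="VirtualAllocEx", target=4200),
    Event(2.1, "api", 4100, "virus.exe", api="WriteProcessMemory", target=4200),
    Event(2.2, "api", 4100, "virus.exe", api="CreateRemoteThread", target=4200),
    Event(3.0, "api", 4300, "debugger.exe", api="VirtualAllocEx", target=4400),
    Event(3.1, "api", 4300, "debugger.exe", api="WriteProcessMemory", target=4400),
    Event(5.0, "proc_end", 4100, "virus.exe"),
    Event(5.5, "proc_start", 4500, "virus.exe", parent=4200),
    Event(60.0, "proc_end", 4200, "notepad.exe"),
    Event(61.0, "proc_start", 4600, "notepad.exe", parent=4000),
]

if __name__ == "__main__":
    print("injection chains:", find_injection_chains(SAMPLE))
    print("suspicious respawns:", find_respawns(SAMPLE))
```

The respawn check also covers the two-process variant from the last sentence of the reply: if virus_a.exe is killed and relaunched by virus_b.exe, the new parent differs from the original one and the pair is reported. Both heuristics are deliberately narrow (a legitimate service manager restarting a crashed service would trip the second one), so in practice they are a starting point for triage, not a verdict.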
