
Crypto Clipper Killer

thulean
Rank: floppy disk
User
Registered: 23.01.2024
Messages: 4
Reactions: 0
I was wondering how I can make a program that kills the processes of crypto clippers installed on a Windows machine. Currently I have written code that checks each running process that is NOT located in critical Windows folders and does NOT have a signature, and kills those processes. I have also tried to check which process is locking the clipboard when a crypto address is copied to it. Both of these methods seem ineffective. Could someone help me with the logic that I can implement in my code to find all crypto clippers installed and either have priority over them (my address will always be the one copied to the clipboard) or completely uninstall them from the target?

The first thing I think of is to hook GetClipboardData and, using a regex, check its content for the pattern of a BTC address.
To do this in user mode you need to inject a DLL/code into every running process and set the hook with the logic above. In the hook you call the original function and run the regex against the clipboard data inside the hook; if a BTC address is detected, GetModuleFileNameW for the current module is called and the file is deleted (for example ShellExecute -> "cmd /c for /l %i in (1,1,10) do ( timeout /T 1 && del %filepath% )"), then ExitProcess is called.

In order to do this you have to implement modules for x86 and x64 binaries (DLL or shellcode) that will do the logic above, the process injection itself, and you will also need to hook CreateProcessW to inject into spawned child processes (or maybe use this https://learn.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls#about-appinit_dlls, which is easier but doesn't work with Secure Boot enabled).
You can also check from inside the hook: if the current process is a standard Windows one / has a signature, then skip the checking of the clipboard data.
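Added here as a defensive counterpart to the clipboard-checking idea in the reply above (example code written for this edit, not the poster's and not from any project named in the thread): the tell-tale sign of a clipper is that the user copies something that looks like a wallet address and the clipboard afterwards holds a different value. The monitor below checks exactly that. The three address regexes, the `Finding` record and the sample events are constructed assumptions; on a real host the `read_clipboard` callback would be wired to the platform clipboard API, which is deliberately left out so the logic runs anywhere.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Address shapes inspected (assumption: these three cover the formats most
# commonly targeted by clippers; extend the dict for other chains).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the address family `text` resembles, or None for ordinary text."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass(frozen=True)
class Finding:
    """One detected substitution: what was copied vs. what the clipboard now holds."""
    copied: str
    observed: str
    copied_kind: str
    observed_kind: Optional[str]


def check_clipboard_integrity(copied: str, read_clipboard: Callable[[], str]) -> Optional[Finding]:
    """Compare the value the user copied with the clipboard content read back afterwards.

    Only address-like copies are inspected, which keeps false positives low;
    any change to such a value is reported, whether or not the replacement
    itself parses as an address.
    """
    kind = address_kind(copied)
    if kind is None:
        return None
    observed = read_clipboard()
    if observed.strip() == copied.strip():
        return None
    return Finding(copied, observed, kind, address_kind(observed))


def scan_copy_events(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run the check over (copied, clipboard_after_copy) pairs, e.g. a replayed log."""
    findings: List[Finding] = []
    for copied, after in events:
        finding = check_clipboard_integrity(copied, lambda after=after: after)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events. The two BTC strings are well-known public example
# addresses (the genesis-block address and the Bitcoin wiki example address);
# they only stand in for "what the user copied" and "what was written back".
SAMPLE_EVENTS = [
    ("hello world", "hello world"),                                            # plain text, not inspected
    ("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # intact copy
    ("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # swapped BTC address
    ("0x" + "ab" * 20, "0x" + "cd" * 20),                                      # swapped EVM address
]

if __name__ == "__main__":
    for f in scan_copy_events(SAMPLE_EVENTS):
        print(f"ALERT: copied {f.copied_kind} address was replaced by "
              f"{f.observed_kind or 'unknown'} content: {f.observed}")
```

Wiring `read_clipboard` to the real clipboard and calling `check_clipboard_integrity` shortly after each copy gives a host-side alert that does not depend on finding or killing the offending process; it is also the kind of check a wallet front-end can do itself before accepting a pasted destination.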