Secure pc from malware attacks?

[nebulainstalls]

[ THIS TOPIC IS RELATED ONLY FOR WINDOWS USERS]
i have a ques,
So if a pc is infected with RAT/Stealer or any other malware how can we close the communication of RAT or c2 and close and delete its process instantly just by executing a white exe file or any script etc and makes sure that that in future everytime any malware is being executed it will never get communicated with the c2 so that the pc owner can be safe from them.
Here the pc owners are general user not the big firms or any orginisation they are just general users.

if you get confused with my question here is short summary:
I want to make a program or a tool which will close the communication and delete the process of malware/stealer/rats etc from the pc permanently and in future whenever any malware is executed then it should never get communicated with the malware server/c2.
Help and ideas will be appreciated )

 

[bbyoda]

Just set up a network-wide firewall and monitor the traffic for anything unusual

 

[nebulainstalls]

Just set up a network-wide firewall and monitor the traffic for anything unusual

read the topic again

 

[codeless]

here is some tips you can try on infected pc .
1- Check Startup and disable unknown process
2- Check Windows Task Scheduler and remove unknow process most of time malware create exe file again or run exe file again
3- Unhide hidden files malwares mostly stay in C Drive and delete them incase you are unable to delete download unlocker or set permission to everyone
4- Don't forget to boot pc in safe mode without networking
5- Check Windows files health check if any system file infected
6- for checking which server RAT is communicating use Fiddler Classic or NMAP for checking which exe using which port but Fiddler is recomended before starting fiddler close all other application it will help you to get clean view of request by this way you can see what and which stuff is upload like text or files to hackers server you are also able to capture FTP credentials which hacker set on his server for storing data you can delete yours data but you need to learn a little before start . we decoded and captured many Ransomeware keys logs files and cracked many softwares with help of fiddler without decompiling anything
Good luck this only things in my mind for now there must be more tips but when i have access to infected pc

 

[nebulainstalls]

here is some tips you can try on infected pc .
1- Check Startup and disable unknown process
2- Check Windows Task Scheduler and remove unknow process most of time malware create exe file again or run exe file again
3- Unhide hidden files malwares mostly stay in C Drive and delete them incase you are unable to delete download unlocker or set permission to everyone
4- Don't forget to boot pc in safe mode without networking
5- Check Windows files health check if any system file infected
6- for checking which server RAT is communicating use Fiddler Classic or NMAP for checking which exe using which port but Fiddler is recomended before starting fiddler close all other application it will help you to get clean view of request by this way you can see what and which stuff is upload like text or files to hackers server you are also able to capture FTP credentials which hacker set on his server for storing data you can delete yours data but you need to learn a little before start . we decoded and captured many Ransomeware keys logs files and cracked many softwares with help of fiddler without decompiling anything
Good luck this only things in my mind for now there must be more tips but when i have access to infected pc

Still not relevant. Read my thread again, i want to make a program exe which should stop the communication of malware with its c2 and kill its process this should be done by a exe which will do this in background, and whenever any malware is executed in the device it should always autokill the process of that malware and it should also kill the communication of that malware with its server and protecting that windows computer

 

[codeless]

Still not relevant. Read my thread again, i want to make a program exe which should stop the communication of malware with its c2 and kill its process this should be done by a exe which will do this in background, and whenever any malware is executed in the device it should always autokill the process of that malware and it should also kill the communication of that malware with its server and protecting that windows computer

but problem is how you will identify ?
maybe using API of virustotal or similar then kill process .

 

[Apk_crypter]

If you do, just open a security company and compete with the big security companies xd

 

[codeless]

Here is tips for you .

1- Create a script which use python API to identify RAT / Malware / Viruses then block malware from using internet also set permission for deleting . but its more complicated

 

[codeless]

This maybe works but you can edit more

import os
import hashlib
import requests
import json
import time
import shutil
import subprocess

API_KEY = "YOUR_API_KEY"
VT_REPORT_URL = "https://www.virustotal.com/api/v3/analyses/%s"
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/%s"
VT_UPLOAD_URL = "https://www.virustotal.com/api/v3/files"

# Hash function
def sha256_hash(filename):
    h = hashlib.sha256()
    with open(filename, 'rb') as f:
        while True:
            data = f.read(65536)
            if not data:
                break
            h.update(data)
    return h.hexdigest()

# Upload file to VirusTotal
def upload_file(filename):
    # Check if file has already been scanned
    file_hash = sha256_hash(filename)
    headers = {'x-apikey': API_KEY}
    params = {'hash': file_hash}
    response = requests.get(VT_FILE_URL % file_hash, headers=headers, params=params)
    if response.status_code == 200:
        data = response.json()['data']
        if data['attributes']['status'] == 'queued' or data['attributes']['status'] == 'in_progress':
            print("File already queued for analysis: %s" % filename)
            return None
        elif data['attributes']['status'] == 'completed':
            print("File already analyzed: %s" % filename)
            return data['id']
        else:
            print("Unknown file status for file %s: %s" % (filename, data['attributes']['status']))
            return None

    # Upload the file
    with open(filename, 'rb') as f:
        file_data = f.read()
    files = {'file': (filename, file_data)}
    response = requests.post(VT_UPLOAD_URL, headers=headers, files=files)
    if response.status_code != 200:
        print("Failed to upload file %s: %s" % (filename, response.text))
        return None
    data = response.json()['data']
    print("File queued for analysis: %s" % filename)
    return data['id']

# Get scan report from VirusTotal
def get_report(file_id):
    headers = {'x-apikey': API_KEY}
    url = VT_REPORT_URL % file_id
    while True:
        response = requests.get(url, headers=headers)
        if response.status_code != 200:
            print("Failed to get report for file %s: %s" % (file_id, response.text))
            return None
        data = response.json()['data']
        if data['attributes']['status'] == 'queued' or data['attributes']['status'] == 'in_progress':
            print("Analysis still in progress, waiting...")
            time.sleep(10)
        elif data['attributes']['status'] == 'completed':
            return data
        else:
            print("Unknown analysis status for file %s: %s" % (file_id, data['attributes']['status']))
            return None

# Scan a file
def scan_file(filename):
    file_id = upload_file(filename)
    if file_id is None:
        return None
    report = get_report(file_id)
    if report is None:
        return None
    return report

# Scan a directory
def scan_directory(directory):
    for filename in os.listdir(directory):
        if filename.lower().endswith(".exe") or filename.lower().endswith(".dll"):
            print("Scanning file: %s" % filename)
            full_filename =

 

[Balrog777]

[ THIS TOPIC IS RELATED ONLY FOR WINDOWS USERS]
i have a ques,
So if a pc is infected with RAT/Stealer or any other malware how can we close the communication of RAT or c2 and close and delete its process instantly just by executing a white exe file or any script etc and makes sure that that in future everytime any malware is being executed it will never get communicated with the c2 so that the pc owner can be safe from them.
Here the pc owners are general user not the big firms or any orginisation they are just general users.

if you get confused with my question here is short summary:
I want to make a program or a tool which will close the communication and delete the process of malware/stealer/rats etc from the pc permanently and in future whenever any malware is executed then it should never get communicated with the malware server/c2.
Help and ideas will be appreciated )

To break the connection between the server and the client just use a simple vpn

[ THIS TOPIC IS RELATED ONLY FOR WINDOWS USERS]
i have a ques,
So if a pc is infected with RAT/Stealer or any other malware how can we close the communication of RAT or c2 and close and delete its process instantly just by executing a white exe file or any script etc and makes sure that that in future everytime any malware is being executed it will never get communicated with the c2 so that the pc owner can be safe from them.
Here the pc owners are general user not the big firms or any orginisation they are just general users.

if you get confused with my question here is short summary:
I want to make a program or a tool which will close the communication and delete the process of malware/stealer/rats etc from the pc permanently and in future whenever any malware is executed then it should never get communicated with the malware server/c2.
Help and ideas will be appreciated )

To break the connection between the server and the client just use a simple vpn

 

[nebulainstalls]

To break the connection between the server and the client just use a simple vpn
To break the connection between the server and the client just use a simple vpn

lol

 

[nebulainstalls]

To break the connection between the server and the client just use a simple vpn
To break the connection between the server and the client just use a simple vpn

School kids please stay away from this thread im looking for professional and experienced people to answer my question

 

[nebulainstalls]

Here is tips for you .

1- Create a script which use python API to identify RAT / Malware / Viruses then block malware from using internet also set permission for deleting . but its more complicated

FYI vt does not allow 600mb+ files to get uploded also there are lots of ways to make a stealthy fud for longtime which bypass av so av is not a solution currently there are lots of malware/stealer fuds which are 0 detected on VT

 

[h1z1]

it's hard but you need to monitor all process check for RWX memory try read the memory and compare it to hashes if you find it's malware then get the process location and terminate the process and delete it from disk this is very simple tool act like a simple AV but still work

You can use YARA to compare the readed RWX memory

Note : this will code for shellcode Local and Remote ? also could work with others pe injections method

you could also try install hooks for all process and read args of suspicious functions like writeprocessmemory
or ntwritevirtualmemory

this all can be done from userland

 

[Dread Pirate Roberts]

School kids please stay away from this thread im looking for professional and experienced people to answer my question

you've got the correct answer in the very first reply to this topic: install a firewall and setup a hook to kill the suspicious process.

 

[Balrog777]

School kids please stay away from this thread im looking for professional and experienced people to answer my question

I'm curious to see some of your work, because I don't quite understand who you are...

 

[nebulainstalls]

you've got the correct answer in the very first reply to this topic: install a firewall and setup a hook to kill the suspicious process.

read the thread again, its a manuall process i want everything to be automated with just a single exe in that too in background if you translate my thread from eng to your language then you will come to know my point )

 

[h1z1]

you've got the correct answer in the very first reply to this topic: install a firewall and setup a hook to kill the suspicious process.

the answer is true , but he need to create a tool to automate the process , so in this way he need to make multi hooks for network functions and also for suspicious win/nt api as an example their more advanced ways but this is the very simple and easy way

 

[PR_O]

https://streamable.com/p0ahuj ....!

 

[nebulainstalls]

https://streamable.com/p0ahuj ....!

here you already know the port of the black application but how to automatically get the ports from the running process may be netstat can work but another thing how to differentiate between any white port and black port of the running processes?