See more: C++ C# VB.NET
Hi guys what's up!!!
 
I have a question that needs to be answered :) ...
 
How to Make a program that boots before any services start????????
 
Let me explain my question. If I want to program an anti-virus, for example, and this anti-virus tries to delete an active virus, first the virus must be located and then it must be stopped from running as a process. In this case the computer must restart so that no processes are active while the system is booting, and then we can easily delete it from the hard disk. When I mention "the computer must restart when the system is booting", that means I must make my anti-virus run before any processes or services get started, so I can delete that virus from the hard disk.
 
Of course, you wonder "why wait for the system to boot, why not just stop this virus from the process list?" It's a good question, but some viruses have the ability to hide in the system and in memory, so they can't be deleted.
 
I hope you have an answer to my question. :)
 
thanks
Posted 15-Mar-12 4:00am
Edited 15-Mar-12 4:03am

Solution 1

As far as I know, this file deletion is typically done using a Windows feature.
One simply marks a file for deletion at reboot by calling MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT as the third param.
 
This places keys in the registry which are processed the next time the machine boots.
 
See here for more info:
http://stackoverflow.com/questions/7777874/how-to-cancel-deferred-movefileex-operation
 

However, this still doesn't solve the problem of locating and identifying files in an already compromised system, since, as you mention, some viruses are able to hide themselves from both directory listings and process listings.
Comments
Rasool Ahmed at 15-Mar-12 11:15am
   
Yes, this solution will make my program delete the virus, but how can I locate that virus? This way, when I make my program start at system boot, it will check my hard drive for viruses and delete them before the virus can run.

Solution 2

Assuming you are asking about Windows, I don't believe you can: the system must completely boot before applications can be started, and a complete boot requires that services be up and running. As I remember, the launch process is
 
1. Load the BIOS kernel
2. Perform hardware checks
3. Launch the hardware drivers
4. Launch the core services
5. Launch the all-users at-startup services
6. Wait until the user logs in
7. Launch the user's at-startup services
8. Launch the user's at-startup applications
9. Launch the delayed-startup services
 
Added: I believe most anti-virus software operates as an all-users at-startup service with a very high priority, meaning that it is one of the very first pieces outside the core system to be activated. The likelihood that a virus would start before then is pretty small: a lot of the security work Microsoft has been doing to Windows in the last few years has involved checks to make sure that drivers, core services and other system infrastructure have not been tampered with. If one of the infrastructure components did get infected, it is probably too late to eliminate the virus itself; you would need to wipe the hard drive and reinstall the operating system from an uninfected source.
 
Of course it would be possible to have a driver that was tampered with (a trojan rather than an actual virus); there is not much that can be done about that other than being very careful about where you get your drivers.
Comments
Rasool Ahmed at 15-Mar-12 11:13am
   
No my friend, I am not asking about Windows. My question is how to run my program before any processes run? I mean, when my anti-virus locates that virus and schedules the virus paths, at the next startup the anti-virus will delete these viruses (as scheduled) from the hard drives before any programs get started. You know what I mean?
enhzflep at 15-Mar-12 11:45am
   
I disagree!
In the original post, you wrote "How to Make a program that boots before any services start????????"
 
Based on the fact you had VB.NET as one of the tags for the question, I took a punt & assumed you were using windows. Though, that was an assumption.
 
Gregory.Gadow also furnished you with an answer. A far more complete (and relevant) solution than mine, I might add.
 
Clearly, Greg's post provides a quick overview, followed by a step-by-step rundown of system boot, followed by telling you by what means anti-virus software is able to load so early in the boot process.
 
Short of providing you compilable code, Greg's post couldn't have been better directed at answering the question as posed.
Now, if what you wish to know is other than what you've asked - then that's a different question altogether.
 

Now then, nick-off and do some research on (1) how to write a service (2) how to install (it) so that it runs very early in the boot process (3) how to ensure that it runs for all users.
Dave Kreskowiak at 15-Mar-12 13:45pm
   
You can't do it in VB.NET. "Before any processes start" also includes stuff like the Windows Kernel, drivers, kernel-level processes, which you cannot preempt with managed code because the .NET Framework runs ON TOP OF the kernel level stuff. If the .NET Framework cannot run yet, your code cannot run yet either.
 
Simply, you cannot do what you want to do using .NET code.
Rasool Ahmed at 15-Mar-12 15:14pm
   
You're right about that, so I must program it in C++ or assembly.....
 
Do you agree with that?
Gregory.Gadow at 15-Mar-12 15:21pm
   
Your choice of framework will not make any difference. Even if you could interrupt the OS bootup -- and most operating systems will not let you do that -- the system will not be in any state capable of executing your code, because it has not finished booting.
Rasool Ahmed at 15-Mar-12 15:24pm
   
Alright, that's it. What do you suggest I do to solve my problem?
Dave Kreskowiak at 15-Mar-12 15:37pm
   
Virus software usually has a driver (executes in the kernel space) that handles this stuff. But, you are not going to get loaded before the kernel processes start, ever!
 
Yes, the best choice for this is C/C++. There's no need for assembler in this case.
 
Have fun! Good Luck! You're going to need it.
 
Oh! Get the Windows WDK. You really can't do any of this stuff without it. And pick up a couple of books on Windows Internals, because you don't appear to have the prerequisite knowledge of how Windows works, when things are loaded, how they are loaded, the security involved, blah, blah, blah, ...
 
Windows Internals 5: http://www.microsoft.com/learning/en/us/book.aspx?id=12069
 
Windows Internals 6 comes out next month: http://www.amazon.com/Windows-Internals-Part-Covering-Server/dp/0735648735/ref=sr_1_1?ie=UTF8&qid=1331840108&sr=8-1
 
You'll also need to cover Windows Device Drivers: http://www.amazon.com/Windows-Device-Addison-Wesley-Microsoft-Technology/dp/0321670213/ref=sr_1_1?s=books&ie=UTF8&qid=1331840187&sr=1-1
 
Windows WDK: http://msdn.microsoft.com/en-us/windows/hardware/gg487428
Rasool Ahmed at 15-Mar-12 12:18pm
   
Dear my friend, I know I did wrong with my explanation, because I'm a little confused with my problem; the picture in my head is not stable. All I want is to kill that virus before it gets started... Looks like I am out of my mind... sorry!!!
But anyway I will search these tips and I will post a solution here if I have it..... Thank you for your cooperation....
But one last thing: do you have references (e.g. MSDN) about how to make the service run early when the system boots?

Solution 3

I don't think you can. I think this is the wrong approach, especially if you are dealing with a virus. And if you are dealing with a virus, especially with a rootkit, you should not load the OS anymore. Instead, either boot with another disk, presumably a CD/DVD with special system-saving tools on it, or remove the hard drive and connect it to another, healthy system (make sure you don't have even a tiny chance to boot your drive, otherwise you can infect one more system!) and deal with your disk without booting the OS on it.
 
It's very good to always have a stand-alone docking system connected to a PC via USB 2 or USB 3 and/or eSATA, where you can plug in your drives. Such systems are inexpensive, good for many other jobs (like backups and transferring or restoring data in other cases) and can really save you from a real disaster.
 
If you use the second way, I would advise not to cure the virus. Instead, just save your data and then reinstall the OS.
 
—SA
Comments
Espen Harlinn at 15-Mar-12 19:05pm
   
5'ed!
SAKryukov at 15-Mar-12 19:23pm
   
Thank you, Espen.
--SA

Solution 5

Hi,
 
Yes, you can absolutely do this. You would need to build a "Native Application" and add the application to the HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute registry key. These native applications are executed by the session manager right before the system services start.
 
Best Wishes,
-David Delaune
Comments
Rasool Ahmed at 16-Mar-12 3:56am
   
Yes, thank you very much.... :)
This is absolutely the answer........ Thank you to all of you.
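Both mechanisms named in this thread, the MoveFileEx/MOVEFILE_DELAY_UNTIL_REBOOT queue from Solution 1 and the BootExecute key from Solution 5, live in REG_MULTI_SZ registry values that Windows processes at the next boot, so the practical thing for someone auditing a machine is to read and interpret those values rather than to add to them. The following is an added example, not code from the thread or from any of its authors: a portable C parser for the REG_MULTI_SZ layout that summarises a PendingFileRenameOperations value (source/destination pairs, where an empty destination means delete and a "!" prefix means replace, as documented for MoveFileEx) and flags any BootExecute entry beyond the stock "autocheck autochk *". The sample values are constructed inline, the second BootExecute entry "example_native.exe" is hypothetical, and on a real system the bytes would come from RegQueryValueExW.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 64
/* REG_MULTI_SZ: NUL-terminated UTF-16LE strings followed by one extra NUL. Code
 * units are uint16_t so this builds anywhere; on Windows use RegQueryValueExW. */
typedef struct { const uint16_t *s; size_t len; } wview;      /* len excludes the NUL */
typedef struct { size_t deletes, renames; } pending_summary;

/* Split by total length instead of stopping at the first double NUL, because
 * PendingFileRenameOperations holds empty strings (empty destination = delete). */
static size_t multi_sz_split(const uint16_t *buf, size_t nunits, wview *out, size_t max_out)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i < nunits && count < max_out; i++) {
        if (buf[i] != 0) continue;                    /* unterminated tails are ignored */
        out[count].s = buf + start;
        out[count].len = i - start;
        count++;
        start = i + 1;
    }
    /* The list terminator's NUL shows up as a trailing empty string: drop it. */
    if (count > 0 && out[count - 1].len == 0 && nunits >= 2 && buf[nunits - 1] == 0 && buf[nunits - 2] == 0)
        count--;
    if (count == 1 && out[0].len == 0) count = 0;     /* wholly empty value ("\0\0") */
    return count;
}
static int wview_eq_ascii(wview v, const char *ascii)
{
    if (v.len != strlen(ascii)) return 0;
    for (size_t k = 0; k < v.len; k++)
        if (v.s[k] != (uint16_t)(unsigned char)ascii[k]) return 0;
    return 1;
}

/* Widen ASCII strings into a REG_MULTI_SZ buffer; only used for the constructed
 * samples below. Returns code units written, or 0 if cap is too small. */
static size_t build_multi_sz(const char *const *strs, size_t nstrs, uint16_t *out, size_t cap)
{
    size_t pos = 0;
    for (size_t k = 0; k < nstrs; k++) {
        size_t n = strlen(strs[k]);
        if (pos + n + 2 > cap) return 0;              /* string, its NUL, and the list NUL */
        for (size_t j = 0; j < n; j++) out[pos++] = (uint16_t)(unsigned char)strs[k][j];
        out[pos++] = 0;
    }
    if (pos >= cap) return 0;
    out[pos++] = 0;
    return pos;
}

/* PendingFileRenameOperations holds (source, destination) pairs. An empty
 * destination means "delete source at boot"; a '!' prefix on the destination
 * means the target is overwritten (MOVEFILE_REPLACE_EXISTING). */
static pending_summary summarize_pending(const uint16_t *buf, size_t nunits)
{
    wview e[MAX_ENTRIES];
    size_t n = multi_sz_split(buf, nunits, e, MAX_ENTRIES);
    pending_summary sum = {0, 0};
    for (size_t k = 0; k + 1 < n; k += 2)             /* an unpaired final source is ignored */
        if (e[k + 1].len == 0) sum.deletes++; else sum.renames++;
    return sum;
}

/* BootExecute lists command lines smss.exe runs before any service starts. The
 * stock value is only "autocheck autochk *"; every other entry deserves review. */
static size_t count_nondefault_bootexecute(const uint16_t *buf, size_t nunits)
{
    wview e[MAX_ENTRIES];
    size_t n = multi_sz_split(buf, nunits, e, MAX_ENTRIES), extra = 0;
    for (size_t k = 0; k < n; k++)
        if (!wview_eq_ascii(e[k], "autocheck autochk *")) extra++;
    return extra;
}

/* Constructed sample values, not read from any real registry. */
pending_summary demo_pending(void)
{
    static const char *const ops[] = {
        "\\??\\C:\\Temp\\old.tmp",   "",                          /* delete  */
        "\\??\\C:\\Temp\\new.txt",   "!\\??\\C:\\Temp\\cur.txt",  /* replace */
        "\\??\\C:\\Temp\\stale.log", "" };                        /* delete  */
    uint16_t buf[256];
    return summarize_pending(buf, build_multi_sz(ops, 6, buf, 256));
}
size_t demo_bootexecute(void)
{
    static const char *const cmds[] = { "autocheck autochk *", "example_native.exe" }; /* 2nd entry hypothetical */
    uint16_t buf[256];
    return count_nondefault_bootexecute(buf, build_multi_sz(cmds, 2, buf, 256));
}
int main(void)
{
    pending_summary p = demo_pending();
    printf("%zu delete(s), %zu rename(s), %zu non-default BootExecute entries\n",
           p.deletes, p.renames, demo_bootexecute());
    return 0;
}
```

The splitter deliberately walks the whole buffer by length: a naive "stop at the first double NUL" parser would read a queued delete (source followed by an empty destination) as the end of the list and miss everything after it, which is exactly the entry an auditor most wants to see.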

Solution 4

You would essentially have to write what amounts to a rootkit.
Comments
Rasool Ahmed at 16-Mar-12 3:55am
   
Can you explain more?!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Copyright © CodeProject, 1999-2014