ansaurus

Question

Answer 1

A:

You will need API hooking to guard your process against termination. API hooking is not easy, as it requires either system-wide dll injection and memory editing or a device driver. Read this to get an idea.

Luckily, there are existing libraries out there, like this one, which I think is shareware now unfortunately. I also found this, and you can probably find more freeware stuff on google.

To answer your first question, terminating system processes is fairly easy. In C# using the Process.Kill method you can terminate system processes and cause a blue screen if doing it from a windows system service, at least on Windows 7 (I learned this the hard way...). Doing it using the TerminateProcess() function from outside a service will only work if you enable certain permissions: http://www.codase.com/search/call?name=AdjustTokenPrivileges - if I'm not mistaken you need to enable SE_DEBUG_NAME.

To turn off your antivirus, well, they usually have a menu for that :). To forcefully terminate them, you'll have to use a termination method that they don't hook. This page describes a lot.

Here's a sample that can terminate the processes you want, supposing the used API functions aren't hooked. DO NOT RUN THIS UNLESS YOU KNOW WHAT YOU'RE DOING AS IT CAN CAUSE A BLUE SCREEN!

#include <stdio.h>
#include <windows.h>
#include <process.h>
#include <iostream>

using namespace std;

int EnablePrivilege(const char * lpPrivilegeName, BOOL bEnable)
{
    TOKEN_PRIVILEGES Privileges;
    ZeroMemory(&Privileges, sizeof(Privileges));

    HANDLE hToken;
    BOOL bResult;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return 1;
    Privileges.PrivilegeCount = 1;
    Privileges.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
    if (!LookupPrivilegeValue(NULL, lpPrivilegeName,
                               &Privileges.Privileges[0].Luid))
    {


        CloseHandle(hToken);
        return 2;
    }
    bResult = AdjustTokenPrivileges(hToken, FALSE, &Privileges, sizeof(Privileges), NULL, NULL);
    CloseHandle(hToken);
    return bResult;
}

int main()
{
    cout << EnablePrivilege(SE_DEBUG_NAME, TRUE);

    HANDLE procHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 500); // replace 500 with the PID of the process you want to terminate - can be taken from taskmanager.

    TerminateProcess(procHandle, 0);

    CloseHandle(procHandle);
}

IVlad 2010-03-14 20:21:26

There is a problem with the TerminateProcess function you've mentioned: You again need the rights to kill it (this it what it says on msdn).

jemper 2010-03-14 20:42:59

Thank you, I would have had a hard time figuring it out without your help. Someone upvote this please, I can't yet.

jemper 2010-03-14 21:57:17

Answer 2

A:

If terminating a process the "normal" way doesn't work, then more extreme measures are required. You can try elevating your security level, but that may not work.

Here are two rather brute force methods you can try, both requiring you to be able to successfully inject into the target application (2% failure rate on NT 4, 5% failure rate on XP, higher failure rate on Vista, Windows 7, etc).

You could try injecting a DLL into the application using CreateRemoteThread() and in the DLLMain for the injected DLL do one of the following:

Call ExitProcess(exitCode);
Register an exception handler, then cause an exception which you will catch with your exception handler. In your exception handler cause another exception (and/or stackoverflow). Exception during exception handling will cause instant program death.

void KillApp()
{
    int *p;

    p = NULL;

    __try
    {
            *b = 0;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        killApp();
    }
}

Plenty of articles on injecting using CreateRemoteThread

Stephen Kellett 2010-03-29 21:09:36

ansaurus

tags:

views:

answers:

Windows and system processes

related questions