Unkillable process
Unkillable process #1
Do you guys know how to create a process that admins can't kill? Antivirus vendors have a way of creating processes that return "Access denied" when attempting to close the exe file from e.g. Task Manager. Can you make this with VB? I presume they must hook TerminateProcess?
(This post was last modified: 07-19-2017, 08:25 PM by karstenfl.)


RE: Unkillable process #2
Not sure if this is what you're looking for. But google seems pretty responsive on this.
https://www.codeproject.com/Articles/116...ws-Process


RE: Unkillable process #3
There are a lot of ways, but the simple one is to create a watchdog process which monitors if your process is running; if it's killed, the watchdog restarts it. The same goes with the main program: if the watchdog is killed, the main program should restart it.


RE: Unkillable process #4
I have seen samples of watchdog methods, however they are not "true" unkillable processes. I am searching for a way to create a singular, independent process that is prevented from being killed, like modern AV or firewall solutions do. They simply deny the request.


RE: Unkillable process #5
(07-19-2017, 09:45 PM)Pikami Wrote: There are a lot of ways, but the simple one is to create a watchdog process which monitors if your process is running; if it's killed, the watchdog restarts it. The same goes with the main program: if the watchdog is killed, the main program should restart it.

There's no way (to my Windows and Unix knowledge) to create truly "unkillable" processes. This strategy comes close, and it would probably stump most users, but what about if the target froze the watchdog, killed the main process, then killed the watchdog? Example for Unix-based systems:
Code:
# watchdog PID = 5551
# main process PID = 5552

kill -19 5551 # send SIGSTOP to watchdog which freezes it
kill -9 5552 5551 # send SIGKILL to main, then to watchdog so main doesn't restart it
(This post was last modified: 07-19-2017, 09:58 PM by Inori.)
It's often the outcasts, the iconoclasts ... those who have the least to lose because they
don't have much in the first place, who feel the new currents and ride them the farthest.


RE: Unkillable process #6
(07-19-2017, 08:21 PM)karstenfl Wrote: Antivirus Vendors have a way of creating processes that returns "Access denied" when attempting to close

You have to modify the ACL to remove PROCESS_TERMINATE permission, but for that you'll need to have admin access.

An example in C++
Code:
#include <windows.h>
#include <aclapi.h>
#include <tchar.h>

// Replace the DACL of the current process with a single deny ACE for the
// calling user. With no allow ACEs left, every other account is denied as
// well; only callers that bypass the DACL (e.g. SeDebugPrivilege) can still
// open the process for termination.
static bool ProtectProcess()
{
    HANDLE hProcess = GetCurrentProcess();   // pseudo-handle, must not be closed
    EXPLICIT_ACCESS denyAccess = {0};
    DWORD dwAccessPermissions = GENERIC_WRITE|PROCESS_ALL_ACCESS|WRITE_DAC|DELETE|WRITE_OWNER|READ_CONTROL;
    // "CURRENT_USER" is a special trustee name that SetEntriesInAcl resolves
    // to the calling user; BuildExplicitAccessWithName wants a non-const buffer.
    TCHAR trustee[] = _T("CURRENT_USER");
    BuildExplicitAccessWithName( &denyAccess, trustee, dwAccessPermissions, DENY_ACCESS, NO_INHERITANCE );
    PACL pTempDacl = NULL;
    DWORD dwErr = SetEntriesInAcl( 1, &denyAccess, NULL, &pTempDacl );
    if ( dwErr != ERROR_SUCCESS )
        return false;
    dwErr = SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pTempDacl, NULL );
    LocalFree( (HLOCAL)pTempDacl );
    return dwErr == ERROR_SUCCESS;
}
(This post was last modified: 07-19-2017, 10:41 PM by Pikami.)


RE: Unkillable process #7
(07-19-2017, 10:38 PM)Pikami Wrote:
(07-19-2017, 08:21 PM)karstenfl Wrote: Antivirus Vendors have a way of creating processes that returns "Access denied" when attempting to close

You have to modify the ACL to remove PROCESS_TERMINATE permission, but for that you'll need to have admin access.


That's exactly what I'm looking for.


RE: Unkillable process #8
Any VB code for the above?


RE: Unkillable process #9
(07-19-2017, 10:52 PM)karstenfl Wrote: Any VB code for the above?

I'd recommend finding a working C/C++ version and creating a DLL to use within VB if you're doing this in Windows.
https://msdn.microsoft.com/en-us/library/ms235636.aspx


RE: Unkillable process #10
Well, the C++ code was almost perfect; however, admins with debug rights would still be able to terminate the application. :-(

I found this, which might work, since it uses kernel-mode callbacks. However, my C++ skills lack understanding of code at this level: https://stackoverflow.com/questions/2055...thout-ssdt

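Added example, not code from the thread or from any of the posters: a PowerShell version (Win32 calls through Add-Type P/Invoke) of the DACL trick from post #6, followed by the caveat from post #10 in the same script. It restricts the running PowerShell process so that a fresh handle with PROCESS_TERMINATE is refused, then enables SeDebugPrivilege and opens the same process again. The class name ProcSec and the function names Protect-CurrentProcess, Test-CanOpenForTerminate and Enable-DebugPrivilege are this example's own; the constants, SDDL syntax and API signatures are standard Win32.

```powershell
# Added example: DACL-based termination block and the SeDebugPrivilege bypass,
# demonstrated on the current PowerShell process. ProcSec and the three
# functions below are names chosen for this example.
$nativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class ProcSec {
    public const uint PROCESS_TERMINATE = 0x0001, DACL_SECURITY_INFORMATION = 0x0004;
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008, SE_PRIVILEGE_ENABLED = 0x0002;
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(string sddl, uint rev, out IntPtr sd, out uint size);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool SetKernelObjectSecurity(IntPtr h, uint info, IntPtr sd);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr p, uint access, out IntPtr token);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr h);
}
'@
if (-not ('ProcSec' -as [type])) { Add-Type -TypeDefinition $nativeSource }

function Protect-CurrentProcess {
    # Deny PROCESS_TERMINATE (0x0001) to Everyone (WD) and allow everything else to the
    # current user. Deny ACEs precede allow ACEs in a canonical DACL, so the deny wins.
    $me   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $sddl = "D:(D;;0x0001;;;WD)(A;;0x1FFFFF;;;$me)"
    $sd = [IntPtr]::Zero; [uint32]$size = 0
    if (-not [ProcSec]::ConvertStringSecurityDescriptorToSecurityDescriptor($sddl, 1, [ref]$sd, [ref]$size)) {
        throw "SDDL conversion failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $ok = [ProcSec]::SetKernelObjectSecurity([ProcSec]::GetCurrentProcess(), [ProcSec]::DACL_SECURITY_INFORMATION, $sd)
        if (-not $ok) { throw "SetKernelObjectSecurity failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    } finally { [void][ProcSec]::LocalFree($sd) }
}

function Test-CanOpenForTerminate([uint32]$ProcessId) {
    # A fresh OpenProcess goes through the DACL check (the pseudo-handle from
    # GetCurrentProcess never does). Win32 error 5 is ERROR_ACCESS_DENIED.
    $h = [ProcSec]::OpenProcess([ProcSec]::PROCESS_TERMINATE, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) { return [pscustomobject]@{ Opened = $false; Win32Error = $err } }
    [void][ProcSec]::CloseHandle($h)
    [pscustomobject]@{ Opened = $true; Win32Error = 0 }
}

function Enable-DebugPrivilege {
    # Returns $true when SeDebugPrivilege is now enabled in our token. Only an
    # elevated token carries it, which is exactly the "admins with debug rights" case.
    $token = [IntPtr]::Zero
    $access = [ProcSec]::TOKEN_ADJUST_PRIVILEGES -bor [ProcSec]::TOKEN_QUERY
    if (-not [ProcSec]::OpenProcessToken([ProcSec]::GetCurrentProcess(), $access, [ref]$token)) {
        throw "OpenProcessToken failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $luid = New-Object ProcSec+LUID
        if (-not [ProcSec]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) {
            throw "LookupPrivilegeValue failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $tp = New-Object ProcSec+TOKEN_PRIVILEGES
        $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = [ProcSec]::SE_PRIVILEGE_ENABLED
        if (-not [ProcSec]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)) {
            throw "AdjustTokenPrivileges failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # AdjustTokenPrivileges returns TRUE even when the privilege is absent from the
        # token; ERROR_NOT_ALL_ASSIGNED (1300) in the last-error slot is how it says so.
        return ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -ne 1300)
    } finally { [void][ProcSec]::CloseHandle($token) }
}

# Demo on this PowerShell process (its DACL stays restricted for the rest of the session).
Protect-CurrentProcess
$before = Test-CanOpenForTerminate $PID
$debug  = Enable-DebugPrivilege
$after  = Test-CanOpenForTerminate $PID
"Without SeDebugPrivilege: opened=$($before.Opened) error=$($before.Win32Error)"
"SeDebugPrivilege enabled: $debug"
"With SeDebugPrivilege:    opened=$($after.Opened) error=$($after.Win32Error)"
```

Run it in an elevated shell: the first OpenProcess fails with error 5 even though the caller is an administrator, because the DACL is checked as written; once SeDebugPrivilege is enabled the second OpenProcess succeeds, because NtOpenProcess skips the DACL check for a caller holding that privilege. In a non-elevated shell Enable-DebugPrivilege returns $false and both opens are refused. Task Manager run as administrator enables SeDebugPrivilege before it calls TerminateProcess, which is why the DACL approach alone stops ordinary users but not admins, and why the thread ends up looking at kernel-mode callbacks.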