Unkillable process
RE: Unkillable process #11
(07-20-2017, 01:47 PM)karstenfl Wrote: Well, the C++ code was almost perfect; however, admins with debug rights would still have access to terminate the application. :-(

I found this, which might work, since it uses kernel-mode callbacks. However, my C++ skills lack understanding of code at this level: https://stackoverflow.com/questions/2055...thout-ssdt

This is probably the lowest-level hook you can get, but you might as well use IAT patching or DLL injection, because these techniques can all be defeated.


RE: Unkillable process #12
(08-11-2017, 04:48 AM)titbang Wrote:
This is probably the lowest-level hook you can get, but you might as well use IAT patching or DLL injection, because these techniques can all be defeated.

Not really, you can go much lower.

It's often impractical, but you can do kernel injection, and many similar things. There has been PoC code for BIOS injection and I believe that at some point there was something (malware, I think) that hooked interrupts used by the bootloader to run custom code. (but if you go that far, why not just inject directly into the bootloader, instead of hooking interrupts...)

I mean... You can technically sneak into someone's house and replace physical components with backdoored ones (which you'll have to buy a factory to make, on top of figuring out how to make them)...

Lesson: You can always go lower if you haven't hit hardware yet.

Everything past higher-level kernel injection is usually useless though.
(This post was last modified: 08-11-2017, 07:00 AM by Ender.)
"The noblest pleasure is the joy of understanding."
- Leonardo da Vinci (supposedly)


RE: Unkillable process #13
(08-11-2017, 07:00 AM)Ender Wrote:
(08-11-2017, 04:48 AM)titbang Wrote:
This is probably the lowest-level hook you can get, but you might as well use IAT patching or DLL injection, because these techniques can all be defeated.

Not really, you can go much lower.

It's often impractical, but you can do kernel injection, and many similar things. There has been PoC code for BIOS injection and I believe that at some point there was something (malware, I think) that hooked interrupts used by the bootloader to run custom code. (but if you go that far, why not just inject directly into the bootloader, instead of hooking interrupts...)

I mean... You can technically sneak into someone's house and replace physical components with backdoored ones (which you'll have to buy a factory to make, on top of figuring out how to make them)...

Lesson: You can always go lower if you haven't hit hardware yet.

Everything past higher-level kernel injection is usually useless though.

In that case, why not just implement a micro-kernel with an abstraction layer for specific functions on different systems? In the end it all comes down to deployment. If the scenario is not realistic in regards to deployability and execution, there is no purpose for the legwork. Even firmware modifications can be detected. What matters is the target audience.
(This post was last modified: 08-11-2017, 07:49 AM by titbang.)


RE: Unkillable process #14
(08-11-2017, 07:48 AM)titbang Wrote:
In that case, why not just implement a micro-kernel with an abstraction layer for specific functions on different systems?

How is this relevant?

titbang Wrote: In the end it all comes down to deployment. If the scenario is not realistic in regards to deployability and execution, there is no purpose for the legwork. Even firmware modifications can be detected. What matters is the target audience.
Correct, I was just making a point.