Unkillable process
RE: Unkillable process #11
(07-20-2017, 01:47 PM)karstenfl Wrote: Well, the C++ code was almost perfect; however, admins with debug rights would still have access to terminate the application. :-(

I found this, which might work, since it uses kernel mode callbacks. However, my C++ skills lack understanding of code at this level: https://stackoverflow.com/questions/2055...thout-ssdt

This is probably the lowest level hook you can get, but you might as well use IAT patching or DLL injection, because these techniques can all be defeated.


RE: Unkillable process #12
(08-11-2017, 04:48 AM)titbang Wrote:
(07-20-2017, 01:47 PM)karstenfl Wrote: Well, the C++ code was almost perfect; however, admins with debug rights would still have access to terminate the application. :-(

I found this, which might work, since it uses kernel mode callbacks. However, my C++ skills lack understanding of code at this level: https://stackoverflow.com/questions/2055...thout-ssdt

This is probably the lowest level hook you can get, but you might as well use IAT patching or DLL injection, because these techniques can all be defeated.

Not really, you can go much lower.

It's often impractical, but you can do kernel injection and many similar things. There has been PoC code for BIOS injection, and I believe that at some point there was something (malware, I think) that hooked interrupts used by the bootloader to run custom code. (But if you go that far, why not just inject directly into the bootloader instead of hooking interrupts...)

I mean... You can technically sneak into someone's house and replace physical components with backdoored ones (which you'll have to buy a factory to make, on top of figuring out how to make them)...

Lesson: You can always go lower if you haven't hit hardware yet.

Everything past higher-level kernel injection is usually useless though.
(This post was last modified: 08-11-2017, 07:00 AM by Ender.)

RE: Unkillable process #13
(08-11-2017, 07:00 AM)Ender Wrote:
(08-11-2017, 04:48 AM)titbang Wrote:
(07-20-2017, 01:47 PM)karstenfl Wrote: Well, the C++ code was almost perfect; however, admins with debug rights would still have access to terminate the application. :-(

I found this, which might work, since it uses kernel mode callbacks. However, my C++ skills lack understanding of code at this level: https://stackoverflow.com/questions/2055...thout-ssdt

This is probably the lowest level hook you can get, but you might as well use IAT patching or DLL injection, because these techniques can all be defeated.

Not really, you can go much lower.

It's often impractical, but you can do kernel injection and many similar things. There has been PoC code for BIOS injection, and I believe that at some point there was something (malware, I think) that hooked interrupts used by the bootloader to run custom code. (But if you go that far, why not just inject directly into the bootloader instead of hooking interrupts...)

I mean... You can technically sneak into someone's house and replace physical components with backdoored ones (which you'll have to buy a factory to make, on top of figuring out how to make them)...

Lesson: You can always go lower if you haven't hit hardware yet.

Everything past higher-level kernel injection is usually useless though.

In that case, why not just implement a micro-kernel with an abstraction layer for specific functions on different systems? In the end it all comes down to deployment. If the scenario is not realistic in regard to deployability and execution, there is no purpose for the legwork. Even firmware modifications can be detected. What matters is the target audience.
(This post was last modified: 08-11-2017, 07:49 AM by titbang.)


RE: Unkillable process #14
(08-11-2017, 07:48 AM)titbang Wrote:
(08-11-2017, 07:00 AM)Ender Wrote:
(08-11-2017, 04:48 AM)titbang Wrote: This is probably the lowest level hook you can get, but you might as well use IAT patching or DLL injection, because these techniques can all be defeated.

Not really, you can go much lower.

It's often impractical, but you can do kernel injection and many similar things. There has been PoC code for BIOS injection, and I believe that at some point there was something (malware, I think) that hooked interrupts used by the bootloader to run custom code. (But if you go that far, why not just inject directly into the bootloader instead of hooking interrupts...)

I mean... You can technically sneak into someone's house and replace physical components with backdoored ones (which you'll have to buy a factory to make, on top of figuring out how to make them)...

Lesson: You can always go lower if you haven't hit hardware yet.

Everything past higher-level kernel injection is usually useless though.

In that case, why not just implement a micro-kernel with an abstraction layer for specific functions on different systems?

How is this relevant?

titbang Wrote: In the end it all comes down to deployment. If the scenario is not realistic in regard to deployability and execution, there is no purpose for the legwork. Even firmware modifications can be detected. What matters is the target audience.
Correct, I was just making a point.

RE: Unkillable process #15
(07-19-2017, 09:37 PM)flickmywetpeen Wrote: Not sure if this is what you're looking for, but Google seems pretty responsive on this.
https://www.codeproject.com/Articles/116...ws-Process

If you can be fast enough to kill both processes without giving them time to clone themselves (which can be done in a few lines of code), then it is not useful.

But in most cases I guess it can help.