I write programs for defence systems (antivirus, anti-malware, etc.), and I have a problem with defending a process from being killed through Task Manager -> Kill Process. I tested some antiviruses and they don't let me kill their process; I can only stop them in Services. How can I create this defence for my program? Thanks!

lebron2323

3 Answers

Stopping a process is done with a call to TerminateProcess (Win32 API). By default, it is not possible to kill a process that is running under a security context different from that of the process that issued the call to TerminateProcess.

A user-mode service can be configured (with the Service Control Manager) such that it will be restarted if someone kills the service. However, if you don't want the service to be stopped from the Service Control Manager interface or using the "net stop" command, you can set the "dwControlsAccepted" field of the SERVICE_STATUS structure appropriately when creating the service.

Also keep in mind that it is possible to end any process, even if it is a service or a system process, by previously enabling the debug privilege. This privilege is assigned to Administrators and is disabled in the access token. While Task Manager does not make use of the debug privilege, the KILL utility (provided with the Windows Resource Kit) does.

Vikram.exe
What you observe is common for service applications, i.e. you need to have a service for this.

Antivirus software usually employs several kernel-mode drivers (network filters, file system filters, etc.), which have the additional function of checking whether the user-mode process is present, and if not, they restart it (they also control the execution state of the service).

Also, a service can monitor the presence of the UI process and restart it, and the UI process in turn can check the state of the service. It's quite tricky (though possible) to stop both processes in parallel, so this scheme can also work.

I guess you will come to the same architecture.

But in general, rootkits bypass all those tricks, and rootkits are what poses the most significant threat to modern computers.

Eugene Mayevski 'Callback
I created a service, but I can easily kill the service process through Task Manager -> Processes -> End Process. Maybe I need to know what flags in the registry I must set to protect the process from being killed, so that when somebody tries they get the message "access denied". – lebron2323 Dec 29 '10 at 14:46
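As an added illustration of the two answers above (this is example code, not from either answerer), a .NET service that refuses Service Control Manager stop requests, which is what leaving SERVICE_ACCEPT_STOP out of dwControlsAccepted achieves, and that acts as the watchdog for a UI process; the service name, UI path and process name are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.ServiceProcess;
using System.Timers;

// Added example (not from the answers): a guard service that omits
// SERVICE_ACCEPT_STOP from dwControlsAccepted and restarts a UI process.
public sealed class GuardService : ServiceBase
{
    // Assumed names and paths, for illustration only.
    private const string UiPath = @"C:\Program Files\ExampleAV\ExampleUI.exe";
    private const string UiProcessName = "ExampleUI"; // image name without .exe
    private readonly Timer _watchdog = new Timer(5000); // poll every 5 seconds

    public GuardService()
    {
        ServiceName = "ExampleAVGuard";
        // CanStop = false makes ServiceBase leave SERVICE_ACCEPT_STOP out of
        // dwControlsAccepted, so the SCM and "net stop" refuse to stop it.
        CanStop = false;
        CanPauseAndContinue = false;
        CanShutdown = true; // still clean up on system shutdown
    }

    protected override void OnStart(string[] args)
    {
        _watchdog.Elapsed += (sender, e) => EnsureUiRunning();
        _watchdog.AutoReset = true;
        _watchdog.Start();
    }

    protected override void OnShutdown()
    {
        _watchdog.Stop();
        base.OnShutdown();
    }

    // Relaunch the UI if no instance exists; failures are logged, not fatal.
    private void EnsureUiRunning()
    {
        if (Process.GetProcessesByName(UiProcessName).Length > 0) return;
        try { Process.Start(UiPath); }
        catch (Exception ex) { EventLog.WriteEntry(ex.Message, EventLogEntryType.Warning); }
    }

    public static void Main() => ServiceBase.Run(new GuardService());
}
```

A service runs in session 0, so Process.Start here launches the UI there rather than on the user's desktop; starting it in the interactive session needs CreateProcessAsUser. As the first answer notes, refusing stop controls only covers the SCM path, and an administrator with the debug privilege enabled can still terminate the process.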
You can use this code if you want to prevent the kill (killing the process will bluescreen the system), but make sure you have auto startup. Put this code in, include System, and put the DllImport and the rest at the same level as your Form_Load; here are the switches (run this in your Form1_Load code): critical(1) is anti-kill, critical(0) is no anti-kill. @ https://pastebin.com/BpS79Sa0

critical(1)

critical(0)

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Wrapper class added so the snippet compiles on its own; the answer's
// original pastes the members directly into the form class.
public static class CriticalProcess
{
    // ProcessBreakOnTermination (0x1D): marks the process as critical, so
    // terminating it triggers a bugcheck (bluescreen).
    private const int BreakOnTermination = 0x1D;

    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern int NtSetInformationProcess(IntPtr hProcess, int processInformationClass,
        ref int processInformation, int processInformationLength);

    // status 1 = set the critical flag, status 0 = clear it.
    // Setting the flag requires SeDebugPrivilege, hence EnterDebugMode().
    public static void critical(int status)
    {
        Process.EnterDebugMode();
        int ntStatus = NtSetInformationProcess(Process.GetCurrentProcess().Handle,
            BreakOnTermination, ref status, sizeof(int));
        if (ntStatus != 0) // NTSTATUS: zero is STATUS_SUCCESS
            throw new InvalidOperationException("NtSetInformationProcess failed: 0x" + ntStatus.ToString("X8"));
    }
}
```