With Process Explorer from Sysinternals I still can't kill my process; however, I can use the Kill Thread method instead to kill my test.exe, and I can also suspend it. Is there a way to prevent Kill Thread and Suspend Thread?
Am I missing something? Or do I need to add something more? Please help!
Library code is below:
Library mydll;
Uses
Windows,
madRemote,
madCodeHook,
madStrings;
// "Next" pointers: HookAPI (see the initialization block at the end of the
// library) stores the original entry points here, so the callbacks below can
// pass through every call that is not aimed at the protected process.
Var TerminateProcessNext : Function (ProcessHandle, ExitCode: DWord) : Bool; stdcall;
// Native variant used on NT-family systems (ntdll!NtTerminateProcess); returns an NTSTATUS.
NtTerminateProcessNext : Function (ProcessHandle, ExitCode: DWord) : DWord; stdcall;
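Function ThisIsOurProcess(processHandle: DWord): Boolean;
// True when processHandle refers to the process we protect (Test.exe) and the
// caller is some other process.  Two corrections over the plain substring test:
//  * the file name is compared exactly (case-insensitive, either the whole
//    string or preceded by '\'), so "MyTest.exe" or a directory called
//    "Test.exe" no longer match;
//  * a process is never treated as "ours" from inside itself, so Test.exe can
//    still exit normally (ExitProcess ends in NtTerminateProcess on the
//    process's own handle, which the previous version would have denied).
Const
  ProtectedExe = 'Test.exe';
Var
  Pid    : DWord;
  ArrCh  : Array [0..MAX_PATH] Of Char;
  Path   : String;
  NameAt : Integer;    // 1-based index in Path where the file name would start
Begin
  Result := False;
  Pid := ProcessHandleToId(processHandle);
  // Pid = 0: handle could not be resolved (also the NULL-handle case).
  // Pid = GetCurrentProcessId: the process is terminating itself; allow it.
  If (Pid = 0) Or (Pid = GetCurrentProcessId) Then
    Exit;
  If Not ProcessIdToFileName(Pid, ArrCh) Then
    Exit;
  Path := ArrCh;                       // zero-terminated buffer -> string
  NameAt := Length(Path) - Length(ProtectedExe) + 1;
  If NameAt < 1 Then
    Exit;                              // too short to hold the name at all
  // Exact, case-insensitive match of the trailing path component only.
  Result := ((NameAt = 1) Or (Path[NameAt - 1] = '\')) And
            (lstrcmpi(PChar(Copy(Path, NameAt, MaxInt)), ProtectedExe) = 0);
End;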
Function TerminateProcessCallback(ProcessHandle, ExitCode: DWord): Bool; stdcall;
// Replacement for kernel32!TerminateProcess (Win9x path).  Calls aimed at the
// protected process fail with ERROR_ACCESS_DENIED; all others are forwarded to
// the original entry point saved in TerminateProcessNext.
Begin
  If Not ThisIsOurProcess(ProcessHandle) Then
  Begin
    Result := TerminateProcessNext(ProcessHandle, ExitCode);
    Exit;
  End;
  // Mimic a genuine access-denied failure for the caller.
  SetLastError(ERROR_ACCESS_DENIED);
  Result := False;
End;
Function NtTerminateProcessCallback(ProcessHandle, ExitCode: DWord): DWord; stdcall;
// Replacement for ntdll!NtTerminateProcess (NT-family path).  Returns
// STATUS_ACCESS_DENIED for the protected process and otherwise hands the call
// to the original entry point saved in NtTerminateProcessNext.
Const
  STATUS_ACCESS_DENIED = $C0000022;   // NTSTATUS, not a Win32 error code
Begin
  If Not ThisIsOurProcess(ProcessHandle) Then
  Begin
    Result := NtTerminateProcessNext(ProcessHandle, ExitCode);
    Exit;
  End;
  Result := STATUS_ACCESS_DENIED;
End;
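Var
  Hooked : Bool;   // result of HookAPI, previously discarded
Begin
  // Library initialization: install the termination hook once per process the
  // DLL is injected into.  Bit 31 of GetVersion is set on Win9x; NT-family
  // systems get the native ntdll call hooked (kernel32's TerminateProcess is
  // expected to route through it), Win9x gets kernel32 itself.
  If GetVersion And $80000000 = 0 Then
    Hooked := HookAPI('ntdll.dll', 'NtTerminateProcess', @NtTerminateProcessCallback, @NtTerminateProcessNext)
  Else
    Hooked := HookAPI(kernel32, 'TerminateProcess', @TerminateProcessCallback, @TerminateProcessNext);
  // A failed HookAPI used to go unnoticed, leaving that process silently
  // unprotected; at least surface it to an attached debugger / DbgView.
  If Not Hooked Then
    OutputDebugString('mydll: HookAPI failed, termination hook not installed');
End.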
When the application starts I call InjectLibrary:
InjectLibrary(ALL_SESSIONS or SYSTEM_PROCESSES, 'mydll.dll')
I call UninjectLibrary when I want to quit the application:
UninjectLibrary(ALL_SESSIONS or SYSTEM_PROCESSES, 'mydll.dll')
Help is appreciated