Prevent process killing in Windows 8


Postby televes » Sat Feb 09, 2013 12:25 am

Hello

I’m working on a small security application that users are not supposed to close through the task manager. On Windows XP, Vista and 7 I was able to do so just by hooking NTTerminateProcess and ignoring the call to the real function if certain conditions are met:

Code:
// NtTerminateProcess returns an NTSTATUS and takes an NTSTATUS exit code.
// NtTerminateProcessNext is the "next hook" pointer madCodeHook fills in;
// AppendToLog and IsAllowed are the poster's own helpers.
#include <windows.h>
#include <winternl.h>
#ifndef STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#endif

NTSTATUS (NTAPI *NtTerminateProcessNext)(HANDLE ProcessHandle, NTSTATUS ExitStatus);

NTSTATUS NTAPI NtTerminateProcessCallback(HANDLE hProcess, NTSTATUS ExitStatus){
   // (AppendToLog is just a function that prints text to a file)
   AppendToLog(L"NtTerminateProcess", hProcess);
   if (!IsAllowed(hProcess)){
      AppendToLog(L"NtTerminateProcess blocked", hProcess);
      return STATUS_ACCESS_DENIED;
   }else{
      return NtTerminateProcessNext(hProcess, ExitStatus);
   }
}


but in Windows 8 there is a strange behavior when I try to kill the application using task manager:
The callback function is executed fine and the process (let's call it A.EXE) is not killed, just as expected (I can even see the "NTTerminateProcess blocked" text in the log), BUT what happens next is that A.EXE starts to increase its CPU usage for no reason, and after 15 seconds or so it reaches 98% and then crashes (and therefore is closed).

I have made the same test with a different process (let's call it B.EXE) and this time the process is killed immediately, even though the callback function did not call the real NtTerminateProcess function.

Does anyone have an idea to effectively prevent the killing of a process in Windows 8, at least by using the Windows task manager?

Thank you for any help!
televes
 
Posts: 13
Joined: Mon Jul 27, 2009 4:10 pm

Re: Prevent process killing in Windows 8

Postby madshi » Sat Feb 09, 2013 12:50 am

You could try hooking NtOpenProcess. I hope this is for a legal ("good") purpose?
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Postby televes » Tue Feb 12, 2013 3:24 pm

Hello

Yes, it's for a legal purpose. I'm working on a program to monitor employee activity in my workplace, and there is a process I need to keep running even if the user has admin rights.

I'm going to look further into NtOpenProcess and let you know.

Thanks!
televes
 
Posts: 13
Joined: Mon Jul 27, 2009 4:10 pm

Re: Prevent process killing in Windows 8

Postby pinya » Wed Feb 27, 2013 4:57 pm

Hello...
Same problem with NtTerminateProcess.

It is never called when I kill the app from Task Manager.
How can hooking NtOpenProcess help? I do not want to prevent OpenProcess....

It is for good, legal software...

madCHook ver. 3.1.2
pinya
 
Posts: 18
Joined: Tue Feb 05, 2013 4:39 am

Re: Prevent process killing in Windows 8

Postby madshi » Wed Feb 27, 2013 5:03 pm

In order to call NtTerminateProcess you need a process handle. So if you block NtOpenProcess, NtTerminateProcess can't work (unless a process handle was retrieved without calling NtOpenProcess somehow). I don't know if blocking NtOpenProcess is a good idea, though. Maybe it will hurt the OS somehow. I haven't tried it...
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Postby pinya » Thu Feb 28, 2013 2:26 am

Have you any idea why it is not called? Maybe in Win8 TerminateProcess is in a different library or...
NtOpenProcess may need to be called for other purposes than killing the process (also with GENERIC_ALL) and I don't like to prevent this.

I want to minimize the hooking technique in my product... I only need a service that cannot be terminated.
pinya
 
Posts: 18
Joined: Tue Feb 05, 2013 4:39 am

Re: Prevent process killing in Windows 8

Postby madshi » Thu Feb 28, 2013 7:24 am

I don't know what win8 does for process termination. Maybe it terminates in driver land, or maybe it uses a different native API (NtTerminateEx?). I don't really know.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Postby pinya » Thu Feb 28, 2013 10:05 am

Hooking NtOpenProcess doesn't help :(
pinya
 
Posts: 18
Joined: Tue Feb 05, 2013 4:39 am

Re: Prevent process killing in Windows 8

Postby madshi » Thu Feb 28, 2013 10:22 am

Then I can only guess that the termination might be done in driver land. I don't know for sure, but it could be. In that case you can't hook it with madCodeHook.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Postby iconic » Tue Mar 05, 2013 3:08 am

There are a million + 1 ways to kill a process, honestly protecting a process is a pointless endeavor. Here are 12 (not just limited to these) ways to do this effortlessly http://wj32.org/wp/2009/05/10/12-ways-t ... a-process/

Think about an alternative solution instead of process protection

--Iconic
iconic
 
Posts: 851
Joined: Wed Jun 08, 2005 5:08 am

Re: Prevent process killing in Windows 8

Postby choochy2003 » Fri May 17, 2013 8:40 am

Iconic

I disagree that process protection is pointless. While I do agree that it is completely impossible to stop all forms of someone terminating a process, there is still value in covering as much as you can. Reducing the ability to easily stop the process narrows it down to the academic hackers/users while still cutting out a large percentage of the general users. The majority of users have no idea how to even go about stopping a process in Task Manager, let alone using more advanced methods. If we can stop a simple user clicking End Task/End Process then the job is done and it's added value. The academic users who can stop it, well, that's something we have to live with. 50, 60, 70% coverage is still better than none.

Chris
choochy2003
 
Posts: 79
Joined: Fri Mar 21, 2008 4:52 am

Re: Prevent process killing in Windows 8

Postby choochy2003 » Fri May 17, 2013 8:48 am

pinya

As Madshi suggested, Hooking NtOpenProcess is the way to go in this case. Please see the following code:

Code:
type
  TClientId = record UniqueProcess, UniqueThread: THandle; end;  // UniqueProcess = target PID
  PClientId = ^TClientId;
var  // "next hook" pointer that madCodeHook's HookAPI fills in
  NtOpenProcessNext: function(ProcessHandle: PHANDLE; DesiredAccess: DWORD; ObjectAttributes: Pointer; ClientId: PClientId): DWORD; stdcall;

function NtOpenProcessCallback(ProcessHandle: PHANDLE; DesiredAccess: DWORD; ObjectAttributes: Pointer; ClientId: PClientId): DWORD; stdcall;
const
  PROCESS_TERMINATE    = $00000001;
  MAXIMUM_ALLOWED      = $02000000;
  STATUS_ACCESS_DENIED = $C0000022;
begin
  // ClientId is nil when the caller opens by name via ObjectAttributes.
  // MAXIMUM_ALLOWED and GENERIC_ALL are expanded by the kernel after this hook
  // has run and can include PROCESS_TERMINATE, so treat them the same way.
  if (ClientId <> nil) and
     (DesiredAccess and (PROCESS_TERMINATE or MAXIMUM_ALLOWED or GENERIC_ALL) <> 0) and
     IsProtectedProcess(ClientId^.UniqueProcess) then
    Result := STATUS_ACCESS_DENIED
  else
    Result := NtOpenProcessNext(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
end;

1. Its best to reduce the scope of which NtOpenProcess callbacks you deny by checking the DesiredAccess mask and seeing if the PROCESS_TERMINATE query flag is set and focus on just those.
2. ClientId.UniqueProcess holds the Process Id of the process being requested to be opened.
3. I would suggest using this code for only Vista and above as the usage requirements of the NtOpenProcess differs with earlier OS's.
4. The above is Delphi code but the principles are the same under C.

Chris
choochy2003
 
Posts: 79
Joined: Fri Mar 21, 2008 4:52 am
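
An added example, not code from this thread or from madCodeHook: the access-mask decision that the NtOpenProcess hook above has to make, written in portable C with the Win32 constants defined inline so it compiles and runs anywhere. It shows why testing only the literal PROCESS_TERMINATE bit is not enough (MAXIMUM_ALLOWED and the generic rights are expanded by the kernel after the hook has already seen the mask) and, for pinya's concern earlier in the thread that other callers legitimately ask for GENERIC_ALL, a variant that strips the terminate right and lets the open succeed instead of denying it. The protected PID, the request table and the generic-execute mapping used by sanitize_mask() are my assumptions, marked in the comments.

```c
/* Added example: access-mask filtering for an NtOpenProcess hook, modelled
 * without Windows headers so the decision logic compiles and runs anywhere.
 * Constants are the documented Win32 values; the protected PID and the
 * generic-execute mapping in sanitize_mask() are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

#define PROCESS_TERMINATE                 0x00000001u
#define PROCESS_QUERY_INFORMATION         0x00000400u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x00001000u
#define READ_CONTROL                      0x00020000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu /* Vista and later */
#define MAXIMUM_ALLOWED                   0x02000000u
#define GENERIC_ALL                       0x10000000u
#define GENERIC_EXECUTE                   0x20000000u

/* Hypothetical protected process; stands in for the poster's IsProtectedProcess(). */
static const uint32_t PROTECTED_PID = 4242;

static bool is_protected_pid(uint32_t pid) { return pid == PROTECTED_PID; }

/* The check as posted in the thread: deny only when the literal
 * PROCESS_TERMINATE bit is present in DesiredAccess. */
bool naive_should_deny(ACCESS_MASK desired, uint32_t pid)
{
    return is_protected_pid(pid) && (desired & PROCESS_TERMINATE) != 0;
}

/* MAXIMUM_ALLOWED and the generic bits are resolved by the kernel after the
 * hook has seen the mask, so a caller can end up with PROCESS_TERMINATE without
 * ever naming it. Treat those bits as a request for terminate. */
bool hardened_should_deny(ACCESS_MASK desired, uint32_t pid)
{
    const ACCESS_MASK reaches_terminate =
        PROCESS_TERMINATE | MAXIMUM_ALLOWED | GENERIC_ALL | GENERIC_EXECUTE;
    return is_protected_pid(pid) && (desired & reaches_terminate) != 0;
}

/* Alternative to failing the whole open: rewrite the mask so the open succeeds
 * with every right except PROCESS_TERMINATE and hand that mask to the real
 * NtOpenProcess. Tools that ask for PROCESS_ALL_ACCESS for benign reasons keep
 * working, and NtTerminateProcess on the returned handle is refused by the
 * kernel itself, so no second hook is needed.
 * Assumption: GENERIC_EXECUTE on a process object maps to READ_CONTROL |
 * SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE. */
ACCESS_MASK sanitize_mask(ACCESS_MASK desired, uint32_t pid)
{
    if (!is_protected_pid(pid))
        return desired;                        /* unrelated process: untouched */
    ACCESS_MASK m = desired;
    if (m & (MAXIMUM_ALLOWED | GENERIC_ALL)) {
        m &= ~(MAXIMUM_ALLOWED | GENERIC_ALL);
        m |= PROCESS_ALL_ACCESS;               /* expand to explicit rights */
    }
    if (m & GENERIC_EXECUTE) {
        m &= ~GENERIC_EXECUTE;
        m |= READ_CONTROL | SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION;
    }
    return m & ~PROCESS_TERMINATE;             /* the one right we never grant */
}

int main(void)
{
    /* Constructed sample requests {mask, pid} as the hook would see them. */
    const struct { ACCESS_MASK mask; uint32_t pid; const char *what; } req[] = {
        { PROCESS_TERMINATE,         4242, "Task Manager style: PROCESS_TERMINATE" },
        { MAXIMUM_ALLOWED,           4242, "MAXIMUM_ALLOWED" },
        { GENERIC_ALL,               4242, "GENERIC_ALL" },
        { PROCESS_QUERY_INFORMATION, 4242, "query only" },
        { PROCESS_ALL_ACCESS,        1000, "other process, all access" },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-40s naive=%d hardened=%d sanitized=0x%08X\n", req[i].what,
               (int)naive_should_deny(req[i].mask, req[i].pid),
               (int)hardened_should_deny(req[i].mask, req[i].pid),
               (unsigned)sanitize_mask(req[i].mask, req[i].pid));
    return 0;
}
```

In the real hook, pass the value returned by sanitize_mask() to NtOpenProcessNext in place of the caller's DesiredAccess. Both variants only see handles that go through NtOpenProcess; a handle reached by NtDuplicateObject or a direct syscall, as iconic describes later in the thread, never enters this code.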

Re: Prevent process killing in Windows 8

Postby iconic » Sun Jun 15, 2014 4:38 am

Sorry for necro posting but I've not been on this forum for a while and searched for unanswered posts in which I was mentioned... Hooking NtOpenProcess and NtOpenThread can thwart most usermode attacks, sure. However, even in usermode without a driver, calls to DebugActiveProcess, exiting your own process, or simply scanning the csrss process' handle table and duplicating the process handle of the desired PID offers PROCESS/THREAD_ALL_ACCESS rights. No need to call NtOpenProcess or NtOpenThread, just NtDuplicateObject, which the DuplicateHandle() API wraps, and you now have a fully qualified all-access handle to the desired process or thread object. At this point calls to NtTerminateProcess and NtTerminateThread no longer require you to call the OpenProcess/Thread APIs. To make matters worse, any hooked APIs that translate to system calls can be emulated with interrupt 0x2E / SYSCALL, so there's nothing to hook from an ntdll.dll export perspective anymore. This is why I said it's better to choose a better defense mechanism than usermode hooking of the APIs suggested. Process termination protection is definitely a pipe dream, ask any seasoned security expert. There are virtually endless methods available and some still yet to be discovered.

--Iconic
iconic
 
Posts: 851
Joined: Wed Jun 08, 2005 5:08 am

Re: Prevent process killing in Windows 8

Postby madshi » Sun Jun 15, 2014 8:45 am

That's true, user mode hooking has its limits. Even if user mode hooking is done perfectly, a driver can always do anything it wants without being affected at all by user mode hooking. Because of that user mode hooking usually can't be 100% foolproof. That said, some protection is better than none. Often it's good enough to protect from things like the end user trying to terminate a process with standard tools. And for that user mode API hooking usually works fine. In the end it's not my job to decide which purpose madCodeHook should be used for (not for bad things, though, please). I'm just providing a user mode hooking framework. Whether or not it makes sense to do something specific by using user mode API hooking is for the madCodeHook user/developer to decide, in the context of his specific situation/needs.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Postby power888 » Fri Aug 22, 2014 11:22 am

Hi... I have same issues.

and I found the reason.

When I call ProcessIdToFileNameW in NtTerminateProcessCallback(..),
ProcessIdToFileNameW's pFileName returns a wrong filename like '?'.

The following is very strange..

If I kill Journal.exe (an app that Windows 8.1 installed), then ProcessIdToFileNameW returns the correct file name.
But if I kill Notepad.exe then ProcessIdToFileNameW returns '?'.

What can I do?
power888
 
Posts: 50
Joined: Sat May 23, 2009 8:55 am
