Prevent process killing in Windows 8

c++ / delphi package - dll injection and api hooking
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: Prevent process killing in Windows 8

Post by power888 »

Hi..

Solved it using OpenProcess and PROCESS_TERMINATE option...

BTW, in the NtTerminateProcess and TerminateProcess API, when I used the CreateToolhelp32Snapshot API, Process32First returns FALSE,
and sometimes ProcessIdToFileName's processName returns NULL.
(When I kill a process in the [Process] or [User] tab in Task Manager)

Do you have a plan to support ProcessIdToFileName in the NtTerminateProcess and TerminateProcess API?

** Test Environment: Windows 8.1 and 8
With Windows 7, everything works fine.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Post by madshi »

How do you get the process ID needed for ProcessIdToFileName? Sometimes NtTerminateProcess is called with a NULL or -1 process handle. Do you handle those cases properly? I'd suggest that you log the process ID to make sure it's the correct one.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Prevent process killing in Windows 8

Post by iconic »

(HANDLE)-1 is equal to the GetCurrentProcess() pseudo handle (to itself), so the PID would always equal GetCurrentProcessId(). Calling TerminateProcess with a NULL handle wouldn't do anything since it's not a valid process handle, causing the API to return False.
Like Madshi said, check the process handle value inside the NtTerminateProcess callback and also see what ProcessHandleToId is returning (I assume you're using this?).

--Iconic
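
The handle cases discussed in the replies above, as an added example that is not code from the thread or from the hooking package: a helper that classifies the handle seen in a terminate callback before any PID-to-name lookup, so a failed lookup can be logged with its cause. `resolve_target`, `target_kind` and `SAMPLE_HANDLE` are hypothetical names, and the non-Windows branch is a constructed stand-in for the Win32 calls so the logic can be built and tested anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-ins (not real API behaviour) so the logic builds off Windows. */
typedef void *HANDLE;
typedef unsigned long DWORD;
#define SAMPLE_HANDLE ((HANDLE)(intptr_t)0x1F4)  /* constructed handle value */
static DWORD GetCurrentProcessId(void) { return 4321; }
static DWORD GetProcessId(HANDLE h) { return h == SAMPLE_HANDLE ? 1234 : 0; }
#endif

typedef enum { TARGET_SELF, TARGET_OTHER, TARGET_UNKNOWN } target_kind;

/* Hypothetical helper: decide which process a terminate call is aimed at. */
static target_kind resolve_target(HANDLE h, DWORD *pid)
{
    /* (HANDLE)-1 is the GetCurrentProcess() pseudo handle. This example also
       treats a NULL handle at the native level as the caller's own process.
       Neither value can be passed to a handle-to-PID lookup. */
    if (h == NULL || h == (HANDLE)(intptr_t)-1) {
        *pid = GetCurrentProcessId();
        return TARGET_SELF;
    }
    /* Real handle: GetProcessId returns 0 if the handle is invalid or was
       opened without PROCESS_QUERY_INFORMATION or
       PROCESS_QUERY_LIMITED_INFORMATION (e.g. PROCESS_TERMINATE only). */
    *pid = GetProcessId(h);
    if (*pid == 0)
        return TARGET_UNKNOWN;
    return *pid == GetCurrentProcessId() ? TARGET_SELF : TARGET_OTHER;
}

static const char *kind_name(target_kind k)
{
    return k == TARGET_SELF ? "self" : k == TARGET_OTHER ? "other" : "unknown";
}

int main(void)
{
    /* Log the handle and the resolved PID, as suggested in the thread. */
    HANDLE samples[] = { NULL, (HANDLE)(intptr_t)-1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        DWORD pid = 0;
        target_kind k = resolve_target(samples[i], &pid);
        printf("handle=%p pid=%lu target=%s\n", (void *)samples[i],
               (unsigned long)pid, kind_name(k));
    }
    return 0;
}
```

A `TARGET_UNKNOWN` result means the PID could not be read from the handle, which is worth logging separately from a name lookup that fails for a valid PID.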