Prevent process killing in Windows 8

c++ / delphi package - dll injection and api hooking

Re: Prevent process killing in Windows 8

Postby power888 » Sat Aug 23, 2014 7:46 am

Hi..

Solved it using OpenProcess and the PROCESS_TERMINATE option...

BTW, in the NTTerminateProcess and TerminateProcess APIs, when I used the CreateToolhelp32Snapshot API, Process32First returned FALSE,
and sometimes ProcessIdToFileName's processName returned NULL.
(When I kill a process in the [Process] or [User] tab in Task Manager)

Do you have a plan to support ProcessIdToFileName in the NTTerminateProcess and TerminateProcess APIs?

** Test environment: Windows 8.1 and 8
With Windows 7, everything works fine..
power888
 
Posts: 50
Joined: Sat May 23, 2009 8:55 am

Re: Prevent process killing in Windows 8

Postby madshi » Sun Aug 31, 2014 5:27 pm

How do you get the process ID needed for ProcessIdToFileName? Sometimes NtTerminateProcess is called with a NULL or -1 process handle. Do you handle those cases properly? I'd suggest that you log the process ID to make sure it's the correct one.
madshi
Site Admin
 
Posts: 10021
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Postby iconic » Sun Aug 31, 2014 11:08 pm

(HANDLE)-1 is equal to the GetCurrentProcess() pseudo handle (to itself), so the PID would always equal GetCurrentProcessId(). Calling TerminateProcess with a NULL handle wouldn't do anything, since it's not a valid process handle, causing the API to return False.
Like Madshi said, check the process handle value inside the NtTerminateProcess callback and also see what ProcessHandleToId is returning (I assume you're using this?).

--Iconic
iconic
Site Admin
 
Posts: 877
Joined: Wed Jun 08, 2005 5:08 am
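One way to structure the handle handling that madshi and iconic describe, added here as an example and not code from this thread or from madCodeHook: the callback first normalises the handle it received (NULL, the (HANDLE)-1 pseudo handle, or an ordinary handle) into a PID, logs it, and only then decides whether to pass the call through or deny it. The type and function names are my own, the protected-PID set and the 0x1234 handle table are constructed test data, and only GetProcessId and GetCurrentProcessId are real Win32 APIs; the OS step is injected as a function so the logic builds and runs off Windows too.

```cpp
// Added example, not madCodeHook's own code: decision logic for an
// NtTerminateProcess hook callback that copes with the NULL and (HANDLE)-1
// cases from the thread. Resolving a real handle to a PID is injected as a
// function so this builds and runs off Windows; on Windows the adapter
// below wraps the Win32 GetProcessId.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <set>

#ifdef _WIN32
#include <windows.h>
typedef HANDLE ProcHandle;
#else
typedef void* ProcHandle;   // stand-in for HANDLE when building off Windows
#endif

typedef uint32_t Pid;
const Pid kNoPid = 0;       // "could not resolve"; GetProcessId also returns 0 on failure

// Adapter type: resolves an ordinary process handle to its PID (kNoPid on failure).
typedef std::function<Pid(ProcHandle)> HandleToPid;

struct HookContext {
    Pid currentPid;              // GetCurrentProcessId() of the hooked process
    std::set<Pid> protectedPids; // PIDs the hook refuses to let be terminated
    HandleToPid resolve;         // OS adapter for ordinary handles
};

enum Decision { kPassThrough, kDeny };

// Normalise the handle NtTerminateProcess received into a PID, treating the
// two special values before touching the OS:
//   NULL       -> not a usable handle here; report kNoPid, let the original call decide
//   (HANDLE)-1 -> GetCurrentProcess() pseudo handle, i.e. the caller itself
Pid PidFromTerminateHandle(const HookContext& ctx, ProcHandle h) {
    if (h == (ProcHandle)0) return kNoPid;
    if (h == (ProcHandle)(intptr_t)-1) return ctx.currentPid;
    return ctx.resolve(h);
}

// What the hook should do with this call. The PID is logged (as madshi
// suggests) and written to outPid so the caller can verify it.
Decision DecideTerminate(const HookContext& ctx, ProcHandle h, Pid* outPid) {
    Pid pid = PidFromTerminateHandle(ctx, h);
    if (outPid) *outPid = pid;
    std::fprintf(stderr, "NtTerminateProcess handle=%p pid=%u\n", (void*)h, (unsigned)pid);
    if (pid == kNoPid) return kPassThrough;   // unresolved: do not guess, let the OS answer
    return ctx.protectedPids.count(pid) ? kDeny : kPassThrough;
}

#ifdef _WIN32
// Real adapter for Windows builds.
Pid WindowsHandleToPid(ProcHandle h) { return (Pid)GetProcessId(h); }
#endif

// Constructed test double: a fake handle table standing in for GetProcessId.
// Handle 0x1234 maps to a protected PID, anything else to an unprotected one.
HookContext MakeDemoContext() {
    HookContext ctx;
    ctx.currentPid = 100;
    ctx.protectedPids = { 100, 4242 };
    ctx.resolve = [](ProcHandle h) -> Pid {
        return h == (ProcHandle)(intptr_t)0x1234 ? 4242 : 777;
    };
    return ctx;
}

int main() {
    HookContext ctx = MakeDemoContext();
    ProcHandle samples[] = { (ProcHandle)0, (ProcHandle)(intptr_t)-1,
                             (ProcHandle)(intptr_t)0x1234, (ProcHandle)(intptr_t)0x5678 };
    for (ProcHandle h : samples) {
        Pid pid = kNoPid;
        Decision d = DecideTerminate(ctx, h, &pid);
        std::printf("handle=%p pid=%u -> %s\n", (void*)h, (unsigned)pid,
                    d == kDeny ? "deny" : "pass through");
    }
    return 0;
}
```

Keeping the decision apart from the OS call means the NULL and pseudo-handle branches get exercised by the demo table instead of only when Task Manager happens to kill something. On Windows, set `ctx.resolve = WindowsHandleToPid` and `ctx.currentPid = GetCurrentProcessId()`; a kDeny result then maps to returning an error status such as STATUS_ACCESS_DENIED from the hook instead of calling the original function.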
