
Prevent process killing in Windows 8

Posted: Sat Feb 09, 2013 12:25 am
by televes
Hello

I'm working on a small security application that users are not supposed to close through the task manager. On Windows XP, Vista and 7 I was able to do so just by hooking NtTerminateProcess and ignoring the call to the real function if certain conditions are met:

Code:
DWORD WINAPI NtTerminateProcessCallback(HANDLE hProcess, UINT uExitCode){
   // (AppendToLog is just a function that prints text to a file)
   AppendToLog(L"NTTerminateProcess", hProcess);
   if (!IsAllowed(hProcess)){
      AppendToLog(L"NTTerminateProcess blocked", hProcess);
      return STATUS_ACCESS_DENIED;
   }else{
      return NtTerminateProcessNext(hProcess, uExitCode);
   }
}


but in Windows 8 there is a strange behavior when I try to kill the application using the task manager:
The callback function is executed fine and the process (let's call it A.EXE) is not killed, just as expected (I can even see the "NTTerminateProcess blocked" text in the log), BUT what happens next is that A.EXE starts to increase its CPU usage for no reason, and after 15 seconds or so it reaches 98% and then crashes (and therefore is closed).

I have made the same test with a different process (let's call it B.EXE) and this time the process is killed immediately, even though the callback function did not call the real NtTerminateProcess function.

Does anyone have an idea to effectively prevent the killing of a process in Windows 8, at least by using the Windows task manager?

Thank you for any help!

Re: Prevent process killing in Windows 8

Posted: Sat Feb 09, 2013 12:50 am
by madshi
You could try hooking NtOpenProcess. I hope this is for a legal ("good") purpose?

Re: Prevent process killing in Windows 8

Posted: Tue Feb 12, 2013 3:24 pm
by televes
Hello

Yes, it's for a legal purpose. I'm working on a program to monitor employee activity in my workplace, and there is a process I need to keep running even if the user has admin rights.

I'm going to look further into NtOpenProcess and let you know.

Thanks!

Re: Prevent process killing in Windows 8

Posted: Wed Feb 27, 2013 4:57 pm
by pinya
Hello...
I have the same problem with this NtTerminateProcess hook.

It is never called when I kill the app from the task manager.
How can hooking NtOpenProcess help? I do not want to prevent OpenProcess....

It is for good, legal software...

madCHook ver. 3.1.2

Re: Prevent process killing in Windows 8

Posted: Wed Feb 27, 2013 5:03 pm
by madshi
In order to call NtTerminateProcess you need a process handle. So if you block NtOpenProcess, NtTerminateProcess can't work (unless a process handle was retrieved without calling NtOpenProcess somehow). I don't know if blocking NtOpenProcess is a good idea, though. Maybe it will hurt the OS somehow. I haven't tried it...

Re: Prevent process killing in Windows 8

Posted: Thu Feb 28, 2013 2:26 am
by pinya
Do you have any idea why it is not called? Maybe in Win8 TerminateProcess is in a different library or...
NtOpenProcess may be needed for other purposes than killing the process (also with GENERIC_ALL) and I don't like to prevent this.

I want to minimize hooking techniques in my product... I only need a service that cannot be terminated.

Re: Prevent process killing in Windows 8

Posted: Thu Feb 28, 2013 7:24 am
by madshi
I don't know what win8 does for process termination. Maybe it terminates in driver land, or maybe it uses a different native API (NtTerminateEx?). I don't really know.

Re: Prevent process killing in Windows 8

Posted: Thu Feb 28, 2013 10:05 am
by pinya
Hooking NtOpenProcess doesn't help :(

Re: Prevent process killing in Windows 8

Posted: Thu Feb 28, 2013 10:22 am
by madshi
Then I can only guess that the termination might be done in driver land. I don't know for sure, but it could be. In that case you can't hook it with madCodeHook.

Re: Prevent process killing in Windows 8

Posted: Tue Mar 05, 2013 3:08 am
by iconic
There are a million + 1 ways to kill a process; honestly, protecting a process is a pointless endeavor. Here are 12 (not just limited to these) ways to do this effortlessly: http://wj32.org/wp/2009/05/10/12-ways-t ... a-process/

Think about an alternative solution instead of process protection

--Iconic

Re: Prevent process killing in Windows 8

Posted: Fri May 17, 2013 8:40 am
by choochy2003
Iconic

I disagree that process protection is pointless. While I do agree that it is completely impossible to stop all forms of someone terminating a process, there is still value in covering as much as you can. Reducing the ability to easily stop the process narrows it down to the academic hackers/users while still cutting out a large percentage of the general users. The majority of users have no idea how to even go about stopping a process in Task Manager, let alone using more advanced methods. If we can stop a simple user clicking end task/process then the job is done and it's added value. The academic users who can stop it, well, that's something we have to live with. 50, 60, 70% coverage is still better than none.

Chris

Re: Prevent process killing in Windows 8

Posted: Fri May 17, 2013 8:48 am
by choochy2003
pinya

As Madshi suggested, hooking NtOpenProcess is the way to go in this case. Please see the following code:

Code:
function NtOpenProcessCallback(ProcessHandle: PHANDLE; DesiredAccess: DWORD; ObjectAttributes: Pointer; ClientId: PClientId): DWORD; stdcall;
const
  PROCESS_TERMINATE    = 1;
  STATUS_ACCESS_DENIED = $C0000022;
begin
  if ((DesiredAccess and PROCESS_TERMINATE) <> 0) and IsProtectedProcess(ClientId.UniqueProcess) then
    Result := STATUS_ACCESS_DENIED
  else
    Result := NtOpenProcessNext(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
end;

1. It's best to reduce the scope of which NtOpenProcess callbacks you deny by checking the DesiredAccess mask to see if the PROCESS_TERMINATE flag is set, and focus on just those.
2. ClientId.UniqueProcess holds the process ID of the process being requested to be opened.
3. I would suggest using this code only for Vista and above, as the usage requirements of NtOpenProcess differ on earlier OSes.
4. The above is Delphi code but the principles are the same under C.

Chris
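
Added example, not code from this thread or from madCodeHook: the DesiredAccess test from the Delphi callback above, written as a stand-alone C predicate that also treats GENERIC_ALL, GENERIC_WRITE (which pinya mentioned can be requested instead of explicit rights) and MAXIMUM_ALLOWED as terminate-capable, since a test of the PROCESS_TERMINATE bit alone does not see them. The access-mask constants are the documented Win32 values, redefined so it builds without windows.h; the protected-PID list and the claim that NT's process generic mapping places PROCESS_TERMINATE under GENERIC_WRITE are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Documented Win32 access-mask values, redefined so this builds without windows.h. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define MAXIMUM_ALLOWED                   0x02000000u
#define GENERIC_ALL                       0x10000000u
#define GENERIC_WRITE                     0x40000000u
typedef uint32_t ACCESS_MASK;

/* Constructed stand-in for the product's own protected-PID list (hypothetical). */
static const uint32_t PROTECTED_PIDS[] = { 4242u };

static bool is_protected_pid(uint32_t pid)
{
    for (size_t i = 0; i < sizeof PROTECTED_PIDS / sizeof PROTECTED_PIDS[0]; i++)
        if (PROTECTED_PIDS[i] == pid) return true;
    return false;
}

/* True if a handle opened with this mask could be passed to NtTerminateProcess.
 * Beyond the explicit PROCESS_TERMINATE bit it covers the indirect routes:
 * GENERIC_ALL / GENERIC_WRITE, which the object manager maps to process rights
 * that include PROCESS_TERMINATE (assumption: NT's process generic mapping),
 * and MAXIMUM_ALLOWED, which grants every right the caller's token permits. */
bool grants_terminate(ACCESS_MASK desired)
{
    if (desired & PROCESS_TERMINATE) return true;
    if (desired & (GENERIC_ALL | GENERIC_WRITE)) return true;
    if (desired & MAXIMUM_ALLOWED) return true;
    return false;
}

/* The decision the NtOpenProcess callback makes: deny only when the mask can
 * reach termination AND the target is protected, so ordinary query opens
 * (e.g. Task Manager reading CPU usage) keep working. */
bool should_deny_open(ACCESS_MASK desired, uint32_t target_pid)
{
    return grants_terminate(desired) && is_protected_pid(target_pid);
}

int main(void)
{
    printf("GENERIC_ALL open of pid 4242 denied: %d\n", should_deny_open(GENERIC_ALL, 4242u)); /* 1 */
    return 0;
}
```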

Re: Prevent process killing in Windows 8

Posted: Sun Jun 15, 2014 4:38 am
by iconic
Sorry for necro posting, but I've not been on this forum for a while and searched for unanswered posts in which I was mentioned... Hooking NtOpenProcess and NtOpenThread can thwart most user-mode attacks, sure. However, even in user mode without a driver, calls to DebugActiveProcess, exiting your own process, or simply scanning the csrss process's handle table and duplicating the process handle of the desired PID offer PROCESS/THREAD_ALL_ACCESS rights. No need to call NtOpenProcess or NtOpenThread, just NtDuplicateObject, which the DuplicateHandle() API wraps, and you now have a fully qualified all-access handle to the desired process or thread object. At this point calls to NtTerminateProcess and NtTerminateThread no longer require you to call the OpenProcess/Thread APIs; to make matters worse, any hooked APIs that translate to system calls can be emulated with interrupt 0x2E / SYSCALL, so there's nothing to hook from an ntdll.dll export perspective anymore. This is why I said it's better to choose a better defense mechanism than user-mode hooking of the APIs suggested. Process termination protection is definitely a pipe dream, ask any seasoned security expert. There are virtually endless methods available and some still yet to be discovered.

--Iconic

Re: Prevent process killing in Windows 8

Posted: Sun Jun 15, 2014 8:45 am
by madshi
That's true, user mode hooking has its limits. Even if user mode hooking is done perfectly, a driver can always do anything it wants without being affected at all by user mode hooking. Because of that user mode hooking usually can't be 100% foolproof. That said, some protection is better than none. Often it's good enough to protect from things like the end user trying to terminate a process with standard tools. And for that user mode API hooking usually works fine. In the end it's not my job to decide which purpose madCodeHook should be used for (not for bad things, though, please). I'm just providing a user mode hooking framework. Whether or not it makes sense to do something specific by using user mode API hooking is for the madCodeHook user/developer to decide, in the context of his specific situation/needs.

Re: Prevent process killing in Windows 8

Posted: Fri Aug 22, 2014 11:22 am
by power888
Hi... I have the same issues.

And I found the reason.

When I call ProcessIdToFileNameW in NTTerminateProcessCallback(..),
ProcessIdToFileNameW's pFileName returns a wrong filename like '?'.

The following is very strange..

If I kill Journal.exe (an app that Windows 8.1 installed), then ProcessIdToFileNameW returns the correct file name.
But if I kill Notepad.exe, then ProcessIdToFileNameW returns '?'.

What can I do?