Kill Process

c++ / delphi package - dll injection and api hooking

Kill Process

Postby pambol » Thu Jul 05, 2018 2:49 am

How can I kill a process without using Windows APIs (ExitProcess, TerminateProcess, ZwXXX, NtXXX)? Like simulating an app crash.
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Kill Process

Postby madshi » Thu Jul 05, 2018 6:31 am

For which purpose?
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm

Re: Kill Process

Postby pambol » Thu Jul 05, 2018 9:41 pm

Close my own process if someone hooks ExitProcess, ZwTerminateProcess and RtlExitUserProcess.
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Kill Process

Postby madshi » Thu Jul 05, 2018 10:28 pm

Oh, you want to crash your own process from within your own process? That's very easy. E.g. you could use SetThreadContext to set EIP to NULL for all threads (or at least the main thread). Or you could memset the callstack of each thread. Or you could unprotect (VirtualProtect) the ntdll.dll code section and memset it. Etc etc, there are a million ways.
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm

Re: Kill Process

Postby pambol » Thu Jul 05, 2018 10:42 pm

Which is easiest, and which one can't they hook to prevent it?
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: Kill Process

Postby madshi » Thu Jul 05, 2018 10:47 pm

Clearing your own thread's callstack should be possible without even calling any APIs. Just check the ESP register and clear around it.
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm
