How to catch Terminate Process in my Application with MadCod

c++ / delphi package - dll injection and api hooking
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

EndItAll uses a remote thread to execute "ExitProcess" in the context of the process which it wants to be stopped. This is not (yet) hooked by the HookProcessTermination demo. I should probably add that to the next version.
Runner
Posts: 90
Joined: Tue Dec 14, 2004 1:04 pm

Post by Runner »

You can't use Delphi for writing drivers. You need Microsoft DDK. There are some solutions that give Delphi driver writing capabilities on the market but I don't know how efficient or easy to use they are.
hexa
Posts: 3
Joined: Tue Apr 19, 2005 12:11 pm

Post by hexa »

Thanks for your reply, madshi.
madshi wrote: EndItAll uses a remote thread to execute "ExitProcess" in the context of the process which it wants to be stopped.
Hmm. I'm not sure I have understood :? "In the context" = dll injection?

What if I wanted to stop EndItAll? Which APIs should I hook?
Thanks!
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

No, not dll injection, but remote threads (CreateRemoteThread).

You need to hook ExitProcess in your own process and only allow it if you want your process to end. Furthermore you also need to do what HookProcessTermination does, namely hooking (Nt)TerminateProcess system wide.

Please note that you don't need to hook ExitProcess system wide. So don't put that code into the hook dll. It's enough to hook that only inside of your own process (= in your own exe).

Hopefully you'll use this for legal purposes only?
hexa
Posts: 3
Joined: Tue Apr 19, 2005 12:11 pm

Post by hexa »

Of course :wink: I would never use madCollection for illegal purposes. That would make Antivirus producers block it as "trojan tool" and we couldn't use it anymore :(
Thanks a lot for your explanation madshi!
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

hexa wrote: Of course :wink: I would never use madCollection for illegal purposes. That would make Antivirus producers block it as "trojan tool" and we couldn't use it anymore :(
Exactly! :wink:
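
A detection-side view of the technique madshi describes (a remote thread whose start routine is ExitProcess), as an added example that is not part of the original thread or of madCodeHook. It assumes Sysmon CreateRemoteThread events (Event ID 8) are being collected, which the thread does not mention; the sample events, paths and PIDs are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Start routines that end the target process when run as a remote thread.
# Only ExitProcess is named in the thread; extend the set as needed.
EXIT_ROUTINES = {"exitprocess"}


def make_event(event_id, **data):
    """Build a constructed Sysmon-style event as XML text (sample input only)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{rows}</EventData></Event>')


# Constructed sample: one remote ExitProcess thread, one unresolved start
# address, one unrelated remote thread, one process-creation event.
SAMPLE_EVENTS = [
    make_event(8, SourceImage=r"C:\Tools\killer.exe",
               TargetImage=r"C:\App\guarded.exe", TargetProcessId=4120,
               StartModule=r"C:\Windows\System32\KERNEL32.DLL",
               StartFunction="ExitProcess"),
    make_event(8, SourceImage=r"C:\Tools\debugger.exe",
               TargetImage=r"C:\App\guarded.exe", TargetProcessId=4120,
               StartModule="-", StartFunction="-"),
    make_event(8, SourceImage=r"C:\Tools\helper.exe",
               TargetImage=r"C:\App\other.exe", TargetProcessId=5300,
               StartModule=r"C:\Windows\System32\kernel32.dll",
               StartFunction="LoadLibraryW"),
    make_event(1, Image=r"C:\App\guarded.exe"),
]


def find_remote_exit_threads(xml_events):
    """Return remote-thread events whose start routine is kernel32!ExitProcess."""
    hits = []
    for text in xml_events:
        root = ET.fromstring(text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "8":
            continue  # not a CreateRemoteThread event
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        # Compare on the module file name only, case-insensitively.
        module = data.get("StartModule", "").lower().rsplit("\\", 1)[-1]
        function = data.get("StartFunction", "").lower()
        if module == "kernel32.dll" and function in EXIT_ROUTINES:
            hits.append({"source": data.get("SourceImage"),
                         "target": data.get("TargetImage"),
                         "target_pid": data.get("TargetProcessId")})
    return hits
```

Events where Sysmon could not resolve the start address (shown as "-") are not classified by this check and need a separate review path.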