Protect own application from termination...issues
I hook NtTerminateProcess/TerminateProcess, and also take care of WM_CLOSE. This all prevents my app from being closed by Process Explorer or Task Manager via End Process and End Task.
But I just tested APT, and it can terminate my app with 3 different methods: WM_QUIT, TerminateThread, and something with DebugActivate or similar.
About WM_QUIT, I did not find any solution to prevent that...???
TerminateThread: Can this be hooked safely?
What about that DebugActivatexxx?
And what about when malware injects code into my app? How can I prevent that?
Thanks for the quick answer.

madshi wrote:
You could block NtOpenProcess. That should help with most of the problems. WM_QUIT is usually sent by either PostThreadMessage or PostQuitMessage. TerminateThread can be safely hooked. Debug*, too.

However, I blocked NtOpenProcess when the process is my exe, and Task Manager went crazy (the Applications tab, not the Processes tab), until the system froze and I had to restart. So I am certain I did something wrong...
VMware does a free version that can be downloaded and used.
I've been reading a lot of your posts and have tried to reply to a few of them. However (and don't take this the wrong way), you seem to be quick to post with issues. Everyone is happy to help and I've had countless amounts of help from the forum users.
However, some of the things you are asking are basic Windows programming concepts. Take on board that people spend quite a bit of time trying to help other users but this time is not limitless. Personally I'd stick to asking things that are totally specific to injection / hooking and problems related directly to them.
For example, you asked about determining which program made a registry call - madshi answered your question but you didn't read the reply. GetModuleFileName() will return the full path of the current process if you pass NULL as the first parameter.
As for your process termination issue, you will NEVER get a fool-proof solution using user-mode hooks. APT can kill pretty much everything using one or more of their techniques. At the end of the day - if a process has a kernel-mode driver, it's going to be able to beat any user-mode hook you make. I have a system now, after many weeks' work, that will withstand all the non-kernel-mode options provided by APT, but it wasn't an easy solution.
I'm sure you will take this the wrong way but you need to look at the previous posts made, do some research yourself and read up on Windows internals. You should always aim to hook as a last resort - not the first option. Searching MSDN will give you all the information you need, i.e. WM_QUIT. Start thinking around the problems that you're having and 9 times out of 10 you can find an acceptable solution which doesn't include hooking.
Finally, if your NtOpenProcess hook is hanging your box - there is obviously an issue with your hook. Look at previous posts on NtOpenProcess and you will find out what you need. First test the hook in a pure relay capacity - this will tell you if your prototype is OK. If this doesn't work - your prototype is incorrect. Again, search and see if you can find a prototype on the forum - if you can't then this would make a valid question. If a pure relay function works, then something you are doing in the hook is not working - again, search for previous posts (for example, you can't do IPC stuff from within NtOpenProcess).
Hope this information helps, please don’t take my points the wrong way but in the end, people will just stop replying if you aren’t prepared to do the ground work yourself.
Regards,
Mike C
mikec, I do not take it the wrong way, I know I post too much.
I think too complicated when it comes to hooking, and do not see the simplest solutions because of that. And where else can I get correct information if not here, where madshi is the hooking specialist?
Oh, and I have again an issue, related to hooking, but that's another post...
softtouch wrote:
I think too complicated when it comes to hooking, and do not see the simplest solutions because of that. And where else can I get correct information if not here, where madshi is the hooking specialist?

I understand that, but you do post more questions than anyone else has ever done. The prices of madCodeHook were not made with so much support work in mind. If all of my customers asked as many questions, I would have to raise prices *a lot*. Just think about this: The price of the Single Developer Edition of madCodeHook is only 199 USD. That is less than what really good programmers take per hour. So basically after one hour of support work I'm already "losing" money.
Anyway, I'm here to help and I will. But it would be most welcome if you tried to get an answer to your questions yourself by doing your own research before you come here to ask for help. Thanks.