Prevent process killing in Windows 8

televes
Posts: 13
Joined: Mon Jul 27, 2009 4:10 pm

Prevent process killing in Windows 8

Post by televes »

Hello

I’m working on a small security application that users are not supposed to close through the Task Manager. On Windows XP, Vista and 7 I was able to do so just by hooking NtTerminateProcess and ignoring the call to the real function if certain conditions are met:

#include <windows.h>
#include <winternl.h>   /* NTSTATUS */

#ifndef STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#endif

/* AppendToLog is just a function that prints text to a file; IsAllowed holds the policy */
void AppendToLog(const wchar_t *text, HANDLE hProcess);
BOOL IsAllowed(HANDLE hProcess);

/* "next hook" pointer filled in by the hooking framework; NtTerminateProcess returns an NTSTATUS, not a DWORD */
NTSTATUS (NTAPI *NtTerminateProcessNext)(HANDLE ProcessHandle, NTSTATUS ExitStatus);

NTSTATUS NTAPI NtTerminateProcessCallback(HANDLE hProcess, NTSTATUS uExitCode){
	AppendToLog(L"NTTerminateProcess", hProcess);
	if (!IsAllowed(hProcess)){
		AppendToLog(L"NTTerminateProcess blocked", hProcess);
		return STATUS_ACCESS_DENIED;
	}else{
		return NtTerminateProcessNext(hProcess, uExitCode);
	}
}
but in Windows 8 there is a strange behavior when I try to kill the application using Task Manager:
The callback function is executed fine and the process (let’s call it A.EXE) is not killed, just as expected (I can even see the "NTTerminateProcess blocked" text in the log), BUT what happens next is that A.EXE starts to increase its CPU usage for no reason, and after 15 seconds or so it reaches 98% and then crashes (and therefore is closed).

I have made the same test with a different process (let’s call it B.EXE), and this time the process is killed immediately, even though the callback function did not call the real NtTerminateProcess function.

Does anyone have an idea to effectively prevent the killing of a process in Windows 8, at least by using the Windows task manager?

Thank you for any help!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Post by madshi »

You could try hooking NtOpenProcess. I hope this is for a legal ("good") purpose?
televes
Posts: 13
Joined: Mon Jul 27, 2009 4:10 pm

Re: Prevent process killing in Windows 8

Post by televes »

Hello

Yes, it's for a legal purpose. I'm working on a program to monitor employee activity in my workplace, and there is a process I need to keep running even if the user has admin rights.

I'm going to look further into NtOpenProcess and let you know.

Thanks!
pinya
Posts: 18
Joined: Tue Feb 05, 2013 4:39 am

Re: Prevent process killing in Windows 8

Post by pinya »

Hello...
same problem with NtTerminateProcess.

it is never called when I kill the app from Task Manager.
How can hooking NtOpenProcess help? I do not want to prevent OpenProcess....

It is for good, legal software...

madCHook ver. 3.1.2
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Post by madshi »

In order to call NtTerminateProcess you need a process handle. So if you block NtOpenProcess, NtTerminateProcess can't work (unless a process handle was retrieved without calling NtOpenProcess somehow). I don't know if blocking NtOpenProcess is a good idea, though. Maybe it will hurt the OS somehow. I haven't tried it...
pinya
Posts: 18
Joined: Tue Feb 05, 2013 4:39 am

Re: Prevent process killing in Windows 8

Post by pinya »

Have you any idea why it is not called? Maybe in win8 TerminateProcess is in a different library or...
NtOpenProcess may need to be called for other purposes than killing a proc (also with GENERIC_ALL) and I don't like to prevent this.

I want to minimize hooking techniques in my product... I only need a service that cannot be terminated.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Post by madshi »

I don't know what win8 does for process termination. Maybe it terminates in driver land, or maybe it uses a different native API (NtTerminateEx?). I don't really know.
pinya
Posts: 18
Joined: Tue Feb 05, 2013 4:39 am

Re: Prevent process killing in Windows 8

Post by pinya »

hooking NtOpenProcess doesn't help :(
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Post by madshi »

Then I can only guess that the termination might be done in driver land. I don't know for sure, but it could be. In that case you can't hook it with madCodeHook.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Prevent process killing in Windows 8

Post by iconic »

There are a million + 1 ways to kill a process; honestly, protecting a process is a pointless endeavor. Here are 12 (not just limited to these) ways to do this effortlessly: http://wj32.org/wp/2009/05/10/12-ways-t ... a-process/

Think about an alternative solution instead of process protection.

--Iconic
choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

Re: Prevent process killing in Windows 8

Post by choochy2003 »

Iconic

I disagree that process protection is pointless. While I do agree that it is completely impossible to stop all forms of someone terminating a process, there is still value in covering as much as you can. Reducing the ability to easily stop the process narrows it down to the academic hackers/users while still cutting out a large percentage of the general users. The majority of users have no idea how to even go about stopping a process in Task Manager, let alone using more advanced methods. If we can stop a simple user clicking End Task/End Process, then the job is done and it's added value. As for the academic users who can stop it, well, that's something we have to live with. 50, 60, 70% coverage is still better than none.

Chris
choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

Re: Prevent process killing in Windows 8

Post by choochy2003 »

pinya

As madshi suggested, hooking NtOpenProcess is the way to go in this case. Please see the following code:

type
  // CLIENT_ID as passed to NtOpenProcess; UniqueProcess carries the process id in a HANDLE-sized field
  PClientId = ^TClientId;
  TClientId = record
    UniqueProcess: THandle;
    UniqueThread: THandle;
  end;

var
  // "next hook" pointer, filled in by madCodeHook when the hook is installed
  NtOpenProcessNext: function(ProcessHandle: PHANDLE; DesiredAccess: DWORD; ObjectAttributes: Pointer; ClientId: PClientId): DWORD; stdcall;

function IsProtectedProcess(ProcessId: THandle): Boolean; forward;

function NtOpenProcessCallback(ProcessHandle: PHANDLE; DesiredAccess: DWORD; ObjectAttributes: Pointer; ClientId: PClientId): DWORD; stdcall;
const
  PROCESS_TERMINATE    = 1;
  STATUS_ACCESS_DENIED = $C0000022;
begin
  // ClientId may be nil when the caller names the target through ObjectAttributes instead
  if ((DesiredAccess and PROCESS_TERMINATE) <> 0) and (ClientId <> nil) and
     IsProtectedProcess(ClientId.UniqueProcess) then
    Result := STATUS_ACCESS_DENIED
  else
    Result := NtOpenProcessNext(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
end;
1. It's best to reduce the scope of which NtOpenProcess calls you deny by checking the DesiredAccess mask, seeing if the PROCESS_TERMINATE flag is set, and focusing on just those.
2. ClientId.UniqueProcess holds the Process Id of the process being requested to be opened.
3. I would suggest using this code only for Vista and above, as the usage requirements of NtOpenProcess differ on earlier OSes.
4. The above is Delphi code but the principles are the same under C.

Chris
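The decision logic behind that NtOpenProcess hook, as an added example that is not code from this thread or from madCodeHook. It puts the posted check (deny only when the PROCESS_TERMINATE bit is set) beside a hardened version, and goes beyond the post in one respect: GENERIC_ALL, GENERIC_WRITE and MAXIMUM_ALLOWED are translated into specific rights by the object manager after the call has entered the kernel, so a user-mode hook sees them with PROCESS_TERMINATE clear, and rights such as PROCESS_CREATE_THREAD, PROCESS_VM_WRITE or PROCESS_DUP_HANDLE let a caller kill the process without ever asking for PROCESS_TERMINATE. Windows headers are deliberately not included so the block compiles and runs anywhere; the constants are the documented winnt.h / ntstatus.h values. The protected PID list, the hook's own PID (kSelfPid), the shape of NtOpenProcessNext and the PassThroughNext stand-in are assumptions made for the example; real hook installation is not shown. None of this sees a direct syscall or a handle duplicated out of another process, which is the limit the later replies in this thread describe.

```c
/* Added example: access-mask decision for an NtOpenProcess hook.
 * Constants are the documented Windows values; no Windows headers needed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;
typedef int32_t  NTSTATUS;
typedef struct { uintptr_t UniqueProcess; uintptr_t UniqueThread; } CLIENT_ID;

#define STATUS_SUCCESS            ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED      ((NTSTATUS)0xC0000022L)

#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_DUP_HANDLE        0x0040u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_SUSPEND_RESUME    0x0800u
#define MAXIMUM_ALLOWED           0x02000000u
#define GENERIC_ALL               0x10000000u
#define GENERIC_WRITE             0x40000000u

/* constructed sample data: the PIDs we protect, and the PID the hook instance runs in */
static const uint32_t kProtectedPids[] = { 4321, 5678 };
static const uint32_t kSelfPid = 5678;

static int IsProtectedPid(uint32_t pid) {
    for (size_t i = 0; i < sizeof kProtectedPids / sizeof kProtectedPids[0]; i++)
        if (kProtectedPids[i] == pid) return 1;
    return 0;
}

/* The check as posted in the thread: deny only when the PROCESS_TERMINATE bit is set. */
NTSTATUS NaiveDecide(ACCESS_MASK desired, uint32_t targetPid) {
    if ((desired & PROCESS_TERMINATE) && IsProtectedPid(targetPid))
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

/* Rights that let the caller kill the process without holding PROCESS_TERMINATE:
 * inject a thread that calls ExitProcess, corrupt its memory, freeze it, or use
 * PROCESS_DUP_HANDLE to duplicate the process's own handle out of it. */
int AccessAllowsTermination(ACCESS_MASK desired) {
    const ACCESS_MASK lethal = PROCESS_TERMINATE | PROCESS_CREATE_THREAD |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
                               PROCESS_DUP_HANDLE | PROCESS_SUSPEND_RESUME;
    /* Generic and MAXIMUM_ALLOWED bits are resolved in the kernel, after this hook
     * ran: GENERIC_ALL becomes PROCESS_ALL_ACCESS and GENERIC_WRITE's mapping for
     * process objects includes PROCESS_TERMINATE. */
    if (desired & (GENERIC_ALL | GENERIC_WRITE | MAXIMUM_ALLOWED)) return 1;
    return (desired & lethal) != 0;
}

NTSTATUS HardenedDecide(ACCESS_MASK desired, uint32_t targetPid, uint32_t callerPid) {
    if (callerPid == targetPid) return STATUS_SUCCESS;   /* a process may always open itself */
    if (IsProtectedPid(targetPid) && AccessAllowsTermination(desired))
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

/* Assumed shape of the hook callback and of the framework's "next hook" pointer. */
typedef NTSTATUS (*NtOpenProcessFn)(void *ProcessHandle, ACCESS_MASK DesiredAccess,
                                    void *ObjectAttributes, CLIENT_ID *ClientId);
static NtOpenProcessFn NtOpenProcessNext;

NTSTATUS NtOpenProcessCallback(void *ProcessHandle, ACCESS_MASK DesiredAccess,
                               void *ObjectAttributes, CLIENT_ID *ClientId) {
    /* ClientId is optional: a caller may name the target via ObjectAttributes instead */
    if (ClientId != NULL) {
        NTSTATUS verdict = HardenedDecide(DesiredAccess, (uint32_t)ClientId->UniqueProcess, kSelfPid);
        if (verdict != STATUS_SUCCESS) return verdict;
    }
    return NtOpenProcessNext(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}

/* Stand-in for the real NtOpenProcess so the callback can be exercised offline. */
static NTSTATUS PassThroughNext(void *h, ACCESS_MASK a, void *o, CLIENT_ID *c) {
    (void)h; (void)a; (void)o; (void)c;
    return STATUS_SUCCESS;
}

NTSTATUS SimulateOpen(ACCESS_MASK desired, uint32_t targetPid) {
    CLIENT_ID cid = { targetPid, 0 };
    void *handle = NULL;
    NtOpenProcessNext = PassThroughNext;
    return NtOpenProcessCallback(&handle, desired, NULL, &cid);
}

int main(void) {
    printf("naive    GENERIC_ALL            -> 0x%08X\n", (unsigned)NaiveDecide(GENERIC_ALL, 4321));
    printf("hardened GENERIC_ALL            -> 0x%08X\n", (unsigned)SimulateOpen(GENERIC_ALL, 4321));
    printf("hardened QUERY_INFO | VM_READ   -> 0x%08X\n",
           (unsigned)SimulateOpen(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 4321));
    return 0;
}
```

The naive check lets OpenProcess(GENERIC_ALL, ...) through untouched, while read-only masks (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) still succeed under the hardened one, which is the point pinya raised about not breaking legitimate opens.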
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Prevent process killing in Windows 8

Post by iconic »

Sorry for necro posting, but I've not been on this forum for a while and searched for unanswered posts in which I was mentioned... Hooking NtOpenProcess and NtOpenThread can thwart most usermode attacks, sure. However, even in usermode without a driver, calls to DebugActiveProcess, exiting your own process, or simply scanning the csrss process' handle table and duplicating the process handle of the desired PID offer PROCESS/THREAD_ALL_ACCESS rights. No need to call NtOpenProcess or NtOpenThread, just NtDuplicateObject, which the DuplicateHandle() API wraps, and you now have a fully qualified all-access handle to the desired process or thread object. At this point calls to NtTerminateProcess and NtTerminateThread no longer require you to call the OpenProcess/Thread APIs. To make matters worse, any hooked APIs that translate to system calls can be emulated with interrupt 0x2E / SYSCALL, so there's nothing to hook from an ntdll.dll export perspective anymore. This is why I said it's better to choose a better defense mechanism than usermode hooking of the APIs suggested. Process termination protection is definitely a pipe dream; ask any seasoned security expert. There are virtually endless methods available and some still yet to be discovered.

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Prevent process killing in Windows 8

Post by madshi »

That's true, user mode hooking has its limits. Even if user mode hooking is done perfectly, a driver can always do anything it wants without being affected at all by user mode hooking. Because of that user mode hooking usually can't be 100% foolproof. That said, some protection is better than none. Often it's good enough to protect from things like the end user trying to terminate a process with standard tools. And for that user mode API hooking usually works fine. In the end it's not my job to decide which purpose madCodeHook should be used for (not for bad things, though, please). I'm just providing a user mode hooking framework. Whether or not it makes sense to do something specific by using user mode API hooking is for the madCodeHook user/developer to decide, in the context of his specific situation/needs.
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: Prevent process killing in Windows 8

Post by power888 »

Hi... I have same issues.

and I found the reason.

When I call ProcessIdToFileNameW in NTTerminateProcessCallback(..),
ProcessIdToFileNameW's pFileName returns a wrong filename like '?'

below is very strange..

If I kill Journal.exe (an app that Windows 8.1 installed), then ProcessIdToFileNameW returns the correct file name.
But if I kill Notepad.exe, then ProcessIdToFileNameW returns '?'

What can I do?