I’m working on a small security application that users are not supposed to be able to close through the Task Manager. On Windows XP, Vista and 7 I was able to do so just by hooking NtTerminateProcess and ignoring the call to the real function if certain conditions are met:
Code:
#include <windows.h>
#include <winternl.h>   // NTSTATUS
// STATUS_ACCESS_DENIED lives in ntstatus.h, which clashes with windows.h; define it directly.
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

// Provided elsewhere in the project: the file logger, the policy check,
// and the trampoline that calls the real NtTerminateProcess.
void AppendToLog(const wchar_t* text, HANDLE hProcess);
BOOL IsAllowed(HANDLE hProcess);
NTSTATUS NTAPI NtTerminateProcessNext(HANDLE hProcess, NTSTATUS uExitCode);

// Hook callback. NtTerminateProcess returns an NTSTATUS, so the hook must return one too.
NTSTATUS NTAPI NtTerminateProcessCallback(HANDLE hProcess, NTSTATUS uExitCode){
    // (AppendToLog is just a function that prints text to a file)
    AppendToLog(L"NTTerminateProcess", hProcess);
    if (!IsAllowed(hProcess)){
        AppendToLog(L"NTTerminateProcess blocked", hProcess);
        return STATUS_ACCESS_DENIED;   // refuse the call without reaching the real function
    }else{
        return NtTerminateProcessNext(hProcess, uExitCode);
    }
}
The callback function is executed fine and the process (let’s call it A.EXE) is not killed, just as expected (I can even see the "NTTerminateProcess blocked" text in the log), BUT what happens next is that A.EXE starts to increase its CPU usage for no reason, and after 15 seconds or so it reaches 98% and then crashes (and therefore is closed).
I have made the same test with a different process (let’s call it B.EXE) and this time the process is killed immediately, even though the callback function did not call the real NtTerminateProcess function.
Does anyone have an idea how to effectively prevent the killing of a process in Windows 8, at least through the Windows Task Manager?
Thank you for any help!