Why can Task Manager kill my protected process easily?

tanda996 Member Posts: 17
edited November 16 in NTDEV

My service was protected by my driver (turn off the PROCESS_TERMINATE flag in the Object Callback routine).
Task Manager can't terminate my process in the "Details" tab, but in the "Processes" tab it can kill my service with the "End Task" option easily (tested on Windows 10).
What mechanism is behind that? How can I prevent that action in my driver?
Thank you.

Comments

  • ThatsBerkan Member Posts: 17

    You might also need to protect the threads owned by the process.
    Closing every thread owned by a process will end up "terminating" that process.

  • MBond2 Member Posts: 210

    The short answer is, don't try to do this. If I am admin or have physical access to the system, there is nothing you can do except delay and frustrate me. I can always press the power button to terminate your process, and prevent it from running again by deleting the .sys / .exe files from another OS.

    Non-admin users can't terminate service processes because of simple ACL checks. So this is malware.

  • Tim_Roberts Member - All Emails Posts: 13,695

    Mr. Bond makes an important point. It's not your computer, it's MY computer. If I want to kill your process, and I have suitable authority, I need to be able to do so. Otherwise, as he says, you are malware.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • anton_bassov Member MODERATED Posts: 5,190

    How can I prevent that action in my driver?

    As Marion and Tim pointed out already, there is nothing that you can (and, in fact, should be able to) do against the Admin user's actions.
    Any process that tries to protect itself against termination or the deletion of its files by the Admin user automatically classifies as a piece of malware. We have discussed it so many times in this NG...

    Anton Bassov

  • tanda996 Member Posts: 17

    How about AVs? They must protect themselves from malware (with Admin privilege) and always be active, don't they?

  • Tim_Roberts Member - All Emails Posts: 13,695

    If malware has admin privilege, the game is over. You have lost. There is no hope.

    Antivirals use the normal system mechanisms to protect themselves. Again, if an antiviral gets in the way, I (as the admin) need to be able to kill it temporarily.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • MBond2 Member Posts: 210

    Well, isn't that what ring 2 was for? lol. Do not take this post seriously. It is Friday night and I'm tired, but to address the suggestion of protecting the threads:

    By default administrators have the 'debug programs' right. This can be controlled by group policy etc. But any sufficiently knowledgeable user with this right can effectively render useless any UM program of any kind. KM is a different story of course, but no software of any sort should try to thwart the administrators.

  • Tim_Roberts Member - All Emails Posts: 13,695

    well, isn't that what ring 2 was for?

    Many years ago, when I worked for Control Data Corporation, the operating system for their first virtual memory mainframes (NOS/VE for the Cyber 180) used 15 rings, borrowing the concept from MULTICS. Every pointer had a ring number in the high-order bits. User apps ran in ring 13, the kernel ran in ring 3, utility subsystems ran in ring 8. In order to call inward, you called through a gate in the next ring down. It really didn't get in the way very much, and it did increase security.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • 0xrepnz Member Posts: 42

    My service was protected by my driver (turn off the PROCESS_TERMINATE flag in the Object Callback routine).
    Task Manager can't terminate my process in the "Details" tab, but in the "Processes" tab it can kill my service with the "End Task" option easily (tested on Windows 10).
    What mechanism is behind that? How can I prevent that action in my driver?
    Thank you.

    If you want to understand "what is the mechanism behind it", I recommend you open a debugger and take a look at the call stack in the process exit callback.

    Anyway, if your application has a UI, maybe the reason this "bypassed" your "protection" is that Task Manager is sending a window message like WM_SYSCOMMAND + SC_CLOSE to your application. Sending this message does not require the caller to have PROCESS_TERMINATE permission or even a handle to your process; it only needs to get a handle to a window inside your process. I'm actually not sure about the security mechanisms that are used to protect window handles, so maybe someone else can elaborate on that. Anyway, your application has a "message loop" that handles messages of this kind and kindly services this message by stopping the message loop and terminating itself.

    I agree with the rest of the comments on this thread: trying to "protect" against a process that has admin privileges is hopeless. For example, the attacker can install a driver and remove your protection altogether...

    - Ori Damari
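The two exit paths the thread contrasts can be observed from an ordinary PowerShell session. The script below is an added illustration, not code from the thread or from any poster: path 1 posts WM_CLOSE to the target's main window (the same kind of message Task Manager's "Processes" tab relies on; the target's own message loop does the exiting and no process handle is opened), while path 2 goes through Stop-Process, which opens the process with PROCESS_TERMINATE and calls TerminateProcess, the only path an ObRegisterCallbacks pre-operation callback that strips PROCESS_TERMINATE can affect. notepad.exe is used as a harmless stand-in for "my service with a UI"; the 5-second waits and the P/Invoke wrapper name `Win32.User32` are this example's own choices.

```powershell
# Added example (not from the thread): compare a window-message close with a
# TerminateProcess kill, so the gap an object callback leaves is visible.
# Requires a GUI target; on Windows 11 notepad.exe hands off to a separate
# Store app process, so substitute another desktop GUI program there.

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
'@

$WM_CLOSE = 0x0010   # documented Win32 message id

function Start-TargetWindow {
    $p = Start-Process notepad.exe -PassThru
    # MainWindowHandle stays 0 until the process has created its window.
    $p.WaitForInputIdle(5000) | Out-Null
    $p.Refresh()
    return $p
}

# Path 1: window message. Only a window handle is needed: no OpenProcess,
# no PROCESS_TERMINATE, so an object callback never sees this request.
$p1 = Start-TargetWindow
"Path 1: PostMessage(WM_CLOSE) to hWnd 0x{0:X} (PID {1})" -f $p1.MainWindowHandle.ToInt64(), $p1.Id
[Win32.User32]::PostMessage($p1.MainWindowHandle, $WM_CLOSE, [IntPtr]::Zero, [IntPtr]::Zero) | Out-Null
if ($p1.WaitForExit(5000)) {
    "  target exited on its own, exit code $($p1.ExitCode)"
} else {
    "  target still running (its message loop declined WM_CLOSE)"
}

# Path 2: TerminateProcess. Stop-Process opens the process for
# PROCESS_TERMINATE; with a callback that strips that right, this is the
# call that typically fails with an access-denied error.
$p2 = Start-TargetWindow
"Path 2: Stop-Process (TerminateProcess) on PID $($p2.Id)"
try {
    Stop-Process -Id $p2.Id -ErrorAction Stop
    $p2.WaitForExit(5000) | Out-Null
    "  target terminated, exit code $($p2.ExitCode)"
} catch {
    "  TerminateProcess path failed: $($_.Exception.Message)"
}
```

The .NET `Process.CloseMainWindow()` method wraps the same WM_CLOSE send as path 1, so `(Get-Process -Id $pid).CloseMainWindow()` is a one-line equivalent. The practical takeaway for anyone auditing such a driver is the one 0xrepnz gives above: set a breakpoint in the process-exit notify callback and read the call stack; for path 1 it bottoms out in the target's own message loop calling ExitProcess, not in a foreign TerminateProcess.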