How to avoid abnormal process termination??? (especially for Don Burn)

I have searched in many places and everyone suggests that I hook TerminateProcess() in the kernel. Don Burn, I know your position about hooking and I would like to know your opinion. I need to do it because I'm doing research on proactive defense (like Kaspersky antivirus 6.0).
Any suggestion will be very much appreciated.
Thanks in advance.

First even if you do hook the ZwTerminateProcess call you cannot stop
anyone determined to stop the process. If I wanted to write MALWARE and
needed to stop your process, I would try ZwTerminateProcess, if that didn’t
work use ZwTerminateThread for each thread in your process, if that didn’t
work use the debug calls to corrupt your process space so you crash. I
once got into an argument with someone who justified hooking this way, and
bottom line was it took very little time to work around the hooks.

Now, a more proactive way might be to recognize that the program could crash or
be stopped, but have multiple processes such that if one fails, the other
restarts it. This is harder to develop but can also be harder to stop.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
>I have searched in many places and everyone suggests that I hook
>TerminateProcess() in the kernel. Don Burn, I know your position about
>hooking and I would like to know your opinion. I need to do it because I'm
>doing research on proactive defense (like Kaspersky antivirus 6.0).
> Any suggestion will be very much appreciated.
> Thanks in advance.
>

I found at least two software products (ProcessGuard, for example) that avoid the most common ways to kill a process (you mention some of them) and I'm doing my diploma work on similar software. How do those programs do it???
Is there any way to do that without hooking?
In other posts you explain why hooking is dangerous, and I know some of the reasons, but in this case, to achieve the goals of the software, would their use be justified???

Well lots of hookers try to justify things by saying they need to stop
termination. My arguments against this are:

  1. You cannot stop it, you can make it harder, but remember if the
    MALWARE does not have administrator access then standard security will
    protect the process. If the MALWARE does have administrator access it is
    essentially impossible to protect the system, because I can always do
    something to stop you including having a hook over your hook to bypass your
    check of the termination.

  2. You will not be able to hook on 64-bit systems, so you are not
    solving the problem for the future. For those who complain about
    PatchGuard, my view is it does a ton more good than harm. For those who
    say popular adoption of 64-bit is a long ways off, I recently found an
    article where the pundits indicated “that using the 32-bit capabilities of
    the 386 design will not be mainstream before the end of the century!”

  3. As I said in my first post, if you back up enough in your
    design, there are other ways to do the same thing, such as a number of
    cooperating processes that monitor one another. Properly designed, this is
    very hard to attack. In general this is the trap the hookers fall into:
    they define the implementation as the requirements, which then causes them
    to justify their hooking.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
>I found at least two software products (ProcessGuard, for example) that
>avoid the most common ways to kill a process (you mention some of them) and
>I'm doing my diploma work on similar software. How do those programs do
>it???
> Is there any way to do that without hooking?
> In other posts you explain why hooking is dangerous, and I know some of
> the reasons, but in this case, to achieve the goals of the software, would
> their use be justified???
>
>
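The "cooperating processes that monitor one another" design that Don Burn recommends in both replies, written out as an added example (not code from the thread or from any of the products named in it). Two peers are started with each other's pid; each polls the other and spawns a fresh partner when it disappears, so a crash or a casual kill of either half is recovered without any kernel hooking. The names `pid_alive`, `Peer`, `spawn_peer` and `guard` are hypothetical; the Windows branch uses the documented `OpenProcess`/`GetExitCodeProcess` calls via ctypes, and the POSIX branch uses signal 0. As the replies say, this is a restart-on-failure design, not an unkillable process: an administrator-level attacker can still stop both halves.

```python
"""Mutual-watchdog pair: an added illustration of cooperating processes.

Two peers, each told the other's pid, poll one another and respawn a fresh
partner when the other disappears. All names here are hypothetical.
"""
import os
import subprocess
import sys
import time

STILL_ACTIVE = 259  # GetExitCodeProcess() reports this while a Windows process runs


def pid_alive(pid: int) -> bool:
    """True if a process with this pid currently exists."""
    if os.name == "nt":
        import ctypes
        from ctypes import wintypes

        k32 = ctypes.windll.kernel32
        k32.OpenProcess.restype = wintypes.HANDLE
        k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
        k32.GetExitCodeProcess.argtypes = [wintypes.HANDLE, wintypes.LPDWORD]
        k32.CloseHandle.argtypes = [wintypes.HANDLE]
        PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not handle:
            return False  # no such process (for our own peer, it is gone)
        try:
            code = wintypes.DWORD()
            ok = k32.GetExitCodeProcess(handle, ctypes.byref(code))
            return bool(ok) and code.value == STILL_ACTIVE
        finally:
            k32.CloseHandle(handle)
    try:
        os.kill(pid, 0)  # signal 0: existence check, nothing is delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


class Peer:
    """The other half of the pair: a pid, plus a Popen handle if we spawned it."""

    def __init__(self, pid, proc=None):
        self.pid = pid
        self.proc = proc

    def alive(self) -> bool:
        if self.proc is not None:
            # poll() also reaps an exited child, so a zombie is not mistaken for alive
            return self.proc.poll() is None
        return pid_alive(self.pid)


def spawn_peer() -> Peer:
    """Start a fresh peer that watches us; our pid is passed on its command line."""
    proc = subprocess.Popen(
        [sys.executable, os.path.abspath(__file__), "--peer", str(os.getpid())]
    )
    return Peer(proc.pid, proc)


def guard(peer, respawn, interval=0.5, max_rounds=None) -> int:
    """Watch `peer`; when it dies, call respawn() to obtain a new one.

    Returns the number of restarts performed. With max_rounds=None the loop
    never ends (the normal mode); a bound is provided for demonstration.
    """
    restarts = 0
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        rounds += 1
        if not peer.alive():
            peer = respawn()
            restarts += 1
        time.sleep(interval)
    return restarts


if __name__ == "__main__":
    if "--peer" in sys.argv:
        # Started by a partner: watch the pid it gave us.
        initial = Peer(int(sys.argv[sys.argv.index("--peer") + 1]))
    else:
        # First process of the pair: create the partner, then watch it.
        initial = spawn_peer()
    guard(initial, spawn_peer)
```

Run the script once with no arguments and it forms the pair; killing either process from Task Manager or with `kill` makes the survivor start a replacement within one polling interval. The roles are symmetric on purpose: neither process is a single point of failure, which is the property the kernel-hook approach tries (and, as the replies explain, fails) to buy.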