Greetings to all users of this list, my first post here though I’ve been
following for a while.
I have a question, as the thread topic suggests, regarding the issue of
terminating processes and threads. I’ve developed a filter driver before but
never been involved in the issue of terminating threads and processes. The new
driver I am supposed to implement at the moment has a requirement that will
allow users of the application to terminate processes and threads.
I’ve been looking around for a while and I am really not sure how to do
this; in the native API reference I saw some functions like
ZwTerminateProcess and ZwTerminateThread. The first parameter to these
functions is the handle, which I guess I can get from the ZwOpenThread and
ZwOpenProcess functions by passing the id of the process or thread.
Is this way OK or am I dreaming… Hope I explained myself correctly…
Thanks in advance…
Regards
Try to queue the user APC to kernel32!ExitProcess. This will require some
work though, for instance, to find this routine in the user process.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Velio Roumenov”
To: “Windows System Software Devs Interest List”
Sent: Thursday, May 11, 2006 11:21 AM
Subject: [ntdev] How to terminate processes and threads
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
If you have enough rights, you may consider a Jeffrey Richter-styled
solution, which is 100% user-mode. If you need to do it from the
kernel, some kind of proxy (service?) may be necessary.
The idea is to create a remote thread in the target process and then
do whatever you want/need with it.
Yet again, you must be close to a full-blown admin to inject the code
in this manner.
I used this approach to avoid calling TerminateProcess and/or to change
some running process properties as necessary.
If this is what you need, I can elaborate.
----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”
Sent: Thursday, May 11, 2006 5:37 AM
Subject: Re: [ntdev] How to terminate processes and threads
> The idea is to create a remote thread in the target process and then
> do whatever you want/need with it.
> Yet again, you must be close to a full-blown admin to inject the code
> in this manner.
> I used this approach to avoid calling TerminateProcess and/or to change
> some running process properties as necessary.
Will this work on Vista with the stronger session separation? I think many
processes will be safeguarded from that method on Vista ...
Input anyone? ...
Oliver
--
May the source be with you, stranger 
ICQ: #281645
URL: http://assarbad.net
> Will this work on Vista
I’m almost sure it will; it’s not hooking or something else that breaks or
circumvents the rules. It is a fully documented and supported
way.
[I can’t verify it right now though, my 5365 says that activation
has expired (why?).]
The problem may be with permissions, as it should be
(SeXyzPrivilege and friends).
If this is not a problem, then you can do amazing
and useful things quite legally.
----- Original Message -----
From: “Oliver Schneider”
To: “Windows System Software Devs Interest List”
Sent: Thursday, May 11, 2006 12:38 PM
Subject: Re: [ntdev] How to terminate processes and threads
Except for a couple of problems:
- APCs and how they are used are not documented.
- This won’t work on a 64 bit system when the target process is a 32
bit process. You somehow need to get wow64 involved, but that is not
documented either.
d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of sh_alex
Sent: Thursday, May 11, 2006 10:34 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to terminate processes and threads
sh_alex wrote:
> The problem may be with permissions, as it should be
> (SeXyzPrivilege and friends).
Hmmm, I wonder how many corporate e-mail systems will block that message
for referring to the “sexy Z privilege”…
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
> Except for a couple of problems
> - APCs and how they are used are not documented.
Reverse engineering IopCompleteRequest helps a lot. It queues the IRP itself as
a user APC (KAPC is defined in some union in IRP’s tail) to satisfy the
Read/WriteFileEx calls - which are mapped to ZwRead/WriteFile with APC
provided.
> - This won’t work on a 64 bit system when the target process is a 32
> bit process. You somehow need to get wow64 involved, but that is not
Is it possible in wow64 to use ReadFileEx? QueueUserApc? sending QueueUserApc
from the 64bit process to 32bit?
I dislike user APCs as a means of data transport from kernel to user. I think
that for inverted calls, the pending IRPs are better, or at least the
IRP-initiated APCs - by ReadFileEx.
Advantages:
a) no undocumented feature use
b) wow64 compatibility
c) the inverted calls transfer some amount of data with them, not being just stupidly a call
d) the inverted calls cannot arrive unsolicited.
But to terminate a process from the driver there are not many other options.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
On 5/11/06 2:21 AM, “Velio Roumenov” wrote:
> I have a question, as the thread topic suggests, regarding the issue of
> terminating processes and threads.
It’s worth pointing out that terminating a thread out of a running process
is not a very nice thing to do. I’d be curious to know why you need to
terminate specific threads in a process.
-Steve
“Velio Roumenov” wrote in message news:xxxxx@ntdev…
>…The new
>driver I am supposed to implement at the moment has a requirement that will
>allow users of the application to terminate processes and threads.
Can you try to turn this requirement down as not reasonable?
There can be other ways to implement what the user really needs.
–PA
It’s not malicious code I am trying to write here; this piece of code will
be used as part of a thesis project at my university in Sweden (everything
will not be revealed though since it’s going to be a commercial product). All
I want to do is to make it possible to unload images that have been loaded
by some malware, and also kill the thread (maybe process also). As said, I
am really new to this (really fun stuff though, really interesting) and I
didn’t understand some of the answers, and some of you think I am trying to
do something evil, and this is not my intention; I hate evil software.
Thanks to everyone, when I understand more I’ll start answering questions
too.
/Faik
On 5/12/06, Pavel A. wrote:
>
> “Velio Roumenov” wrote in message news:xxxxx@ntdev…
> >…The new
> >driver I am supposed to implement at the moment has a requirement that
> will
> >allow users of the application to terminate processes and threads.
>
> Can you try to turn this requirement down as not reasonable?
> There can be other ways to implement what the user really needs.
> I want to do is to make it possible to unload images that have been loaded
> by some malware, and also kill the thread (maybe process also).
Kill the whole process. Unloading the image will most likely crash the thread
running within it. Killing a thread will most likely cause a
deadlock/starvation. Killing the whole process (if it is not winlogon or lsass)
has no side effects.
Anyway - this is a 100% wrong direction of dealing with malware. The correct
directions are proactive (“do not work as Administrator” etc), and the only
really decent reactive protection is booting off the recovery CD which will at
least clean away the stealth virii, if not restore the correct Windows core
images (from Windows Update site if necessary).
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
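An added illustration of the deadlock/starvation point above (my own example, not code posted in this thread): a thread that is killed while it owns a lock never releases that lock, so every later acquirer blocks forever, whereas a thread that is asked to stop leaves its critical section cleanly. It uses POSIX threads and `pthread_cancel` so it runs anywhere; the hazard is the same for a Windows thread terminated while it owns a critical section. All function and variable names are mine.

```c
/* Added example, not from the thread: why killing one thread strands
 * whatever lock it held. POSIX threads are used so the demo is portable;
 * the hazard is identical for a Windows thread killed mid-critical-section. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

static pthread_mutex_t g_killed_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t g_coop_lock   = PTHREAD_MUTEX_INITIALIZER;
static atomic_int g_in_critical_section = 0;
static atomic_int g_stop_requested      = 0;

/* nanosleep is a cancellation point, which is where pthread_cancel lands. */
static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Worker that gets killed from outside: takes the lock, then blocks inside
 * the critical section. No cleanup handler is registered, so the kill
 * arrives while the mutex is still owned and it is never unlocked. */
static void *worker_to_be_killed(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&g_killed_lock);
    atomic_store(&g_in_critical_section, 1);
    for (;;)
        sleep_ms(10);        /* "work" that never finishes on its own */
    return NULL;             /* unreachable: the lock is never released */
}

/* Worker that stops cooperatively: checks a flag between units of work and
 * always leaves the critical section before it exits. */
static void *worker_cooperative(void *arg)
{
    (void)arg;
    while (!atomic_load(&g_stop_requested)) {
        pthread_mutex_lock(&g_coop_lock);
        sleep_ms(1);         /* one unit of work under the lock */
        pthread_mutex_unlock(&g_coop_lock);
    }
    return NULL;
}

/* Probe a mutex without blocking: 1 if it can still be acquired, 0 if it is
 * stranded (EBUSY) because its owner died without unlocking, -1 on error. */
static int lock_is_acquirable(pthread_mutex_t *m)
{
    int rc = pthread_mutex_trylock(m);
    if (rc == 0) {
        pthread_mutex_unlock(m);
        return 1;
    }
    return rc == EBUSY ? 0 : -1;
}

/* Returns 1 when killing the worker mid-critical-section stranded its lock.
 * Call once per process: a second run would block on the dead owner's lock. */
int lock_stranded_after_thread_kill(void)
{
    pthread_t tid;
    if (pthread_create(&tid, NULL, worker_to_be_killed, NULL) != 0)
        return -1;
    while (!atomic_load(&g_in_critical_section))
        sleep_ms(1);
    pthread_cancel(tid);             /* the "kill the thread" operation */
    pthread_join(tid, NULL);
    return lock_is_acquirable(&g_killed_lock) == 0;
}

/* Returns 1 when a cooperative stop leaves the lock usable afterwards. */
int lock_usable_after_cooperative_stop(void)
{
    pthread_t tid;
    atomic_store(&g_stop_requested, 0);
    if (pthread_create(&tid, NULL, worker_cooperative, NULL) != 0)
        return -1;
    sleep_ms(5);
    atomic_store(&g_stop_requested, 1);  /* ask the thread to stop, don't kill it */
    pthread_join(tid, NULL);
    return lock_is_acquirable(&g_coop_lock) == 1;
}

int main(void)
{
    printf("lock stranded after thread kill:    %d\n", lock_stranded_after_thread_kill());
    printf("lock usable after cooperative stop: %d\n", lock_usable_after_cooperative_stop());
    return 0;
}
```

The stranded mutex is exactly the deadlock Maxim describes: any other thread in that process that later needs the same lock waits forever, which is why terminating the whole process (so the kernel reclaims everything) is the safer operation.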
“Faik Riza” wrote in message news:xxxxx@ntdev…
> As said, I
>am really new to this (really fun stuff though, really interesting) and I
>didn’t understand some of the answers, and some of you think I am trying to
>do something evil, and this is not my intention; I hate evil software.
So perhaps when you understand the answers, what you’re trying to do
won’t look funny… rather it will look somewhat sinister?
–PA