Hi all,
I need to kill a process under PsSetCreateNotifyRoutine. Is it possible? How can I do it?
Thanks in advance,
Heldai
Security Software Programmer
xxxxx@scuasecurity.com.br
www.scuasecurity.com.br
Tel.: 55 11 3106-2299
Reliability and technology in information security
First, why would you want to kill a process at
the time of PsSetCreateProcessNotifyRoutine
callback? You know the process's parent id
and its id and nothing else, you have no idea
what executable is going to run or other useful
data for a security context.
I cannot speak of future versions of Windows, but
at present the callback is called by the initial
thread of the process, I have not tried this but
a call to PsTerminateSystemThread in the callback
would probably terminate the process.
Don Burn
Windows NT/2000/XP Filesystem and Driver consulting
Well,
I need to block the execution of some files, and I was thinking of blocking it when it is
being executed. For example, I need to block “calc.exe” execution.
----- Original Message -----
From:
To: “NT Developers Interest List”
Sent: Monday, April 01, 2002 5:07 PM
Subject: [ntdev] Re: Kill Process
Would it not then be better to do this when the executable image is opened
for execute access? That’s more akin to what you are doing and would allow
you to stop execution of the program BEFORE a new process is created.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
“Whoever would overthrow the liberty of a nation must begin by subduing the
freeness of speech.”
– Benjamin Franklin
-----Original Message-----
From: Heldai [mailto:xxxxx@scuasecurity.com.br]
Sent: Monday, April 01, 2002 3:10 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Kill Process
Heldai wrote:
> I need to block the execution of some files, and I was thinking of blocking it when it is
> being executed. For example, I need to block “calc.exe” execution.
Problem is there is no way from the callback to
know that “calc.exe” is being executed.
Don Burn
Windows NT/2000/XP Filesystem and Driver consulting
I know the process that is executed in the routine passed to
PsSetCreateProcessNotifyRoutine.
I have tried to block file execution when the executable image is loading, but many
files come with the FILE_EXECUTE flag active, and sometimes this is not a file
that will be executed.
----- Original Message -----
From:
To: “NT Developers Interest List”
Sent: Monday, April 01, 2002 5:20 PM
Subject: [ntdev] Re: Kill Process
Maybe you could try patching the service descriptor table.
Patch the NtCreateProcess etc…
----- Original Message -----
From:
> To: “NT Developers Interest List”
> Sent: Monday, April 01, 2002 5:20 PM
> Subject: [ntdev] Re: Kill Process
> thread of the process, I have not tried this but
> a call PsTerminateSystemThread in the callback,
> would probably terminate the process.
I don’t think it is a good idea to call PsTerminateSystemThread on a user-mode thread created by NtCreateThread called from user
mode.
System threads created by PsCreateSystemThread are not completely set up; they lack some data structures (necessary to do kernel
<-> user transitions) which the real app threads have.
So I would expect PsTerminateSystemThread not to clean up these structures.
Max
Try installing a hook on the NtCreateSection syscall and then failing it for the SEC_IMAGE flag and the given file name.
This can also block the loading of some particular DLL.
Max
----- Original Message -----
From: “Heldai”
To: “NT Developers Interest List”
Sent: Tuesday, April 02, 2002 12:09 AM
Subject: [ntdev] Re: Kill Process
I tried to block the executable in a file system filter driver, but I’m not
sure that a file will be executed. Sometimes it comes with the FILE_EXECUTE
flag but is not executed.
I think it is a good idea to hook NtCreateSection; I will try it.
Thanks in advance,
Heldai
----- Original Message -----
From: “Maxim S. Shatskih”
To: “NT Developers Interest List”
Sent: Monday, April 01, 2002 6:45 PM
Subject: [ntdev] Re: Kill Process
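An added example, not code from any poster in this thread: the decision logic a minifilter would run in its IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION pre-operation callback, which is the supported place to do what Max's NtCreateSection hook does and what Tony's open-for-execute check approximates (the filter sees the file only when an executable section is really being created on it, not on every FILE_EXECUTE open). It is written in plain C without WDK headers so it runs in user mode; the deny list, the sample paths and the PAGE_EXECUTE values copied from the Windows headers are assumptions for this illustration.

```c
/* Decision logic for a minifilter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
 * pre-operation callback (hypothetical example, not from the thread). Kept
 * free of WDK headers so the policy can be unit-tested in user mode. */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Page protection values from the Windows headers; any of these means the
 * caller asked for an executable mapping (SEC_IMAGE loads use PAGE_EXECUTE). */
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Mirrors FLT_PARAMETERS.AcquireForSectionSynchronization.SyncType. */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } SYNC_TYPE;

/* Constructed deny list (assumption): final path components to refuse as images. */
static const wchar_t *const DenyList[] = { L"calc.exe", L"notepad.exe", NULL };

/* Final component of a native path such as \Device\HarddiskVolume1\...\calc.exe */
static const wchar_t *BaseName(const wchar_t *path)
{
    const wchar_t *slash = wcsrchr(path, L'\\');
    return slash ? slash + 1 : path;
}

static int EqualsIgnoreCase(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; ++a, ++b)
        if (towlower(*a) != towlower(*b)) return 0;
    return *a == *b;
}

/* Returns 1 if the request should be failed (STATUS_ACCESS_DENIED in the real
 * callback), 0 to let it through. An open with FILE_EXECUTE is not enough, as
 * the thread notes many such opens never run; only SyncTypeCreateSection with
 * an executable PageProtection means an image is actually about to be mapped. */
int ShouldBlockSectionCreate(const wchar_t *path, SYNC_TYPE syncType,
                             unsigned long pageProtection)
{
    if (syncType != SyncTypeCreateSection) return 0;
    if ((pageProtection & PAGE_EXECUTE_ANY) == 0) return 0;
    const wchar_t *name = BaseName(path);
    for (size_t i = 0; DenyList[i] != NULL; ++i)
        if (EqualsIgnoreCase(name, DenyList[i])) return 1;
    return 0;
}
```

In the real callback the inputs come from Data->Iopb->Parameters.AcquireForSectionSynchronization and FltGetFileNameInformation, and a 1 result becomes FLT_PREOP_COMPLETE with Data->IoStatus.Status set to STATUS_ACCESS_DENIED.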