Prevent Kill Process for x64 ? any idea ?

It is so easy to prevent killing a process using x32; for that I'm using a hook, replacing ZwOpenProcess and returning ACCESS_DENIED! That's pretty in x32! But x64 does not allow any patch!

I know that some solutions exist! I've searched several times without success.

Any ideas or source code?

thanks guys

Why do you want to prevent a process from being killed? It’s the
user’s machine, not yours.

On Tue, Apr 9, 2013 at 10:50 AM, wrote:
> It is so easy to prevent killing a process using x32; for that I'm using a hook, replacing ZwOpenProcess and returning ACCESS_DENIED! That's pretty in x32! But x64 does not allow any patch!
>
> I know that some solutions exist! I've searched several times without success.
>
> Any ideas or source code?
>
>
> thanks guys
>
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I think you can prevent creation (http://msdn.microsoft.com/en-us/library/windows/hardware/ff542860(v=vs.85).aspx) but can't prevent termination.

On Tuesday, April 9, 2013, Nik Bougalis wrote:

> Why do you want to prevent a process from being killed? It’s the
> user’s machine, not yours.


To prevent a process from being killed you need to create it under the properly privileged account.

Before trying to implement a half-assed security solution, you need to study Windows security architecture first.

Why does anyone bother to respond when he names x32 as an architecture?

wrote in message news:xxxxx@ntdev…

> To prevent a process from being killed you need to create it under the
> properly privileged account.
>
> Before trying to implement a half-assed security solution, you need to study
> Windows security architecture first.

Write crap, and you end up with crap. That’s the lesson of hooking.

You have not said what the “process” is; is it a service? If it’s a
service, there are already mechanisms for doing this. If it isn’t, maybe
it should be.

If it is a process started in the user’s login session, there may be no
way to prevent this, and that suggests that the fundamental design is
wrong.

The notion that a process is “unkillable” is, in a login session, a truly
silly idea. I can always kill it by logging off, then logging back in.

Most attempts to do something like this are either easily abused or enable
other abuse. Read Mark Russinovich’s analysis of the Sony malware
incident; Sony essentially enabled a massive attack surface. Hooking is
often tested in only one case (“does it stop this process from being
killed?”) rather than under stress, for example, “If I start another
process of the same name, is it unkillable?”, or “Can I make this process
killable?” Sadly, most “security” kludges are p-baked, largely untested,
solutions with p < 0.1.

So why does your process need to be unkillable? Why is making it
unkillable a Bad Thing? What problem are you REALLY trying to solve?
joe


This seems to be a better approach:

“The ObCallback sample driver demonstrates the use of registered callbacks
for process protection”

http://code.msdn.microsoft.com/windowshardware/ObCallback-Sample-67a47841

Julian

2013/4/10

> Write crap, and you end up with crap. That’s the lesson of hooking.
>
> You have not said what the “process” is; is it a service? If it’s a
> service, there are already mechanisms for doing this. If it isn’t, maybe
> it should be.
>
> If it is a process started in the user’s login session, there may be no
> way to prevent this, and that suggests that the fundamental design is
> wrong.
>
> The notion that a process is “unkillable” is, in a login session, a truly
> silly idea. I can always kill it by logging off, then logging back in.
>
> Most attempts to do something like this are either easily abused or enable
> other abuse. Read Mark Russinovich’s analysis of the Sony malware
> incident; Sony essentially enabled a massive attack surface. Hooking is
> often tested in only one case (“does it stop this process from being
> killed?”) rather than under stress, for example, “If I start another
> process of the same name, is it unkillable?”, or “Can I make this process
> killable?” Sadly, most “security” kludges are p-baked, largely untested,
> solutions with p < 0.1.
>
> So why does your process need to be unkillable? Why is making it
> unkillable a Bad Thing? What problem are you REALLY trying to solve?
> joe