un-killable process

Is there some way my user-mode process can become immortal on both 9x and NT, or at least on 9x?
Thanks.
kudrt


Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

What do you want to achieve with this strange thing?

----- Original Message -----
From: “kudrt si”
To: “NT Developers Interest List”
Sent: Friday, August 10, 2001 1:10 PM
Subject: [ntdev] un-killable process

> is there some way my user mode process becomes
> immortal both on 9x and NT or atleast on 9x.
> thankx.
> kudrt



The achievement is a process that cannot be killed even by a privileged process.
At least that's how this feature works under VMS. I once wrote a privileged monitor process that changed mode to kernel, via a system service, and set the special undocumented bit in the process PCB. Even if some user ever got their hands on the SYSTEM account they could not kill this monitor process unless they knew about the special bit in the PCB. The secret was published only in the VMS source code listings, as I remember. One would have to write a program to clear the bit, and the program would have to change its mode from user to kernel. VMS offered a system service to do this while Windows does not.

I would think this type of feature would be useful under an OS with security like NT/2000/XP.

----- Original Message -----
From: “Maxim S. Shatskih”
To: “NT Developers Interest List”
Sent: Saturday, August 11, 2001 8:38 AM
Subject: [ntdev] Re: un-killable process

> What do you want to achieve with this strange thing?
>
> ----- Original Message -----
> From: “kudrt si”
> To: “NT Developers Interest List”
> Sent: Friday, August 10, 2001 1:10 PM
> Subject: [ntdev] un-killable process
>



Well, the utility is such that I have to start it along with the shell and exit when Windows shuts down. During that time nobody should be able to kill the program. Now I know that if we make the process a service (as the API suggests; on 9x, mind you), then it does not show up in the Task Manager window. But still, one can write a program that can kill it (I have not tried it, as I don't have a 9x box, but I guess so).

On NT/2k it's easy with GINA. Another way I had done was using the hookint code from "Undocumented NT", which used to hook service 80h (if I'm not wrong).

Another thing is that there are some APIs which MSDN claims do not work on 9x, but they are exported on 9x and I'm sure they are used; I think CreateDesktop is one of them. Is it OK to use them?

I also want to know when the system is about to shut down. Do I have to patch it, or is there some other way (like writing a VxD)?

kudrt

Subject: Re: un-killable process
From: “Bruce Allen”
>Date: Tue, 14 Aug 2001 21:23:34 -0600


Kudrt,

you wrote on Friday, August 17, 2001, 12:24:33:

ks> Well the util is such that i have to start along with
ks> the shell and exit when windows shuts down. during
ks> that time nobody should be able to kill the program.
ks> now i know if we make the process(as the api suggests)
ks> a service(on 9x mind you) then it does not show up in
ks> the Task Manager window. But still one can write a
ks> program that can kill it(i have not tried it as i dont
ks> have 9x box, but i guess so).

For Windows 9x/ME, look into RegisterServiceProcess():

RegisterServiceProcess

The RegisterServiceProcess function registers or unregisters a service process. A service process continues to run after the user logs off.

To call RegisterServiceProcess, retrieve a function pointer using GetProcAddress on KERNEL32.DLL. Use the function pointer to call RegisterServiceProcess.

    DWORD RegisterServiceProcess(
        DWORD dwProcessId,
        DWORD dwType
    );

Parameters

dwProcessId
    Specifies the identifier of the process to register as a service process. Specify NULL to register the current process.

dwType
    Specifies whether the service is to be registered or unregistered. This parameter can be one of the following values.

    Value  Meaning
    0      Unregisters the process as a service process.
    1      Registers the process as a service process.

Return Values
    The return value is 1 if successful or 0 if an error occurs.

Ralf.

/*======================== Foot shot for today =========================
Objective-C (NeXT):

You write a protocol for shooting yourself in the foot so that all
people can get shot in their feet.
======================================================================*/



Well, the brute force method always works, well, sort of: write yourself a VxD that loads at boot time. That VxD hooks a timer interrupt and implements a short and sweet dispatcher that switches your own processes, invisible to Windows. One of these processes will be a surrogate for the Windows system itself, that is, you time-slice Windows as if it were one of your processes. And then you can have a standard Ring 3 app that implements a control console for your dispatcher. The problem is that because Windows 9x is an open system, it's easy for people to find you in there and turn you off.

Hope this helps,

Alberto.

-----Original Message-----
From: kudrt si [mailto:xxxxx@yahoo.com]
Sent: Friday, August 17, 2001 6:25 AM
To: NT Developers Interest List
Subject: [ntdev] Re: un-killable process
