Un-Terminatable process

16 comments, last by GameDev.net 18 years, 5 months ago
Short answer: resistance to termination is one of the deadly sins of programming. Up there with associating a bunch of common file types with your program without asking, installing a rootkit, etc. The kind of thing any programmer should be taken out back and shot for.
Quote:Original post by Catafriggm
Short answer: resistance to termination is one of the deadly sins of programming. Up there with associating a bunch of common file types with your program without asking, installing a rootkit, etc. The kind of thing any programmer should be taken out back and shot for.
Unless, of course, the purpose of the program is to secure a computer from guest accounts (which require local admin access because few existing programs work without it). Of course, if this is the case, the most difficult part is preventing uninstallation (which can easily be done even to a running process by scheduling a delete on reboot and then rebooting, or editing the appropriate config, etc).

Regardless, I'm working on making a process that can't be terminated as an example, and if I get it working I'll post it here.
"Walk not the trodden path, for it has borne its burden." -John, Flying Monk
Quote:Original post by Extrarius
Quote:Original post by Catafriggm
Short answer: resistance to termination is one of the deadly sins of programming. Up there with associating a bunch of common file types with your program without asking, installing a rootkit, etc. The kind of thing any programmer should be taken out back and shot for.
Unless, of course, the purpose of the program is to secure a computer from guest accounts (which require local admin access because few existing programs work without it). Of course, if this is the case, the most difficult part is preventing uninstallation (which can easily be done even to a running process by scheduling a delete on reboot and then rebooting, or editing the appropriate config, etc).

Regardless, I'm working on making a process that can't be terminated as an example, and if I get it working I'll post it here.


Wow, thanks, that would be awesome!
Ok, well I got my code working, and it creates a process that debugs itself by launching a copy of itself, _BUT_ it can still be terminated.

It seems that the behavior of TerminateProcess (or whatever the task manager uses) has been changed to allow any process to be terminated by the administrator.
"Walk not the trodden path, for it has borne its burden." -John, Flying Monk
The right to dictate what programs run and what programs don't should not be taken away from the user. No good can come of this.
daerid@gmail.com
Quote:Original post by daerid
The right to dictate what programs run and what programs don't should not be taken away from the user. No good can come of this.


Lol, okay, okay, I get the point. This program is intended only for me so this isn't an issue really.
Well, you can always use two processes which will "look" for each other. If process A is closed, process B launches a new instance of it, and vice versa. It's still killable, but this time not so easily.
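The mutual-watchdog scheme Kiput describes, written out as an added example (this is not code from any poster in the thread). Each half polls its peer every POLL_SECONDS and relaunches it if it has exited, passing its own PID so the new peer guards it in turn. The file name, the roles "A"/"B" and the poll interval are assumptions. The simulate() function models the same loop tick by tick to make the weakness explicit: a terminator that kills both halves inside one poll interval wins, while one that kills them one at a time never does.

```python
"""Mutual watchdog pair: two processes that restart each other (added example).

Run `python watchdog_pair.py` (assumed file name) to start the pair; kill one
half with taskkill/kill and watch the survivor respawn it. Run with two
arguments (role, peer PID) it behaves as one half; the bootstrap does that.
"""
import os
import subprocess
import sys
import time

POLL_SECONDS = 0.5        # width of the window an attacker has to kill both halves
SCRIPT = os.path.abspath(__file__)


def pid_alive(pid: int) -> bool:
    """Liveness check for a process we did not spawn (so we cannot wait() on it)."""
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        SYNCHRONIZE, WAIT_TIMEOUT = 0x00100000, 0x102
        h = k32.OpenProcess(SYNCHRONIZE, False, pid)
        if not h:
            return False                  # no such PID (access denied counts as gone)
        try:
            return k32.WaitForSingleObject(h, 0) == WAIT_TIMEOUT
        finally:
            k32.CloseHandle(h)
    try:
        os.kill(pid, 0)                   # POSIX: signal 0 only tests existence
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def spawn_peer(role: str, my_pid: int) -> subprocess.Popen:
    """Launch the other half of the pair and tell it which PID to guard."""
    return subprocess.Popen([sys.executable, SCRIPT, role, str(my_pid)])


def watch(role: str, peer_pid: int) -> None:
    """Guard loop: runs forever, respawning the peer whenever it disappears."""
    peer_role = "B" if role == "A" else "A"
    owned = None                          # Popen handle once *we* spawned the peer
    while True:
        alive = (owned.poll() is None) if owned else pid_alive(peer_pid)
        if not alive:
            owned = spawn_peer(peer_role, os.getpid())
            peer_pid = owned.pid
            print(f"[{role}:{os.getpid()}] peer {peer_role} died, respawned as {peer_pid}")
        time.sleep(POLL_SECONDS)


def simulate(kills: dict, ticks: int = 5) -> set:
    """Tick-level model of the pair. kills maps tick -> roles killed at that tick.

    A kill lands at the start of a tick; every survivor then polls once and
    relaunches its missing peer. Returns the roles still alive after `ticks`.
    """
    alive = {"A", "B"}
    for t in range(ticks):
        alive -= set(kills.get(t, ()))
        for role in sorted(alive):
            alive.add("B" if role == "A" else "A")   # survivor resurrects its peer
    return alive


if __name__ == "__main__":
    if len(sys.argv) == 3:                # launched as one half: script ROLE PEER_PID
        watch(sys.argv[1], int(sys.argv[2]))
    child = spawn_peer("B", os.getpid())  # bootstrap: this process is A, start B
    watch("A", child.pid)
```

The model shows why this is "not so easily" killable rather than unkillable: the survivor only checks once per interval, so a terminator that enumerates both PIDs and terminates them back to back (or suspends both before terminating either) lands both kills in the same tick and nothing is left to respawn. Killing them one at a time, however far apart, never works.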
Might as well just buy the driver kit[1] (free plus ~$15 USD shipping to the US last I checked). Then, you could make a special driver that allocates user space, loads the program there (making the proper adjustments for relocation and the like), and then runs it, all without ever touching the standard process tables (thus, no record exists that there is a program loaded, except for the driver itself).

Actually, it might be possible to do that without the DDK, but I'm not sure how to allocate memory that will stay around after the loader process terminates. I guess one option would be abusing the CreateRemoteThread function to inject the allocation into something interesting, such as the desktop process or maybe the idle process (hrmm, I don't think the latter is possible). I'll investigate when I get home.

If you have two drivers that check each other as Kiput suggested, I'm not sure if there is a way to get rid of them at all (beyond a reformat).

[1] http://www.microsoft.com/whdc/devtools/ddk/default.mspx

-Extrarius

