Make Process unstoppable


Some of the ways to make a process un-terminable are:
  1. Rename your process to one of these: smss.exe, lsass.exe or csrss.exe. Note that this method only works on pre-Windows 7 releases; on Windows 7 your process will simply get terminated when you try it. On Vista or earlier, anyone who tries to terminate a process with one of these names will see an ACCESS DENIED error.
  2. Use the NTDLL export RtlSetProcessIsCritical(). It is an undocumented function exported by NTDLL.DLL, and once it has marked the process as critical, the operating system will suffer a Blue Screen of Death if anyone terminates the process.
  3. Use the API SetKernelObjectSecurity(). Its effect is the same as the first option: anyone who tries to terminate the process will see ACCESS DENIED.
A csrss.exe running from a directory other than System32 looks suspicious to AV products.


#include "windows.bi"

' RtlSetProcessIsCritical(BOOLEAN bNew, PBOOLEAN pbOld, BOOLEAN bNeedScb) -> NTSTATUS
' is an undocumented NTDLL export, so it is resolved at run time rather than linked.
Dim As HMODULE hNTDLL = LoadLibrary("Ntdll")
Dim RtlCritical As Function (ByVal As BOOLEAN, ByVal As BOOLEAN Ptr, ByVal As BOOLEAN) As Long
RtlCritical = Cast(Any Ptr, GetProcAddress(hNTDLL, "RtlSetProcessIsCritical"))

' The call only succeeds with SeDebugPrivilege enabled on the current token.
Dim As HANDLE hToken
Dim As LUID privLuid
Dim As TOKEN_PRIVILEGES tkpriv
ZeroMemory(@tkpriv, SizeOf(tkpriv))

If RtlCritical <> 0 AndAlso OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, @hToken) Then
    If LookupPrivilegeValue(NULL, SE_DEBUG_NAME, @privLuid) Then
        tkpriv.PrivilegeCount = 1
        tkpriv.Privileges(0).Luid = privLuid
        tkpriv.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
        AdjustTokenPrivileges(hToken, FALSE, @tkpriv, SizeOf(tkpriv), NULL, NULL)
        CloseHandle(hToken)
        ' From here on, terminating this process bug-checks the machine.
        RtlCritical(TRUE, NULL, FALSE)
    Else
        CloseHandle(hToken)
    End If
End If

FreeLibrary(hNTDLL)
The above is a FreeBASIC example that calls RtlSetProcessIsCritical(). Under UAC you will need to run it as Administrator, or the privilege adjustment fails and the code won't work. Once the flag is set, terminating the process results in a BSOD.
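From the defender's side, both tricks leave something to look for: a process that borrows one of the protected system-process names but runs from outside System32 (the point made above about csrss.exe), and a process whose BreakOnTermination flag is set, which is what RtlSetProcessIsCritical() turns on and which can be read back with NtQueryInformationProcess(ProcessBreakOnTermination). The following Python is an added example and not code from the original post: the process records it scans are constructed inline so it runs offline, the path heuristic is an assumption that legitimate copies live only under a \Windows\System32 directory, and the critical-flag query is a ctypes call that only runs on Windows and returns None elsewhere or when access is denied.

```python
"""Defender-side checks for the anti-termination tricks described in the post.

Added example, not the post's own code. Sample process records are constructed;
the critical-flag query uses the undocumented NtQueryInformationProcess class
ProcessBreakOnTermination (29) and is guarded so the module imports anywhere.
"""
import ctypes
import sys
from dataclasses import dataclass
from typing import List, Optional
from pathlib import PureWindowsPath

# Names whose legitimate copies live only in %SystemRoot%\System32.
PROTECTED_NAMES = {"smss.exe", "lsass.exe", "csrss.exe"}

# Windows constants (real values): PROCESSINFOCLASS and an access right.
ProcessBreakOnTermination = 29
PROCESS_QUERY_INFORMATION = 0x0400


@dataclass
class ProcInfo:
    """Minimal process record; a real scanner would fill this from WMI or psutil."""
    pid: int
    image_path: str


def is_masquerading(proc: ProcInfo) -> bool:
    """True when a process uses a protected system-process name but does not
    run from a ...\\Windows\\System32 directory (drive letter and case ignored).
    Heuristic: assumes the only legitimate location is <root>\\Windows\\System32."""
    path = PureWindowsPath(proc.image_path)
    if path.name.lower() not in PROTECTED_NAMES:
        return False
    parent_parts = [part.lower() for part in path.parent.parts]
    return parent_parts[-2:] != ["windows", "system32"]


def is_critical_process(pid: int) -> Optional[bool]:
    """Return whether the process has the critical (BreakOnTermination) flag set,
    or None when it cannot be queried (non-Windows host, access denied, error)."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    # Declare types so 64-bit handles are not truncated to int.
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p]

    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        return None  # typically ERROR_ACCESS_DENIED on protected processes
    try:
        flag = ctypes.c_ulong(0)
        returned = ctypes.c_ulong(0)
        status = ntdll.NtQueryInformationProcess(
            handle, ProcessBreakOnTermination, ctypes.byref(flag),
            ctypes.sizeof(flag), ctypes.byref(returned))
        if status != 0:  # any non-zero NTSTATUS is a failure
            return None
        return flag.value != 0
    finally:
        kernel32.CloseHandle(handle)


def find_masquerading_pids(procs: List[ProcInfo]) -> List[int]:
    """PIDs of processes that fail the name/location check, in input order."""
    return [p.pid for p in procs if is_masquerading(p)]


# Constructed sample snapshot, not real telemetry.
SAMPLE_PROCESSES = [
    ProcInfo(612, r"C:\Windows\System32\csrss.exe"),     # legitimate
    ProcInfo(4120, r"C:\Users\Public\csrss.exe"),        # wrong directory
    ProcInfo(720, r"C:\WINDOWS\system32\lsass.exe"),     # legitimate, odd casing
    ProcInfo(5000, r"C:\Temp\notepad.exe"),              # not a protected name
]

if __name__ == "__main__":
    for pid in find_masquerading_pids(SAMPLE_PROCESSES):
        print(f"pid {pid}: protected system-process name outside System32")
    # On a Windows host this reports the flag for the current interpreter.
    import os
    print("current process critical flag:", is_critical_process(os.getpid()))
```

The path check is deliberately a heuristic: it does not verify the image signature or the parent process, both of which a production detection would also compare against the known-good values for these processes. The flag query needs PROCESS_QUERY_INFORMATION on the target, so a scan run without administrative rights will return None for processes it cannot open rather than a false negative.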
