Some of the ways to make a process un-terminable are:
- Rename your process to one of these: smss.exe, lsass.exe or csrss.exe. Note that this method only works on pre-Windows 7 releases; on Windows 7 your process simply gets terminated when you try it. On Vista or earlier, anyone who tries to terminate a process carrying one of these names sees the ACCESS DENIED error.
- Call RtlSetProcessIsCritical(), an undocumented native API exported by NTDLL.DLL. Once a process is marked critical, the operating system bugchecks (Blue Screen of Death) if anyone terminates it. The call requires SeDebugPrivilege to be enabled in the caller's token.
- Use the SetKernelObjectSecurity() API to lock down the process object's DACL. Its effect is the same as the first option: whoever tries to terminate the process sees ACCESS DENIED.
CSRSS.EXE in a directory other than System32 looks suspicious to AVs.
```freebasic
#include "windows.bi"

' Load NTDLL and resolve the undocumented export RtlSetProcessIsCritical.
' Native prototype: NTSTATUS RtlSetProcessIsCritical(BOOLEAN bNew, PBOOLEAN pbOld, BOOLEAN bNeedScb)
Dim As HMODULE hNTDLL = LoadLibrary("Ntdll")
Dim RtlCritical As Function(ByVal As BOOLEAN, ByVal As BOOLEAN Ptr, ByVal As BOOLEAN) As Long
RtlCritical = Cast(Any Ptr, GetProcAddress(hNTDLL, "RtlSetProcessIsCritical"))

Dim As HANDLE hToken
Dim As LUID debugLuid
Dim As TOKEN_PRIVILEGES tkpriv
ZeroMemory(@tkpriv, sizeof(tkpriv))

' The call only succeeds when SeDebugPrivilege is enabled in the caller's token,
' so open our own token and enable that privilege first.
If (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, @hToken)) Then
    If (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, @debugLuid)) Then
        tkpriv.PrivilegeCount = 1
        tkpriv.Privileges(0).Luid = debugLuid
        tkpriv.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
        AdjustTokenPrivileges(hToken, FALSE, @tkpriv, sizeof(tkpriv), NULL, NULL)
        CloseHandle(hToken)
        ' Mark this process critical: terminating it from now on bugchecks the system.
        If (RtlCritical <> NULL) Then RtlCritical(TRUE, NULL, FALSE)
    Else
        CloseHandle(hToken)
    End If
End If

FreeLibrary(hNTDLL)
```
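The caption above notes that csrss.exe outside System32 looks suspicious, and the same holds for smss.exe and lsass.exe. The following is an added detection example, not code from the original post: it walks a process snapshot and flags any record whose name is one of the three protected names but whose image path, after expanding %SystemRoot% and collapsing `..` segments, does not resolve to the System32 directory. The process list, the `C:\Windows` system root and the process-record tuple shape are constructed assumptions for this example.

```python
import ntpath
import re

# Process names that Windows protects from termination on older releases,
# which the post's first technique borrows.
PROTECTED_NAMES = {"smss.exe", "lsass.exe", "csrss.exe"}

# Assumption: the system root is C:\Windows. On a live host read it from
# the SystemRoot environment variable instead of hard-coding it.
SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")


def normalize(path: str, system_root: str = SYSTEM_ROOT) -> str:
    """Expand %SystemRoot%, collapse '.' and '..' segments and lower-case the
    result so two spellings of the same Windows path compare equal."""
    expanded = re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.IGNORECASE)
    return ntpath.normpath(expanded).lower()


def is_masquerading(name: str, image_path: str) -> bool:
    """True when a protected process name runs from anywhere but System32."""
    if name.lower() not in PROTECTED_NAMES:
        return False
    directory = ntpath.dirname(normalize(image_path))
    return directory != normalize(SYSTEM32)


def find_masquerading(processes):
    """Return every (pid, name, image_path) record that masquerades as a
    protected system process."""
    return [(pid, name, path) for pid, name, path in processes
            if is_masquerading(name, path)]


# Constructed sample snapshot (not data from a real host).
SAMPLE_PROCESSES = [
    (612, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    (700, "lsass.exe", r"%SystemRoot%\System32\lsass.exe"),
    (4120, "csrss.exe", r"C:\Users\alice\AppData\Local\Temp\csrss.exe"),
    (4180, "smss.exe", r"C:\Windows\Temp\..\System32\..\smss.exe"),
    (4200, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, name, path in find_masquerading(SAMPLE_PROCESSES):
        print(f"suspicious: pid={pid} name={name} path={path}")
```

The comparison is done on the resolved directory rather than on the raw string so that `%SystemRoot%` spellings and `..` tricks do not slip past it; `ntpath` is used so the check runs on any platform, which makes it easy to apply to an exported process list. On a live Windows host the snapshot would come from something like `Get-Process | Select-Object Id, Name, Path` or a WMI/psutil enumeration.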