1

I've tried to protect a process in C++ on Windows. The code is:

#include <windows.h>   // must come before Aclapi.h
#include <Aclapi.h>
#include <sddl.h>
#include <iostream>

using namespace std;

// Apply a present-but-empty DACL to the current process. An empty DACL grants
// nobody any access, so an ordinary OpenProcess(PROCESS_TERMINATE, ...) fails.
// Caveat: the owner keeps READ_CONTROL/WRITE_DAC, and a token with
// SeDebugPrivilege enabled (elevated Task Manager enables it) bypasses the
// DACL entirely, so this is not a security boundary against administrators.
BOOL DenyAccess()
{
    ACL acl;
    if (!InitializeAcl(&acl, sizeof(acl), ACL_REVISION))   // zero-ACE ACL
        return FALSE;

    SECURITY_DESCRIPTOR sd;
    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
        return FALSE;

    // bDaclPresent = TRUE with a zero-ACE ACL is an *empty* DACL (deny all).
    // Passing a NULL pDacl instead would be a NULL DACL, which allows everyone.
    if (!SetSecurityDescriptorDacl(&sd, TRUE, &acl, FALSE))
        return FALSE;

    // GetCurrentProcess() is a pseudo-handle with full access; no OpenProcess
    // (and no leaked handle) is needed. The original passed an uninitialized
    // sa.lpSecurityDescriptor here.
    return SetKernelObjectSecurity(GetCurrentProcess(), DACL_SECURITY_INFORMATION, &sd);
}

int main()
{
    if (!DenyAccess())
    {
        cerr << "DenyAccess failed, Win32 error " << GetLastError() << endl;
        return 1;
    }
    Sleep(INFINITE);   // keep the process alive so the DACL can be tested
    return 0;
}

But I can kill the process from Task Manager! What's wrong?

Bo Persson
user3671325
  • http://www.tutorialspoint.com/cplusplus/cpp_signal_handling.htm –  Jan 28 '16 at 11:42
  • @Holonout I don't understand; this URL is about signalling. Is it connected to this in any way? Can you explain more? – user3671325 Jan 28 '16 at 11:52
  • 1
    Sorry user, wrong link. This would fit your request better: http://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows –  Jan 28 '16 at 12:03
  • 1
    IIRC, anti-virus software on modern versions of Windows uses a special technology (something like "protected processes" I think), but you have to have a special digital signature from Microsoft for that. Older anti-virus software cheated, running partly in kernel mode and messing with the operating system in undocumented and unsupported ways. (That's why so many of them had an unfortunate tendency to cause Windows to malfunction.) – Harry Johnston Jan 28 '16 at 22:17
  • What is the overall objective? An unkillable process? Write a device driver. – Sergei Vorobiev Jan 29 '16 at 07:29
  • @SergeiVorobiev I think I need that! Write a driver or kernel-based code? Can you give me some documents? How do I start that, and what subjects are close to my problem? – user3671325 Jan 29 '16 at 14:52

2 Answers

2

Windows Server uses a pair of threads that monitor each other to enforce licensing of Windows Server vs Windows Client. If one thread is stopped or suspended, the other thread revives the affected thread or starts a new thread. The threads run in the system process. You can't kill the system process without crashing Windows.

So an approach is to inject code into the system process that starts a pair of threads and have the threads protect each other and do whatever you would've had your unkillable process do (or have a third thread do whatever work you want). You can set the threads at a very high priority level to make sure nothing can successfully target both threads at the same time.

Χpẘ
1

There is one workaround. Instead of making a process unkillable, you can make a process "critical", which means killing this process causes the Windows system to crash (BSOD).

This can be done by calling the undocumented function RtlSetProcessIsCritical in ntdll.dll.
See a detailed example in http://www.codeproject.com/Articles/43405/Protecting-Your-Process-with-RtlSetProcessIsCriti

But keep in mind: you have to implement proper termination on logoff and/or system shutdown. Otherwise the system would crash in this situation.

Konrad
  • Thanks, I will test that and share if the results work! – user3671325 Jan 29 '16 at 14:54
  • It didn't work! I just closed the process as easily as any other process! It made no difference. – user3671325 Jan 29 '16 at 19:23
  • Did you start the application with administrator privileges? This is required. I use this in Windows XP, 7 and 8.1 - works fine. When trying to kill the process in Task Manager you get a warning about the system termination. – Konrad Feb 01 '16 at 09:27
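The two mechanisms discussed on this page, the process DACL the question's code tries to set and the "critical" flag Konrad's answer describes, both change what happens when an operator terminates a process. The following PowerShell script is an added example for the defender's side of that, not code from the question or either answer: before killing a process during incident response, it reports whether the current token can open the process with PROCESS_TERMINATE (the DACL check) and whether the process carries the critical flag (so that terminating it would crash the machine). It assumes ProcessBreakOnTermination is information class 29 of NtQueryInformationProcess and returns a 4-byte ULONG; the function name Get-ProcessKillSafety is my own.

```powershell
# Added example (not from the question or answers): check a process before
# terminating it. Assumes ProcessBreakOnTermination == 29 and that the class
# returns a 4-byte ULONG, non-zero meaning "critical".
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);

[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass, out uint info, int infoLength, out int returnLength);
'@

$PROCESS_TERMINATE         = 0x0001
$PROCESS_QUERY_INFORMATION = 0x0400
$ProcessBreakOnTermination = 29      # assumed PROCESSINFOCLASS value
$ERROR_ACCESS_DENIED       = 5

function Get-ProcessKillSafety {
    param([Parameter(Mandatory)][uint32]$ProcessId)

    # (1) DACL check: can this token open the process for PROCESS_TERMINATE?
    #     An empty DACL or a Deny ACE yields ERROR_ACCESS_DENIED here, unless the
    #     token has SeDebugPrivilege enabled, which bypasses the DACL entirely.
    $hKill   = [Win32.Native]::OpenProcess($PROCESS_TERMINATE, $false, $ProcessId)
    $killErr = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $canTerminate = ($hKill -ne [IntPtr]::Zero)
    if ($canTerminate) { [void][Win32.Native]::CloseHandle($hKill) }

    # (2) Critical-flag check: read the value RtlSetProcessIsCritical writes.
    $hQuery = [Win32.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hQuery -eq [IntPtr]::Zero) {
        throw ("OpenProcess(QUERY_INFORMATION) failed, Win32 error {0}" -f `
               [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    $flag   = [uint32]0
    $retLen = 0
    $status = [Win32.Native]::NtQueryInformationProcess($hQuery, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$retLen)
    [void][Win32.Native]::CloseHandle($hQuery)
    if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }

    [pscustomobject]@{
        ProcessId    = $ProcessId
        CanTerminate = $canTerminate
        DaclDenies   = (-not $canTerminate -and $killErr -eq $ERROR_ACCESS_DENIED)
        IsCritical   = ($flag -ne 0)
        SafeToKill   = ($canTerminate -and $flag -eq 0)
    }
}

# Usage: the shell's own process is neither critical nor DACL-protected.
Get-ProcessKillSafety -ProcessId $PID
```

DaclDenies is true only when the open failed with ERROR_ACCESS_DENIED, so a nonexistent PID (ERROR_INVALID_PARAMETER) is not misreported as a protected process. Run the check from an unelevated shell if you want to see what the DACL alone does, since an elevated session with SeDebugPrivilege enabled will report CanTerminate for processes an ordinary user cannot open.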