Hi people!
How do I kill access-denied processes through C++?
I made a small task manager utility to kill processes, but some processes running under SYSTEM can't be killed. My app uses TerminateProcess()...
I have SeSecurityPrivilege enabled and I have admin privileges...
Please help:/
I am pretty sure you are trying to kill AV processes; if so, the chances are they hooked Zw/NtTerminateProcess in kernel mode. To make sure you can kill them, you must develop an unhook driver, which also makes the unhook persistent via splicing NtProtectVirtualMemory.
An even better idea is to hook SYSENTER_MSR or interrupts:
@OrionMaster:
BTW, some days back I made a hook for NtTerminateProcess()
Can I use this callback:
// Naked functions in MSVC must be declared void and contain only inline asm.
__declspec(naked) void Callback()
{
    __asm {
        jmp [dwKiFastEntryCall Address]
    }
}
Please help:/
I am pretty sure you are aravind. Sorry to say, but if you have the skill to hook NtTerminateProcess, then the callback would be simple, that too for NtTerminateProcess.
Besides, the above code will fail in user mode; it only works in kernel mode.
Anyhow, you need to manually inject the code, either via a DLL with manual mapping and then injection, OR code injection directly into system-wide available processes with all modules' sub-procs being added into a code struct to be given to the injection thread, or you can inject ONLY the callback and then perform a remote hook.
Then simply patch the callback, with the math being the address of NtTerminateProcess and the remote thread memory location.
Hi,
When you click Shutdown in the Start menu, Windows shuts down, killing AV processes, right?
Now, is there a simpler way to trick such processes into thinking that Windows is shutting down and make them quit?
No, there is no other way unless you can inject into the csrss.exe process; then you can kill the processes through there. However, many AV solutions protect vulnerable processes such as csrss.exe.
If you want to cripple the AV solutions, why not duplicate the AV handle?
Well, this is where your research comes into play.
What part did you not understand?
I know it can be dangerous; however, attempting to take down AV processes can be dangerous. Nevertheless, if the injection into csrss.exe is done correctly, there is no danger. Malware does it all the time.