How to kill access-denied processes through C++?

Hi people!
How to kill access-denied processes through C++?
I made a small task manager utility to kill processes, but some processes running under SYSTEM can't be killed. My app uses TerminateProcess()...
I have SeSecurityPrivilege enabled and I have admin privileges...
Please help:/
closed account (13bSLyTq)
Hi,

I am pretty sure you are trying to kill AV processes; if so, the chances are they hooked Zw/NtTerminateProcess in kernel mode. To make sure you can kill them, you must develop an unhook driver, which also makes the unhook persistent via splicing NtProtectVirtualMemory.

An even better idea is to hook SYSENTER_MSR or interrupts:

CodeEmpire SYSENTER_MSR hook:
http://codeempire.blogspot.co.uk/2013/10/kernel-driver-sysenter-hook.html

Good Luck!
@OrionMaster:
BTW, some days back I made a hook for NtTerminateProcess()
Can I use this callback:
__declspec(naked) void Callback()
{
    __asm {
        jmp [dwKiFastEntryCall Address]
    }
}
Please help:/
closed account (13bSLyTq)
Hi,

I am pretty sure you are aravind. Sorry to say, but if you have the skill to hook NtTerminateProcess, then the callback would be simple, that too for NtTerminateProcess.
Besides, the above code will fail in user mode; it only works in kernel mode.

GL
Why are you confusing me?
I'm not aravind!
BTW, what should I do for user mode?
closed account (13bSLyTq)
Hi,

Anyhow, you need to manually inject the code, either via a DLL with manual mapping and then injection, OR code injection directly into system-wide available processes with all modules' sub-procs being added into a code struct to be given to the injection thread, or you can inject ONLY the callback and then perform a remote hook.

Then simply patch the callback with the math being the address of NtTerminateProcess and the remote thread memory location.

Hope I helped.
Okay...
Hi,
When you click Shutdown in the Start menu, Windows shuts down, killing AV processes, right?
Now, is there a simpler way to trick such processes into thinking that Windows is shutting down and make them quit?
closed account (13bSLyTq)
Hi,

No, there is no other way unless you can inject into the csrss.exe process; then you can kill the processes through there. However, many AV solutions protect vulnerable processes such as csrss.exe.

If you want to cripple the AV solutions, why not duplicate the AV handle?
How will you duplicate the AV handle?
I didn't understand what you meant.
BTW, can injecting into csrss.exe be dangerous?
closed account (13bSLyTq)
Well, this is where your research comes into play.

What part did you not understand?

I know it can be dangerous; however, attempting to take down AV processes can be dangerous. Nevertheless, if the injection into csrss.exe is done correctly there is no danger. Malware does it all the time.
closed account (jyU4izwU)
I'm thinking you're trying to hack someone.
I'm NOT trying to hack!

I WILL NOT AND NEVER FOREVER USE MY KNOWLEDGE FOR BAD...
I WILL ONLY USE IT FOR GOOD,
FOREVER!
---WindowsProgrammer777
closed account (13bSLyTq)
I am actually suspecting you, TBH.
Real hackers do not waste their time on these forums, I think.
closed account (jyU4izwU)
Not unless they need help >:O