How to make a function execute on termination using c++?

Hi all,
I have a small program that handles critical info,
so if it is killed by Task Manager then the data is lost.
I need to detect termination and execute a function called
SaveData() when the process is killed. Help?
closed account (Dy7SLyTq)
stdlib.h has atexit() http://www.cplusplus.com/reference/cstdlib/atexit/ which is the C way.
idk if there is a C++ way
No way to counter that.
Just provide a Close button and keep your app alive without getting it frozen.
If Task Manager uses TerminateProcess() internally then there is nothing you can do to stop it.

However, if "data" means some database text file, replace it with sqlite3; you will get much better results than implementing your own.

If sqlite is not an option, then use 2 processes which communicate with each other through some form of IPC (shared memory for example) and do the saving task if one of them is killed (please consider that "data" itself must be in a shared memory zone to survive process killing).
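An added example (not part of the thread or any poster's code) of the idea behind this advice: since TerminateProcess cannot be intercepted, each change is committed as it happens, so nothing is left for a SaveData() at exit. It uses a small append-only journal rather than SQLite; the record layout, the file name and the function names are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <string>
#include <vector>

// FNV-1a checksum; it only has to detect a torn or corrupt record.
static uint32_t fnv1a(const std::string& s) {
    uint32_t h = 2166136261u;
    for (unsigned char c : s) { h ^= c; h *= 16777619u; }
    return h;
}

// Append [length][checksum][payload] and flush to the OS, so the bytes outlive
// the process. cut >= 0 truncates the payload, imitating a kill mid-append.
bool appendRecord(const std::string& path, const std::string& data, long cut = -1) {
    std::ofstream out(path, std::ios::binary | std::ios::app);
    if (!out) return false;
    uint32_t len = static_cast<uint32_t>(data.size()), sum = fnv1a(data);
    out.write(reinterpret_cast<const char*>(&len), sizeof len);
    out.write(reinterpret_cast<const char*>(&sum), sizeof sum);
    out.write(data.data(), cut < 0 ? static_cast<long>(len) : cut);
    out.flush();
    return static_cast<bool>(out);
}

// Replay the journal, stopping at the first incomplete or corrupt record.
std::vector<std::string> recover(const std::string& path) {
    std::vector<std::string> records;
    std::ifstream in(path, std::ios::binary);
    uint32_t len = 0, sum = 0;
    while (in.read(reinterpret_cast<char*>(&len), sizeof len) &&
           in.read(reinterpret_cast<char*>(&sum), sizeof sum)) {
        if (len > (1u << 20)) break;             // implausible header
        std::string data(len, '\0');
        if (!in.read(&data[0], len)) break;      // torn payload
        if (fnv1a(data) != sum) break;           // corrupt payload
        records.push_back(data);
    }
    return records;
}

int main() {
    const std::string path = "state.journal";   // constructed sample file
    std::remove(path.c_str());
    appendRecord(path, "balance=100");
    appendRecord(path, "balance=250", 5);        // killed mid-write
    std::printf("recovered %zu record(s)\n", recover(path).size());
}
```

A production version would also truncate the torn tail during recovery, so that later appends are not stranded behind it.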
If Task Manager uses TerminateProcess() internally then there is nothing you can do to stop it.


How can we know whether Task Manager is using TerminateProcess() internally or not?
Is there a way to tell windows to do something when my process gets terminated by some program or task manager?
closed account (Dy7SLyTq)
Don't quote me on this because I'm just guessing, but I think there is a way to see what signal is sent to the program. I know you can in Linux because you can tell when it's ended with Ctrl + C. Why doesn't atexit work with GUI apps?
Task Manager DOES use TerminateProcess.
The side effects are the same.
Terminating a process doesn't send any message to GUI apps; if the app is waiting for devices, it won't terminate the process (e.g. broken CDs), and so on.

On Windows, there is NO WAY to counter TerminateProcess, as TerminateProcess is the lowest level process terminator function, and it may even f**k DLL reference count.
closed account (13bSLyTq)
Hi,

Nope, there are lower-level functions which can be used by moving values manually into ESP and EAX - KiFastSystemCall, Wow64SystemServiceEx

Additionally no need to go this deep, a more "commercial" solution is NtTerminateProcess\ZwTerminateProcess.

In Windows 8 a lot of NT functions changed, according to a lot of reverse-engineers; not sure if NtTerminateProcess has been affected by the change. Additionally, the best way to go about this is using a debugger (OllyDbg or IDA Pro).
lowest level process terminator function

Does KiFastSystemCall act like TerminateProcess?
Uh.... Your process must check for the WM_TERMINATE message. You cannot counteract it -- your process will die no matter what -- but you should have enough time to save state before being terminated.
Hi,
my main goal is to prevent my process from being killed...
I made a watchdog process to do it!
BTW, is it safe to use
RtlSetProcessIsCritical() for this?
WM_TERMINATE?? Do you mean WM_DESTROY? Or WM_QUIT??

so if it is killed by task manager then data is lost,...

If the user uses End Task from the Applications list then Task Manager will send a GUI application a WM_CLOSE message, to give it the chance to exit gracefully. If the application ignores the exit request it is then terminated with TerminateProcess.

But if the application is shut down from the Processes view, using either End Process or End Process Tree, then the WM_CLOSE message is not sent; TerminateProcess is called immediately.

In a similar way, if a console application has configured a handler routine using SetConsoleCtrlHandler then it will receive a CTRL_CLOSE_EVENT if the app is closed in the Applications list using End Task.

Andy

SetConsoleCtrlHandler function
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686016%28v=vs.85%29.aspx

HandlerRoutine callback function
http://msdn.microsoft.com/en-us/library/windows/desktop/ms683242%28v=vs.85%29.aspx
closed account (13bSLyTq)
@EssGeEich

Yes, actually pass in the correct parameters and yes it will. Nevertheless, NtTerminateProcess is lower than TerminateProcess, as you stated.
Is RtlSetProcessIsCritical() good
for preventing users and other programs from killing my process?
closed account (13bSLyTq)
No, especially because the protection can be easily removed. This is how I would kill your process if it had RtlSetProcessIsCritical():

Step 1:

Gain Elevation via a SE technique using either Services or cmd.exe

Step 2:

Inject into your process, nothing is stopping me

Step 3:
Set the first parameter of RtlSetProcessIsCritical() to 0, in other words removing the protection

Step 4:
Kill the Process.


____________

As you may see, it needs a little bit of creativity to bypass even the Windows API functions. But I am sure others can think like this as well.
____________


Try to be more creative; don't use the same old methods.
What if I prevent DLL injection?
closed account (13bSLyTq)
Well, still no; I can still do a code injection rather than DLL injection. Additionally, I can load my DLL through there.
Next I can even do a PE injection or a custom injection or kernel injection.
Well, now I am trying to prevent code injection!
Help?