How to protect my process from being killed???

Jul 14, 2013 at 11:31am
closed account (3hMz8vqX)
Hi everyone,
I am making a small parental-controls example.
I have searched a lot on protecting a process and came across functions such as "RtlSetProcessIsCritical" etc. Then I also came across SetKernelObjectSecurity() etc.
On using SetKernelObjectSecurity() I could prevent regular users from killing my process, but when Task Manager is run as admin it will kill the program!

Have you seen AV programs like Avast and Kaspersky etc.?
They can't be killed even from taskmgr as admin. How do I get the same effect with the WinAPI in C++? I'm using Win7, Orwell Dev-C++, TDM-GCC x64.

I know you people have some solution...
Can you please shed some light on this?
Jul 14, 2013 at 4:22pm
Hi,
could you show what DACL you set via SetKernelObjectSecurity?
Are you sure you didn't leave the PROCESS_TERMINATE right granted to any user?

You can check what the current ACL for your process is via Process Explorer from Windows Internals:
http://technet.microsoft.com/pl-pl/sysinternals/bb896653.aspx
Please look in the 'Security' -> 'Privileges' -> 'Special privileges' tab.

Last edited on Jul 14, 2013 at 4:42pm
Jul 14, 2013 at 8:47pm
AV programs use two processes (usually Windows services) which monitor each other. Once one of them is terminated, the other one relaunches it, and so on.
Jul 15, 2013 at 3:01am
closed account (3hMz8vqX)
Hi all, this is how I set the ACL:

#include <Windows.h>
#include <Aclapi.h>
#include <Sddl.h>   // ConvertStringSecurityDescriptorToSecurityDescriptor, SDDL_REVISION_1

BOOL DenyAccess()
{
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    if (hProcess == NULL)
        return FALSE;

    // SDDL string: a protected DACL (P) holding two deny ACEs. The pieces are
    // adjacent string literals that the compiler joins into one string; a ';'
    // after TEXT("D:P") would end the initialiser and silently drop both ACEs.
    // No allow ACE follows, so this DACL grants nothing to any account.
    LPCTSTR szSD = TEXT("D:P")              // Protected discretionary ACL
                   TEXT("(D;OICI;GA;;;BG)") // Deny all access to built-in guests
                   TEXT("(D;OICI;GA;;;AN)");// Deny all access to anonymous logon

    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = FALSE;
    sa.lpSecurityDescriptor = NULL;

    BOOL ok = FALSE;
    if (ConvertStringSecurityDescriptorToSecurityDescriptor(szSD, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
    {
        ok = SetKernelObjectSecurity(hProcess, DACL_SECURITY_INFORMATION, sa.lpSecurityDescriptor);
        LocalFree(sa.lpSecurityDescriptor); // the conversion call allocates it with LocalAlloc
    }
    CloseHandle(hProcess);
    return ok;
}
Usage:
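The DACL side of the access check that the second reply asks about, as an added example that is not code from the thread or from any poster: a small C++ model that parses the D: section of an SDDL string and walks its ACEs the way the kernel does when a handle to a process is opened. The sample tokens, the three SDDL strings and the GR/GW/GX generic mapping are constructed for illustration (GA is PROCESS_ALL_ACCESS; the GR/GW/GX values are taken from the ReactOS PsProcessType definition and should be verified against the target kernel). Only the DACL is modelled: the owner's implicit rights and SeDebugPrivilege are left out, and SeDebugPrivilege is exactly what an elevated Task Manager uses to open a process regardless of its DACL, so a DACL on its own cannot give the effect the question asks for.

```cpp
// Added example, not code from the thread: a DACL-only model of the Windows
// access check, run over SDDL strings for a process object.
#include <cstdint>
#include <cstdio>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Process access rights, values as in winnt.h.
constexpr uint32_t kProcessTerminate        = 0x0001;
constexpr uint32_t kProcessVmRead           = 0x0010;
constexpr uint32_t kProcessQueryInformation = 0x0400;
constexpr uint32_t kProcessAllAccess        = 0x001FFFFF; // Vista and later
// ASSUMPTION: generic mapping for process objects. GA is PROCESS_ALL_ACCESS;
// GR/GW/GX follow the PsProcessType mapping as published by ReactOS.
constexpr uint32_t kGenericRead    = 0x00020410; // STANDARD_RIGHTS_READ|VM_READ|QUERY_INFORMATION
constexpr uint32_t kGenericWrite   = 0x00020BEB; // STANDARD_RIGHTS_WRITE|TERMINATE|VM_WRITE|...
constexpr uint32_t kGenericExecute = 0x00120000; // STANDARD_RIGHTS_EXECUTE|SYNCHRONIZE

struct Ace  { bool allow; uint32_t mask; std::string sid; };
struct Dacl { bool present = false; std::vector<Ace> aces; };

// Rights field of an ACE: a hex mask or a run of two-letter generic codes.
uint32_t ParseRights(const std::string& r) {
    if (r.rfind("0x", 0) == 0 || r.rfind("0X", 0) == 0)
        return static_cast<uint32_t>(std::stoul(r, nullptr, 16));
    if (r.size() % 2) throw std::invalid_argument("bad rights: " + r);
    uint32_t mask = 0;
    for (size_t i = 0; i < r.size(); i += 2) {
        std::string t = r.substr(i, 2);
        if      (t == "GA") mask |= kProcessAllAccess;
        else if (t == "GR") mask |= kGenericRead;
        else if (t == "GW") mask |= kGenericWrite;
        else if (t == "GX") mask |= kGenericExecute;
        else throw std::invalid_argument("unsupported right: " + t);
    }
    return mask;
}

// Parses the D: section. No D: section at all is a NULL DACL (everyone gets
// everything); "D:" or "D:P" with no ACEs is an empty DACL (nobody gets anything).
Dacl ParseDacl(const std::string& sddl) {
    Dacl d;
    size_t pos = sddl.find("D:");
    if (pos == std::string::npos) return d;
    d.present = true;
    size_t end = sddl.find("S:", pos + 2);          // start of the SACL section, if any
    if (end == std::string::npos) end = sddl.size();
    for (size_t open; (open = sddl.find('(', pos)) != std::string::npos && open < end;) {
        size_t close = sddl.find(')', open);
        if (close == std::string::npos) throw std::invalid_argument("unterminated ACE");
        // ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        std::string body = sddl.substr(open + 1, close - open - 1);
        std::vector<std::string> f;
        size_t s = 0;
        for (size_t semi; (semi = body.find(';', s)) != std::string::npos; s = semi + 1)
            f.push_back(body.substr(s, semi - s));
        f.push_back(body.substr(s));
        if (f.size() != 6 || (f[0] != "A" && f[0] != "D"))
            throw std::invalid_argument("unsupported ACE: " + body);
        d.aces.push_back({f[0] == "A", ParseRights(f[2]), f[5]});
        pos = close + 1;
    }
    return d;
}

// DACL half of the kernel access check: ACEs are walked in order; a matching
// deny ACE covering any still-outstanding bit denies, matching allow ACEs
// accumulate until every requested bit is granted. Not modelled: the owner's
// implicit READ_CONTROL/WRITE_DAC and SeDebugPrivilege, which bypasses the DACL
// entirely (this is how an elevated Task Manager still terminates the process).
bool DaclGrants(const Dacl& d, const std::set<std::string>& tokenSids, uint32_t desired) {
    if (!d.present) return true;
    uint32_t remaining = desired;
    for (const Ace& a : d.aces) {
        if (!tokenSids.count(a.sid)) continue;
        if (a.allow) { remaining &= ~a.mask; if (remaining == 0) return true; }
        else if (a.mask & remaining) return false;
    }
    return remaining == 0;
}

// Constructed sample tokens by SDDL SID abbreviation (every token holds Everyone, WD).
std::set<std::string> StandardUserToken()  { return {"WD", "AU", "IU", "BU"}; }
std::set<std::string> ElevatedAdminToken() { return {"WD", "AU", "IU", "BU", "BA"}; }
std::set<std::string> GuestToken()         { return {"WD", "BG"}; }

// What the posted DenyAccess() installs once a stray ';' cuts the initialiser
// after TEXT("D:P"): an empty protected DACL.
const char* const kEmptyDacl   = "D:P";
// Deny PROCESS_TERMINATE to Everyone first, then allow the rest to users and admins.
const char* const kNoTerminate = "D:P(D;;0x0001;;;WD)(A;;GA;;;BA)(A;;0x1FFFFE;;;AU)";
// The slip the second reply asks about: GA handed to every authenticated user.
const char* const kLeaky       = "D:(A;;GA;;;AU)";

int main() {
    for (const char* sddl : {kEmptyDacl, kNoTerminate, kLeaky})
        std::printf("%-50s user terminate=%d admin terminate=%d user query=%d\n", sddl,
                    DaclGrants(ParseDacl(sddl), StandardUserToken(), kProcessTerminate),
                    DaclGrants(ParseDacl(sddl), ElevatedAdminToken(), kProcessTerminate),
                    DaclGrants(ParseDacl(sddl), StandardUserToken(), kProcessQueryInformation));
    return 0;
}
```

Run on its own it prints, for each of the three DACLs, whether a standard user and an elevated admin get PROCESS_TERMINATE and whether a standard user can still query the process. The empty DACL denies everyone everything, the kNoTerminate DACL denies only terminate at the DACL level while leaving the process usable, and kLeaky shows why a GA or GW grant to a broad group hands out PROCESS_TERMINATE. Whatever the DACL says, a token holding SeDebugPrivilege skips this walk entirely, which is the case the original poster sees with Task Manager run as admin.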