How to kill access-denied processes through C++?

Nov 19, 2013 at 10:55am
Hi people!
How to kill access-denied processes through C++?
I made a small task manager utility to kill processes, but some processes running under SYSTEM can't be killed. My app uses TerminateProcess()...
I have SeSecurityPrivilege enabled and I have admin privileges...
Please help:/
Nov 19, 2013 at 4:40pm
closed account (13bSLyTq)
Hi,

I am pretty sure you are trying to kill AV processes; if so, the chances are they hooked Zw\NtTerminateProcess in kernel mode. To make sure you can kill them, you must develop an unhook driver, which also makes the unhook persistent via splicing NtProtectVirtualMemory.

An even better idea is to hook SYSENTER_MSR or interrupts:

CodeEmpire SYSENTER_MSR hook:
http://codeempire.blogspot.co.uk/2013/10/kernel-driver-sysenter-hook.html

Good Luck!
Nov 19, 2013 at 8:50pm
@OrionMaster:
BTW, some days back I made a hook for NtTerminateProcess()
Can I use this callback:
__declspec(naked) Callback()
{
    __asm{
        jmp [dwKiFastEntryCall Address]
    }
}
Please help:/
Last edited on Nov 19, 2013 at 8:54pm
Nov 19, 2013 at 9:10pm
closed account (13bSLyTq)
Hi,

I am pretty sure you are aravind. Sorry to say, but if you have the skill to hook NtTerminateProcess, then the callback would be simple, that too for NtTerminateProcess.
Besides, the above code will fail in user mode; it only works in kernel mode.

GL
Nov 19, 2013 at 9:18pm
Why are you confused about me?
I'm not aravind!
BTW, what should I do for user mode?
Nov 19, 2013 at 9:29pm
closed account (13bSLyTq)
Hi,

Anyhow, you need to manually inject the code, either via a DLL with manual mapping and then injection, OR code injection directly into system-wide available processes, with all modules' sub-procs being added into a code struct to be given to the injection thread; or you can inject ONLY the callback and then perform a remote hook.

Then simply patch the callback with the math being the address of NtTerminateProcess and the remote thread memory location.

Hope I helped.
Nov 19, 2013 at 9:32pm
Okay...
Nov 30, 2013 at 7:33am
Hi,
When you click shutdown in the start menu, Windows shuts down, killing AV processes, right?
Now, is there a simpler way to trick such processes into thinking that Windows is shutting down and make them quit?
Last edited on Nov 30, 2013 at 7:34am
Nov 30, 2013 at 11:16am
closed account (13bSLyTq)
Hi,

No, there is no other way unless you can inject into the csrss.exe process; then you can kill the processes through there. However, many AV solutions protect vulnerable processes such as csrss.exe.

If you want to cripple the AV solutions, why not duplicate the AV handle?
Nov 30, 2013 at 2:23pm
How will you duplicate the AV handle?
I didn't understand what you meant.
BTW, can injecting into csrss.exe be dangerous?
Nov 30, 2013 at 4:19pm
closed account (13bSLyTq)
Well, this is where your research comes into play.

What part did you not understand?

I know it can be dangerous; however, attempting to take down AV processes can be dangerous. Nevertheless, if the injection into csrss.exe is done correctly there is no danger. Malware does it all the time.
Dec 1, 2013 at 12:59pm
closed account (jyU4izwU)
I'm thinking you're trying to hack someone.
Dec 1, 2013 at 1:39pm
I'm NOT trying to hack!

I WILL NOT AND NEVER FOREVER USE MY KNOWLEDGE FOR BAD...
I WILL ONLY USE IT FOR GOOD,
FOREVER!
---WindowsProgrammer777
Dec 1, 2013 at 1:56pm
closed account (13bSLyTq)
I am actually suspecting you, TBH
Dec 1, 2013 at 1:59pm
Real hackers do not waste their time on these forums, I think.
Dec 1, 2013 at 3:17pm
closed account (jyU4izwU)
Not unless they need help >:O