Hi all,
I have a small program that handles critical info.
So if it is killed by Task Manager then data is lost,
so I need to detect termination and execute a function called
SaveData() when the process is killed. Help?
If Task Manager uses TerminateProcess() internally then there is nothing you can do to stop it.
However, if "data" means some database text file, replace it with sqlite3; you will get much better results than implementing your own.
If sqlite is not an option, then use 2 processes which communicate with each other through some form of IPC (shared memory for example) and do the saving task if one of them is killed (please consider that "data" itself must be in the shared memory zone to survive process killing).
Don't quote me on this because I'm just guessing, but I think there is a way to see what signal is sent to the program. I know you can in Linux because you can tell when it's ended with Ctrl+C. Why doesn't atexit work with GUI apps?
Task Manager DOES use TerminateProcess.
The side effects are the same.
Terminating a process doesn't send any message to GUI apps; if the app is waiting for devices, it won't terminate the process (e.g. broken CDs), and so on.
On Windows, there is NO WAY to counter TerminateProcess, as TerminateProcess is the lowest-level process terminator function, and it may even f**k DLL reference counts.
Nope. There are lower-level functions which can be used by moving values manually into ESP and EAX: KiFastSystemCall, Wow64SystemServiceEx.
Additionally, no need to go this deep; a more "commercial" solution is NtTerminateProcess\ZwTerminateProcess.
In Windows 8 a lot of NT functions changed according to a lot of reverse engineers; not sure if NtTerminateProcess has been affected by the change. Additionally, the best way to go about this is using a debugger (OllyDbg or IDA Pro).
Uh.... Your process must check for the WM_TERMINATE message. You cannot counteract it -- your process will die no matter what -- but you should have enough time to save state before being terminated.
WM_TERMINATE?? Do you mean WM_DESTROY? Or WM_QUIT??
so if it is killed by task manager then data is lost,...
If the user uses End Task from the Applications list then Task Manager will send a GUI application a WM_CLOSE message, to give it the chance to exit gracefully. If the application ignores the exit request it is then terminated with TerminateProcess.
But if the application is shut down from the Processes view, using either End Process or End Process Tree, then the WM_CLOSE message is not sent; TerminateProcess is called immediately.
In a similar way, if a console application has configured a handler routine using SetConsoleCtrlHandler then it will receive a CTRL_CLOSE_EVENT if the app is closed in the Applications list using End Task.
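An added example (mine, not code from this thread) covering both cases the reply above describes: the graceful End Task path is handled through SetConsoleCtrlHandler, and because the End Process path (TerminateProcess) cannot be intercepted, SaveData() is written so that a kill at any instant leaves either the old or the new complete file, never a torn one. The file path, the length/checksum record layout and the FNV-1a checksum are my assumptions; the handler part compiles only under _WIN32.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <io.h>
#define fsync _commit                  /* flush to disk on Windows */
#else
#include <unistd.h>
#endif
static uint32_t checksum(const char *s, uint32_t n) {   /* FNV-1a: detects a torn record on load */
    uint32_t h = 2166136261u;
    for (uint32_t i = 0; i < n; i++) { h ^= (unsigned char)s[i]; h *= 16777619u; }
    return h;
}
/* SaveData(): write <len><bytes><checksum> to path.tmp, flush it to disk, then rename it
 * over the live file, so a kill between any two instructions leaves a complete file. */
int save_state(const char *path, const char *data) {
    char tmp[1024];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    FILE *f = fopen(tmp, "wb"); if (!f) return -1;
    uint32_t len = (uint32_t)strlen(data), sum = checksum(data, len);
    int ok = fwrite(&len, 4, 1, f) == 1 && fwrite(data, 1, len, f) == len
          && fwrite(&sum, 4, 1, f) == 1 && fflush(f) == 0 && fsync(fileno(f)) == 0;
    if (fclose(f) != 0 || !ok) { remove(tmp); return -1; }   /* live file untouched */
#ifdef _WIN32
    return MoveFileExA(tmp, path, MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH) ? 0 : -1;
#else
    return rename(tmp, path);                                 /* atomic replace on POSIX */
#endif
}
/* Load into buf; returns the length, or -1 if the file is missing, torn or corrupt. */
long load_state(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "rb"); if (!f) return -1;
    uint32_t len, sum; long r = -1;
    if (fread(&len, 4, 1, f) == 1 && len < cap && fread(buf, 1, len, f) == len
        && fread(&sum, 4, 1, f) == 1 && sum == checksum(buf, len)) { buf[len] = 0; r = len; }
    fclose(f); return r;
}
#ifdef _WIN32   /* graceful path: End Task on a console app delivers CTRL_CLOSE_EVENT here */
static const char *g_path, *g_data;           /* assumed: pointers to the app's live state */
static BOOL WINAPI on_ctrl(DWORD ev) {
    if (ev == CTRL_CLOSE_EVENT) save_state(g_path, g_data);
    return ev == CTRL_CLOSE_EVENT;            /* TRUE = handled; TerminateProcess never arrives here */
}
int install_handler(const char *path, const char *data) { g_path = path; g_data = data;
    return SetConsoleCtrlHandler(on_ctrl, TRUE) ? 0 : -1;
}
#endif
```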
No, especially because the protection can be easily removed. This is how I would kill your process if it had RtlSetProcessIsCritical():
Step 1:
Gain Elevation via a SE technique using either Services or cmd.exe
Step 2:
Inject into your process, nothing is stopping me
Step 3:
Set the first parameter of RtlSetProcessIsCritical() to 0, in other words removing the protection
Step 4:
Kill the Process.
____________
As you may see, it needs a little bit of creativity to bypass even the Windows API functions. But I am sure others can think like this as well.
____________
Try to be more creative; don't use the same old methods.
Well, still no. I can still do code injection rather than DLL injection. Additionally, I can load my DLL through there.
Next, I can even do a PE injection, or a custom injection, or kernel injection.