We are trying to create a security application as a part of our college project.

We understand there are no real unkillable processes. What we are trying to create is a process that can't be killed from Task Manager (or any other easy way).

For example, try killing Kaspersky's AVP process. You will always end up with "Unable to terminate process" and "Operation could not be performed".

What I have tried:

I've been searching around the web for days and always kept ending up at results like "No, you cannot do it", "No, you should not do it"

And keep on ending up here: Unterminable process

What we would like

Some help on identifying the issues we need to address, or tricks others have used, or links or pointers to help us get a handle on this problem.
Updated 10-Nov-21 8:31am
Comments
Afzaal Ahmad Zeeshan 30-Jun-17 5:05am    
You cannot do that. Why would you even want to do that?

If you want Windows to automatically start the process, why not consider Windows Services?
T.s. Arun 4-Jul-17 1:42am    
Planning on developing a security suite. What good would it be worth if it is going to be killed easily by any rookie malware out there?

Hi,

You can absolutely do this but it is a lot of work and will require a very high level of expertise.

1.) You will need to create a signed ELAM driver. You can put your workstation in Test Mode and generate a self-signed EKU certificate.

2.) You will need to create a system service that runs as a protected service.

3.) From the protected system service you may launch child processes which will run as a protected process. Note that protected processes cannot have any GUI threads.

All of the DLLs and executables involved need to be signed by the same certificate. You will need to generate special certificates with the 1.3.6.1.5.5.7.3.3 (code signing) and 1.3.6.1.4.1.311.61.4.1 (early-launch) EKUs.

Something like this:
makecert.exe -a SHA256 -r -pe -ss YourCertStore -n "CN=YourTestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 -sr localmachine YourTestElam.cer


Good luck. There are a lot of missing steps in this brief summary.

Best Wishes,
-David Delaune
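The three steps above, carried through end to end, as an added example (this is not code from the answer or from any vendor's product). It is PowerShell, run elevated on a Windows 8.1+ machine with test signing enabled (bcdedit /set testsigning on, then reboot). Everything named here is an assumption for illustration: the ELAM driver MyElam.sys, the service binary MyProtectedSvc.exe already installed as the service "MyProtectedSvc", the child MyProtectedChild.exe, and signtool.exe on PATH. The New-SelfSignedCertificate parameters used (-Type, -TextExtension) exist in the Windows 10 and later PKI module; on older systems the makecert.exe line in the answer produces the same certificate. The P/Invoke wrapper class Win32.Ppl is the example's own; the APIs it calls (ChangeServiceConfig2 with SERVICE_CONFIG_LAUNCH_PROTECTED, InstallELAMCertificateInfo) are the Win32 ones, and the InstallELAMCertificateInfo call is one of the steps the answer's summary leaves out: it assumes the driver already carries the MicrosoftElamCertificateInfo resource listing this certificate.

```powershell
# Added example: test-mode cert with both EKUs, sign the whole chain, register the
# ELAM cert info, and have the SCM launch the service as a protected (antimalware-light) process.
$ErrorActionPreference = 'Stop'
$ServiceName = 'MyProtectedSvc'                                   # assumption: already created with sc.exe
$Files       = @('.\MyElam.sys', '.\MyProtectedSvc.exe', '.\MyProtectedChild.exe')   # assumed names

# 1) One certificate carrying both EKUs the answer names:
#    1.3.6.1.5.5.7.3.3 (Code Signing) and 1.3.6.1.4.1.311.61.4.1 (Early Launch Antimalware).
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=YourTestElam' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.61.4.1')

# Test mode only: trust the self-signed cert on this machine so chain validation passes.
$cerPath = Join-Path $env:TEMP 'YourTestElam.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2) Driver, service and child are all signed with the same certificate, then verified.
foreach ($f in $Files) {
    & signtool.exe sign /v /fd SHA256 /sm /s My /sha1 $cert.Thumbprint $f
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $f" }
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        throw "signature check failed for $f ($($sig.Status))"
    }
}

# 3) Win32 wrappers (the example's own declarations of documented APIs).
Add-Type -Namespace Win32 -Name Ppl -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct SERVICE_LAUNCH_PROTECTED_INFO { public uint dwLaunchProtected; }

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenSCManager(string machine, string db, uint access);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenService(IntPtr scm, string name, uint access);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool ChangeServiceConfig2(IntPtr svc, uint level, ref SERVICE_LAUNCH_PROTECTED_INFO info);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr h);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool InstallELAMCertificateInfo(IntPtr hElamFile);
'@

# Register the certificate embedded in the ELAM driver (assumes the driver's
# MicrosoftElamCertificateInfo resource lists the cert created above).
$fs = [System.IO.File]::OpenRead((Resolve-Path '.\MyElam.sys'))
try {
    if (-not [Win32.Ppl]::InstallELAMCertificateInfo($fs.SafeFileHandle.DangerousGetHandle())) {
        throw "InstallELAMCertificateInfo failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
} finally { $fs.Dispose() }

# Ask the SCM to launch the service as antimalware-light protected (PPL).
$SC_MANAGER_CONNECT                         = 0x0001
$SERVICE_CHANGE_CONFIG                      = 0x0002
$SERVICE_CONFIG_LAUNCH_PROTECTED            = 12
$SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT = 3

$scm = [Win32.Ppl]::OpenSCManager($null, $null, $SC_MANAGER_CONNECT)
if ($scm -eq [IntPtr]::Zero) { throw "OpenSCManager failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
$svc = [Win32.Ppl]::OpenService($scm, $ServiceName, $SERVICE_CHANGE_CONFIG)
if ($svc -eq [IntPtr]::Zero) { throw "OpenService failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
$info = New-Object -TypeName 'Win32.Ppl+SERVICE_LAUNCH_PROTECTED_INFO'
$info.dwLaunchProtected = $SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT
$ok  = [Win32.Ppl]::ChangeServiceConfig2($svc, $SERVICE_CONFIG_LAUNCH_PROTECTED, [ref]$info)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
[void][Win32.Ppl]::CloseServiceHandle($svc); [void][Win32.Ppl]::CloseServiceHandle($scm)
if (-not $ok) { throw "ChangeServiceConfig2 failed: $err" }

# 4) Check: the SCM now reports the launch protection level for the service.
& sc.exe qprotection $ServiceName
```

Two caveats a practitioner will hit. First, the SCM only honours the protection level if the service binary's signature chains to the certificate registered through the ELAM driver; a mismatch means the service starts unprotected or fails to start, which is why every file is signed with the one certificate above. Second, the self-signed route works only with test signing on; shipping an ELAM driver to real machines requires Microsoft's ELAM signing, which is the expertise and paperwork the answer is alluding to.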
 
Comments
T.s. Arun 4-Jul-17 1:45am    
But Windows protected services are available only from Windows 8.1 up. We are primarily developing for XP and Vista. I read something about its backward compatibility with Vista. But what about XP?
[no name] 4-Jul-17 9:38am    
First: There are two ways to kill a process on Microsoft Windows.

1.) Nicely with a WM_CLOSE message.
2.) Forcefully with TerminateProcess, which kills and destroys the process, potentially leaving many of the process's handles and objects remaining in the kernel. In other words, this one can cause a resource leak.

To handle the NICE method: For Windows XP you simply need to handle/intercept the WM_CLOSE window message in a GUI app or the CTRL_CLOSE_EVENT on a console application to prevent 'End Task' from the Windows XP Task manager.

Task manager on Windows XP calls the EndTask function to kill a process.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms633492(v=vs.85).aspx

The forceful method to kill a process: To prevent your process from the forced termination on Windows XP you can hook NtTerminateProcess from a kernel-mode device driver and filter by process id (PID).

You are encouraged to not do these things... the method I gave in my original answer is how anti-virus and security products protect their usermode process. My original answer is the only Microsoft sanctioned method for protecting a process from usermode termination.

Best Wishes,
-David Delaune
T.s. Arun 6-Jul-17 6:34am    
Sorry for my ignorance.
Are you suggesting we develop different product implementations for different OSes?

It is legitimate to go with Windows Protected Service. But what shall we do about XP computers?
And is Windows Protected Service even compatible with Windows 7 and Vista?

Should we develop a separate EXE for XP that hooks itself with NtTerminateProcess?
[no name] 6-Jul-17 17:21pm    
There is no such thing as a stupid question. Everyone has to start somewhere.

Yes, if you plan on supporting outdated operating systems such as Windows XP and a modern OS then you will most likely need to implement multiple techniques.

I believe protected processes are only supported on Vista and above. There are additional requirements for Windows 10... it's a moving target.

In the old XP days it was common for nearly all commercial security vendors to implement an SSDT hook of NtTerminateProcess and NtCreateProcess via a device driver to both protect the anti-malware process and filter process creation/termination. Today these techniques are frowned upon and completely unsupported. You cannot do this on Vista+ operating systems due to KPP/PatchGuard.

Again, the only Microsoft sanctioned technique for protecting a process is the Microsoft ELAM program outlined in my solution above.
T.s. Arun 7-Jul-17 2:05am    
Thank you for your patience.

Since Microsoft has dropped its support for Windows XP, I understand that's why they are not extending Protected Service to XP.

Can you elaborate a bit about how to register one product as a Windows protected service? Is it only available for anti-malware? How about a security suite that provides USB management, data protection and similar stuff? Can Windows protected service be extended to security suites like that?
You can do that in 5 ways.

1. Have a signed kernel driver and run your process as protected through it (the most recommended).

2. Use the RtlSetProcessIsCritical function in ntdll.dll to flag your process as a critical system process.

3. Make 2 processes; if one terminates, the other one starts it again.

4. Use system exploits to gain kernel privileges or to load an unsigned kernel driver.

5. This technique, which I will tell you about, is used by usermode rootkits that hook functions in Task Manager (some other rootkits hook every process they can hook). The function they hook is TerminateProcess, to return ERROR_ACCESS_DENIED if it is called to terminate your process; if it wasn't your process, termination continues normally. I don't recommend this technique because a lot of AVs will flag you as a rootkit.
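Option 1 above and the AVP observation in the question are two sides of the same mechanism, so here is an added example (not code from either answer) that lets you verify it from the outside: a PowerShell check that reads a process's protection level and then tries exactly what Task Manager's "End task" does, OpenProcess with PROCESS_TERMINATE. For a PP or PPL target the kernel refuses that handle to any less-protected caller, administrator or not, with ERROR_ACCESS_DENIED (5); that is the "Unable to terminate process" in the question. The function names Get-ProcessProtection and Test-CanTerminate and the wrapper class Win32.Proc are this example's own. The protection query uses the undocumented PROCESSINFOCLASS value 61 (ProcessProtectionInformation) and the PS_PROTECTION bit layout (type in bits 0-2, audit in bit 3, signer in bits 4-7); these are stable from Windows 8.1 through current releases but are not a documented contract.

```powershell
# Added example: read PS_PROTECTION for a PID and test whether a PROCESS_TERMINATE handle can be opened.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr h, int infoClass, out byte info, int len, out int retLen);
'@

$PROCESS_TERMINATE                 = 0x0001
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # granted even on protected processes
$ProcessProtectionInformation      = 61       # undocumented: returns the 1-byte PS_PROTECTION

# PS_PROTECTION layout: bits 0-2 = Type, bit 3 = Audit, bits 4-7 = Signer
$Types   = @('None', 'ProtectedLight (PPL)', 'Protected (PP)')
$Signers = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem', 'App')

function Get-ProcessProtection {
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess(QUERY_LIMITED) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [byte]$level = 0; [int]$ret = 0
        $status = [Win32.Proc]::NtQueryInformationProcess($h, $ProcessProtectionInformation, [ref]$level, 1, [ref]$ret)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status) }
    } finally { [void][Win32.Proc]::CloseHandle($h) }
    [pscustomobject]@{
        ProcessId = $ProcessId
        Level     = $level
        Type      = $Types[$level -band 0x7]
        Signer    = $Signers[($level -shr 4) -band 0xF]
        Audit     = [bool]($level -band 0x8)
    }
}

function Test-CanTerminate {
    param([Parameter(Mandatory)][int]$ProcessId)
    # "End task" boils down to OpenProcess(PROCESS_TERMINATE) followed by TerminateProcess.
    # Only the handle open is attempted here; nothing is terminated.
    $h = [Win32.Proc]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        return [pscustomobject]@{
            ProcessId    = $ProcessId
            CanTerminate = $false
            Win32Error   = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = ERROR_ACCESS_DENIED
        }
    }
    [void][Win32.Proc]::CloseHandle($h)
    [pscustomobject]@{ ProcessId = $ProcessId; CanTerminate = $true; Win32Error = 0 }
}

# Usage: survey every process and list the protected ones, which are the ones Task Manager cannot kill.
Get-Process | ForEach-Object {
    try {
        $p = Get-ProcessProtection -ProcessId $_.Id
        $t = Test-CanTerminate -ProcessId $_.Id
        [pscustomobject]@{
            Name = $_.ProcessName; PID = $_.Id; Type = $p.Type; Signer = $p.Signer
            TerminateHandle = $t.CanTerminate; Win32Error = $t.Win32Error
        }
    } catch { }   # process exited mid-enumeration, or a handle could not be opened at all
} | Where-Object Type -ne 'None' | Format-Table -AutoSize
```

Run elevated, the table shows csrss, services and similar as WinTcb/Windows protected, and an anti-malware engine as PPL with the Antimalware signer; for all of them TerminateHandle is False with Win32Error 5, while ordinary processes return True. The same check is the acceptance test for option 1: until your own service shows up here as ProtectedLight with signer Antimalware, nothing is protecting it. Options 2 through 5 show up as Type 'None' in this table, which is the practical difference: they rely on side effects (a bugcheck, a restart race, a usermode hook) rather than on the kernel refusing the handle.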
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


