We are trying to create a security application as a part of our college project.

We understand there are no real unkillable processes. What we are trying to create is a process that can't be killed from Task Manager (or any other easy way).

For example, try killing Kaspersky's AVP process. You will always end up with "Unable to terminate process" and "Operation could not be performed".

What I have tried:

I have been searching around the web for days and always kept ending up at results like "No, you cannot do it" and "No, you should not do it".

And I keep ending up here: Unterminable process

What we would like:

Some help on identifying the issues we need to address, or tricks others have used, or links or pointers to help us get a handle on this problem.
Updated 6-Jul-17 10:13am
Comments
Afzaal Ahmad Zeeshan 30-Jun-17 5:05am
You cannot do that. Why would you even want to do that?

If you want Windows to automatically start the process, why not consider Windows Services?
T.s. Arun 4-Jul-17 1:42am
Planning on developing a security suite. What good would it be worth if it is going to be killed easily by any rookie malware out there?

1 solution


Solution 1

Hi,

You can absolutely do this but it is a lot of work and will require a very high level of expertise.

1.) You will need to create a signed ELAM driver. You can put your workstation in Test Mode and generate a self-signed EKU certificate.

2.) You will need to create a system service that runs as a protected service.

3.) From the protected system service you may launch child processes which will run as protected processes. Note that protected processes cannot have any GUI threads.

All of the DLLs and executables involved need to be signed by the same certificate. You will need to generate special certificates with the 1.3.6.1.5.5.7.3.3 (code signing) and 1.3.6.1.4.1.311.61.4.1 (early launch) EKUs.

Something like this:
makecert.exe -a SHA256 -r -pe -ss YourCertStore -n "CN=YourTestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 -sr localmachine YourTestElam.cer


Good luck. There are a lot of missing steps in this brief summary.

Best Wishes,
-David Delaune
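As an added check (not part of the answer above or of any Microsoft sample; the file paths are placeholders), this PowerShell script confirms that every binary in the package is Authenticode-signed by a single certificate carrying both EKUs the answer names:

```powershell
# Added example, not from the answer: verify that each binary of a protected-service
# package is signed, that the signer carries both required EKUs, and that all binaries
# share one signing certificate. File paths below are placeholders.
$RequiredEkus = @{
    '1.3.6.1.5.5.7.3.3'      = 'Code Signing'
    '1.3.6.1.4.1.311.61.4.1' = 'Early Launch Anti-Malware driver'
}
$Binaries = @(
    'C:\Build\YourTestElam.sys',   # placeholder: ELAM driver
    'C:\Build\YourService.exe',    # placeholder: protected service executable
    'C:\Build\YourHelper.dll'      # placeholder: DLL loaded by the service
)

function Get-SignerEkus([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    # Read the Enhanced Key Usage extension (OID 2.5.29.37) directly from the certificate.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] $ext).EnhancedKeyUsages |
        ForEach-Object { $_.Value }
}

$thumbprints = @()
foreach ($file in $Binaries) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    if (-not $sig.SignerCertificate) {
        Write-Warning "$file is not signed (status: $($sig.Status))"
        continue
    }
    # A self-signed Test Mode certificate reports a non-Valid status here until it is
    # placed in the machine's trusted root store; the EKU check below still runs.
    if ($sig.Status -ne 'Valid') { Write-Warning "$file : signature status is $($sig.Status)" }

    $cert = $sig.SignerCertificate
    $present = Get-SignerEkus $cert
    foreach ($oid in $RequiredEkus.Keys) {
        if ($present -notcontains $oid) {
            Write-Warning "$file : signer lacks EKU $oid ($($RequiredEkus[$oid]))"
        }
    }
    $thumbprints += $cert.Thumbprint
    '{0}: signed by {1} [{2}]' -f $file, $cert.Subject, $cert.Thumbprint
}

if (@($thumbprints | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'The binaries are signed by different certificates; they must all share one.'
}
```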
Comments
T.s. Arun 4-Jul-17 1:45am
But Windows protected services are only available from Windows 8.1. But we are primarily developing for XP and Vista. I read something about its backward compatibility with Vista. But what about XP?
Randor 4-Jul-17 9:38am
First: There are two ways to kill a process on Microsoft Windows.

1.) Nicely with a WM_CLOSE message.
2.) Forcefully with TerminateProcess, which kills and destroys the process, potentially leaving many of the process's handles and objects remaining in the kernel. In other words, this one can cause a resource leak.

To handle the NICE method: For Windows XP you simply need to handle/intercept the WM_CLOSE window message in a GUI app or the CTRL_CLOSE_EVENT on a console application to prevent 'End Task' from the Windows XP Task manager.

Task manager on Windows XP calls the EndTask function to kill a process.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms633492(v=vs.85).aspx

The forceful method to kill a process: To prevent your process from the forced termination on Windows XP you can hook NtTerminateProcess from a kernel-mode device driver and filter by process id (PID).

You are encouraged to not do these things... the method I gave in my original answer is how anti-virus and security products protect their usermode process. My original answer is the only Microsoft sanctioned method for protecting a process from usermode termination.

Best Wishes,
-David Delaune
T.s. Arun 6-Jul-17 6:34am
Sorry for my ignorance.
Are you suggesting that we develop different product implementations for different OSes?

It is legit to go with Windows Protected Service. But what shall we do about XP computers?
And is Windows protected service even compatible with Windows 7 and Vista?

Should we develop a separate EXE for XP that hooks itself with NtTerminateProcess?
Randor 6-Jul-17 17:21pm
There is no such thing as a stupid question. Everyone has to start somewhere.

Yes, if you plan on supporting outdated operating systems such as Windows XP and a modern OS then you will most likely need to implement multiple techniques.

I believe protected processes are only supported on Vista and above. There are additional requirements for Windows 10... it's a moving target.

In the old XP days it was common for nearly all commercial security vendors to implement SSDT hook of NtTerminateProcess and NtCreateProcess via device driver to both protect the anti-malware process and filter process creation/termination. Today these techniques are frowned upon and completely unsupported. You cannot do this on Vista+ operating systems due to KPP/PatchGuard.

Again, the only Microsoft sanctioned technique for protecting a process is the Microsoft ELAM program outlined in my solution above.
T.s. Arun 7-Jul-17 2:05am
Thank you for your patience.

Since Microsoft has dropped its support for Windows XP, I understand that's why they are not extending Protected Service to XP.

Can you elaborate a bit on how to register a product as a Windows protected service? Is it only available for anti-malware? How about a security suite that provides USB management, data protection and similar things? Can Windows protected service be extended to security suites like that?
Randor 7-Jul-17 8:31am
You should refer to the Microsoft documentation for Early Launch Anti-Malware and have a look at the code sample:

https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam

The instructions for installing it as a system service are there.

I do not have an answer for the second part of your question; you are asking me to define what 'Anti-Malware' covers.

Keep in mind that there is a difference between 'University Research Projects' and commercial product development. If your team intends to release a commercial product there are many prerequisites:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-prerequisites

Best Wishes,
-David Delaune
[no name] 6-Jul-17 20:21pm
An interesting and useful answer about something new to me. As for the voting??

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)