A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #7713  by Alex
 Wed Jul 27, 2011 6:00 pm
You can, for example, try to hide your process or use some tricks like in this PoC (Sudami KillMe), but a user that has admin rights can use a million + 1 ways to terminate your program.
 #14700  by Xearinox
 Tue Jul 17, 2012 11:06 am
What is the sense in protecting from kernel-mode access? Absolutely no sense and a waste of time.
I can kill your process simple having only PEPROCESS.
Dear EP_X0FF, how to get "simple having only PEPROCESS" ? :?
 #14706  by EP_X0FF
 Tue Jul 17, 2012 3:28 pm
Xearinox wrote:Dear EP_X0FF, how to get "simple having only PEPROCESS" ? :?
What? PsLookupProcessByProcessId, then do whatever you want with the process.
 #14771  by EP_X0FF
 Fri Jul 20, 2012 11:27 am
Xearinox wrote:Och, I think, you know different method. :)
ObReferenceObjectByHandle, KeStackAttachProcess, write junk to UM, detach, dereference. I don't understand your question, if any.