A forum for reverse engineering, OS internals and malware analysis 

ZwTerminateProcess - catch all killing attempts?

Forum for discussion about kernel-mode development.

ZwTerminateProcess - catch all killing attempts?

 #21670  by Xearinox
 Fri Dec 13, 2013 5:49 am
Hello.
If I hook ZwTerminateProcess, is possible kill my process without this function?
I have in the mind, if I kill all threads of the process, process is useless, but how this internally work ? Is safe assumed hooking ZwTerminateProcess is 'bulletproof' ? Thanks.

Re: ZwTerminateProcess - catch all killing attempts?

 #21675  by Xearinox
 Fri Dec 13, 2013 6:45 pm
Re: ZwTerminateProcess - catch all killing attempts?

Post by TETYYSs » Fri Dec 13, 2013 10:26 am

Xearinox wrote:Hello.
If I hook ZwTerminateProcess, is possible kill my process without this function?
I have in the mind, if I kill all threads of the process, process is useless, but how this internally work ? Is safe assumed hooking ZwTerminateProcess is 'bulletproof' ? Thanks.


http://wj32.org/wp/2009/05/10/12-ways-t ... a-process/
This I know ;) , maybe my question is bad formated.

Simply: Killing all threads call Nt/ZwTerminateProcess or not ?

Re: ZwTerminateProcess - catch all killing attempts?

 #21683  by rinn
 Sat Dec 14, 2013 1:44 pm
Hello.
Xearinox wrote:Simply: Killing all threads call Nt/ZwTerminateProcess or not ?
NtTerminateProcess terminates all running threads of the given process in a cycle. If there are no other working threads process is deleted. If you need complete details see WRK. If you only intercept NtTerminateProcess there will be other ways to end it work.

Best Regards,
-rin

Re: ZwTerminateProcess - catch all killing attempts?

 #21684  by Vrtule
 Sat Dec 14, 2013 8:47 pm
Simply: Killing all threads call Nt/ZwTerminateProcess or not ?
If you are asking whether the NtTerminateProcess is called when all threads of a given process are terminated (i.e. by NtTerminateThread), I think the repsponse is NO. In such situation, the system would not use handle to identify the (empty) process, it would prefer pointer to the process object instead (since it already knows it).
 Return to “Kernel-Mode Development”