how procexp kill handle of other process?

#11701 by R00tKit
Mon Feb 20, 2012 11:04 am

hi
it use

KeStackAttachProcess -> ZwClose -> KeUnstackDetachProcess

method??

in my first speedy check it dont close handle in user mode with DUPLICATE_CLOSE_SOURCE

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact

Re: how procexp kill handle of other process?

#11712 by everdox
Tue Feb 21, 2012 5:28 am

you should not be doing that. use NtDuplicateObject.

Username

everdox

Posts

30

Joined

Mon Dec 26, 2011 4:07 am

Re: how procexp kill handle of other process?

#11713 by EP_X0FF
Tue Feb 21, 2012 6:39 am

geek1982 wrote:hi
it use
KeStackAttachProcess -> ZwClose -> KeUnstackDetachProcess
method??

in my first speedy check it dont close handle in user mode with DUPLICATE_CLOSE_SOURCE

PsLookupProcessByProcessId
KeAttachProcess
ObReferenceObjectByHandle
NtClose
ObfDereferenceObject
KeDetachProcess
ObDereferenceObject

There is function called from it dispatch routine, for v15 it's at 0x10002030.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: how procexp kill handle of other process?

#11715 by R00tKit
Tue Feb 21, 2012 7:54 am

so my guess is true :)
thanks :)

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact