Question

I'm writing a program that will terminate any given process. Link to my code: Link

I expect it to terminate any process, bypassing any hooks. But security software can still block the termination (I've tested with Sandboxie and ProcessGuard so far)?

I can't understand how they can do that. My program rewrites functions and I expect to remove hooks this way.

How can I bypass hooks? What am I missing in this code?

P.S.: This program crashes on the third ZwTerminateProcess call. Can someone help with this, please?

Thanks in advance.


Solution

Sometimes, AV and sandboxing software will end up modifying function pointer tables in the kernel. Short of writing a driver, there is no easy way to get around that, because the functionality may be disabled system-wide (what AVs do) or for a particular application (what sandboxes would do).

If you are actually able to open a handle to the process, you can still do a lot of things. Maybe you could try killing it indirectly. I would try to write directly to the process' memory and overwrite it with garbage (or calls to ExitProcess).

Licensed under: CC-BY-SA with attribution