To make a process invincible on Windows Nt, 2000 and XP, we can intercept the system service- ZwTerminateProcess(), called each time an application or driver requests to terminate a process. Since we are doing this in Kernel Mode- the central part of the operating system, hooking ZwTerminateProcess() in ntoskrnl.exe will catch the call from any single application, dll or driver.

Upon modifying the correct pointer in the system service table for ZwTerminateProcess(), we’ll have changed it to the address of our hook procedure. Inside the new procedure we must do a bit of process checking- If indeed a process is trying to terminate ours we must return STATUS_ACCESS_DENIED; otherwise our hook function should make the call to the original ZwTerminateProcess() system service.


NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
    IN HANDLE   ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
);


The problem is that once we’ve hooked ZwTerminateProcess(), we don't actually know the name of the process trying to being terminated- we are only given a HANDLE ProcessHandle to it in the first argument. Unlike in user-mode, we can't rely on the API functions provided by the PSAPI [.dlls aren't linked to drivers operating in Kernel Mode] such as GetModuleBaseName() in PSAPI.DLL to get the name of the process the HANDLE refers to. To overcome this, Kernel Support Routines [Functions provided by the Kernel] are used directly.


NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess (
    IN HANDLE           ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID           ProcessInformation,
    IN ULONG            ProcessInformationLength,
    OUT PULONG          ReturnLength OPTIONAL
);


One Kernel support routine, ZwQueryInformationProcess() accepts a ProcessHandle and fills the fields of the passed in PROCESS_BASIC_INFORMATION structure.


typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS            ExitStatus;
    PPEB                PebBaseAddress;
    KAFFINITY           AffinityMask;
    KPRIORITY           BasePriority;
    ULONG               UniqueProcessId;
    ULONG               InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;


We aren't there yet though; as you can see- there is no variable that holds the ImageFileName- only the ProcessID [UniqueProcessId]. This is no problem however, as we have PsLookupProcessByProcessId().


NTSYSAPI
NTSTATUS
NTAPI
PsLookupProcessByProcessId (
    IN ULONG        ProcessId,
    OUT PEPROCESS       *Process
);


This function takes the UniqueProcessId of a process [we obtained using ZwQueryInformationProcess()] and outputs the fields of a _EPROCESS structure- This structure is large and varies significantly between Major Windows Versions.


typedef struct _EPROCESS {
    KPROCESS            Pcb;
    EX_PUSH_LOCK        ProcessLock;
    ...

    UCHAR               ImageFileName[16];
    ...

    UCHAR               PriorityClass;
    BOOLEAN             WorkingSetAcquiredUnsafe;
} EPROCESS, *PEPROCESS;


And there it is, UCHAR ImageFileName[16]- the start address in memory of the name of the process being terminated.

All we need to do now is perform a simple memory comparison- checking to see that it is indeed our application trying to be terminated. If so we simply return STATUS_ACCESS_DENIED.


if(0 == memcmp(&pEProcess->ImageFileName[0], "ExeName", 7))
{
    return STATUS_ACCESS_DENIED;
}


Have fun ;)

read comments (7) / write comment

recent comments:

simpler	akcom	18.Jun:15:01
Thanks	metro_mystery	16.Jun:05:37
Shorter method?	fuzen_op	15.Jun:16:00
ZwQueryInformationProcess failure?	dsei	14.Jun:16:45

printer-friendly version