flat assembler
Message board for the users of flat assembler.

Disable kill my process (Windows)

lilljocke 25 Jun 2006, 19:22
Hi

I'm coding an "Internet Cafe" program and I want to hide/disable my process so the users in the internet cafe can't kill my process or see it and get unlimited time in the internet cafe. So I have read about NT services, but I have not found out whether it is going to be killable. I have also thought about installing a hook with CreateRemoteThread on winlogon.exe, but I don't think it is going to work :(
Maybe I can create some DLL and let Windows load it somehow??

Please help me to hide this program.
okasvi 25 Jun 2006, 22:14
There are plenty of open-source user- and kernel-mode rootkits which are good for learning. Google / rootkit.com
lilljocke 26 Jun 2006, 02:20
What is a rootkit??
Can you show me a sample?
RedGhost 26 Jun 2006, 06:43
Executing ring0 code from ring3:
http://www.codeproject.com/system/soviet_kernel_hack.asp

Code made by a German coder friend of mine to remove your PE exe from the ring0 EPROCESS list (even kernel-level debuggers won't see it):
http://www.cheat-network.net/board/thread.php?threadid=814

_________________
redghost.ca
lilljocke 26 Jun 2006, 17:56
What should I do when I am in ring0? Does that make my process unkillable?
okasvi 26 Jun 2006, 21:12
lilljocke wrote:
What should I do when I am in ring0? Does that make my process unkillable?

Many things can be done. One would be to hook certain functions from the SDT to hide it or just prevent killing it, and another thing that could be done is DKOM, which is a more advanced technique described in the book "Rootkits: Subverting the Windows Kernel".

_________________
When We Ride On Our Enemies
support reverse smileys |:
lilljocke 26 Jun 2006, 22:27
I don't know what SDT is :(
I just want to do this simply so I don't have to rewrite the program I have coded so far.
blacky 18 Jul 2006, 04:17
Then you must read more about the subject at hand.
f0dder 18 Jul 2006, 11:04
You don't need rootkits or kernel-mode code - just make sure the user accounts run non-privileged and your control application runs privileged, and they won't be able to kill it.

Also, replacing shell=explorer.exe with something else adds a (tiny) bit of security.
RedGhost 20 Jul 2006, 00:19
f0dder wrote:
You don't need rootkits or kernel-mode code - just make sure the user accounts run non-privileged and your control application runs privileged, and they won't be able to kill it.

Also, replacing shell=explorer.exe with something else adds a (tiny) bit of security.

But the legit ways are no fun 8)

_________________
redghost.ca
f0dder 20 Jul 2006, 10:12
RedGhost wrote:
f0dder wrote:
You don't need rootkits or kernel-mode code - just make sure the user accounts run non-privileged and your control application runs privileged, and they won't be able to kill it.

Also, replacing shell=explorer.exe with something else adds a (tiny) bit of security.

But the legit ways are no fun 8)

They work, though, and won't trigger antivirus scanners or people's suspicion...

_________________
carpe noctem
Basic2 10 Aug 2006, 03:24
Search for a process called taskmgr.exe; if found, kill it :)
jbojarczuk 09 Sep 2006, 01:36
Turn your application into a service.

Your entry point changes just a little bit, but the rest of the application is pretty much the same. There was an article on it in DDJ (Dr. Dobb's Journal).

Check out http://msdn.microsoft.com/library/en-us/dllproc/base/services.asp

Have fun.
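As an added example (not code from the thread or from any of its posters), here is a minimal fasm skeleton of the service approach jbojarczuk describes, which also realises f0dder's point about privilege separation: a service installed to run as LocalSystem is started by the Service Control Manager, so a standard (non-admin) cafe user does not hold PROCESS_TERMINATE access on it and cannot end it from Task Manager, while the control handler still lets an administrator stop it cleanly with "sc stop" or "net stop". Nothing is hidden, so no antivirus or driver tricks are involved. The service name CafeControl is a constructed placeholder; the code assumes fasm's standard win32a.inc together with the api\kernel32.inc and api\advapi32.inc import lists, and it defines the SCM constants it needs itself.

```asm
; Added example: minimal Win32 service in flat assembler (not from the thread).
; Assumes win32a.inc plus api\kernel32.inc and api\advapi32.inc from the fasm package.
format PE GUI 4.0
entry start

include 'win32a.inc'

; SCM constants (same values as in the Windows SDK); redefinition is harmless in fasm
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_STOPPED           = 1
SERVICE_START_PENDING     = 2
SERVICE_STOP_PENDING      = 3
SERVICE_RUNNING           = 4
SERVICE_ACCEPT_STOP       = 1
SERVICE_CONTROL_STOP      = 1
INFINITE                  = 0FFFFFFFFh

section '.data' data readable writeable

  svcName   db 'CafeControl',0            ; constructed service name (placeholder)

  ; SERVICE_TABLE_ENTRY array for StartServiceCtrlDispatcher, NULL-terminated
  svcTable  dd svcName, ServiceMain
            dd 0, 0

  hStatus   dd ?                          ; SERVICE_STATUS_HANDLE from the SCM
  hStopEvt  dd ?                          ; manual-reset event set by the STOP control

  ; SERVICE_STATUS structure (7 DWORDs); dwCurrentState is updated before each report
  svcStatus dd SERVICE_WIN32_OWN_PROCESS  ; dwServiceType
            dd SERVICE_START_PENDING      ; dwCurrentState
            dd SERVICE_ACCEPT_STOP        ; dwControlsAccepted: admins may stop us cleanly
            dd 0                          ; dwWin32ExitCode
            dd 0                          ; dwServiceSpecificExitCode
            dd 0                          ; dwCheckPoint
            dd 0                          ; dwWaitHint

section '.text' code readable executable

start:
        ; Hand the main thread to the SCM; it calls ServiceMain on its own thread
        ; and this call returns only when every service in the table has stopped.
        invoke  StartServiceCtrlDispatcher, svcTable
        invoke  ExitProcess, 0

; ServiceMain(DWORD argc, LPSTR *argv) - stdcall callback invoked by the SCM
proc ServiceMain argc, argv
        invoke  RegisterServiceCtrlHandler, svcName, CtrlHandler
        mov     [hStatus], eax
        test    eax, eax
        jz      .done                     ; registration failed: nothing more to do

        invoke  CreateEvent, 0, 1, 0, 0   ; manual-reset, initially non-signalled
        mov     [hStopEvt], eax

        ; Report RUNNING to the SCM so "sc query" shows the service as started
        mov     dword [svcStatus+4], SERVICE_RUNNING
        invoke  SetServiceStatus, [hStatus], svcStatus

        ; The real control application work would go here; this skeleton
        ; simply blocks until an administrator stops the service.
        invoke  WaitForSingleObject, [hStopEvt], INFINITE

        mov     dword [svcStatus+4], SERVICE_STOPPED
        invoke  SetServiceStatus, [hStatus], svcStatus
  .done:
        ret
endp

; CtrlHandler(DWORD control) - called by the SCM for SERVICE_CONTROL_* requests
proc CtrlHandler control
        cmp     dword [control], SERVICE_CONTROL_STOP
        jne     .ignore
        mov     dword [svcStatus+4], SERVICE_STOP_PENDING
        invoke  SetServiceStatus, [hStatus], svcStatus
        invoke  SetEvent, [hStopEvt]      ; wake ServiceMain so it can shut down
  .ignore:
        ret
endp

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          advapi32,'ADVAPI32.DLL'

  include 'api\kernel32.inc'
  include 'api\advapi32.inc'
```

Install it from an administrator prompt with sc create CafeControl binPath= "C:\path\to\cafecontrol.exe" (the path is a placeholder; note the space after binPath=), then start it with sc start CafeControl. Run the cafe accounts as standard users, as f0dder suggests, and the service process cannot be ended by them, whereas an administrator can still stop it through the SCM because the handler honours SERVICE_CONTROL_STOP.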
AsmER 15 Sep 2006, 21:11
Hi,

You can use the 'RegisterServiceProcess' system procedure. With this you can register a process which will not appear on the 'Ctrl+Alt+Del' list (where usually you can see almost all running processes). I just hope nobody is going to use it for bad things... Anyway, this proc is defined as follows:

proc RegisterServiceProcess, ProcessID:DWORD, RegType:DWORD
...
endp

ProcessID - ID of the process to be registered
RegType   - RSP_SIMPLE_SERVICE - if you want to register a process
          - RSP_UNREGISTER_SERVICE - when you want to unregister the process

And I think that should do.

Regards, AsmER

_________________
;\\ http://theasmer.spaces.live.com \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
AsmER 15 Sep 2006, 21:16
...
I forgot. You cannot use this function just like MessageBox.
You must load 'kernel32.dll' first and then call 'GetProcAddress' with the first parameter equal to the result of the 'LoadLibrary' proc and the second one a pointer to the 'RegisterServiceProcess' string.

Have good fun! >:)

AsmER

_________________
;\\ http://theasmer.spaces.live.com \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
eskizo 21 Sep 2006, 15:35
I saw somewhere that this function does not work on NT systems. Is that true?
vid 21 Sep 2006, 15:52
Quote:
I forgot. You cannot use this function just like MessageBox.
You must load 'kernel32.dll' first and then call 'GetProcAddress' with the first parameter equal to the result of the 'LoadLibrary' proc and the second one a pointer to the 'RegisterServiceProcess' string.

You say I have to load it manually... why? The loader does exactly what you described if it finds it in the imports...
f0dder 21 Sep 2006, 21:49
IIRC RegisterServiceProcess is only available on 9x, so if there isn't a dummy stub on NT, your app will fail if you bind statically.

RegisterServiceProcess is a bit stupid anyway, and (from what I've seen) mostly used by malicious idiots.
AsmER 22 Sep 2006, 11:30
f0dder wrote:
IIRC RegisterServiceProcess is only available on 9x, so if there isn't a dummy stub on NT, your app will fail if you bind statically.

RegisterServiceProcess is a bit stupid anyway, and (from what I've seen) mostly used by malicious idiots.

Actually, he didn't say he wants to use it on NT. And the reply you sent is not the nicest I have seen (I have never used it before & I hope I won't have to), but if you want to call somebody an idiot then you should start from the source. WHO WROTE IT???

_________________
;\\ http://theasmer.spaces.live.com \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
f0dder 22 Sep 2006, 11:37
When in doubt, don't make assumptions about the operating system (this would lock out 9x as well as NT-specific code). However, the original poster did write "So i have read about NT services but i have not find out if it is not going to kill", which would imply he's on NT.

As for the use of the word "idiot", sorry if you took it personally - are you coding malicious shit? ;)
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
