flat assembler
Message board for the users of flat assembler.
Windows > Disable kill my process

okasvi 25 Jun 2006, 22:14
There are plenty of open-source user- and kernel-mode rootkits which are good for learning. Google / rootkit.com

lilljocke 26 Jun 2006, 02:20
What is a rootkit?
Can you show me a sample?

RedGhost 26 Jun 2006, 06:43
Executing ring0 code from ring3:
http://www.codeproject.com/system/soviet_kernel_hack.asp
Code made by a German coder friend of mine to remove your PE exe from the ring0 EPROCESS list (even kernel-level debuggers won't see it):
http://www.cheat-network.net/board/thread.php?threadid=814
_________________
redghost.ca

lilljocke 26 Jun 2006, 17:56
What should I do when I am in Ring0? Does that make my process unkillable?

okasvi 26 Jun 2006, 21:12
lilljocke wrote: What should I do when I am in Ring0? Does that make my process unkillable?

Many things can be done. One would be to hook certain functions from the SDT to hide it or just prevent killing it, and another thing that could be done is DKOM, which is a more advanced technique described in the book "Rootkits: Subverting the Windows Kernel".
_________________
When We Ride On Our Enemies
support reverse smileys |:

lilljocke 26 Jun 2006, 22:27
I don't know what SDT is.
I just want to do this simply so I don't have to rewrite the program I have coded so far.

blacky 18 Jul 2006, 04:17
Then you must read more about the subject at hand.

f0dder 18 Jul 2006, 11:04
You don't need rootkits or kernel-mode code - just make sure the user accounts run non-privileged and your control application runs privileged, and they won't be able to kill it.
Also, replacing shell=explorer.exe with something else adds a (tiny) bit of security.

RedGhost 20 Jul 2006, 00:19
f0dder wrote: You don't need rootkits or kernel-mode code - just make sure the user accounts run non-privileged and your control application runs privileged, and they won't be able to kill it.

But the legit ways are no fun.
_________________
redghost.ca

f0dder 20 Jul 2006, 10:12
RedGhost wrote:
They work, though, and won't trigger antivirus scanners or people's suspicion...
_________________
- carpe noctem

Basic2 10 Aug 2006, 03:24
Search for a process called taskmgr.exe; if found, kill it.

jbojarczuk 09 Sep 2006, 01:36
Turn your application into a service.
Your entry point changes just a little bit, but the rest of the application is pretty much the same. There was an article on it in DDJ (Dr. Dobb's Journal). Check out http://msdn.microsoft.com/library/en-us/dllproc/base/services.asp
Have fun.

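The route f0dder and jbojarczuk describe (privileged control program, non-privileged users, no kernel code), as an added fasm example that is not code from the thread: a minimal NT service skeleton that the Service Control Manager starts under LocalSystem. The service name 'ControlSvc' is a placeholder, the SERVICE_* values are copied from winsvc.h (fasm's own equates may define them too; redefining with '=' is harmless), and the body just waits on a stop event where the real control program's work would go.

```asm
; Added example, not from the thread: a minimal Win32 service in fasm syntax.
; Installed with sc.exe (see below) it runs as LocalSystem, so a standard user
; cannot open its process with PROCESS_TERMINATE, and the SCM's default service
; DACL gives Interactive Users query rights only, not SERVICE_STOP.
format PE GUI 4.0
entry start

include 'win32a.inc'

; Values from winsvc.h
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_STOPPED           = 1
SERVICE_STOP_PENDING      = 3
SERVICE_RUNNING           = 4
SERVICE_ACCEPT_STOP       = 1
SERVICE_CONTROL_STOP      = 1

section '.data' data readable writeable
  szSvcName   db 'ControlSvc',0          ; placeholder; must match 'sc create'
  ; SERVICE_TABLE_ENTRY array terminated by a NULL/NULL pair
  svcTable    dd szSvcName, ServiceMain
              dd 0, 0
  ; SERVICE_STATUS laid out field by field
  svcStatus:
  svcType     dd SERVICE_WIN32_OWN_PROCESS
  svcState    dd SERVICE_STOPPED
  svcAccepted dd 0                        ; which controls Handler accepts
  svcExit     dd 0, 0, 0, 0               ; Win32 exit, specific exit, checkpoint, wait hint
  hStatus     dd ?                        ; SERVICE_STATUS_HANDLE
  hStopEvent  dd ?

section '.code' code readable executable
start:
  ; Hands the main thread to the SCM; returns only after the service has stopped.
  invoke StartServiceCtrlDispatcher, svcTable
  invoke ExitProcess, 0

proc ServiceMain dwArgc, lpArgv
  invoke RegisterServiceCtrlHandler, szSvcName, Handler
  test   eax, eax
  jz     .fail
  mov    [hStatus], eax
  invoke CreateEvent, 0, 1, 0, 0           ; manual-reset, initially unsignalled
  mov    [hStopEvent], eax
  mov    [svcState], SERVICE_RUNNING
  mov    [svcAccepted], SERVICE_ACCEPT_STOP
  invoke SetServiceStatus, [hStatus], svcStatus
  ; The control program's real work goes here; this stub waits for a stop request.
  invoke WaitForSingleObject, [hStopEvent], -1   ; -1 = INFINITE
  invoke CloseHandle, [hStopEvent]
  mov    [svcState], SERVICE_STOPPED
  mov    [svcAccepted], 0
  invoke SetServiceStatus, [hStatus], svcStatus
.fail:
  ret
endp

proc Handler dwControl
  cmp    [dwControl], SERVICE_CONTROL_STOP
  jne    .done
  ; Acknowledge the stop, then wake ServiceMain so it exits cleanly.
  mov    [svcState], SERVICE_STOP_PENDING
  invoke SetServiceStatus, [hStatus], svcStatus
  invoke SetEvent, [hStopEvent]
.done:
  ret
endp

section '.idata' import data readable
  library kernel32, 'KERNEL32.DLL', \
          advapi32, 'ADVAPI32.DLL'
  import  kernel32, \
          ExitProcess,         'ExitProcess', \
          CreateEvent,         'CreateEventA', \
          SetEvent,            'SetEvent', \
          CloseHandle,         'CloseHandle', \
          WaitForSingleObject, 'WaitForSingleObject'
  import  advapi32, \
          StartServiceCtrlDispatcher, 'StartServiceCtrlDispatcherA', \
          RegisterServiceCtrlHandler, 'RegisterServiceCtrlHandlerA', \
          SetServiceStatus,           'SetServiceStatus'
```

Install from an administrator prompt with `sc create ControlSvc binPath= "C:\Tools\control.exe"` (sc.exe needs the space after `binPath=`) and `sc start ControlSvc`; the path is a placeholder. Once the user accounts are plain users, as f0dder's post requires, Task Manager's End Process and `taskkill` fail with access denied because the process is owned by SYSTEM, and `sc stop`/`net stop` fail because the default service DACL grants SERVICE_STOP only to SYSTEM and Administrators. Check the effective DACL with `sc sdshow ControlSvc` after installing.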
AsmER 15 Sep 2006, 21:11
Hi,
You can use the 'RegisterServiceProcess' system procedure. With this you can register a process which will not appear in the 'Ctrl+Alt+Del' list (where usually you can see almost all running processes). I just hope nobody is going to use it for bad things... Anyway, this procedure is defined as follows:

    proc RegisterServiceProcess, ProcessID:DWORD, RegType:DWORD
      ...
    endp

ProcessID - ID of the process to be registered
RegType:
  RSP_SIMPLE_SERVICE - if you want to register a process
  RSP_UNREGISTER_SERVICE - when you want to unregister the process

And I think that should do.
Regards,
AsmER

AsmER 15 Sep 2006, 21:16
...
I forgot. You cannot use this function just like MessageBox. You must load 'kernel32.dll' first and then call 'GetProcAddress' with the first parameter equal to the result of the 'LoadLibrary' call and the second one a pointer to the 'RegisterServiceProcess' string. Have good fun.
AsmER

eskizo 21 Sep 2006, 15:35
I saw somewhere that this function does not work on NT systems. Is it true?

vid 21 Sep 2006, 15:52
Quote: I forgot. You cannot use this function just like MessageBox.

You say I have to load it manually... why? The loader does exactly what you described if it finds it in the imports...

f0dder 21 Sep 2006, 21:49
IIRC RegisterServiceProcess is only available on 9x, so if there isn't a dummy stub on NT, your app will fail if you bind statically.
RegisterServiceProcess is a bit stupid anyway, and (from what I've seen) mostly used by malicious idiots.

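The run-time binding AsmER describes, written out as an added fasm example (not code from the thread) that also covers f0dder's caveat above: the export is resolved with GetProcAddress and the program carries on when it is missing, so the image still loads on NT-family Windows, where kernel32 has no RegisterServiceProcess export and a static import would make the loader reject the executable. Assumptions: GetModuleHandle is used instead of the post's LoadLibrary, since kernel32 is already mapped into every Win32 process; the RSP_* values 0 and 1 are the Win9x SDK definitions.

```asm
; Added example, not from the thread: late-bind RegisterServiceProcess so the
; same executable runs on Win9x (where it exists) and on NT/2000/XP (where it
; does not). A static import of a missing export fails at load time instead.
format PE GUI 4.0
entry start

include 'win32a.inc'

; dwType values of the Win9x RegisterServiceProcess (from the Win9x SDK)
RSP_UNREGISTER_SERVICE = 0
RSP_SIMPLE_SERVICE     = 1

section '.data' data readable writeable
  szKernel32 db 'kernel32.dll',0
  szRSP      db 'RegisterServiceProcess',0
  szTitle    db 'RSP demo',0
  szOn9x     db 'RegisterServiceProcess found and called: process hidden from the Ctrl+Alt+Del list (Win9x).',0
  szOnNT     db 'kernel32 does not export RegisterServiceProcess here (NT family); nothing to do.',0
  szNoMod    db 'GetModuleHandle(kernel32.dll) failed.',0
  pRSP       dd ?                ; resolved address, or 0 when not exported

section '.code' code readable executable
start:
  ; kernel32 is always mapped, so GetModuleHandle suffices; LoadLibrary (as in
  ; the post) also works but increments the module's reference count.
  invoke GetModuleHandle, szKernel32
  test   eax, eax
  jz     .nomod
  invoke GetProcAddress, eax, szRSP
  mov    [pRSP], eax
  test   eax, eax
  jz     .not_exported             ; NT: GetProcAddress returns NULL, no crash

  ; Present: register ourselves. ProcessID 0 means "the calling process".
  stdcall [pRSP], 0, RSP_SIMPLE_SERVICE
  invoke MessageBox, 0, szOn9x, szTitle, MB_OK
  ; Undo the registration before exiting so the demo leaves nothing behind.
  stdcall [pRSP], 0, RSP_UNREGISTER_SERVICE
  jmp    .exit

.not_exported:
  invoke MessageBox, 0, szOnNT, szTitle, MB_OK
  jmp    .exit
.nomod:
  invoke MessageBox, 0, szNoMod, szTitle, MB_OK
.exit:
  invoke ExitProcess, 0

section '.idata' import data readable
  library kernel32, 'KERNEL32.DLL', \
          user32,   'USER32.DLL'
  import  kernel32, \
          GetModuleHandle, 'GetModuleHandleA', \
          GetProcAddress,  'GetProcAddress', \
          ExitProcess,     'ExitProcess'
  import  user32, \
          MessageBox,      'MessageBoxA'
```

The point of the `test eax, eax` after GetProcAddress is the whole difference between this and a static import: the NULL path is an ordinary branch the program handles, whereas an unresolved static import is reported by the loader before any of your code runs.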
AsmER 22 Sep 2006, 11:30
f0dder wrote: IIRC RegisterServiceProcess is only available on 9x, so if there isn't a dummy stub on NT, your app will fail if you bind statically.

Actually he didn't say he wants to use it on NT. And the reply you sent is not the nicest I have seen (I have never used it before & I hope I won't have to), but if you want to call somebody an idiot then you should start from the source: WHO WROTE IT???

f0dder 22 Sep 2006, 11:37
When in doubt, don't make assumptions about the operating system (this would lock out 9x as well as NT-specific code). However, the original poster did write "So i have read about NT services but i have not find out if it is not going to kill." which would imply he's on NT.
As for the use of the word "idiot", sorry if you took it personally - are you coding malicious shit?

Copyright © 1999-2024, Tomasz Grysztar.