A forum for reverse engineering, OS internals and malware analysis 

 #13459  by listito
 Sun May 27, 2012 11:14 pm
So, I was just thinking, what's the stealthiest way of closing another process? Creating a remote thread with a null pointer, window message flooding maybe?
 #13464  by EP_X0FF
 Mon May 28, 2012 7:48 am
"Stealthiest" in the meaning of what? Number of operations? What process? With GUI/CUI, without?
 #13496  by Brock
 Tue May 29, 2012 6:33 am
"Stealth" as in under the radar I assume. Always "within" the target process context, since this appears somewhat "normal" such as ExitProcess. This is my humble opinion of course ;)
listito wrote: creating a remote thread
No stealth there, very intrusive. Use a kernel driver and enter the context of the desired process to terminate.
 #13512  by listito
 Tue May 29, 2012 2:59 pm
By "stealthiest" I mean hard to detect. Great, but I'd like to do the whole thing from ring3; ofc ring0 code can give us superpowers, but I still think loading a driver is very "noisy" (at least the documented and undocumented methods I know).
 #13705  by Brock
 Tue Jun 05, 2012 2:17 am
Don't know about "Stealthy", but here's a quick example I wrote using a job object; it's already described by this wj32 person in his process killing methods. It's not perfect, but it's something perhaps you've not seen much? Anyhow, as with most methods for any such purpose, there are a few limitations, such as the process already being assigned to a job. See here: http://msdn.microsoft.com/en-us/library ... 85%29.aspx
Code:
{ Job object imports from kernel32 (the calling-convention directive must be
  terminated by a semicolon before 'external'). }
function CreateJobObjectW(lpJobAttributes: PSecurityAttributes;
  lpName: PWChar): THandle; stdcall; external 'kernel32.dll';

function AssignProcessToJobObject(hJob: THandle;
  hProcess: THandle): BOOL; stdcall; external 'kernel32.dll';

function TerminateJobObject(hJob: THandle;
  uExitCode: UINT): BOOL; stdcall; external 'kernel32.dll';

{ Terminates a process by assigning it to a fresh, anonymous job object and
  then terminating the whole job. Fails if the process is already in a job. }
function TerminateProcessByJob(const dwProcessId: DWORD): BOOL;
var
  hJobObject, hProcess: THandle;
begin
  Result := False;
  hProcess := OpenProcess(MAXIMUM_ALLOWED, False, dwProcessId);
  if (hProcess <> 0) then
  begin
    hJobObject := CreateJobObjectW(nil, nil);
    if (hJobObject <> 0) then
    begin
      { Both calls must succeed; 'and' short-circuits if assignment fails. }
      Result := AssignProcessToJobObject(hJobObject, hProcess) and
        TerminateJobObject(hJobObject, 0);
      CloseHandle(hJobObject);
    end;
    CloseHandle(hProcess);
  end;
end;
Regards,
Brock
 #13713  by EP_X0FF
 Tue Jun 05, 2012 7:17 am
Mut4nt wrote: 12 ways to terminate a process

http://wj32.wordpress.com/2009/05/10/12 ... a-process/
All of them require a process/thread handle to be obtained by the attacker, or driver loading for EPROCESS/ETHREAD/VM manipulations. This is not stealth. Stealth is when you kill another app without any additional attention being drawn to your own module. So the best way here is to kill the process by other hands. I think even some IPS should allow this, unless creating child processes is forbidden.