A forum for reverse engineering, OS internals and malware analysis 

 #13717  by Brock
 Tue Jun 05, 2012 8:01 am
I think "stealthy" isn't quite properly defined for the masses, including myself. EP_X0FF recommended "indirection" to terminate a process, in this case taskkill with the PID of the target process, meaning having launched another program to do its termination bidding. Another person might argue that if the target process is a GUI with window(s), then flood them with WM_CLOSE/WM_QUIT/WM_DESTROY messages etc., since no thread or process object need be opened directly by the caller process. Regardless, I think this subject from usermode is rather in the eye of the beholder unless more information is presented...

Regards,
Brock
 #13752  by EP_X0FF
 Wed Jun 06, 2012 7:02 am
The trouble with all your posted methods is that they are not stealthy, not even 0.0001%.
 #13877  by Mut4nt
 Mon Jun 11, 2012 3:28 am
Mr.Bojangles wrote:
Mut4nt wrote: the trouble is that the EP_X0FF method is so weak that it cannot even finish off the process of any AV :P
Most people in this field don't make kill solutions; most of them cause segfaults anyway without ordered patching of all the NDIS and DKOM mods most AVs do today. Unless you're talking about garbage AVs by marketing companies that do ~3 old documented patches and userland stuff, you can kill those from a dropper under low-right ACLs as long as they are FUD.

EDIT: AVs are for noobs, that's why everyone here can reverse them and circumvent them (sarcasm). SONAR has almost 28 NDIS patches in just one driver.
Well, for that reason I like working in kernel mode, and all of us do, because we do what we want :D