[sainfoin]

Hi,
some malware using message flood attack to terminated my process,
is there any way I could protect my process.

Thanks.

[EP_X0FF]

Hello,

hook some services in shadow table.

i.e. NtUserMessageCall, NtUserPostMessage

Regards.

[sainfoin]

Thanks for you reply.
I find some materials,NtUserQueryWindow ..............

[EP_X0FF]

It is impossible to hide window totally, so you can spare your time. Take a look on that file.

[sainfoin]

thank you very much.

I also googled,and find some skills to kill process:

/* Window Attacking */

PostMessage(SendMessage) WM_CLOSE/WM_QUIT/WM_DESTORY/WM_NCDESTORY

SetParent->DestoryWindow

EndTask // Will make a direct call to the Win32 subsystem

PostMessage(SendMessage) 0x19 // by MJ0011, for MFC Application

for (int i=0; i<65536; i++)
{
PostMessage(HWND, i, 0, 0); // Message Flood
}

SetWindowLong(HWND, GWL_WNDPROC, (WNDPROC)YourDeadLock_Or_Crash_Function);


Is there a best way to protect process?

Thanks

[EP_X0FF]

PostMessage, SetParent see attached file.

For EndTask you need to intercept NtTerminateProcess. Once it will be done, this API will be unable to kill window/app (see IceSword as example).

[sainfoin]

Thanks.

[xqrzd]

Is it possible to do this from user-mode with SetWindowsHookEx with CallWndProc(for 64-bit)?

[EP_X0FF]

Not sure this will work for all kind of GUI based attacks. The best solution here - two processes. One running as service second as application for current user. If application terminated by unusual way service spawn another copy. Service itself must be protected from stopping/disabling/terminating (for example by action failure list). You can protect service registry by documented way - using Configuration Manager Registry Callback API. Such solution will work everywhere starting from Windows XP up to Windows 7 x64. No hacks, PatchGuard - OK, everything legal. Additionally you can use Object Callbacks starting from Windows Vista SP1, they will successfully protect your application from unauthorized access/termination. And of course for complete self-protection you need file system filter driver.
Don't forget - all this will protect you ONLY from user mode attacks. There is nothing to do with kernel mode ;)

ObRegisterCallbacks
CmRegisterCallback
CmRegisterCallbackEx

[xqrzd]

Not sure this will work for all kind of GUI based attacks.

You are right, I just tried this with Process Hacker, intercepting the messages worked for Process Hacker's WM_DESTROY, but it failed with WM_QUIT. When Process Hacker sent over WM_QUIT, my app intercepted and blocked WM_DESTROY and WM_NCDESTROY (and also 0x90, not sure what the name for this is) but my app still closed.

Don't forget - all this will protect you ONLY from user mode attacks. There is nothing to do with kernel mode ;)

:cry: