Research on the Process Kill Problem
[Summary]
A running process can be killed through the Windows Task Manager. Under Windows 9x, a program can register itself as a system program so that its process is not displayed in the Task Manager, which keeps the user from terminating it directly; under Windows NT/2000/XP, a running process cannot be hidden from the Task Manager. This article discusses how, under operating systems with the NT kernel (Windows NT/2000/XP/2003), to prevent a process from being killed by the user.
[Keywords] process protection, Windows service, security object, Windows privilege
1 Basic principles of preventing Task Manager from terminating a process
1.1 How Task Manager terminates a process
Task Manager does not terminate a process directly: it first opens the process object with the OpenProcess function, then calls the TerminateProcess function on the target process, thereby terminating it.
So, to prevent Task Manager from closing a process, we can start from three key links: the moment OpenProcess is called; the moment the TerminateProcess request is sent; and a self-protection mechanism inside the process itself. These are summarized below.
1.2 OpenProcess
Task Manager opens the target process object through OpenProcess. If Task Manager does not have permission to open this process object, OpenProcess fails and returns the error code ERROR_ACCESS_DENIED (5).
A practical example: when a user tries to terminate a Windows service program from Task Manager, in general Task Manager is unable to open the target process object with OpenProcess, and the termination is cancelled.
There are two ways to achieve this effect: register the application as a Windows service, or modify the access security settings of the process object. Each has its own defects.
1.3 Self-protection mechanisms
A process can also protect itself by monitoring its own state, so that the user cannot shut it down.
There are three ways to achieve this effect.
The first is a dual-process system: two processes run at the same time, one in the foreground and one sleeping in the background; when one process is terminated, the other takes over, restarts the killed process and puts it back into the background sleeping state;
The second is multithreaded self-monitoring: for example, the process runs three threads, a main thread, a monitoring thread and a thread embedded in another process, and the three threads supervise each other to prevent the process from being shut down by the user;
The third is hook technology: a global API hook is installed, and as soon as a termination request sent from another process is detected, the request is cancelled, so the protected process is not closed.
All three of the above methods have examples of use in practice.
2 Using access control technology
2.1 Registering the application as a service
In general, a user has no way to terminate a service from Task Manager. Therefore the application can be made into a Windows service to prevent it from being shut down illegally.
A new service can be registered with the following code; for ease of presentation, all error handling is omitted here.
Code List 1
SC_HANDLE schSCManager, schService;
// Open the service control manager database
schSCManager = OpenSCManager(lpHostName, NULL, SC_MANAGER_ALL_ACCESS);
// Create the service
schService = CreateService(schSCManager, "Client", "Client", SERVICE_ALL_ACCESS,
                           SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START,
                           SERVICE_ERROR_IGNORE, "Client.exe",
                           NULL, NULL, NULL, NULL, NULL);
Note that creating a service requires system-administrator-level permissions.
The service may still be stopped by the user. Here we can create a thread in the process that periodically checks the service database, changes the service's startup mode to automatic and, if it finds the service stopped, restarts it. An example follows:
Code List 2
const int   MAX_SIZE   = 256;
const DWORD SLEEP_TIME = 500;
SC_HANDLE schSCManager, schService;
DWORD dwErr;

while (1)   // check every 500 milliseconds to keep the service configuration intact
{
    // Connect to the service control manager database
    // ** The database is not checked for being locked beforehand; add that when integrating
    // ** The parent process must run with system administrator or sufficiently high privileges
    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    CString strSvrName;
    strSvrName.Format("Messenger");
    schService = OpenService(schSCManager, strSvrName, SERVICE_ALL_ACCESS);

    // Set the service startup mode
    ChangeServiceConfig(
        schService,          // handle of service
        SERVICE_NO_CHANGE,   // service type: no change
        SERVICE_AUTO_START,  // change service start type
        SERVICE_NO_CHANGE,   // error control: no change
        NULL,                // binary path: no change
        NULL,                // load order group: no change
        NULL,                // tag id: no change
        NULL,                // dependencies: no change
        NULL,                // account name: no change
        NULL,                // password: no change
        NULL);               // display name: no change

    // Check and maintain the running state of the service
    SERVICE_STATUS stuSvrStatus;
    QueryServiceStatus(schService, &stuSvrStatus);
    if (SERVICE_START_PENDING != stuSvrStatus.dwCurrentState &&
        SERVICE_RUNNING       != stuSvrStatus.dwCurrentState)   // service has been shut down
    {
        // restart the service
        if (!StartService(schService, 0, NULL))
        {
            dwErr = GetLastError();
            if (ERROR_SERVICE_ALREADY_RUNNING == dwErr)
            {
                // the service came back on its own; release the handles and check again next round
                CloseServiceHandle(schService);
                CloseServiceHandle(schSCManager);
                Sleep(SLEEP_TIME);
                continue;
            }
            printf("StartService failed! Code = %lu\n", dwErr);
            CloseServiceHandle(schService);
            CloseServiceHandle(schSCManager);
            return;
        }
    }

    CloseServiceHandle(schService);
    CloseServiceHandle(schSCManager);
    Sleep(SLEEP_TIME);
}   // end while
As before, all error-checking code is omitted.
Summary:
The advantage of using a service is that it can start running before the user logs in and is not affected by the user. However, polling the service status and restarting the service consumes more resources. At the same time, if a malicious user stops the service frequently, the resulting frequent restarts mean the program is always initializing and never works properly.
Under Windows 2000, the system administrator cannot terminate a service without specific privileges, but under Windows XP/2003 the system administrator can terminate a service directly from Task Manager. So using a service does not perfectly achieve the goal of preventing the process from being killed.
2.2 Using security objects
Principles and defects:
Whenever a process is accessed, the system checks the security settings of the target process. If those settings do not allow the accessing process to access it, the access request is rejected. Setting the process up as a secured object can therefore prevent unauthorized users from killing it.
When the user holds certain privileges, access to the process object is granted directly, so security settings cannot prevent a privileged user from shutting the process down by exercising those privileges. Of course, it is rather difficult to give Task Manager system privileges, and an ordinary user can hardly do it.
In addition, because Microsoft protects its own interests, there is little introduction to security object technology, so there is a lot about this technology I do not understand, and it is not mature.
Introduction:
A process object is a Windows kernel object; each kernel object has its own access security flag, called the Security Descriptor (SD).
The SD contains all access information for the kernel object, including the owner, the group and more; access control proper is carried out by the Access Control List (ACL). An SD contains two ACLs: the discretionary ACL (DACL) and the system ACL (SACL). The DACL specifies which users, and which kinds of users, may or may not perform which types of access on the kernel object; the SACL specifies which accesses to the kernel object are to be monitored. This monitoring is called auditing: a log is generated and the accesses specified in the SACL are recorded. An ACL consists of an ACL header structure and a set of Access Control Entries (ACEs); there may be many ACEs or none at all.
An ACE consists of an ACE header structure and an ACE body. The header declares the type of the ACE; the body contains a trustee and an access mask. According to the header type, the system allows or denies the trustee the access operations described by the mask.
A trustee is represented by a SID structure. SID is short for Security Identifier; it identifies a user or a group, and in network programming it can also represent one logged-on user or a group of them.
The figure above illustrates how the DACL is evaluated.
The specific application code for the SD is as follows:
Code List 3
// pSecDescriptor, pSecConfig (a 1000-byte ACL buffer), sidGroup (the SID of the
// group to be denied) and pSecAtt are allocated and filled in by the caller
DWORD dwErr;

// Initialize the security descriptor
InitializeSecurityDescriptor(pSecDescriptor, SECURITY_DESCRIPTOR_REVISION);

// Set up the ACL
PSID pSidGroup;
pSidGroup = &sidGroup;

// Initialize the ACL
if (!InitializeAcl(pSecConfig, 1000, ACL_REVISION))
{
    dwErr = GetLastError();
    printf("InitializeAcl failed! Code = %lu\n", dwErr);
    return FALSE;
}

// Add an ACCESS_DENIED_ACE to the ACL: deny the group every specific and standard right
if (!AddAccessDeniedAce(pSecConfig, ACL_REVISION,
                        SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL, pSidGroup))
{
    dwErr = GetLastError();
    printf("AddAccessDeniedAce failed! Code = %lu\n", dwErr);
    return FALSE;
}

// Set the DACL into the security descriptor
SetSecurityDescriptorDacl(pSecDescriptor, TRUE, pSecConfig, FALSE);
if (!IsValidAcl(pSecConfig))
{
    printf("Create ACL failed!\nNot a valid ACL\n");
    return FALSE;
}

// Fill in the security attributes that are passed when the process is created
pSecAtt->bInheritHandle = FALSE;
pSecAtt->lpSecurityDescriptor = pSecDescriptor;
pSecAtt->nLength = sizeof(*pSecAtt);
Summary:
With secure-object protection technology, a process can keep itself from being killed from Task Manager under normal conditions. If a user has the technical skill to raise Task Manager's privileges, such an expert probably cannot be stopped anyway. Therefore this technology is the one with the most practical value.
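As an added example that is not from the original article, the following Python model walks through the DACL evaluation sketched in 2.2 and the effect of the deny ACE that Code List 3 adds: Task Manager's OpenProcess request for PROCESS_TERMINATE is refused with ERROR_ACCESS_DENIED (5) for any token carrying the denied group SID, while a caller exercising an overriding privilege bypasses the DACL entirely, as the summary above warns. The owner SID, the token contents and the `bypass_privilege` switch are constructed for illustration; implicit owner rights and MAXIMUM_ALLOWED are not modelled.

```python
from dataclasses import dataclass

# Access-mask bits from winnt.h and the OpenProcess error code from section 1.2
PROCESS_TERMINATE   = 0x0001
STANDARD_RIGHTS_ALL = 0x001F0000
SPECIFIC_RIGHTS_ALL = 0x0000FFFF
ERROR_ACCESS_DENIED = 5

@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" (ACCESS_DENIED_ACE) or "allow" (ACCESS_ALLOWED_ACE)
    trustee: str   # SID of the user or group this entry applies to
    mask: int      # access rights the entry denies or grants

def access_check(dacl, token_sids, requested, bypass_privilege=False):
    """Return (granted, error_code) for opening an object with `requested` rights.
    ACEs are walked in order: a deny entry for one of the token's SIDs that covers a
    still-ungranted bit ends the check with ERROR_ACCESS_DENIED, allow entries grant
    bits until none remain. A NULL DACL grants everything, an empty one nothing.
    """
    if bypass_privilege:
        # Section 2.2 caveat: a caller exercising an overriding privilege is not
        # subject to the DACL at all, so no deny entry can stop it.
        return True, 0
    if dacl is None:
        return True, 0
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, ERROR_ACCESS_DENIED
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, 0
    return False, ERROR_ACCESS_DENIED

OWNER_SID = "S-1-5-21-0-0-0-1001"  # constructed placeholder for the process owner
USERS_SID = "S-1-5-32-545"         # well-known SID of BUILTIN\Users
# The DACL Code List 3 builds: one deny-everything entry for the group, placed
# ahead of the allow entry the owner would normally keep for itself.
PROTECTED_DACL = [
    Ace("deny",  USERS_SID, SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL),
    Ace("allow", OWNER_SID, SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL),
]

def task_manager_open(token_sids, bypass_privilege=False):
    """Task Manager's first step (section 1.1): OpenProcess asking for PROCESS_TERMINATE."""
    return access_check(PROTECTED_DACL, token_sids, PROCESS_TERMINATE, bypass_privilege)
```

Because the deny entry precedes the allow entry, even the owner is refused when the owner's token also contains the group SID, which is the usual case for an interactive user; reversing the two entries would let the allow entry win.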
3 Other technologies
The techniques in this section are complicated, and no specific implementation is given.
3.1 Multithreaded self-protection
Three threads:
This technique has been seen in the "Chinese Hacker" virus. The principle is to create a thread and embed it into an important system process (such as Winlogon); the threads then monitor each other, and whichever is shut down is restarted by the others. This technique is in fact a self-monitoring mechanism.
Process regeneration:
This technique is used in the Mei Ping anti-pornography software. The principle is to use process self-replication to avoid being killed: both the program code and the process kernel object are copied.
3.2 Using hooks
With a Windows global API hook, once an external process tries to terminate the process with the TerminateProcess function, the call is intercepted so that the operation cannot be carried out. Inside the process itself the ExitProcess function is used, so the process can still terminate itself.
In addition, for core services like Winlogon, the Windows Task Manager directly rejects the user's request to end them. This rejection is made by Task Manager itself when it initializes its list control with the process names, and has nothing to do with the service. As proof, I can use the Visual C++ debugger to shut down Winlogon; of course, the result is an immediate system crash.