Someone wrote in asking a question about ending processes. Here is a brief discussion of the issue (the discussion below is based on Windows 2000; other NT systems are similar).
First, look at what an application does when it wants to forcibly end another process: it first obtains the target process ID, then calls OpenProcess to get a process handle (making sure the requested access is sufficient), and finally passes that handle to TerminateProcess.
1. OpenProcess enters kernel mode through the system service interface and calls NtOpenProcess in ntoskrnl. In the service function the system uses SeSinglePrivilegeCheck to check whether the caller holds SeDebugPrivilege. If it does, the AccessState is modified so that the handle obtained in the later steps permits any access to the process. Finally the process object is opened (the handle is created and returned) either through ObOpenObjectByName or through PsLookupProcessByProcessId followed by ObOpenObjectByPointer.
2. TerminateProcess enters kernel mode through the system service interface and calls NtTerminateProcess in ntoskrnl. The system first calls ObReferenceObjectByHandle to obtain the process's executive object (the EPROCESS block). The DebugPort field of that block indicates whether the process is being debugged; if it is, then depending on the ExitStatus passed in, the call returns failure instead of ending the process. The service function then turns to the threads:
The system walks the process's ThreadListHead to enumerate its threads and ends each of them with PspTerminateThreadByPointer. Note that the system will not faithfully carry out your order for every thread: if the enumerated thread is a system thread, it does not go on but returns STATUS_INVALID_PARAMETER. The test is whether the thread's TEB is zero or the TEB value lies in the kernel address space. Someone asked why csrss.exe cannot be killed on Windows 2000. Very simple: open IceSword, use "thread information" from the right-click menu, and see how many threads have a TEB of zero. (Note that Windows 2000 and XP differ here. Another point: the other, non-system threads in csrss are very easy to kill; when you try to end csrss you can see that the threads listed ahead of the TEB-zero thread have already been killed, and only the TEB-zero thread is left.) Then look at the System process, heh. IceSword does not provide a function to kill this process because there is no need. When the last thread ends, the life of the process is over as well, and PspExitProcess / ObKillProcess reduce it to smoke and ashes.
On the other hand, how does a thread end? PspTerminateThreadByPointer does not directly "kill" the specified thread; rather, the thread "commits suicide", heh. The system simply uses KeInitializeApc / KeInsertQueueApc to queue a kernel-mode APC to the thread, and when that APC runs the poor thread is done for.
Some people ask why IceSword sometimes cannot kill processes other than the three system processes (two of them are csrss and System; Idle is a very strange existence and a different matter, so no more about it here). The answer can be found in the discussion above. This situation is usually a user-mode thread of the target process that entered kernel mode, ran into some problem, and is now hung there, unable to return and execute the APC routine. IceSword does not force them, considering that something may already be wrong at that moment; forcibly removing them is more likely to crash the system. But many users have asked for this feature, so there will be room for it in the future (it is difficult to find time to release a new version, ~_~). In general, to kill a process you need SeDebugPrivilege; if someone has protected it, you will have to show what you can do.
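The user-mode half of the sequence described above (enable SeDebugPrivilege, OpenProcess, TerminateProcess), as an added example that is not code from the post or from IceSword. It returns each step's Win32 error so you can see which kernel-side check rejected the request; it assumes Windows, the documented Win32 constants, and a throwaway notepad.exe as the test process.

```powershell
# Added example, not from the post or from IceSword. Windows only.
Add-Type -Namespace Win32 -Name Kill -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attr; }
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string sys, string name, out long luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool TerminateProcess(IntPtr handle, uint exitCode);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr handle);
'@
function Enable-DebugPrivilege {
    # Enable SeDebugPrivilege in our own token so that NtOpenProcess's
    # SeSinglePrivilegeCheck passes and the AccessState grants full access.
    $tok = [IntPtr]::Zero
    $proc = [Win32.Kill]::GetCurrentProcess()
    # 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (-not [Win32.Kill]::OpenProcessToken($proc, 0x28, [ref]$tok)) { return $false }
    [long]$luid = 0
    if (-not [Win32.Kill]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) { return $false }
    $tp = New-Object 'Win32.Kill+TOKEN_PRIVILEGES'
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attr = 0x2      # SE_PRIVILEGE_ENABLED
    # AdjustTokenPrivileges returns TRUE even when the token lacks the privilege;
    # ERROR_NOT_ALL_ASSIGNED (1300) in the last error is the real verdict.
    $ok  = [Win32.Kill]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 16, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Win32.Kill]::CloseHandle($tok)
    return ($ok -and $err -ne 1300)
}
function Stop-ProcessById {
    param([Parameter(Mandatory)][uint32]$ProcessId, [uint32]$ExitCode = 1)
    $h = [Win32.Kill]::OpenProcess(0x1, $false, $ProcessId)   # PROCESS_TERMINATE
    if ($h -eq [IntPtr]::Zero) {
        return "OpenProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $ok  = [Win32.Kill]::TerminateProcess($h, $ExitCode)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Win32.Kill]::CloseHandle($h)
    if ($ok) { return 'TerminateProcess succeeded' }
    return "TerminateProcess failed, Win32 error $err"   # e.g. 5 = ERROR_ACCESS_DENIED
}
if (-not (Enable-DebugPrivilege)) { Write-Warning 'SeDebugPrivilege not enabled (not elevated?)' }
$test = Start-Process notepad -PassThru    # constructed test target: our own notepad
Stop-ProcessById -ProcessId $test.Id
```

Run it once elevated and once from a non-elevated shell to see the difference the privilege check in NtOpenProcess makes.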
I hope this gives some inspiration both to those who want to kill processes and to those who want to protect them.