
Process protection?



I've seen some anti-virus programs that have some kind of process protection, where Task Manager returns "Access is denied!" when it tries to end the process.

Well, I'm making a sort of protection program that monitors the bandwidth; I wanted to prevent it from being closed.

Is that possible in AutoIt?


I would be interested in seeing what you come up with. I have a process that we created to keep our employees from closing certain apps. The solution I came up with was to create a secondary script, and the two executables monitor each other: if one is terminated, the other reopens it.

Example:

Opt("TrayIconHide", 1) ; hide the tray icon so the watchdog script is not obvious

; Watchdog half of the pair: poll once a second and relaunch mrcc.exe if it is gone.
; Run() is given a bare file name, so mrcc.exe must be in the script's working directory.
While 1
    Sleep(1000)
    ; Check to see if the mrcc.exe file is running. If not, start it again.
    If Not ProcessExists("mrcc.exe") Then
        Run("mrcc.exe")
    EndIf
WEnd

The main executable mrcc.exe then monitors for this script and keeps it running.


This is an option, but what if I close this script, and then mrcc.exe?

There must be a better method. :mellow:

When the words fail... music speaks.


The solution I came up with was to create a secondary script and the two executables monitor each other and if one is terminated it reopens it.

That seems to be a pretty good method to use; even though it's still not foolproof, it would still block users from killing it from Task Manager.


With the scripts monitoring each other, they can't close it. I've tried to close them quickly and they start back up way too fast. The only way I can kill the process is to use a tool like Procexp.exe from Sysinternals to pause the programs and then terminate them.

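The mutual-watchdog pair described in the post with the script above, and the observation in this reply that the two executables restart each other faster than a user can close them, leave a recognisable trace in process-creation telemetry: two images that repeatedly spawn one another in short bursts. The following Python is an added example (not code from the thread or from any of the posters) that flags such pairs; the log format, the timestamps, the paths, and the name monitor.exe for the secondary script are constructed assumptions, with only mrcc.exe taken from the thread.

```python
"""Flag mutually respawning process pairs (the watchdog scheme from this thread)
in process-creation telemetry. Added example; all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style (Event ID 1) lines, not real data. mrcc.exe is the
# name from the thread; monitor.exe is a hypothetical name for the second script.
SAMPLE_LOG = """\
2024-01-15T10:00:00Z ProcessCreate Image=C:\\Tools\\mrcc.exe ParentImage=C:\\Windows\\explorer.exe
2024-01-15T10:00:01Z ProcessCreate Image=C:\\Tools\\monitor.exe ParentImage=C:\\Tools\\mrcc.exe
2024-01-15T10:05:02Z ProcessCreate Image=C:\\Tools\\mrcc.exe ParentImage=C:\\Tools\\monitor.exe
2024-01-15T10:05:03Z ProcessCreate Image=C:\\Tools\\monitor.exe ParentImage=C:\\Tools\\mrcc.exe
2024-01-15T10:05:04Z ProcessCreate Image=C:\\Tools\\mrcc.exe ParentImage=C:\\Tools\\monitor.exe
2024-01-15T10:20:00Z ProcessCreate Image=C:\\Windows\\notepad.exe ParentImage=C:\\Windows\\explorer.exe
2024-01-15T10:20:30Z ProcessCreate Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\notepad.exe
"""
LINE_RE = re.compile(r"^(\S+) ProcessCreate Image=(\S+) ParentImage=(\S+)$")

def parse_events(log_text):
    # Yield (timestamp, parent_basename, child_basename) for each parseable line.
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a process-creation record
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        child = m.group(2).rsplit("\\", 1)[-1].lower()
        parent = m.group(3).rsplit("\\", 1)[-1].lower()
        yield ts, parent, child

def find_watchdog_pairs(log_text, window_seconds=60, min_burst=3):
    """Return sorted (a, b) pairs where a spawned b AND b spawned a, with at
    least min_burst such launches inside some window_seconds interval."""
    directions = defaultdict(set)  # pair -> set of (parent, child) edges seen
    stamps = defaultdict(list)     # pair -> launch timestamps
    for ts, parent, child in parse_events(log_text):
        pair = tuple(sorted((parent, child)))
        directions[pair].add((parent, child))
        stamps[pair].append(ts)
    flagged = []
    for pair, edges in directions.items():
        if len(edges) < 2:
            continue  # one-way parent/child is an ordinary launch tree
        ts_list = sorted(stamps[pair])
        # Largest number of launches of this pair inside one sliding window.
        burst = max(sum(1 for t in ts_list[i:] if (t - s).total_seconds() <= window_seconds)
                    for i, s in enumerate(ts_list))
        if burst >= min_burst:
            flagged.append(pair)
    return sorted(flagged)
```

The burst threshold is what separates a watchdog pair from a benign two-way relationship such as explorer.exe and notepad.exe launching each other once apiece; lowering min_burst to 2 flags that pair as well.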

What's the command name? At least I need that to find it.

I think my friend Volly messed with you; he doesn't know how it works, or maybe doesn't want to share it in public :mellow:

Processes use drivers to disallow access for them to be opened, although I am pretty sure RKU and IceSword use some other method of disallowing process open. (I am going by that claim with the results that are returned from Process Explorer 10, which returns something like "Invalid Params" when just trying to open it, which makes me wonder how the hell that works.)

Actually, check this out. This is what the RKU driver imports:

DbgPrint
ExAllocatePool
ExAllocatePoolWithTag
ExFreePool
IoBuildAsynchronousFsdRequest
IoCreateDevice
IoDeleteDevice
IoDeviceObjectType
IoDriverObjectType
IoFileObjectType
IoFreeIrp
IoFreeMdl
IoGetCurrentProcess
IoThreadToProcess
IofCallDriver
IofCompleteRequest
KeAcquireSpinLock
KeAddSystemServiceTable
KeAttachProcess
KeBugCheckEx
KeDelayExecutionThread
KeDetachProcess
KeInitializeApc
KeInitializeEvent
KeInitializeSpinLock
KeInsertQueueApc
KeReleaseSpinLock
KeSetEvent
KeSetSystemAffinityThread
KeWaitForSingleObject
KiDispatchInterrupt
MmGetPhysicalAddress
MmGetSystemRoutineAddress
MmGetVirtualForPhysical
MmIsAddressValid
MmSectionObjectType
MmSystemRangeStart
MmUnlockPages
NtBuildNumber
NtDuplicateObject
NtOpenProcess
ObOpenObjectByPointer
ObQueryNameString
ObReferenceObjectByHandle
ObfDereferenceObject
PsCreateSystemThread
PsGetCurrentProcessId
PsGetCurrentThreadId
PsLookupProcessByProcessId
PsLookupThreadByThreadId
PsProcessType
PsSetCreateProcessNotifyRoutine
PsTerminateSystemThread
PsThreadType
RtlInitUnicodeString
RtlUnwind
RtlVolumeDeviceToDosName
ZwClose
ZwCreateFile
ZwDeleteFile
ZwOpenDirectoryObject
ZwOpenKey
ZwOpenProcess
ZwQuerySystemInformation
ZwTerminateProcess
Interesting... but no PspTerminateProcess, unless it is listed in the exe itself, which is packed.

Anti-rootkits can protect their processes at the kernel level, and most programs at the user level will be unable to bypass that protection.

Depending on how anti-rootkit drivers are coded, they can unhook kernel-level hooks by other programs or malware, and create their own hooks to intercept process termination requests.

I am trying myself to do it; if I succeed, then I will post the code to let you know about it. Currently trying to write code for it... Edited by Cw2K1
Enjoy the complexity.Feel the power of simplicity.