Full Version: Creating An Unstoppable Service.
Does anyone maybe know how to create an unstoppable service like the new viruses?
Would be very useful for everyone. Thanks, tte.
yeah, I'm also curious about that
i tried having a look for some tutorials/reads, couldn't find anything.
apptoserver can make an exe into a system server
then this will not stop
any app that runs as a service can be made unstoppable, you only have to modify one byte with a hex editor. can you guess which one?
which byte do u mean? the service name or what?
well I heard of a worm which was running (like every worm) but was also creating some small program that was looking at the running worm, and if the task was closed it was opening it again, so you couldn't stop it unless you knew which file to close first and which one to remove
i don't think that you only change 1 byte...
but that's the same with some anti virus tools: if you use pskill.exe or something like this you can't stop this service, or with rserver there is always a screen "permission denied".. i think that's a special code, but who knows... but in fact it is a really interesting question. cya
i don't think it is possible to create a COMPLETELY unstoppable service
as SUPPERMAX said it is possible to have 2 services that support each other.
I don't think it's possible to kill more than one service at a time, so it seems to be unstoppable! I think we had a hot topic about it in this forum
You could try binding your exe file into a system file which is always running.. example winlogin.exe in xp.. dunno if it's on other os.. but u will need something to stop the file protection warning.. I think there is a reg file for it somewhere... but I can't remember where on the board I saw it.
i posted about wfp, here's the file again...
yeah, thank me later lol. i didn't try the technique though, not saying it works, but this should definitely help if you want to try.
Thanks for the tool m8y
Well it should be possible because the Zonealarm service is also unstoppable.
But you can make a critical service depend on yours, so that's also an alternative i guess
nice tool...thanks
just disassemble the exe, find the second (usually) SetServiceStatus call and look a few instructions above it to where it pushes the value for the controls it accepts. change that to 0x04 and it'll be unstoppable. look at basic service example code and you'll see what i mean.
or take a rootkit and hide the service. you can't kill a service that you don't see
so long
thanks for the tool "tweakz20"
you can also make a bat file like this one i created: if the service fails or crashes it will automatically restart. all you have to do is replace "service name" with the name of the service you are running that you want to be unstoppable!
------------------------------------------------------------------------------------------------
    rem write a minimal .reg file that sets FailureActions for the service
    rem (the redirection is placed first so that cmd does not read "4>" as a handle redirect)
    >temp.reg echo REGEDIT4
    >>temp.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"service name"]
    rem three RESTART actions, each after 60000 ms (0xEA60), reset period 0
    >>temp.reg echo "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,52,00,4f,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
    rem import silently and clean up
    regedit -s temp.reg
    del temp.reg
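The hex value in that .reg file is a SERVICE_FAILURE_ACTIONS structure, and being able to read it is what lets an administrator see which services on a host will restart themselves and how quickly. The following decoder is an added example, not code from the thread: it parses the blob exactly as posted above (sample constructed from that line), assumes the 32-bit layout in which the SC_ACTION array follows the 20-byte header (as in blobs written by sc.exe), and only reports the fifth DWORD (0x004F0052 in the sample), which is a pointer/offset field. A reset period of 0xFFFFFFFF is the INFINITE value mentioned later in the thread.

```python
import struct

# Constructed from the REG_BINARY value in the .reg snippet above, exactly as the
# post lists it (one "xx" per byte, comma separated). Labelled sample data.
SAMPLE_FAILURE_ACTIONS_HEX = (
    "00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,52,00,4f,00,"
    "01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00"
)

# SC_ACTION_TYPE values from the Win32 SDK (winsvc.h).
SC_ACTION_NAMES = {0: "NONE", 1: "RESTART", 2: "REBOOT", 3: "RUN_COMMAND"}

# 32-bit SERVICE_FAILURE_ACTIONS as stored in the registry:
# dwResetPeriod (seconds), reboot-message ref, command ref, cActions, actions ref.
# Assumption: the SC_ACTION array immediately follows this 20-byte header, as it
# does in blobs written by sc.exe; the two string refs are only tested for non-zero.
HEADER = struct.Struct("<IIIII")
ACTION = struct.Struct("<II")   # SC_ACTION: Type, Delay in milliseconds
INFINITE = 0xFFFFFFFF


def reg_hex_to_bytes(text):
    """Turn the .reg 'hex:aa,bb,...' byte list into bytes."""
    return bytes(int(b, 16) for b in text.replace(" ", "").split(",") if b)


def decode_failure_actions(blob):
    """Decode a FailureActions REG_BINARY blob; raises ValueError if truncated."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the SERVICE_FAILURE_ACTIONS header")
    reset, reboot_ref, cmd_ref, count, actions_ref = HEADER.unpack_from(blob, 0)
    room = (len(blob) - HEADER.size) // ACTION.size
    if count > room:
        raise ValueError(f"header claims {count} actions but blob has room for {room}")
    actions = []
    for i in range(count):
        typ, delay = ACTION.unpack_from(blob, HEADER.size + i * ACTION.size)
        actions.append({"type": SC_ACTION_NAMES.get(typ, f"UNKNOWN({typ})"),
                        "delay_ms": delay})
    return {
        "reset_period": "INFINITE" if reset == INFINITE else f"{reset}s",
        "has_reboot_msg": reboot_ref != 0,
        "has_command": cmd_ref != 0,
        "actions_ref": actions_ref,
        "actions": actions,
    }


def restart_summary(info, quick_ms=300_000):
    """One-line triage verdict: does the service restart itself, and how fast?"""
    restarts = [a["delay_ms"] for a in info["actions"] if a["type"] == "RESTART"]
    if not restarts:
        return "no automatic restart"
    fastest = min(restarts)
    tag = "self-restarting" if fastest <= quick_ms else "slow self-restart"
    return (f"{tag}: {len(restarts)} restart action(s), "
            f"fastest after {fastest // 1000}s, reset {info['reset_period']}")


if __name__ == "__main__":
    info = decode_failure_actions(reg_hex_to_bytes(SAMPLE_FAILURE_ACTIONS_HEX))
    for a in info["actions"]:
        print(f"  {a['type']:<12} delay {a['delay_ms']} ms")
    print(restart_summary(info))
```

On a live host the same decoder can be fed the value read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\FailureActions for every service, which turns the question "which services come back on their own after being killed" into a list rather than a guess.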
But you can disable Automatic restart in the advanced system properties
btw u can stop zonealarm: just use process explorer © Sysinternals.com, go to the .exe -> Properties -> Threads, then close all those, then u can kill the app
just found that out yesterday <:
if u name the exe like a windows system service u can't stop it from task manager (it's the simplest way, like g-ryder said) but it's simple to kill with a tool like pskill .. i'll wait for more answers
greetz
thx for the tool
In Windows 2000 / XP there exist several (publicly known) methods to start a program automatically with windows.
One possibility is to use the registry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is our example here below. So, from where does windows know how to use this key? (good thought, eh?) I scanned several system files for the aforementioned key with no result. After that I re-examined the system files that are loaded with windows and I stumbled over explorer.exe, which indeed has the key in it. It's just not that easy to find. In version 5.0.3700.6690 of explorer.exe (Windows 2000 / SP4) the key is located from offset 0000b560h to 0000b5a0h and looks like: "S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.R.u.n." in ascii. The same in hex: "53 00 6F 00 66 00 74 00 77 00 61 00 72 00 65 00 5C 00 4D..." etc.
1. Turn windows file protection off (ask google if you don't know how to).
2. Kill the running explorer.exe
3. Open the file in binary mode and search for the above string.
4. Replace the string by: "S.y.s.t.e.m.\.H.i.d.d.e.n.A.u.t.o.r.u.n.\.Y.o.u.r.A.p.p.\.P.a.r.a.m.e.t.e.r.s.\.s.r.u.n.s." or something like that.
4.1 The string has to be the same length as the above one.
5. Save the file and restart explorer.exe
The user will just notice a crash of the explorer, as it happens twice a day *scnr*, and the ensuing restart of it. From the next reboot on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" is useless, but in exchange you have a new one at "HKEY_LOCAL_MACHINE\System\HiddenAutorun\YourApp\Parameters\sruns". To stay undetected it is essential to load all apps located in the old registry key. Otherwise a user may notice the change. THANKS goes to nec, who first made his post available to the public at: http://www.rootkit.com
in vb use this function:
Public Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwType As Long) As Long
thx for your ideas!
oh, one more question...
tried to disassemble servu... found the second SetServiceStatus... but above there are two push values... which one needs to be modified?
Heya brain, I think I need to chat with you about services in vb (and hiding them etc). If you're gonna be about on IRC this weekend can we talk?
just write your own service and leave the stop procedure empty.
Right ... Ok at least I got something to google for now, cheers.
This is nice to know, i'll try this one out for sure on my network to see if it really works. If it does, i should make some processes unstoppable.
won't this crash the system if you edit winlogin whilst it's running??
even if the process gets killed by pskill or the service gets stopped?
Ok, I'm lining up for the most stupid question ever asked, here it comes!
Do I just use the full path and name of the exe as the service name? How do I get the service to run my exe, or am I looking at this all wrong? I'm going off to search so you may find some info below (if I find some).
http://msdn.microsoft.com/library/default....pplications.asp
Property: CanStop. Setting: True to indicate that the service will accept requests to stop running; false to prevent the service from being stopped.
Is this not a way to stop the service being ended?
yeah .. but i was talking about through the command line .. I've known that trick of yours for a long time but now I'm searching for a script/code to do that by cmd
Service objects just like files can have ACL restrictions imposed on them as well.
Deny users access and they can't do anything to the service.
i looked around my pc a bit for services i couldn't stop. i came up first with deep freeze, a very annoying program which i installed in the hope of figuring out how i could kill it (since they also use that at my school and i find that very annoying). i got into regedit and looked at what things are all set there. in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DF5Serv\Enum i found a value called "0" with the data: Root\LEGACY_DF5SERV\0000. i tried making my own process with data like that. it gave some kind of bind error. i went on looking for services like that. i found the service "netbios". in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS\Enum i found nearly the exact same data as in df5serv: "0" with: Root\LEGACY_NETBIOS\0000. could it be that these values in the registry have something to do with making services unstoppable?
ResetPeriod = INFINITE
how? just hexedit or so? *edit* ok, found it with hex editing, but what value do I change? :s
finally...
To make a process invincible on Windows NT, 2000 and XP, we can intercept the system service ZwTerminateProcess(), which is called each time an application or driver requests to terminate a process. Since we are doing this in Kernel Mode, the central part of the operating system, hooking ZwTerminateProcess() in ntoskrnl.exe will catch the call from any single application, dll or driver. Upon modifying the correct pointer in the system service table for ZwTerminateProcess(), we'll have changed it to the address of our hook procedure. Inside the new procedure we must do a bit of process checking: if indeed a process is trying to terminate ours we must return STATUS_ACCESS_DENIED; otherwise our hook function should make the call to the original ZwTerminateProcess() system service.
    NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess (
        IN HANDLE ProcessHandle OPTIONAL,
        IN NTSTATUS ExitStatus
    );
The problem is that once we've hooked ZwTerminateProcess(), we don't actually know the name of the process that is about to be terminated; we are only given a HANDLE ProcessHandle to it in the first argument. Unlike in user-mode, we can't rely on the API functions provided by the PSAPI [.dlls aren't linked to drivers operating in Kernel Mode] such as GetModuleBaseName() in PSAPI.DLL to get the name of the process the HANDLE refers to. To overcome this, Kernel Support Routines [functions provided by the Kernel] are used directly.
    NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess (
        IN HANDLE ProcessHandle,
        IN PROCESSINFOCLASS ProcessInformationClass,
        OUT PVOID ProcessInformation,
        IN ULONG ProcessInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );
One Kernel support routine, ZwQueryInformationProcess(), accepts a ProcessHandle and fills the fields of the passed-in PROCESS_BASIC_INFORMATION structure.
    typedef struct _PROCESS_BASIC_INFORMATION {
        NTSTATUS ExitStatus;
        PPEB PebBaseAddress;
        KAFFINITY AffinityMask;
        KPRIORITY BasePriority;
        ULONG UniqueProcessId;
        ULONG InheritedFromUniqueProcessId;
    } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
We aren't there yet though; as you can see, there is no variable that holds the ImageFileName, only the ProcessID [UniqueProcessId]. This is no problem however, as we have PsLookupProcessByProcessId().
    NTSYSAPI NTSTATUS NTAPI PsLookupProcessByProcessId (
        IN ULONG ProcessId,
        OUT PEPROCESS *Process
    );
This function takes the UniqueProcessId of a process [which we obtained using ZwQueryInformationProcess()] and outputs the fields of an _EPROCESS structure. This structure is large and varies significantly between major Windows versions.
    typedef struct _EPROCESS {
        KPROCESS Pcb;
        EX_PUSH_LOCK ProcessLock;
        ...
        UCHAR ImageFileName[16];
        ...
        UCHAR PriorityClass;
        BOOLEAN WorkingSetAcquiredUnsafe;
    } EPROCESS, *PEPROCESS;
And there it is, UCHAR ImageFileName[16]: the start address in memory of the name of the process being terminated. All we need to do now is perform a simple memory comparison, checking that it is indeed our application that is about to be terminated. If so we simply return STATUS_ACCESS_DENIED.
    if (0 == memcmp(&pEProcess->ImageFileName[0], "ExeName", 7)) {
        return STATUS_ACCESS_DENIED;
    }
hi hottzo,
I just want to know how I can use NtQueryInformationProcess in kernel-mode! because it seems that it needs a user-mode buffer for data! thanks
QUOTE(arman2 @ Oct 28 2004, 01:19 PM) [post quoted above]
One way to make it difficult to stop is to lock the service database; of course this does prevent you from doing anything with any service. Look into a resource kit utility called sc.exe. You can do lots of things to services like, for example, setting the start type to system. The main goal should be to get your service configured like some of the default services that windows prevents you from stopping. For example, when you query rpcss (sc query rpcss) you get...
CODE
    SERVICE_NAME: rpcss
    TYPE               : 20 WIN32_SHARE_PROCESS
    STATE              : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE    : 0 (0x0)
    SERVICE_EXIT_CODE  : 0 (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0
if i manually add "FailureActions" in the registry to make the service unstoppable, the service config is only updated after a reboot. how can i add it and force windows to read the new service config without having to reboot?
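The `sc query` output quoted above is also how an administrator tells whether a service will honour a stop request at all. The script below is an added example, not code from the thread: it parses that output format (the sample is constructed here; the rpcss record is the one from the post, "updsvc" is a hypothetical third-party service included so the check has something to flag, and the baseline set is a deliberately short constructed list) and reports running services that are marked NOT_STOPPABLE but are not on the baseline of services the OS itself refuses to stop, which is the check an incident responder would run on a suspect host.

```python
import re

# Constructed sample in the layout of `sc query` output. rpcss is the record quoted
# in the post above; "updsvc" is a hypothetical service added so the check fires;
# Spooler is an ordinary stoppable service included for contrast.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: rpcss
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: updsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Baseline of services the OS itself refuses to stop. Constructed for the example
# (rpcss comes from the post); build the real list from a known-good machine.
KNOWN_NOT_STOPPABLE = {"rpcss", "dcomlaunch", "plugplay"}

_NAME = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.M)
_TYPE = re.compile(r"TYPE\s*:\s*([0-9a-fA-F]+)\s+(\S+)")
_STATE = re.compile(r"STATE\s*:\s*(\d+)\s+([A-Z_]+)")
# The accepted-controls flags follow the STATE line, on the same line or the next one.
_FLAGS = re.compile(r"STATE\s*:[^\n]*\n?\s*\(([A-Z_,\s]+)\)")


def parse_sc_query(text):
    """Split `sc query` output into one dict per service record."""
    services = []
    for rec in re.split(r"\n\s*\n", text.strip()):
        name, state = _NAME.search(rec), _STATE.search(rec)
        if not (name and state):
            continue  # not a service record (e.g. an [SC] error line)
        flags = _FLAGS.search(rec)
        typ = _TYPE.search(rec)
        services.append({
            "name": name.group(1),
            "type": typ.group(2) if typ else None,
            "state": state.group(2),
            "flags": {f.strip() for f in flags.group(1).split(",")} if flags else set(),
        })
    return services


def unexpected_not_stoppable(services, baseline=KNOWN_NOT_STOPPABLE):
    """Names of services that refuse SERVICE_CONTROL_STOP and are not in the baseline."""
    return [s["name"] for s in services
            if "NOT_STOPPABLE" in s["flags"] and s["name"].lower() not in baseline]


if __name__ == "__main__":
    found = parse_sc_query(SAMPLE_SC_QUERY)
    for s in found:
        print(f"{s['name']:<10} {s['state']:<8} {','.join(sorted(s['flags']))}")
    print("review:", unexpected_not_stoppable(found))
```

Feeding it the output of `sc query` with no arguments (all services) gives the review list for a whole host; anything on it that is not a Windows component is worth a closer look, because a service that declines stop requests has either been written that way or had its accepted-controls value altered as described earlier in the thread.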
very good response hottzo. for those of you who are not up to writing kernel mode drivers, this can also be achieved by hooking the ntdll stub to ZwTerminateProcess...i.e. NtTerminateProcess.
This is a less neat solution, since you must inject a hooking dll into each process in usermode, and also hook NtCreateProcess to ensure that new processes are also hooked (much like a usermode rootkit does; you could modify an open source rootkit to achieve this quickly). In the future Microsoft will put a stop to modifying the system service table, which will either stop kernel hooks, or make us think a bit harder about how it can be achieved.
QUOTE(hottzo @ Oct 2 2004, 05:43 PM) [post quoted above]
Nice info thanks
U guys are confusing me but I think I got what u guys are saying
thanks for the tips
So after a long time still one question is remaining:
How can a service be made unstoppable? Don't tell me the coding way, I can't code C. Do any of the other suggestions work?
LOL passiw it's true
ye thumbs up to hottzo ! very sweet reply !
one Q though, does it have to be in kernelland or would userland be enough? *edit* oh, nvm about the Q. Tibbar already answered it. thanx
The answer has been given in several ways....
Nice reply Hottzo (I didn't know u had it in you... I think I'm gonna contact u on IRC sometime). Easiest way is to implement your service into a system service like services.exe.... problem is that if Windows gets updated in that part you will lose your nice service.... So .... get your way through WFP .. edit the system service .... and get WFP back up. Should be doable for ya. Happy googling
QUOTE(_ET_ @ Jan 25 2005, 02:33 PM) [post quoted above]
Nice info thanks