Traps Cheater Reputation: 0
Joined: 26 Mar 2007 Posts: 35
Posted: Sat Apr 28, 2007 10:47 pm Post subject: C#: unkillable process
How can I make a process unkillable (like, for example, through Task Manager)?
I thought about creating a couple of separate processes that monitor each other, and my main program. If my main program dies, one of the separate processes will relaunch it, and if one of the separate processes dies, the corresponding sister process will relaunch it.
This is kinda lame in my opinion. Is there a way to hook the kernel-level TerminateProcess()? That would be the best route to go, but I have no clue how to do this in C#.
Poent Cheater Reputation: 0
Joined: 24 Apr 2007 Posts: 32
Posted: Mon Apr 30, 2007 8:30 pm
One of the ways I can think of to hide it would be to use a root-kit. I don't know too much about them, but I do know that many viruses use them to hide themselves and their files.
P.S.
.NET is the devil
appalsap Moderator Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Mon Apr 30, 2007 8:47 pm
WRONG way: Enumerate the processes and restart if you find one missing. This makes your process vulnerable to a suspend-kill attack.
RIGHT way: Use thread synchronization objects or a pipe to constantly verify that the sibling process is active and OK. This is not lame, and much cleaner than hooking TerminateProcess (and there are many, many ways to terminate a process; TerminateProcess is just the easiest).
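Seen from the defender's side, the sibling-relaunch design discussed in this thread leaves the same trace however the siblings check on each other: an image exits and is created again moments later by its partner. The Python sketch below is an added example, not part of the original thread; the event tuples and image names are constructed stand-ins for process create/exit telemetry, and it assumes one running instance per image name.

```python
from collections import defaultdict

# Constructed sample events (not from the thread):
# (seconds, kind, image, parent_image)
EVENTS = [
    (0.0,   "create", "main.exe",    "explorer.exe"),
    (0.5,   "create", "guard_a.exe", "main.exe"),
    (0.6,   "create", "guard_b.exe", "main.exe"),
    (30.0,  "exit",   "guard_a.exe", None),
    (30.4,  "create", "guard_a.exe", "guard_b.exe"),
    (45.0,  "exit",   "guard_b.exe", None),
    (45.3,  "create", "guard_b.exe", "guard_a.exe"),
    (60.0,  "exit",   "main.exe",    None),
    (60.2,  "create", "main.exe",    "guard_a.exe"),
    (90.0,  "exit",   "notepad.exe", None),
    (200.0, "create", "notepad.exe", "explorer.exe"),  # ordinary restart, too late
]

def find_respawns(events, window=2.0):
    """Count (image, parent_image) pairs where the image was created again
    within `window` seconds of its own exit."""
    last_exit = {}
    respawns = defaultdict(int)
    for ts, kind, image, parent in sorted(events, key=lambda e: e[0]):
        if kind == "exit":
            last_exit[image] = ts
        elif kind == "create" and image in last_exit:
            # pop() so one exit can only explain one relaunch
            if ts - last_exit.pop(image) <= window:
                respawns[(image, parent)] += 1
    return dict(respawns)

def mutual_watchdogs(respawns):
    """Return sorted image pairs in which each side has relaunched the other."""
    pairs = set()
    for child, parent in respawns:
        if (parent, child) in respawns:
            pairs.add(tuple(sorted((child, parent))))
    return sorted(pairs)

if __name__ == "__main__":
    found = find_respawns(EVENTS)
    for (child, parent), n in sorted(found.items()):
        print(f"{child} relaunched by {parent} x{n}")
    print("mutual pairs:", mutual_watchdogs(found))
```
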
the_undead Expert Cheater Reputation: 1
Joined: 12 Nov 2006 Posts: 235 Location: Johannesburg, South Africa
Posted: Mon Apr 30, 2007 8:51 pm
And named pipes in .NET are incredibly simple. More so than in anything else.
appalsap Moderator Reputation: 0
Joined: 27 Apr 2006 Posts: 6753 Location: Pakistan
Posted: Mon Apr 30, 2007 8:56 pm
They can be anonymous (easier than named); if one process is to launch another, there are many ways they can share handles.
linden Master Cheater Reputation: 0
Joined: 10 Mar 2006 Posts: 319
Posted: Mon Apr 30, 2007 9:11 pm
Two processes monitoring each other...too lame...
Hooking TerminateProcess is not good...one can still kill the process if he can open a process handle to it (i.e. inject buggy code to the victim process, nopping the code area, etc.).
The best way is still the rootkit technique... hook any one of these in the kernel: NtOpenProcess, PsLookupProcessByProcessId, ObOpenObjectByPointer, ObReferenceObjectByPointer; but it can't be realized using C#.
EDIT:
Ah! I came up with another idea! Do you really need a process?
If not, you might try implementing everything in a DLL (a C# DLL?)
and then inject that DLL into winlogon.exe and run under the process context of winlogon.exe. Nobody would dare to terminate winlogon.exe, since terminating winlogon.exe means crashing Windows.
the_undead Expert Cheater Reputation: 1
Joined: 12 Nov 2006 Posts: 235 Location: Johannesburg, South Africa
Posted: Mon Apr 30, 2007 9:28 pm
You're gonna have to write that DLL in something else :S