Question
I'm making a security software that is a parental control monitoring system and I don't want any user / administrator or a program to kill my process.
I have tried using SetSecurityInfo() but that didn't work. Then SetKernelObjectSecurity but that also didn't do what I wanted.
How would I do this?
I would also love to have a clear explanation of any code provided.
EDIT: If so, how do antivirus programs do it? Can you please help me? I'm new to WINAPI, and I would like to know about something simple... Sorry to trouble you guys, but at least you can show me the code for some 'watchdog' process or something...
Answer 1:
This is not controlled by the process itself, and certainly not by its calling a magic API function. If it were, all malicious software would set itself up as "unkillable" and totally pwn your system. Rather, it is a security attribute of the executable file—specifically, the "Terminate" permission.
You can explore this for yourself by downloading Process Explorer:
- Open the properties for your process
- Switch to the "Security" tab
- Click the "Permissions" button
- Click the "Advanced" button
- Select the desired user or group
- Change the setting of the "Terminate" permission.
System processes have the "Terminate" permission denied to all users except the SYSTEM user. This is why even administrators receive the "Access Denied" message, because they lack the "Terminate" permission for system processes.
Of course, even setting this attribute correctly does not make the process "unkillable". It just makes it more difficult. There is plenty of software available online for a free download that allows users to kill such processes, and anyone with basic knowledge of the Windows security model can work around it without even requiring special software.
And none of this makes much sense for parental control software. You should be using the Windows security model to your advantage, not trying to work against it. Install the software as an administrator (i.e., the parent's account), and then set the child(ren) up with a limited user account. Limited user accounts won't be able to kill your process because they don't have the requisite permissions. If an administrator wants to kill your process, then you should let them, not give them some spurious "ACCESS DENIED" headache.
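The "Terminate" permission this answer describes is the PROCESS_TERMINATE access right (value 0x0001) on the process object, and whether a caller gets it is decided by an access check of the caller's token against the process DACL, one ACE at a time in order. The following is an added example, not code from the thread or from any answer: a small portable model of that evaluation, with the well-known SIDs and a DACL constructed to match the design recommended above (SYSTEM and Administrators keep Terminate, limited users do not). The evaluator is a simplified re-implementation of the AccessCheck algorithm, not the Win32 API itself; the tokens and ACLs are constructed for illustration.

```c
/*
 * Added example (not from the Stack Overflow thread): a portable model of
 * how Windows decides whether a caller may terminate a process. Constants
 * mirror the real Win32 access-mask values and the SIDs are the well-known
 * ones; access_check() is a simplified re-implementation of the AccessCheck
 * algorithm, and the DACLs and tokens below are constructed for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROCESS_TERMINATE         0x0001u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define SYNCHRONIZE               0x00100000u
/* Subset of process rights used by this model. */
#define ALL_MODELLED (PROCESS_TERMINATE | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | SYNCHRONIZE)

/* Well-known SIDs. */
#define SID_SYSTEM   "S-1-5-18"
#define SID_ADMINS   "S-1-5-32-544"
#define SID_USERS    "S-1-5-32-545"
#define SID_EVERYONE "S-1-1-0"

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; const char *sid; uint32_t mask; } ace;
typedef struct { const ace *aces; size_t count; } dacl;
typedef struct { const char *const *sids; size_t count; } token;

static int token_has_sid(const token *t, const char *sid) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* First-match evaluation: a DENY ACE covering any still-outstanding right
 * fails the check; ALLOW ACEs clear rights until none remain. Rights that no
 * ACE grants are denied, so an empty DACL grants nothing.
 * Returns 1 = granted, 0 = denied. */
int access_check(const token *t, const dacl *d, uint32_t requested) {
    uint32_t remaining = requested;
    for (size_t i = 0; i < d->count && remaining != 0; i++) {
        const ace *a = &d->aces[i];
        if (!token_has_sid(t, a->sid)) continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining) return 0;
        } else {
            remaining &= ~a->mask;
        }
    }
    return remaining == 0;
}

/* DACL for the design the answer recommends: SYSTEM and Administrators keep
 * every right including Terminate; limited users may query and wait on the
 * process but never receive PROCESS_TERMINATE. (Constructed.) */
static const ace parental_aces[] = {
    { ACE_ALLOW, SID_SYSTEM, ALL_MODELLED },
    { ACE_ALLOW, SID_ADMINS, ALL_MODELLED },
    { ACE_ALLOW, SID_USERS,  PROCESS_QUERY_INFORMATION | SYNCHRONIZE },
};
static const dacl parental_dacl = { parental_aces, sizeof parental_aces / sizeof parental_aces[0] };

/* A DACL with an explicit DENY ahead of a broad ALLOW: the deny wins for
 * Terminate even though the later ACE grants everything, which is why
 * canonical order (deny ACEs first) matters. (Constructed.) */
static const ace deny_first_aces[] = {
    { ACE_DENY,  SID_USERS, PROCESS_TERMINATE },
    { ACE_ALLOW, SID_USERS, ALL_MODELLED },
};
static const dacl deny_first_dacl = { deny_first_aces, 2 };

/* Sample tokens (constructed): an interactive administrator is also a member
 * of Users and Everyone; a limited user is in Users and Everyone only. */
static const char *const system_sids[]  = { SID_SYSTEM, SID_EVERYONE };
static const char *const admin_sids[]   = { SID_ADMINS, SID_USERS, SID_EVERYONE };
static const char *const limited_sids[] = { SID_USERS, SID_EVERYONE };
static const token system_token  = { system_sids, 2 };
static const token admin_token   = { admin_sids, 3 };
static const token limited_token = { limited_sids, 2 };

int limited_user_can_terminate(void) { return access_check(&limited_token, &parental_dacl, PROCESS_TERMINATE); }
int limited_user_can_query(void)     { return access_check(&limited_token, &parental_dacl, PROCESS_QUERY_INFORMATION | SYNCHRONIZE); }
int admin_can_terminate(void)        { return access_check(&admin_token,   &parental_dacl, PROCESS_TERMINATE); }
int system_can_terminate(void)       { return access_check(&system_token,  &parental_dacl, PROCESS_TERMINATE); }
int deny_ace_blocks_terminate(void)  { return access_check(&admin_token,   &deny_first_dacl, PROCESS_TERMINATE); }
int deny_ace_leaves_query(void)      { return access_check(&admin_token,   &deny_first_dacl, PROCESS_QUERY_INFORMATION); }

int main(void) {
    printf("limited user:  terminate=%d query=%d\n", limited_user_can_terminate(), limited_user_can_query());
    printf("administrator: terminate=%d\n", admin_can_terminate());
    printf("SYSTEM:        terminate=%d\n", system_can_terminate());
    printf("deny-first DACL, admin token: terminate=%d query=%d\n", deny_ace_blocks_terminate(), deny_ace_leaves_query());
    return 0;
}
```

The model deliberately leaves out two things the real check has: the object owner's implicit READ_CONTROL/WRITE_DAC rights, and privileges. An administrator who enables SeDebugPrivilege can open any process with full access regardless of its DACL, which is the "work around it" this answer refers to, and one more reason to let administrators terminate the process rather than to fight the security model.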
Answer 2:
No it's not possible. No matter what you do, I can always turn the machine off.
Answer 3:
First of all, let's make it clear: it is impossible. But you can make it harder.
Besides what "Code Gray" wrote, I'm adding:
1. You can use another process as a watchdog, and your process watches the watchdog as well (cyclic watchdog), so if one of them is terminated, it re-runs the other one. You can bypass that by killing your process and the watchdog before either of them gets the chance to start the other one.
1a. An attacker can freeze the process instead of terminating it, so (1) wouldn't work; therefore you can "ping" each other every N seconds, and if a ping is missing, something is wrong (not sure how to recover from this, depends on the product).
2. If you are a service, you can set Windows to recover your service once it's down.
3. Just an idea, I would not do that in a product: you can API-hook an important function in an important process (a function that is called quite a lot). Every time the function is called, check if your process is up; if not, REBOOT! :-P
4. Another wild idea (that I wouldn't do in a product!!!): write a driver and look for a terminate event for your process. If someone terminates your process, cause a blue screen! That will show 'em! 8-P
Good Luck!
Answer 4:
Hooking NtTerminateProcess in kernel mode may help you. PS: Hook NtTerminateThread as well, because I remember one version of NOD32 antivirus with a dumb bug where killing the process was denied, but killing all its threads was possible. :-)
Source: https://stackoverflow.com/questions/17484784/how-do-i-make-a-completely-access-denied-process-on-windows