To make a process invincible on Windows NT, 2000 and XP, we can intercept the system service ZwTerminateProcess(), which is called each time an application or driver requests to terminate a process. Since we are doing this in kernel mode, the central part of the operating system, hooking ZwTerminateProcess() in ntoskrnl.exe will catch the call from any application, DLL or driver.
By overwriting the ZwTerminateProcess() entry in the system service table with the address of our hook procedure, every call to that service is routed through our code first. Inside the new procedure we must do a bit of process checking: if a process is indeed trying to terminate ours, we return STATUS_ACCESS_DENIED; otherwise our hook function makes the call to the original ZwTerminateProcess() system service.
The system service being hooked:

```c
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
);
```
ObReferenceObjectByHandle() resolves the ProcessHandle passed to the hook into a pointer to the target's EPROCESS object:

```c
NTSTATUS
ObReferenceObjectByHandle(
    IN HANDLE Handle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    OUT PVOID *Object,           /* takes a reference on the object; release it with ObDereferenceObject() when done */
    OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
```
The EPROCESS member we compare against (only the relevant fields are shown; the layout of this undocumented structure differs between Windows builds):

```c
typedef struct _EPROCESS {
    KPROCESS Pcb;
    EX_PUSH_LOCK ProcessLock;
    ...
    UCHAR ImageFileName[16];     /* first 15 characters of the image name, NUL-terminated */
    ...
    UCHAR PriorityClass;
    BOOLEAN WorkingSetAcquiredUnsafe;
} EPROCESS, *PEPROCESS;
```
All we need to do now is a simple memory comparison to check whether the process being terminated is our own. If it is, we simply return STATUS_ACCESS_DENIED.
```c
/* ExeName is assumed to be a char array holding our image name, so sizeof() covers
   the terminating NUL. ImageFileName holds at most 15 characters plus NUL, so an
   executable name longer than that must be truncated to 15 characters before comparing. */
if (0 == memcmp(&pEProcess->ImageFileName[0], ExeName, sizeof(ExeName)))
{
    return STATUS_ACCESS_DENIED;
}
```
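The defender's counterpart to the technique above, added here as an example and not part of the original post: a model of the integrity check anti-rootkit tools perform, walking a snapshot of the service table and flagging any slot whose dispatch address no longer lies inside ntoskrnl.exe. The two structures are assumptions rather than Windows definitions, and the module bases, sizes and table addresses are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed models (not Windows definitions): one service-table slot, and one loaded kernel
   image occupying [base, base + size). */
typedef struct { const char *name; uintptr_t address; } ssdt_entry_t;
typedef struct { const char *name; uintptr_t base; size_t size; } kmodule_t;
/* Returns the module whose address range contains addr, or NULL if no known module does. */
static const kmodule_t *module_for(uintptr_t addr, const kmodule_t *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}
/* Flags every slot whose dispatch address is not inside the image that owns the table
   (ntoskrnl.exe for the native table). Writes flagged indices to out_idx (up to max_out)
   and returns the total number flagged. */
size_t find_hooked_entries(const ssdt_entry_t *tbl, size_t n, const kmodule_t *mods,
                           size_t nmods, const char *owner, size_t *out_idx, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        const kmodule_t *m = module_for(tbl[i].address, mods, nmods);
        if (m != NULL && strcmp(m->name, owner) == 0)
            continue;                  /* still dispatches into the kernel image: untouched */
        if (found < max_out)
            out_idx[found] = i;        /* redirected elsewhere, or into unmapped memory */
        found++;
    }
    return found;
}
/* Constructed snapshot: bases, sizes and addresses are sample values, not real ones. */
static const kmodule_t sample_modules[] = {
    { "ntoskrnl.exe", 0x804d7000u, 0x1f0000u },
    { "example.sys",  0xf8a00000u, 0x008000u },   /* hypothetical third-party driver */
};
static const ssdt_entry_t sample_table[] = {
    { "ZwClose",            0x80560120u },
    { "ZwTerminateProcess", 0xf8a01230u },   /* slot redirected into example.sys */
    { "ZwOpenProcess",      0x80571a40u },
    { "ZwCreateFile",       0x00000000u },   /* slot pointing at no mapped module */
};
/* Runs the check over the constructed snapshot; returns how many slots were flagged. */
size_t sample_scan(size_t *out_idx, size_t max_out)
{
    return find_hooked_entries(sample_table, 4, sample_modules, 2, "ntoskrnl.exe", out_idx, max_out);
}
```

On a live system the same comparison is made between the service table in kernel memory and the loaded-module list, which itself requires a kernel driver or a memory image.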