Flint_ta
Сообщений: 3720
Оценки: 1120
Присоединился: 2007-01-26 15:49:18.323333
|
FLIER, здается мне ты чето злое пишешь на Delphi :)
Есть тулза "Advanced Process Termination v4.2 - DiamondCS" позволяет убить процесс 12 способами из юзер мода, 2 способами из кернел мода, либо еще двумя обрушить :)
См:
Features KERNEL-MODE TERMINATION METHODS
Kernel-mode termination methods are the most powerful in APT's arsenal. A kernel-mode system driver is saved to \Windows\system32\drivers\apt.sys which essentially performs the termination operations at the operating system level (rather than at the higher user level like user-mode termination methods). Another advantage of kernel-mode termination is that they generally bypass any attempted user-mode API hooks.. Kernel Kill 1 - Attempts to terminate the target process by terminating each thread in the target process using the kernel-mode version of TerminateThread - ZwTerminateThread.
Main functions: ZwTerminateThread (ntoskrnl.exe) Kernel Kill 2 - Attempts to terminate the target process by calling the kernel-mode version of TerminateProcess - ZwTerminateProcess.
Main functions: ZwTerminateProcess (ntoskrnl.exe)
USER-MODE TERMINATION METHODS
These are the more conventional termination methods. Processes are for the most part user-mode objects which is why there is such a large variety of attacks. Kill #1 - Attempts to terminate the target process using the TerminateProcess function. This is the same as the End Process function in Windows Task Manager, but as APT aquires SeDebugPrivilege before calling TerminateProcess it is typically able to terminate more processes than Task Manager can. This is the most common method of forceful process termination.
Main functions: TerminateProcess (kernel32.dll) Kill #2 - Attempts to terminate the target process by sending Close messages (called WM_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_CLOSE message (most programs usually don't).
Main functions: SendMessage & PostMessage (WM_CLOSE) (user32.dll) Kill #3 - Attempts to terminate the target process by sending Quit messages (called WM_QUIT) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_QUIT message (most programs usually don't).
Main functions: SendMessage & PostMessage (WM_QUIT) (user32.dll) Kill #4 - Attempts to terminate the target process by sending system Close messages (called SC_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the SC_CLOSE message (most programs usually don't).
Main functions: SendMessage & PostMessage (SC_CLOSE) (user32.dll) Kill #5 - Attempts to terminate the target process by terminating every individual thread in the target process by using the TerminateThread function. When the last active thread is terminated the target process is also terminated.
Main functions: TerminateThread (kernel32.dll) Kill #6 - Attempts to terminate the target process by creating a new thread in the context of the target process, which has a starting address (stored in the EIP register) which is the address of the ExitProcess function in kernel32.dll.
Main functions: CreateRemoteThread, ExitProcess (kernel32.dll) Kill #7 - Attempts to terminate the target process by using the EndTask function in user32.dll. This is the same as the End Task function in Windows Task Manager.
Main functions: EndTask (user32.dll) Kill #8 - Attempts to terminate the target process by attaching to it as a debugger, using the DebugActiveProcess function in kernel32.dll. To terminate the target process, the debugger process simply needs to terminate itself, at which point the process being debugged (the target process) is also terminated.
Main functions: DebugActiveProcess (kernel32.dll) Kill #9 - Attempts to terminate the target process by modifying the EIP register of all existing threads so that they all point to the ExitProcess function in kernel32.dll. This is similar to Kill #3, but doesn't involve the creation of any new thread. Instead, existing threads are used.
Main functions: SetThreadContext (kernel32.dll) Kill #10 - Attempts to terminate the target process using the undocumented WinStationKillProcess function. This method only works if the Terminal Services service is enabled.
Main functions: WinStationKillProcess (winsta.dll) Kill #11 - Attempts to terminate the target process by loading a DLL into the process. As soon as the DLL is loaded it calls ExitProcess.
Main functions: CreateRemoteThread, LoadLibrary, ExitProcess (kernel32.dll) Kill #12 - Unlike the other kill methods Kill #12 actually gets another process to do the termination instead of it's own apt.exe process. (You can even use the target process as the accomplice process). When this kill method is used APT will ask you for a process ID to use as the accomplice. APT will then temporarily inject a small payload into the accomplice process and create a remote thread there. The payload is simply a short segment of code which calls TerminateProcess, so it's essentially the same as Kill #1 but with the termination being performed by the process of your choice instead of apt.exe. The payload is then removed from the accomplice process.
Main functions: WriteProcessMemory, CreateRemoteThread, TerminateProcess (kernel32.dll)
CRASH METHODS
Fatally crashing a process has the same outcome as terminating it (albeit not quite as gracefully!) so it's equally important for security software to be protected against crash attacks. Crash #1 - Attempts to fatally crash the target process by setting each page of its virtual memory to PAGE_NOACCESS.
Main functions: VirtualProtectEx (kernel32.dll) Crash #2 - Attempts to fatally crash the target process by overwriting each page of its virtual memory with null characters (code 0).
Main functions: VirtualProtectEx, WriteProcessMemory (kernel32.dll)
|
Закрытие приложение без формы - 
