how to terminate a process (delphi)

how to terminate a process (delphi) - 2010-01-03 19:24:18.840000
boss_hackerov

Posts: 17
Ratings: 0
Joined: 2010-01-03 10:57:06.150000
How do I terminate a process from Delphi?
Thanks in advance!!!!
Post #: 1
RE: how to terminate a process (delphi) - 2010-01-03 19:34:26.206666
Flint_ta

Posts: 3720
Ratings: 1120
Joined: 2007-01-26 15:49:18.323333
Take your pick:

KERNEL-MODE TERMINATION METHODS

Kernel-mode termination methods are the most powerful in APT's arsenal. A kernel-mode system driver is saved to \Windows\system32\drivers\apt.sys which essentially performs the termination operations at the operating system level (rather than at the higher user level like user-mode termination methods). Another advantage of kernel-mode termination is that they generally bypass any attempted user-mode API hooks.

Kernel Kill 1 - Attempts to terminate the target process by terminating each thread in the target process using the kernel-mode version of TerminateThread - ZwTerminateThread.
Main functions: ZwTerminateThread (ntoskrnl.exe)

Kernel Kill 2 - Attempts to terminate the target process by calling the kernel-mode version of TerminateProcess - ZwTerminateProcess.
Main functions: ZwTerminateProcess (ntoskrnl.exe)

USER-MODE TERMINATION METHODS

These are the more conventional termination methods. Processes are for the most part user-mode objects, which is why there is such a large variety of attacks.

Kill #1 - Attempts to terminate the target process using the TerminateProcess function. This is the same as the End Process function in Windows Task Manager, but as APT acquires SeDebugPrivilege before calling TerminateProcess it is typically able to terminate more processes than Task Manager can. This is the most common method of forceful process termination.
Main functions: TerminateProcess (kernel32.dll)

Kill #2 - Attempts to terminate the target process by sending Close messages (called WM_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_CLOSE message (most programs usually don't).
Main functions: SendMessage & PostMessage (WM_CLOSE) (user32.dll)

Kill #3 - Attempts to terminate the target process by sending Quit messages (called WM_QUIT) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_QUIT message (most programs usually don't).
Main functions: SendMessage & PostMessage (WM_QUIT) (user32.dll)

Kill #4 - Attempts to terminate the target process by sending system Close messages (called SC_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the SC_CLOSE message (most programs usually don't).
Main functions: SendMessage & PostMessage (SC_CLOSE) (user32.dll)

Kill #5 - Attempts to terminate the target process by terminating every individual thread in the target process by using the TerminateThread function. When the last active thread is terminated the target process is also terminated.
Main functions: TerminateThread (kernel32.dll)

Kill #6 - Attempts to terminate the target process by creating a new thread in the context of the target process, which has a starting address (stored in the EIP register) which is the address of the ExitProcess function in kernel32.dll.
Main functions: CreateRemoteThread, ExitProcess (kernel32.dll)

Kill #7 - Attempts to terminate the target process by using the EndTask function in user32.dll. This is the same as the End Task function in Windows Task Manager.
Main functions: EndTask (user32.dll)

Kill #8 - Attempts to terminate the target process by attaching to it as a debugger, using the DebugActiveProcess function in kernel32.dll. To terminate the target process, the debugger process simply needs to terminate itself, at which point the process being debugged (the target process) is also terminated.
Main functions: DebugActiveProcess (kernel32.dll)

Kill #9 - Attempts to terminate the target process by modifying the EIP register of all existing threads so that they all point to the ExitProcess function in kernel32.dll. This is similar to Kill #3, but doesn't involve the creation of any new thread. Instead, existing threads are used.
Main functions: SetThreadContext (kernel32.dll)

Kill #10 - Attempts to terminate the target process using the undocumented WinStationKillProcess function. This method only works if the Terminal Services service is enabled.
Main functions: WinStationKillProcess (winsta.dll)

Kill #11 - Attempts to terminate the target process by loading a DLL into the process. As soon as the DLL is loaded it calls ExitProcess.
Main functions: CreateRemoteThread, LoadLibrary, ExitProcess (kernel32.dll)

Kill #12 - Unlike the other kill methods, Kill #12 actually gets another process to do the termination instead of its own apt.exe process. (You can even use the target process as the accomplice process.) When this kill method is used APT will ask you for a process ID to use as the accomplice. APT will then temporarily inject a small payload into the accomplice process and create a remote thread there. The payload is simply a short segment of code which calls TerminateProcess, so it's essentially the same as Kill #1 but with the termination being performed by the process of your choice instead of apt.exe. The payload is then removed from the accomplice process.
Main functions: WriteProcessMemory, CreateRemoteThread, TerminateProcess (kernel32.dll)

CRASH METHODS

Fatally crashing a process has the same outcome as terminating it (albeit not quite as gracefully!) so it's equally important for security software to be protected against crash attacks.

Crash #1 - Attempts to fatally crash the target process by setting each page of its virtual memory to PAGE_NOACCESS.
Main functions: VirtualProtectEx (kernel32.dll)

Crash #2 - Attempts to fatally crash the target process by overwriting each page of its virtual memory with null characters (code 0).
Main functions: VirtualProtectEx, WriteProcessMemory (kernel32.dll)

SUSPENSION METHODS

Suspending a process doesn't have the same fatal outcome as terminating or crashing it, but it does render the process technically useless while it is suspended. One reason why a trojan might suspend a process rather than terminate it is so that it still looks (to the user) like the process is running - there are no visual indications that the process is suspended (except for frozen windows and controls, but they generally won't be noticed on minimized windows or system tray applications).

Suspend #1 - Attempts to freeze the target process by individually suspending all of its threads.
Main functions: OpenThread, SuspendThread (kernel32.dll)

Suspend #1 - Attempts to freeze the target process by directly calling NtSuspendProcess in ntdll.dll.
Main functions: NtSuspendProcess (ntdll.dll)
Post #: 2
RE: how to terminate a process (delphi) - 2010-01-03 20:03:40.596666
I.G.O.R.

Posts: 72
Ratings: 0
Joined: 2009-10-20 15:18:36.626666
This function closes the applications whose .exe name matches the one given:

uses Tlhelp32, Windows, SysUtils;
........
function KillTask(ExeFileName: string): integer;
const
  PROCESS_TERMINATE = $0001;
var
  ContinueLoop: BOOL;
  FSnapshotHandle: THandle;
  FProcessHandle: THandle;
  FProcessEntry32: TProcessEntry32;
begin
  Result := 0;
  // Walk the system process list through a Toolhelp32 snapshot
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  FProcessEntry32.dwSize := SizeOf(FProcessEntry32);
  ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);
  while Integer(ContinueLoop) <> 0 do
  begin
    // Match the bare image name or the whole string, case-insensitively
    if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = UpperCase(ExeFileName)) or
        (UpperCase(FProcessEntry32.szExeFile) = UpperCase(ExeFileName))) then
    begin
      FProcessHandle := OpenProcess(PROCESS_TERMINATE, BOOL(0), FProcessEntry32.th32ProcessID);
      if FProcessHandle <> 0 then
      begin
        Result := Integer(TerminateProcess(FProcessHandle, 0));
        CloseHandle(FProcessHandle); // release the process handle (it was leaked before)
      end;
    end;
    ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);
  end;
  CloseHandle(FSnapshotHandle);
end;

Usage example:
KillTask('notepad.exe');
Post #: 3
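An added example of my own, not code from I.G.O.R.'s post or from the APT tool described above, that combines two points the thread raises: acquiring SeDebugPrivilege before TerminateProcess, as Flint_ta's list says APT does, and a kill-by-name routine that skips its own PID, releases every handle, and reports each PID it could not terminate together with its Win32 error code instead of returning only the last result. The names EnableDebugPrivilege and KillProcessesByName are mine; the code assumes a Win32 Delphi project.

```delphi
uses Windows, TlHelp32, SysUtils, Classes;

// Enable SeDebugPrivilege in our own token, as the APT tool above does before
// TerminateProcess. AdjustTokenPrivileges returns True even when the privilege
// is not held (GetLastError = ERROR_NOT_ALL_ASSIGNED), so the error is checked.
function EnableDebugPrivilege: Boolean;
var
  hToken: THandle;
  tp: TTokenPrivileges;
  Len: DWORD;
begin
  Result := False;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then Exit;
  try
    if not LookupPrivilegeValue(nil, 'SeDebugPrivilege', tp.Privileges[0].Luid) then Exit;
    tp.PrivilegeCount := 1;
    tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    if AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), PTokenPrivileges(nil)^, Len) then
      Result := GetLastError = ERROR_SUCCESS;
  finally
    CloseHandle(hToken);
  end;
end;

// Terminate every process named ExeFileName (case-insensitive), never ourselves.
// Returns the count terminated; each miss goes to Failed as PID + Win32 error (5 = access denied).
function KillProcessesByName(const ExeFileName: string; Failed: TStrings): Integer;
var
  Snap, hProc: THandle;
  Entry: TProcessEntry32;
begin
  Result := 0;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then RaiseLastOSError;
  try
    Entry.dwSize := SizeOf(Entry);
    if Process32First(Snap, Entry) then
      repeat
        if SameText(Entry.szExeFile, ExeFileName) and (Entry.th32ProcessID <> GetCurrentProcessId) then
        begin
          hProc := OpenProcess(PROCESS_TERMINATE, False, Entry.th32ProcessID);
          if (hProc <> 0) and TerminateProcess(hProc, 1) then Inc(Result)
          else Failed.Add(Format('PID %d: error %d', [Entry.th32ProcessID, GetLastError]));
          if hProc <> 0 then CloseHandle(hProc); // the handle KillTask above never closes
        end;
      until not Process32Next(Snap, Entry);
  finally
    CloseHandle(Snap);
  end;
end;
```

Call EnableDebugPrivilege first and check its result: when it returns False the routine still works, but OpenProcess will fail with error 5 on processes the caller's token has no access to.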
RE: how to terminate a process (delphi) - 2010-01-04 01:46:14.486666
_SaZ_

Posts: 4329
Ratings: 398
Joined: 2008-01-30 02:18:05.553333
ShellExecute +
taskkill /f /im <process_name.exe>

:)
Post #: 4
RE: how to terminate a process (delphi) - 2010-01-06 20:07:35.576666
boss_hackerov

Posts: 17
Ratings: 0
Joined: 2010-01-03 10:57:06.150000
And how do I make the program "invisible" in the process list while it keeps running?
Post #: 5
RE: how to terminate a process (delphi) - 2010-01-06 21:51:19.806666
nub Nik

Posts: 263
Ratings: 0
Joined: 2009-11-18 10:53:00.250000
boss_hackerov

You want the program not to be visible in the process list?? If so, forget about it.
Post #: 6
RE: how to terminate a process (delphi) - 2010-01-07 00:00:15.453333
_ruzmaz_

Posts: 105
Ratings: 0
Joined: 2009-08-22 18:26:07.173333
quote:

And how do I make the program "invisible" in the process list while it keeps running?


http://www.wasm.ru/article.php?article=hidingnt
Post #: 7
RE: how to terminate a process (delphi) - 2010-01-07 00:15:50.330000
SkaYneT

Posts: 43
Ratings: 0
Joined: 2007-07-27 13:11:06.706666
quote:

ORIGINAL: boss_hackerov

And how do I make the program "invisible" in the process list while it keeps running?

Hook ZwQuerySystemInformation. Here's a driver for you; once loaded it will start hiding every process whose name begins with boss_hackerov: http://dump.ru/file/4090329

Post #: 8
RE: how to terminate a process (delphi) - 2010-01-07 21:35:29.043333
Zmaster

Posts: 930
Ratings: 0
Joined: 2007-02-09 19:02:43.500000
If you need it, I can send you a book on writing rootkits for Windows.
Post #: 9
RE: how to terminate a process (delphi) - 2010-01-12 16:37:55.033333
boss_hackerov

Posts: 17
Ratings: 0
Joined: 2010-01-03 10:57:06.150000
quote:

ORIGINAL: Zmaster

If you need it, I can send you a book on writing rootkits for Windows.


Send it to neoanton56@gmail.ru
Post #: 10
RE: how to terminate a process (delphi) - 2010-01-12 18:42:35.710000
_SaZ_

Posts: 4329
Ratings: 398
Joined: 2008-01-30 02:18:05.553333
It won't help :), read the neighbouring topic about browsers.
Post #: 11