Process self-defence like antivirus software
I write programs for defence systems: antivirus, anti-malware, etc. And I have a problem with defending a process from being killed through Task Manager -> Kill Process. I tested some antivirus products and they don't let me kill their process. I can only stop them in Services. How can I create this defence for my program? Thanks!
Comments (3)
Stopping a process is done with a call to TerminateProcess (Win32 API). By default, it is not possible to kill a process that is running under a security context different from the one of the process that issued the call to TerminateProcess.

A user-mode service can be configured (with the Service Control Manager) so that it will be restarted if someone kills the service. However, if you don't want the service to be stopped from the Service Control Manager interface or using the "net stop" command, you can set the "dwControlsAccepted" field of the SERVICE_STATUS structure appropriately when creating the service.

Also keep in consideration that it is possible to end any process, even a service or a system process, by previously enabling the debug privilege. This privilege is assigned to Administrators and is disabled in the access token. While Task Manager does not make use of the debug privilege, the KILL utility (provided with the Windows Resource Kit) does.
What you observe is common for service applications, i.e. you need to have a service for this.

Antivirus software usually employs several kernel-mode drivers (network filters, file system filters, etc.), which have the additional function of checking whether the user-mode process is available and, if not, restarting it (they also control the execution state of the service).

Also, a service can monitor the presence of the UI process and restart it. And the UI process in turn can check the state of the service. It's quite tricky (though possible) to stop both processes in parallel, so this scheme can also work.

I guess you will come to the same architecture.

But in general, rootkits bypass all those tricks, and rootkits are what poses the most significant threat to modern computers.
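The two preceding answers describe the same user-mode building blocks: a service whose SERVICE_STATUS.dwControlsAccepted omits SERVICE_ACCEPT_STOP, and a service/UI pair that watch each other. The following is an added example of how those fit together in .NET; it is not code from the question or from either answer. ServiceBase reports CanStop, CanPauseAndContinue and CanShutdown to the SCM as dwControlsAccepted, so CanStop = false is the managed way to refuse "net stop". The service name AvGuardSvc and the UI image AvTray.exe are placeholders invented for this example.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.ServiceProcess;
using System.Timers;

// Example watchdog service. "AvGuardSvc" and "AvTray.exe" are hypothetical names.
public sealed class GuardService : ServiceBase
{
    private const string UiExeName = "AvTray";              // image name without ".exe"
    private readonly string _uiExePath =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, UiExeName + ".exe");
    private readonly Timer _watchdog = new Timer(2000);    // poll the UI process every 2 s
    private volatile bool _stopping;

    public GuardService()
    {
        ServiceName = "AvGuardSvc";
        // These flags become SERVICE_STATUS.dwControlsAccepted when ServiceBase calls
        // SetServiceStatus. With CanStop = false, SERVICE_ACCEPT_STOP is not reported, so
        // "net stop AvGuardSvc" and the Services MMC "Stop" action are refused by the SCM.
        CanStop = false;
        CanPauseAndContinue = false;
        CanShutdown = true;   // still accept SERVICE_CONTROL_SHUTDOWN to exit cleanly on reboot
        AutoLog = true;       // log start/stop events under the service name
    }

    protected override void OnStart(string[] args)
    {
        _watchdog.Elapsed += (s, e) => EnsureUiRunning();
        _watchdog.AutoReset = true;
        _watchdog.Start();
    }

    protected override void OnShutdown()
    {
        _stopping = true;
        _watchdog.Stop();
    }

    // The "service monitors the presence of the UI process and restarts it" half of the scheme.
    private void EnsureUiRunning()
    {
        if (_stopping) return;
        try
        {
            Process[] running = Process.GetProcessesByName(UiExeName);
            bool alive = running.Length > 0;
            foreach (Process p in running) p.Dispose();
            if (alive) return;

            // Caveat: a service runs in session 0. To show a window on the logged-on user's
            // desktop the process must be created with the user's token (CreateProcessAsUser);
            // plain Process.Start is sufficient only for a non-interactive helper process.
            Process.Start(new ProcessStartInfo(_uiExePath) { UseShellExecute = false });
            EventLog.WriteEntry(UiExeName + " was not running; restarted it.", EventLogEntryType.Warning);
        }
        catch (Exception ex)
        {
            EventLog.WriteEntry("Failed to restart " + UiExeName + ": " + ex.Message, EventLogEntryType.Error);
        }
    }

    public static void Main()
    {
        ServiceBase.Run(new GuardService());
    }
}
```

Install it with `sc.exe create AvGuardSvc binPath= "C:\Path\AvGuard.exe" start= auto` and then give it the SCM recovery actions the first answer mentions, e.g. `sc.exe failure AvGuardSvc reset= 86400 actions= restart/5000/restart/5000/restart/5000`. The distinction matters: refusing SERVICE_CONTROL_STOP only blocks the polite path through the SCM. An administrator who enables SeDebugPrivilege (taskkill /F from an elevated prompt, or the Resource Kit KILL tool) can still call TerminateProcess on the service; the failure actions are what bring it back in that case. The other half of the scheme, the UI checking the service, is a `new ServiceController("AvGuardSvc").Status` poll from the UI process.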
You can use this code if you want to prevent killing (it will bluescreen the system), but make sure you have auto-startup. Put this code into the system, put the DllImport and the rest in the same way as your Form_Load, and here are the switches (run this in your Form1_Load code). critical 1 is anti-kill. critical 0 is no anti-kill. @ https://pastebin.com/BpS79Sa0

C#:
critical(1)
critical(0)
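The behaviour described in that comment (terminating the process bluescreens the machine) is what the undocumented ntdll export RtlSetProcessIsCritical produces: it sets the process's BreakOnTermination flag, and the kernel bugchecks with CRITICAL_PROCESS_DIED when such a process goes away. The pastebin is not reproduced here; the following is an added example of what a critical(1)/critical(0) toggle plausibly looks like, written for this page rather than taken from the comment's author. The signature comes from public reverse engineering, not Microsoft documentation, and the class and method names are this example's own. It also adds the two safeguards a practitioner needs: the call requires SeDebugPrivilege to be enabled in the token (so the process must run elevated), and the flag must be cleared on every exit path, because a normal exit or a crash of a critical process bugchecks the machine just like a kill does.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Hypothetical names for this example: CriticalProcess / Critical(bool).
internal static class CriticalProcess
{
    // NTSTATUS RtlSetProcessIsCritical(BOOLEAN NewValue, PBOOLEAN OldValue, BOOLEAN CheckFlag)
    // BOOLEAN is one byte, hence the explicit U1 marshalling instead of the default 4-byte BOOL.
    [DllImport("ntdll.dll")]
    private static extern int RtlSetProcessIsCritical(
        [MarshalAs(UnmanagedType.U1)] bool newValue,
        [MarshalAs(UnmanagedType.U1)] out bool oldValue,
        [MarshalAs(UnmanagedType.U1)] bool checkFlag);

    private const int STATUS_SUCCESS = 0;

    // Marks (enable = true) or unmarks (enable = false) the current process as critical and
    // returns the previous state. While the flag is set, any termination of this process,
    // including Task Manager "End task", bugchecks the OS with CRITICAL_PROCESS_DIED (0xEF).
    public static bool Critical(bool enable)
    {
        // The kernel refuses ProcessBreakOnTermination unless SeDebugPrivilege is enabled in
        // the caller's token. Process.EnterDebugMode() performs AdjustTokenPrivileges and throws
        // a Win32Exception if the account does not hold the privilege (i.e. not elevated).
        Process.EnterDebugMode();

        int status = RtlSetProcessIsCritical(enable, out bool wasCritical, false);
        if (status != STATUS_SUCCESS)
            throw new InvalidOperationException(
                "RtlSetProcessIsCritical failed, NTSTATUS 0x" + status.ToString("X8"));
        return wasCritical;
    }
}

internal static class Program
{
    private static void Main()
    {
        // Clear the flag on every exit path: a critical process that exits normally, or that
        // dies from an unhandled exception, takes the machine down with it. This is why the
        // comment above insists on auto-startup, and why this is self-inflicted denial of
        // service rather than protection.
        AppDomain.CurrentDomain.ProcessExit += (s, e) => SafeClear();
        AppDomain.CurrentDomain.UnhandledException += (s, e) => SafeClear();

        CriticalProcess.Critical(true);   // critical(1): anti-kill
        Console.WriteLine("Process is now critical. Press Enter to clear the flag and exit safely.");
        Console.ReadLine();
        CriticalProcess.Critical(false);  // critical(0): back to an ordinary, killable process
    }

    private static void SafeClear()
    {
        try { CriticalProcess.Critical(false); } catch { /* best effort during shutdown */ }
    }
}
```

Run it from an elevated prompt; without elevation Process.EnterDebugMode() throws before the flag is touched, which is the safe failure. Note that this does not make the process unkillable: it only makes the kill catastrophic, and an attacker who can call TerminateProcess on it can already reboot the box. The kernel-mode approach the second answer describes is what real products rely on for the restart logic; this flag is best treated as a footgun you understand rather than a defence you ship.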