Ruslan Ulanov’s Codeshack

The developer’s notebook

18 Ways to Kill Your Process

Advanced Process Termination utility from Diamond Computer Systems Pty. Ltd. provides 18 unique process attacks:

  • 2 kernel-mode termination techniques
  • 12 user-mode process termination techniques
  • 2 suspension techniques
  • 2 fatal crash techniques

This arsenal makes APT ideal for testing the resistance of software to termination attacks, testing the configuration of your own security programs, as well as allowing you to terminate stubborn software that simply refuses to die.

Kernel Kill #1 – Attempts to terminate the process from a driver using the kernel-level ZwTerminateThread function against every thread in the target process.
Main functions: ZwTerminateThread (ntoskrnl.exe)

Kernel Kill #2 – Attempts to terminate the process from a driver using the kernel-level ZwTerminateProcess function against the target process.
Main functions: ZwTerminateProcess (ntoskrnl.exe)

Kill #1 – Attempts to terminate the process using the TerminateProcess function. This is the same as the End Process function in Windows Task Manager, but as APT acquires SeDebugPrivilege before calling TerminateProcess it is typically able to terminate more processes than Task Manager can: with that privilege enabled, OpenProcess succeeds on processes whose DACL would otherwise refuse the caller. This is the most common method of forceful process termination.
Main functions: OpenProcess, TerminateProcess (kernel32.dll)

Kill #2 – Attempts to terminate the process by sending Close messages (WM_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn’t intercept WM_CLOSE (many programs don’t: DefWindowProc answers it by destroying the window, and most applications exit once their main window is gone).
Main functions: SendMessage WM_CLOSE (user32.dll)

Kill #3 – Attempts to terminate the process by sending Quit messages (WM_QUIT) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process’s message loop exits when it sees WM_QUIT (the standard GetMessage loop does; a program that runs its own loop can simply ignore it).
Main functions: SendMessage WM_QUIT (user32.dll)

Kill #4 – Attempts to terminate the process in the same manner as Kill #2, but sends WM_SYSCOMMAND messages carrying SC_CLOSE (the system-menu Close command) rather than WM_CLOSE window messages. Again, this method only works if 1) the target process has at least one window, and 2) the target process doesn’t handle SC_CLOSE (most programs don’t, and DefWindowProc turns it into a WM_CLOSE).
Main functions: SendMessage WM_SYSCOMMAND/SC_CLOSE (user32.dll)

Kill #5 – Attempts to terminate the process by terminating every individual thread in the target process by using the TerminateThread function. When the last active thread is terminated the process is also terminated.
Main functions: OpenThread, TerminateThread (kernel32.dll)

Kill #6 – Attempts to terminate the process by creating a new thread in the context of the target process whose starting address (the thread’s initial EIP) is the address of the ExitProcess function in kernel32.dll. This relies on kernel32.dll being mapped at the same address in APT and in the target, which holds for processes of the same bitness within one boot session.
Main functions: CreateRemoteThread, ExitProcess (kernel32.dll)

Kill #7 – Attempts to terminate the process by using the EndTask function in user32.dll. This is the same as the End Task function in Windows Task Manager.
Main functions: EndTask (user32.dll)

Kill #8 – Attempts to terminate the process by attaching to it as a debugger, using the DebugActiveProcess function in kernel32.dll. To terminate the target process, the debugger process simply needs to terminate itself: by default Windows kills a debuggee when its debugger goes away (DebugSetProcessKillOnExit controls this). A process can have only one debugger, so the attach fails against a target that already has one attached.
Main functions: DebugActiveProcess (kernel32.dll)

Kill #9 – Attempts to terminate the process by modifying the EIP register of all existing threads so that they all point to the ExitProcess function in kernel32.dll. This is similar to Kill #6, but doesn’t involve the creation of any new thread. Instead, existing threads are used; since SetThreadContext gives unpredictable results on a running thread, a thread has to be suspended while its context is rewritten.
Main functions: SetThreadContext (kernel32.dll)

Kill #10 – Attempts to terminate the process using the completely undocumented WinStationTerminateProcess function. This method only works if the Terminal Services service is enabled.
Main functions: WinStationTerminateProcess (winsta.dll)

Kill #11 – Attempts to terminate the process using the CreateRemoteThread DLL injection method. This method is very similar to Kill #6, but the call to ExitProcess is made by an injected DLL.
Main functions: CreateRemoteThread, LoadLibrary, ExitProcess (kernel32.dll)

Kill #12 – Attempts to terminate the process by using an accomplice process to do the termination. APT injects ‘kill code’ into a newly allocated temporary area of memory within an accomplice process, which then executes a call to TerminateProcess on the target process within the context of the accomplice process.
Main functions: CreateRemoteThread, WriteProcessMemory, TerminateProcess (kernel32.dll)

Crash #1 – Attempts to fatally crash the target process by changing the page protection of the target’s memory region to PAGE_NOACCESS, which blocks all read, write and execute access to it. The next instruction fetch from that region raises an access violation, so the process crashes almost immediately.
Main functions: VirtualProtectEx (kernel32.dll)

Crash #2 – Attempts to fatally crash the target process by overwriting the target’s memory region, destroying the program code so that the target crashes as soon as it tries to execute the garbage left behind.
Main functions: WriteProcessMemory (kernel32.dll)

Suspend #1 – Attempts to suspend each thread in the target process individually using the SuspendThread function in kernel32.dll. Resume capability also available with this method.
Main functions: OpenThread, SuspendThread, ResumeThread (kernel32.dll)

Suspend #2 – Attempts to suspend the process using the NtSuspendProcess function in ntdll.dll. Resume capability also available with this method.
Main functions: NtSuspendProcess, NtResumeProcess (ntdll.dll)
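The entries that need nothing beyond user-mode calls from an ordinary process (Kill #1, Kill #6 and Suspend #2 above) can be exercised from a short script when testing how a program stands up to them. The following is an added example written for this page; it is not APT’s code and not from the original post. It assumes Windows, an elevated PowerShell session (SeDebugPrivilege only exists in an administrator token), a target process of the same bitness as PowerShell, and a PID you are allowed to touch. The function names (Open-Target, Enable-DebugPrivilege, Invoke-Kill1, Invoke-Kill6, Invoke-Suspend2) are my own, and the disposable ping.exe target at the end is constructed for the demo.

```powershell
# Added example for this page, not APT's code. Assumes Windows, an elevated session, same bitness.
$Win32 = @'
using System;
using System.Runtime.InteropServices;
public static class Win32 {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attributes; }
    public const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8;
    public const uint PROCESS_TERMINATE = 0x1, PROCESS_CREATE_THREAD = 0x2, PROCESS_VM_OPERATION = 0x8,
        PROCESS_VM_READ = 0x10, PROCESS_VM_WRITE = 0x20, PROCESS_QUERY_INFORMATION = 0x400,
        PROCESS_SUSPEND_RESUME = 0x800;
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool TerminateProcess(IntPtr proc, uint code);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
    public static extern IntPtr GetModuleHandle(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string name);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateRemoteThread(IntPtr proc, IntPtr attrs, UIntPtr stack,
        IntPtr start, IntPtr arg, uint flags, out uint tid);
    [DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr proc);
    [DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr proc);
}
'@
Add-Type -TypeDefinition $Win32

function Get-LastError { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
function Open-Target([int]$ProcessId, [uint32]$Access) {
    $h = [Win32]::OpenProcess($Access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, error $(Get-LastError)" }
    return $h
}

# What separates Kill #1 from Task Manager: with SeDebugPrivilege enabled, OpenProcess succeeds
# on processes whose DACL would otherwise deny PROCESS_TERMINATE to this user.
function Enable-DebugPrivilege {
    $token = [IntPtr]::Zero
    $access = [Win32]::TOKEN_ADJUST_PRIVILEGES -bor [Win32]::TOKEN_QUERY
    if (-not [Win32]::OpenProcessToken([Win32]::GetCurrentProcess(), $access, [ref]$token)) {
        throw "OpenProcessToken failed, error $(Get-LastError)"
    }
    $luid = New-Object Win32+LUID
    [void][Win32]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)
    $tp = New-Object Win32+TOKEN_PRIVILEGES
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attributes = [Win32]::SE_PRIVILEGE_ENABLED
    $ok = [Win32]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = Get-LastError
    [void][Win32]::CloseHandle($token)
    # AdjustTokenPrivileges returns TRUE even if nothing was enabled; 1300 = ERROR_NOT_ALL_ASSIGNED.
    if (-not $ok -or $err -eq 1300) { throw "SeDebugPrivilege unavailable (error $err); run elevated" }
}

# Kill #1: TerminateProcess on a handle opened with PROCESS_TERMINATE.
function Invoke-Kill1([int]$ProcessId) {
    $h = Open-Target $ProcessId ([Win32]::PROCESS_TERMINATE)
    try { return [Win32]::TerminateProcess($h, 1) } finally { [void][Win32]::CloseHandle($h) }
}

# Kill #6: a remote thread whose start address is ExitProcess. kernel32.dll sits at the same base in
# every process of a boot session, so the address resolved here is also valid inside the target.
function Invoke-Kill6([int]$ProcessId) {
    $exit = [Win32]::GetProcAddress([Win32]::GetModuleHandle('kernel32.dll'), 'ExitProcess')
    $rights = [Win32]::PROCESS_CREATE_THREAD -bor [Win32]::PROCESS_QUERY_INFORMATION -bor
              [Win32]::PROCESS_VM_OPERATION -bor [Win32]::PROCESS_VM_WRITE -bor [Win32]::PROCESS_VM_READ
    $h = Open-Target $ProcessId $rights
    try {
        $tid = 0
        $t = [Win32]::CreateRemoteThread($h, [IntPtr]::Zero, [UIntPtr]::Zero, $exit, [IntPtr]::Zero, 0, [ref]$tid)
        if ($t -eq [IntPtr]::Zero) { return $false }
        [void][Win32]::CloseHandle($t); return $true
    } finally { [void][Win32]::CloseHandle($h) }
}

# Suspend #2: NtSuspendProcess freezes every thread of the target in one call; NtResumeProcess undoes it.
function Invoke-Suspend2([int]$ProcessId, [switch]$Resume) {
    $h = Open-Target $ProcessId ([Win32]::PROCESS_SUSPEND_RESUME)
    try {
        $status = if ($Resume) { [Win32]::NtResumeProcess($h) } else { [Win32]::NtSuspendProcess($h) }
        return ($status -eq 0)   # NTSTATUS 0 is STATUS_SUCCESS
    } finally { [void][Win32]::CloseHandle($h) }
}

# Demo against a disposable target started here (constructed for the example, not a real product).
$victim = Start-Process ping.exe -ArgumentList '-t 127.0.0.1' -WindowStyle Hidden -PassThru
Enable-DebugPrivilege
Invoke-Suspend2 $victim.Id; Start-Sleep 1; Invoke-Suspend2 $victim.Id -Resume
if (-not (Invoke-Kill1 $victim.Id)) { Write-Warning "Kill #1 failed, error $(Get-LastError)"; Invoke-Kill6 $victim.Id }
Wait-Process -Id $victim.Id -Timeout 5 -ErrorAction SilentlyContinue
```

When a product under test survives Invoke-Kill1, the error code tells you which defence you hit: ERROR_ACCESS_DENIED (5) from OpenProcess means the handle was refused (a restrictive DACL, a protected process, or a callback-based handle filter), while TerminateProcess itself failing on an open handle points at the termination call being intercepted. Invoke-Kill6 needs five access rights rather than one, so it is the weaker attack against a target that already limits handle rights; that ordering is why the demo tries Kill #1 first.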

Written by Ruslan Ulanov

July 31st, 2008 at 7:28 pm

Posted in C/C++