New APT v3: Kernel-mode termination added

Discussion in 'DCS Freeware' started by Wayne - DiamondCS, Feb 21, 2006.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I've just uploaded Advanced Process Termination v3.0. We won't be officially releasing it until we've done a bit more testing with it and launched the new website so please consider it a beta, but it's stable enough now for public testing by anybody here who is interested. :)

    The main new addition to this build is a driver-based termination technique - APT's most powerful trick yet! APT drops a small driver in \system32\drivers\ which it invokes to call ZwTerminateProcess in ntoskrnl.exe - this all happens in kernel-mode, so any user-mode countermeasures such as hooks are essentially bypassed. (APT already had extensive anti-hook code for bypassing user-mode hooks but this adds a new dimension to that).

    Sound a bit daunting? Don't worry, it's actually very easy - APT makes it as easy as the click of a button. For example, to use the new kernel-mode termination method simply select the process from the list that you want to terminate, then click the Kernel Kill button.

    APT now has:
    10 user-mode termination techniques
    1 kernel-mode termination technique
    2 crash techniques
    2 suspension techniques

    Download (freeware, 56kb):
    http://www.diamondcs.com.au/downloads/apt.zip

    Screenshot (note the highlighted Kernel Kill button) ...
    http://www.diamondcs.com.au/temp/apt.gif
     
    Last edited: Feb 21, 2006
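The post describes a termination path that lives in a dropped driver rather than in user mode, so user-mode hooks never see it. From a monitoring standpoint the observable sequence is a driver file appearing under \system32\drivers\, being loaded, and a process ending shortly afterwards. The following is an added detection sketch (not DiamondCS code, and not a real Sysmon or ETW schema; the pipe-separated event format, the driver file name and the process names are constructed for illustration) that correlates untrusted driver loads from the drivers directory with process terminations inside a short time window:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str        # "DriverLoad" or "ProcessTerminate"
    path: str        # driver image or terminated process image
    signed: bool     # only meaningful for DriverLoad; "-" parses as False

def parse_line(line: str) -> Event:
    # Constructed format: "<ISO timestamp>|<kind>|<path>|<true|false|->"
    ts, kind, path, signed = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, path, signed == "true")

def flag_kernel_kills(lines, window_s=30):
    """Return (driver_path, terminated_image) pairs where a driver that is not
    trusted-signed was loaded from system32\\drivers\\ at most window_s seconds
    before a process termination. Events may arrive unordered; sort by time."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e.ts)
    suspect_drivers = []   # untrusted drivers loaded so far, oldest first
    hits = []
    for ev in events:
        if ev.kind == "DriverLoad":
            if "\\system32\\drivers\\" in ev.path.lower() and not ev.signed:
                suspect_drivers.append(ev)
        elif ev.kind == "ProcessTerminate":
            for drv in suspect_drivers:
                if timedelta(0) <= ev.ts - drv.ts <= timedelta(seconds=window_s):
                    hits.append((drv.path, ev.path))
    return hits

# Constructed sample log: a normal signed driver load, then an unsigned driver
# dropped into the drivers directory and a process ending one second later,
# then an unrelated termination much later that should not be flagged.
SAMPLE_LOG = [
    r"2006-02-21T10:00:00|DriverLoad|C:\WINDOWS\system32\drivers\tcpip.sys|true",
    r"2006-02-21T10:05:02|DriverLoad|C:\WINDOWS\system32\drivers\example_dropped.sys|false",
    r"2006-02-21T10:05:03|ProcessTerminate|C:\Program Files\ExampleAV\guard.exe|-",
    r"2006-02-21T11:00:00|ProcessTerminate|C:\WINDOWS\notepad.exe|-",
]

if __name__ == "__main__":
    for driver, victim in flag_kernel_kills(SAMPLE_LOG):
        print(f"possible kernel-mode kill: {driver} -> {victim}")
```

A real deployment would replace the parser with the driver-load and process-terminate events from whatever sensor is in use and tune the window to the environment's noise.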
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Wayne,
    Thanks for the update, it's a useful tool.
    Is there any reason why the window still cannot be resized?

    And as another poster mentioned here, it would be a big improvement to show icons, process IDs, program arguments and allow the list to be sorted, to make the list a little easier to scan through quickly.

    As you might understand, it is somewhat less than desirable to be seeing several svchost.exe processes with no PID and no command line parameters and having to guess which is which.

    Thanks
     
    Last edited: Feb 21, 2006
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    gottadoit,
    Thanks for the feedback. :)

    Adding resizing code to any program is almost always a headache for programmers because it takes quite some time to write code that makes the interface look respectable regardless of its size, and because every program needs custom code written for it (because it has its own controls in its own locations and not all can be resized easily) the developer can't really recycle much code either so it all has to be written from scratch.

    In other words, yes I can add a window resizing capability to APT as I've done with some of my other programs, but considering that 1) it's only a process termination/crashing/suspension tool and not a tool that would be used too frequently, 2) it's free, so 3) I make no money from it so it costs me time and money working on it, and 4) I have many other important jobs on the To Do list, that adding resize capabilities to APT unfortunately must wait - I hope you understand? :)

    Granted it would be nice if APT provided more information about processes and provided icons etc, but these things take time to develop/integrate (I'm only one person and there's only 24 hours in one day), and APT is a process termination tool - it is not a process exploration tool as such. In other words its aim is not to provide a plethora of information about a target process but rather to offer you multiple ways of terminating, suspending, and even crashing the target process.

    It already provides the user with the full path\filename and process ID of each process which is sufficient to distinguish one process from another.

    You should only have a few instances of svchost.exe running, and you can easily see the PID of each simply by clicking on each one - APT will show you in its status bar display. I might change it in future though so that it shows the PID alongside the process path\filename ... :)

    It's interesting that you should say this because as far as I'm aware only DiamondCS tools reveal the command line parameters for any processes :)
    Yes, this is something I can integrate into APT (after all, I created it!) and it would be useful, so it's certainly not something we'll rule out, and certainly something we'll consider adding; however, please keep in mind that our main focus for this Advanced Process Termination tool is process termination/crashing/suspension testing, not so much process exploration. :)

    Best regards,
    Wayne
     
    Last edited: Feb 21, 2006
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Wayne,
    Thanks for the reply, but I do find it a little surprising that you have never seen the Sysinternals Process Explorer tool, as that has been around for many years and does show the command line parameters (there are of course a few others that do as well).

    As you have already anticipated, I wasn't looking to use the tool for process exploration, but instead when I wish to kill something I want to be able to find it quickly. The existing implementation does allow the process to be found, but not necessarily quickly. In any case, thanks for considering it, and if any of the features appear in a future release it will make the tool a little more user friendly, I'm sure.

    Regards
     
  5. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hey,

    thx for the update! :D

    Will there be an update for APM, too?

    EDIT: And where is the button "All"? Why is it gone? :(

    Btw, an ability to select many processes at once to kill would be cool :p

    thx and best regards,

    iNsuRRecTiON
     
    Last edited: Feb 24, 2006
  6. EASTER.2010

    EASTER.2010 Guest

    Very nice. Thanks for adding the extra kernel feature. Should prove very handy in testing some system drivers I have a time of stopping without reboot or other measures.
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Possibly, but not in the immediate future - I just have far too much on my To Do list at the moment, APM is very stable in its current build, and there really isn't too much more that could be added to it ... ? :)
     
  8. EASTER.2010

    EASTER.2010 Guest

    Agreed, seems fine enough on this end as it is. It's a great help locally in determining what the limits of termination are on various security apps that might need some extra watching over.

    Thanks Again.
     
  9. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hey,

    maybe a new GUI or details as suggested here for APT..

    APM is the only one which can unload DLLs, besides Unlocker (but Unlocker isn't created to unload a DLL from a certain process).

    And the unload DLL feature isn't that safe yet, can you improve it or isn't there a safer/proper way to do this?

    thx and best regards,

    iNsuRRecTiON
     
  10. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    Thanks for the update, I love it .. Hey it may be small but it's certainly got some power, keep up the great work :)
     
  11. LeeH

    LeeH Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    25
    Location:
    West London, UK
    Please would somebody very kindly send me a copy of APT version 3.0, as I wish to compare versions 3 and 4.

    lee_hudson @ talktalk.net

    I have already searched almost the whole net, including the DiamondCS site, so thanks for any help with the file.

    If anyone has a link instead, then that would be great also.

    Thanks very much.

    Best regards,
    Lee.
     
    Last edited by a moderator: Aug 7, 2006
  12. LeeH

    LeeH Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    25
    Location:
    West London, UK
    Hi,

    Thanks so much for sending me the file!

    I am very, very grateful for that. :)

    Have a nice day.

    Best regards,
    Lee.
     
  13. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hey,

    Good, and what is your conclusion of that comparison?

    Share it with us, thx ;-)

    best regards,

    iNsuRRecTiON
     