Discussion in 'ProcessGuard' started by the mul, Mar 27, 2004.
Can you tell me what exactly happens when you run this demo in PG?
Hi, the mul
When you run the kill demo, it will try to kill the items in the list (it also shows them in the log). If it kills any, it means they have not been protected, so make sure you add them to your protection list.
I hope this is of some help
Hi The Mul,
Here are the descriptions of the various termination methods used, taken from the DCS website. In addition, there is the Keyhook test utility available here: http://www.diamondcs.com.au/processguard/keyhook.exe
DiamondCS Advanced Process Termination provides seven different process termination methods, as well as a Suspend/Resume capability.
Suspend/Resume - All active threads in the target process are suspended or resumed, essentially providing you with the capability to freeze and unfreeze processes at will.
Kill Method #1 - Terminates the process using the TerminateProcess function. This is the same as the End Process function in Windows Task Manager, but as APT acquires SeDebugPrivilege it's typically able to terminate more processes than Task Manager can.
Kill Method #2 - Terminates the process by terminating every individual thread in the target process by using the TerminateThread function. When the last active thread is terminated the process is also terminated.
Kill Method #3 - Terminates the process by creating a new thread in the context of the target process, which has a starting address (stored in the EIP register) which is the address of the ExitProcess function in kernel32.dll.
Kill Method #4 - Terminates the process by modifying the EIP register of all existing threads so that they all point to the ExitProcess function in kernel32.dll. This is similar to Kill Method #3, but doesn't involve the creation of any new thread. Instead, existing threads are used.
Kill Method #5 - Terminates the process by attaching to it as a debugger, using the DebugActiveProcess function in kernel32.dll. To terminate the target process, the debugger process simply needs to terminate itself, at which point the process being debugged (the target process) is also terminated.
Kill Method #6 - Terminates the process by using the EndTask function in user32.dll. This is the same as the End Task function in Windows Task Manager.
Kill Method #7 - Terminates the process by sending Close messages (called WM_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_CLOSE message (most programs usually don't).
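The reply above says to check the demo's log and add anything it managed to kill to the protection list. The following PowerShell script is an added example written for this thread, not code from DiamondCS, ProcessGuard or APT: it snapshots the processes you expect to be protected (name, PID and start time), waits while you run the kill demo, then reports which of them survived. The default process names in the parameter block are assumptions; substitute the entries from your own protection list. Comparing start times as well as PIDs avoids counting a process that was killed and restarted under a reused PID as a survivor.

```powershell
# Added example (not DiamondCS/ProcessGuard code): verify which of the processes
# on your protection list survive the APT kill demo.
# The names below are assumptions; replace them with your own protected processes.
param(
    [string[]]$Protected = @('procguard', 'pgaccount', 'notepad')
)

function Get-SafeStartTime {
    param($Process)
    # StartTime can throw (access denied) for processes owned by another account;
    # treat that as unknown rather than aborting the check.
    try { return $Process.StartTime } catch { return $null }
}

function Get-ProtectedSnapshot {
    param([string[]]$Names)
    # Record name, PID and start time for every instance of each protected name.
    $snapshot = @{}
    foreach ($name in $Names) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            Write-Warning "No running process named '$name' - nothing to test for it"
            continue
        }
        foreach ($p in $procs) {
            $snapshot[$p.Id] = [pscustomobject]@{
                Name      = $p.ProcessName
                Id        = $p.Id
                StartTime = Get-SafeStartTime -Process $p
            }
        }
    }
    return $snapshot
}

function Compare-ProtectedSnapshot {
    param([hashtable]$Before)
    # A process "survived" only if the same PID still exists and, where known,
    # still has the same start time (a restarted process with a reused PID does
    # not count as protected).
    foreach ($entry in $Before.Values) {
        $p = Get-Process -Id $entry.Id -ErrorAction SilentlyContinue
        $survived = $false
        if ($p) {
            $now = Get-SafeStartTime -Process $p
            $survived = ($null -eq $entry.StartTime) -or ($now -eq $entry.StartTime)
        }
        [pscustomobject]@{
            Name     = $entry.Name
            Id       = $entry.Id
            Survived = [bool]$survived
        }
    }
}

$before = Get-ProtectedSnapshot -Names $Protected
if ($before.Count -eq 0) { return }

Write-Host "Tracking $($before.Count) process(es). Run the APT kill demo now, then press Enter."
[void](Read-Host)

$results = @(Compare-ProtectedSnapshot -Before $before)
$results | Format-Table -AutoSize

$killed = @($results | Where-Object { -not $_.Survived })
if ($killed.Count -gt 0) {
    $names = ($killed | ForEach-Object { "$($_.Name) [$($_.Id)]" }) -join ', '
    Write-Warning "Terminated - add these to the ProcessGuard protection list: $names"
} else {
    Write-Host "All tracked processes survived the demo."
}
```

Run it from an elevated console before starting the demo so that StartTime is readable for processes running under other accounts; anything reported as terminated is exactly what the earlier reply says to add to the protection list.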