process kill demo

Discussion in 'ProcessGuard' started by the mul, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. the mul (Registered Member; joined Jul 31, 2003; 1,703 posts; location: scotland)

    Can you tell me what exactly happens when you run this demo in PG?


    The mul
     
  2. TheQuest (Registered Member; joined Jun 9, 2003; 2,301 posts; location: Kent, UK by the sea)

    Hi, the mul

    When you run the kill demo, it will try to kill the items in the list (it also shows them in the log). If it kills any, it means they have not been protected, so make sure you add them to your protection list.

    I hope this is of some help
    TheQuest :cool:
     
  3. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; location: Hampshire UK)

    Hi The Mul,
    Here are the descriptions of the various termination methods used, taken from the DCS website. In addition, there is the Keyhook test utility available here: http://www.diamondcs.com.au/processguard/keyhook.exe

    DiamondCS Advanced Process Termination provides seven different process termination methods, as well as a Suspend/Resume capability.

    Suspend/Resume - All active threads in the target process are suspended or resumed, essentially providing you with the capability to freeze and unfreeze processes at will.

    Kill Method #1 - Terminates the process using the TerminateProcess function. This is the same as the End Process function in Windows Task Manager, but as APT acquires SeDebugPrivilege it's typically able to terminate more processes than Task Manager can.

    Kill Method #2 - Terminates the process by terminating every individual thread in the target process by using the TerminateThread function. When the last active thread is terminated the process is also terminated.

    Kill Method #3 - Terminates the process by creating a new thread in the context of the target process, whose starting address (stored in the EIP register) is the address of the ExitProcess function in kernel32.dll.

    Kill Method #4 - Terminates the process by modifying the EIP register of all existing threads so that they all point to the ExitProcess function in kernel32.dll. This is similar to Kill Method #3, but doesn't involve the creation of any new thread. Instead, existing threads are used.

    Kill Method #5 - Terminates the process by attaching to it as a debugger, using the DebugActiveProcess function in kernel32.dll. To terminate the target process, the debugger process simply needs to terminate itself, at which point the process being debugged (the target process) is also terminated.

    Kill Method #6 - Terminates the process by using the EndTask function in user32.dll. This is the same as the End Task function in Windows Task Manager.

    Kill Method #7 - Terminates the process by sending Close messages (called WM_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_CLOSE message (most programs usually don't).
     
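A practical way to act on TheQuest's advice above (check which of your protected processes the demo actually managed to kill, then add the survivors' missing siblings to the protection list) is to snapshot the running instances before and after the demo. This PowerShell script is an added example for this thread, not code from DiamondCS or ProcessGuard; the `$ProtectedNames` list is a constructed sample and should be replaced with the process names from your own protection list.

```powershell
# Added example (not from the thread or from DiamondCS): record which instances of
# the processes you believe are protected are running before the kill demo, then
# compare after the demo to see which ones were terminated (and so are unprotected).

function Get-ProtectedSnapshot {
    param([string[]]$Names)
    # One entry per running instance, so several copies of the same program are
    # tracked separately by process id.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.ProcessName } |
        Select-Object ProcessName, Id
}

function Compare-Survivors {
    param($Before, $After)
    # A process id that is present in both snapshots survived all seven kill
    # methods; one missing from the second snapshot was terminated.
    $aliveIds = @($After | ForEach-Object { $_.Id })
    foreach ($p in $Before) {
        [pscustomobject]@{
            ProcessName = $p.ProcessName
            Id          = $p.Id
            Survived    = ($aliveIds -contains $p.Id)
        }
    }
}

# Constructed sample list; use the names from your own ProcessGuard protection list.
$ProtectedNames = @('notepad', 'calc')

$before = Get-ProtectedSnapshot -Names $ProtectedNames
Read-Host 'Run the kill demo now, then press Enter'
$after  = Get-ProtectedSnapshot -Names $ProtectedNames

# Anything listed with Survived = False needs to be added to the protection list.
Compare-Survivors -Before $before -After $after | Format-Table -AutoSize
```

Process ids can be reused by Windows, so if the demo is slow or the machine is busy, also check the demo's own log (which, as noted above, lists what it killed) rather than relying on this comparison alone.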