Announcement

Collapse

Forum Guidelines

This forum is for finished source code that is working properly. If you have questions about this or any other source code, please post it in one of the Discussion Forums, not here.
See more
See less

4 ways to kill/terminate processes

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • 4 ways to kill/terminate processes

    Code:
    #COMPILE EXE
    #INCLUDE "Win32Api.Inc"
    #INCLUDE "tlhelp32.inc"
     
    '## METHOD 1 - Common, <U>recommended</U> method ([email protected])
    SUB KillByTerminate (BYVAL ProcID AS LONG)
     LOCAL hProc AS LONG
     hProc = OpenProcess(BYVAL %PROCESS_TERMINATE, BYVAL 0, BYVAL ProcID)
     IF hProc <> %NULL THEN TerminateProcess BYVAL hProc, BYVAL %NULL
     CloseHandle hProc
    END SUB
     
    '## All other methods listed below are considered experimental and are
    '## here for demonstrative purposes only. They shouldn't actually be
    '## used in your programs, especially as the above method works fine.
    '## But it does show there's more than one way to skin a goose    [img]http://www.powerbasic.com/support/forums/smile.gif[/img]
     
    '## METHOD 2 - Terminate all threads in the target process ([email protected])
    SUB KillByThreads (BYVAL dwPID AS DWORD)
    DIM hSnapShot AS DWORD, lResult AS DWORD, TE32 AS THREADENTRY32, hThread AS DWORD
    hSnapshot = CreateToolHelp32SnapShot (%TH32CS_SNAPTHREAD OR %TH32CS_SNAPMODULE, BYVAL dwPID)
    IF hSnapshot <> %INVALID_HANDLE_VALUE THEN
        TE32.dwSize = SIZEOF(TE32)
        lresult = Thread32First (hSnapshot,TE32)
        WHILE ISTRUE lResult
            IF TE32.th32OwnerProcessID = dwPID THEN
                hThread = OpenThread(BYVAL %THREAD_TERMINATE, BYVAL %FALSE, BYVAL TE32.th32ThreadID)
                IF hThread <> 0 THEN
                    TerminateThread BYVAL hThread, BYVAL 0
                    CloseHandle hThread
                END IF
            END IF
            lResult = Thread32Next (hSnapShot, TE32)
        WEND
        CloseHandle hSnapShot
    END IF
    END SUB
     
    '## METHOD 3 - Create a remote thread at ExitProcess (CreateRemoteThread)
    SUB KillByRemoteThread (BYVAL dwPID AS DWORD)
    DIM hKern AS DWORD, hExitProc AS DWORD, hProc AS DWORD, lpThreadAttributes AS SECURITY_ATTRIBUTES, lpThreadId AS DWORD
    hKern = GetModuleHandle("kernel32.dll")
    hExitProc = GetProcAddress(hKern, "ExitProcess")
    hProc = OpenProcess(BYVAL %PROCESS_QUERY_INFORMATION OR %PROCESS_CREATE_THREAD OR %PROCESS_VM_OPERATION OR %PROCESS_VM_WRITE OR %PROCESS_VM_READ, 0, dwPID)
    W& = WaitForSingleObject(Z&, %INFINITE)
    IF hProc <> 0 THEN
       CreateRemoteThread BYVAL hProc, lpThreadAttributes, BYVAL 0, hExitProc, BYVAL 0, BYVAL 0, lpThreadId
       CloseHandle hProc
    END IF
    END SUB
     
    '## METHOD 4 - Thread EIP modification (similar to a combination of methods 2 and 3, but no remote thread is created)
    SUB KillByEIP (BYVAL dwPID AS DWORD)
    DIM hSnapShot AS DWORD, lResult AS DWORD, TE32 AS THREADENTRY32, hThread AS DWORD, hKern AS DWORD, hExitProc AS DWORD, lpContext AS CONTEXT
    hKern = GetModuleHandle("kernel32.dll")
    hExitProc = GetProcAddress(hKern, "ExitProcess")
    hSnapshot = CreateToolHelp32SnapShot (%TH32CS_SNAPTHREAD OR %TH32CS_SNAPMODULE, BYVAL dwPID)
    IF hSnapshot <> %INVALID_HANDLE_VALUE THEN
        TE32.dwSize = SIZEOF(TE32)
        lresult = Thread32First (hSnapshot,TE32)
        WHILE ISTRUE lResult
            IF TE32.th32OwnerProcessID = dwPID THEN
                hThread = OpenThread(BYVAL %THREAD_SUSPEND_RESUME OR %THREAD_SET_CONTEXT OR %THREAD_GET_CONTEXT, BYVAL %FALSE, BYVAL TE32.th32ThreadID)
                IF hThread <> 0 THEN
                    SuspendThread BYVAL hThread
                    lpContext.ContextFlags = %CONTEXT_CONTROL
                    GetThreadContext BYVAL hThread, lpContext
                    lpContext.regEIP = hExitProc
                    SetThreadContext BYVAL hThread, lpContext
                    ResumeThread BYVAL hThread
                    CloseHandle hThread
                END IF
            END IF
            lResult = Thread32Next (hSnapShot, TE32)
        WEND
        CloseHandle hSnapShot
    END IF
    END SUB
      
    FUNCTION PBMAIN() AS LONG
    DIM dwProcToKill AS DWORD
    dwProcToKill = 2376 '<--- change this to the process ID to terminate.
    'KillByTerminate BYVAL dwProcToKill
    'KillByThreads BYVAL dwProcToKill
    'KillByRemoteThread BYVAL dwProcToKill
    'KillByEIP BYVAL dwProcToKill
    END FUNCTION

    ------------------
    The PowerBASIC Crypto Archives - My Email - What's mine is yours...


    [This message has been edited by Wayne Diamond (edited October 02, 2003).]
    -

  • #2
    Nice timing - just one day after I post the above source, an NTBugtraq post appears that demonstrates another method of process termination, this time by sending WM_QUIT with PostThreadMessage, see http://www.ntbugtraq.com/default.asp...&F=P&S=&P=2465

    This isn't actually as effective as the four methods posted above because the target process MUST have a message queue. Also, WM_QUIT messages can be ignored by the target process so they should be able to protect themselves from this type of attack.

    There was some C source code at the URL above that demonstrates everything, but really all there is to it is sending the WM_QUIT message to the message queue of the target process. All other code is simply there to find that message queue, by hunting for windows.

    Code:
    #COMPILE EXE
    #INCLUDE "win32api.inc"
     
    GLOBAL ProcID AS DWORD, MainWnd AS DWORD, MainThread AS DWORD
     
    SUB EnumerateChildren(hWndParent AS LONG)
    DIM hWndChild AS LONG, dwProc AS DWORD, hThread AS DWORD
    hThread = GetWindowThreadProcessId(hWndParent,dwProc)
    IF hThread <> 0 THEN
       IF dwProc = ProcID THEN
          MainWnd = hWndParent
          MainThread = hThread
          EXIT SUB
       END IF
    END IF
    hWndChild = GetWindow(hWndParent, %GW_CHILD OR %GW_HWNDFIRST)
    DO WHILE hWndChild <> 0
     EnumerateChildren hWndChild
     hWndChild = GetWindow(hWndChild, %GW_HWNDNEXT)
    LOOP
    END SUB
     
    FUNCTION PBMAIN() AS LONG
    ProcID = 2036  '<-- target PID to kill. Calc.exe works fine
    EnumerateChildren GetDesktopWindow
    IF MainWnd <> 0 THEN
       STDOUT "Found main window @ 0x" & HEX$(MainWnd,8)
       IF PostThreadMessage(BYVAL MainThread, BYVAL %WM_QUIT, BYVAL 0, BYVAL 0) <> 0 THEN
        STDOUT "Sent WM_QUIT."
       ELSE
        STDOUT "Failed to send WM_QUIT."
       END IF
    END IF
    WAITKEY$
    END FUNCTION

    ------------------
    The PowerBASIC Crypto Archives - My Email - What's mine is yours...
    -

    Comment

    Working...
    X