如何阻止我的进程被杀死：SetSecurityInfo（） [英] How can I stop my Process from being killed : SetSecurityInfo()

问题描述

我需要尝试向尝试结束我的进程的任何用户提供访问被拒绝的消息。我制作了一个反病毒软件，它使用启发式方法来检测任何运行的恶意程序。这完美无缺，但现在我需要确保我的流程无法终止。今天的大多数反病毒程序都倾向于挂钩函数，例如：



ZwOpenProcess（），NtOpenProcess（），NtTerminateProcess（）甚至是NtQuerySystemInformation（），ZwQuerySystemInformation（）。



这些有时被认为是阻止用户终止它的过程的原始方式，不仅如此，而且所有Zw *（）函数都是内核级模式函数而我我是编程或颠覆内核的新手。这也是恶意软件或特洛伊木马也会采用相同的路径。我个人不想使用恶意软件和特洛伊木马做的事情，因为如果我挂起与其他反病毒相同的功能它可能导致BSOD（蓝屏死机）。我通过Google的许多页面查看了其他可以执行相同功能的方法，以阻止用户终止我的进程，我终于找到了一个名为''SetSecurityInfo（）''的函数。我很高兴我找到了这样一个能让我完全按照自己的意愿行事的功能。但我不知道如何使用该功能。有人可以给我一个简单的教程或代码片段，展示我如何安全地使用SetSecurityInfo（）。



我首先试图挂钩这些函数，但这导致我的软件被由AV（反病毒）检测到。



谢谢。

Hi,

I am in need of trying to give access denied message to any-users who try to end my processes. I have made a Anti-Virus which uses heuristics to detect any malicious programs running. This worked flawlessly but now I need to make sure my Process cannot be terminated. Most Anti-Viruses today tend to hook into functions such as:

ZwOpenProcess(), NtOpenProcess(), NtTerminateProcess() Or even NtQuerySystemInformation() , ZwQuerySystemInformation().

These is sometimes considered crude way of stopping user from terminating it''s process , Not only that but all Zw*() functions are kernel level mode functions and I am very new to programming or subverting into the kernel. This is also same path Malware or Trojans tend to do as well. I personally do not want to use what Malware & Trojans do since if I hook a same functions as a other Anti-Virus It can lead to BSOD (Blue Screen Of Death). I so looked through many pages of Google about other ways I can do the same function , to stop users form terminating my process, I finally found a function called ''SetSecurityInfo()''. I was happy that I found such a function which allows me to do exactly what I wish. But I do not know how to use the Function. Can somebody give me a simple tutorial or code snippet showing how I can use SetSecurityInfo() safely.

I first tried to hook such functions but this result in my software being detected by a AV (Anti-Virus).

Thanks.

推荐答案

一般来说，有几种方法可以防止流程表停止，以及绕过这些方式的其他方法。

您可以阻止用户使用Windows进程管理器来终止您的进程，但是您无法阻止用户以编程方式终止您的进程，例如，使用最低级别的TerminateProcess，因此没有其他用户级别的功能可以阻止它终止您的进程。还有其他方法：

例如，您可以创建另一个进程（甚至是NT服务），它将成为看门狗并不断验证您的服务是否正在运行。

您的建议也是一个不错的选择。你没有提到你没有实现它，但只提到你的应用程序现在被AV程序标记。这并不表示编程问题。有办法解决这个问题。每个AV公司都有一个错误标记的白名单应用程序（这种标志被称为误报）。你需要申请。解释你的AV做了什么，因为它是一个合法的应用程序，他们可能会解除这个障碍。另一件对您有帮助的事情就是获得代码签名证书（如AuthentiCode）。

Generally speaking, there are several ways prevent a process form being stopped, and other ways to bypass these ways.
You can prevent users from using the Windows process manager to terminate your process, but you can''t prevent users from terminating your process programatically, for example, using TerminateProcess, which is the lowest level, so no other user level function can prevent it from terminating your process. There are other ways around:
For example, you can create another process (or even an NT service) which will be a "Watch Dog" and constantly verify that your service is running.
Your suggestion is also a good choice. You didn''t mention that you failed to implement it, but only mentioned that your application is now flagged by AV programs. That doesn''t indicate a programming issue. There are ways to handle this. Each AV company has a procedure for white-listing applications that are mistakenly flagged (such flag is referred to as "False Positive"). You need to apply. Explain what your AV do and since it is a legitimate application, they will probably lift this block. Another thing that will most definitely help you, would be obtaining a Code Signing Certificate (like AuthentiCode).

这篇关于如何阻止我的进程被杀死：SetSecurityInfo（）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！