How to prevent a process from being killed in task manager?


Problem description


We are trying to create a security application as a part of our college project.

We understand there are no real unkillable processes. What we are trying to create is a process that can't be killed from task manager (or any other easy way).

For example, try killing Kaspersky's AVP process. You will always end up with "Unable to terminate process" and "Operation could not be performed".

What I have tried:

Been searching around the web for days and always kept ending at results like "No, you cannot do it", "No, you should not do it".

And keep on ending up here Unterminable process

What we would like

Some help on identifying the issues we need to address, or tricks others have used, or links or pointers to help us get a handle on this problem.

Recommended answer






Hi,

You can absolutely do this but it is a lot of work and will require a very high level of expertise.

1.) You will need to create a signed ELAM driver. You can put your workstation in Test Mode and generate a self-signed EKU certificate.

2.) You will need to create a system service that runs as a protected service.

3.) From the protected system service you may launch child processes which will run as a protected process. Note that protected processes cannot have any GUI threads.

All of the DLLs and executables involved need to be signed by the same certificate. You will need to generate special certificates with the 1.3.6.1.5.5.7.3.3 (codesigning) and 1.3.6.1.4.1.311.61.4.1 (early-launch) EKUs.

Something like this:
makecert.exe -a SHA256 -r -pe -ss YourCertStore -n "CN=YourTestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 -sr localmachine YourTestElam.cer








Good luck. There are a lot of missing steps in this brief summary.

Best Wishes,
-David Delaune
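
A defender-side check related to the steps above, as an added example that is not part of the original answer: it lists services whose `LaunchProtected` registry value marks them as protected services and reports whether each service binary's signing certificate carries the two EKUs named in the answer. The helper `Get-ImageFile` and the output column names are made up for this example.

```powershell
# Added example: audit services marked as protected and inspect their signer EKUs.
$ekuCodeSigning = '1.3.6.1.5.5.7.3.3'       # code signing OID, as named in the answer
$ekuEarlyLaunch = '1.3.6.1.4.1.311.61.4.1'  # early-launch OID, as named in the answer

# LaunchProtected values (SERVICE_LAUNCH_PROTECTED_* in winsvc.h); 0 or absent = none
$levels = @{ 1 = 'Windows'; 2 = 'WindowsLight'; 3 = 'AntimalwareLight' }

function Get-ImageFile([string]$ImagePath) {
    # Hypothetical helper: reduce a service ImagePath (quotes, arguments,
    # environment variables, \SystemRoot\ or \??\ prefixes) to a file path.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    if ($p -match '^(.+?\.(exe|sys))(\s|$)') { return $Matches[1] }
    return $p
}

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.LaunchProtected) { return }  # not a protected service

    $file = Get-ImageFile $svc.ImagePath
    $sig  = $null
    if ($file -and (Test-Path -LiteralPath $file)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file
    }

    # Collect the EKU OIDs from the signer certificate, if there is one.
    $ekus = @()
    if ($sig -and $sig.SignerCertificate) {
        $ekus = @($sig.SignerCertificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Service        = $_.PSChildName
        Protection     = $levels[[int]$svc.LaunchProtected]
        Image          = $file
        SignatureState = if ($sig) { $sig.Status } else { 'unreadable' }
        CodeSigningEku = $ekus -contains $ekuCodeSigning
        EarlyLaunchEku = $ekus -contains $ekuEarlyLaunch
    }
} | Format-Table -AutoSize
```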

