JKornev/hidden

protect pid does not work

SearchGuardBy opened this issue · 7 comments

OS: Windows 10 x64 and Windows 7 SP1 x64.
The driver loads successfully.

When I execute "HiddenCLI /protect pid 9948", it returns "Error, target 'pid' isn't allowed". PID 9948 is taskmgr.exe.

So what is the problem? Thank you.

Hi,

Thanks for the report. I pushed a fix (a780193), please check.


I got a successful return, but when I terminate it in Task Manager, it can still be killed. I tested it on Windows 10 x64.

Supplement: it worked on Windows 7 SP1 x64, but not on Windows 10 x64.

Please explain what you did, step by step.

1. First I ran notepad.exe and found its PID using tasklist.

2. Then I ran "HiddenCLI.exe /protect pid 2488":
Command 'protect' successful

3. Then I opened Task Manager and terminated notepad.exe.

And notepad.exe got killed.

The above was tested on Windows 10 x64, where it did not work, while it worked on Windows 7 x64.

So I have dug up a few bugs and prepared two fixes (commits 0e9e814 and 7ad8dca). Both are related to the process protection mechanism.

Now the driver is able to drop TERMINATE rights from handles to protected processes and threads, as expected. But Task Manager is still able to terminate an application. You should understand that a process can be terminated in different ways, for instance by the ZwTerminateProcess or ZwTerminateThread system calls, or by sending WM_QUIT, WM_DESTROY or WM_CLOSE messages to the process's main window, and so on. Hidden.sys is only able to protect process/thread handles; it doesn't cover tricks with window messages. That's why I guess Task Manager is able to kill any process on Windows 10, avoiding Hidden's protection. Possibly, when you push "End task", it sends WM_DESTROY to the main window for UI applications, or the same message to the console window for console applications; as a result the application closes itself.

Currently Hidden doesn't have any feature that can prevent process termination by window messages.

In any case, thanks for your report. I'm going to check what trick Task Manager uses when I find time for it.
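The distinction the maintainer draws above (handle-level protection versus window-message termination) is easy to verify directly. The following PowerShell script is an added example, not part of the Hidden project or this thread: it opens a handle to a process with PROCESS_TERMINATE and then tries to terminate through that handle, which is exactly the path Hidden.sys covers. Run it only against a throwaway notepad.exe you started yourself and protected with `HiddenCLI.exe /protect pid <pid>`, as in the report; the `$ProcessId` parameter, the `Win32.Native` type name and the result strings are all assumptions of this example.

```powershell
# Added example (not project code): check whether the TERMINATE right is
# actually stripped from a handle to a Hidden-protected process.
# Usage: .\Check-TerminateRight.ps1 -ProcessId <pid of your own test notepad.exe>
param(
    [Parameter(Mandatory = $true)][int]$ProcessId
)

# Minimal P/Invoke surface: OpenProcess / TerminateProcess / CloseHandle from kernel32.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_TERMINATE   = 0x0001   # access right the driver is supposed to remove
$ERROR_ACCESS_DENIED = 5        # Win32 error expected when the right was stripped

$h = [Win32.Native]::OpenProcess($PROCESS_TERMINATE, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Output "OpenProcess(PROCESS_TERMINATE) failed with Win32 error $err"
    return
}

try {
    # With handle-level protection in place, OpenProcess still succeeds but the
    # handle no longer carries TERMINATE, so this call must fail with error 5.
    # If it succeeds, the test process is gone and the right was NOT stripped.
    $ok  = [Win32.Native]::TerminateProcess($h, 0)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($ok) {
        Write-Output "NOT PROTECTED: TerminateProcess succeeded through the handle"
    } elseif ($err -eq $ERROR_ACCESS_DENIED) {
        Write-Output "PROTECTED: TerminateProcess denied (error 5), TERMINATE right was stripped"
    } else {
        Write-Output "TerminateProcess failed with unexpected Win32 error $err"
    }
} finally {
    [void][Win32.Native]::CloseHandle($h)
}
```

A "PROTECTED" result only tells you that the handle path is covered; it says nothing about the window-message path the maintainer describes, where a WM_CLOSE or WM_DESTROY delivered to the application's window makes the process exit on its own without anyone holding a TERMINATE handle to it. That is why the two checks (this script and the Task Manager "End task" test from the report) can disagree on Windows 10.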