protect pid does not work
SearchGuardBy opened this issue · 7 comments
Hi,
Thanks for the report, I pushed a fix (a780193), please check.
I got a successful return, but when I terminate it in the Task Manager, it can be killed. I tested it on Windows 10 x64.
Supplement: it worked on Windows 7 SP1 x64, not on Windows 10 x64.
Please explain what you did, step by step.
1. First I ran notepad.exe and found its PID using tasklist.
2. Then I ran `HiddenCLI.exe /protect pid 2488`:
Command 'protect' successful
3. Then I opened the Task Manager and terminated notepad.exe,
and notepad.exe got killed.
The above was tested on Windows 10 x64, where it did not work, while it worked on Windows 7 x64.
So I have dug up a few bugs and prepared two fixes (commits 0e9e814 and 7ad8dca). Both are related to the Process Protection mechanism.
Now the driver is able to drop TERMINATE rights from handles to protected processes and threads, as expected. But Task Manager is still able to terminate an application. You should understand that a process can be terminated in different ways, for instance by the ZwTerminateProcess or ZwTerminateThread system calls, or by sending WM_QUIT, WM_DESTROY or WM_CLOSE messages to the main process window, and so on. Hidden.sys is only able to protect process/thread handles; it doesn't cover tricks with window messages. That's why I guess Task Manager is able to kill any process, avoiding Hidden's protection, on Windows 10. Possibly when you push "End task" it sends WM_DESTROY to the main window for UI applications, or the same message to the console window for console applications, and as a result the application closes itself.
Currently Hidden doesn't have any feature that can prevent process termination by window messages.
In any case, thanks for your report. I'm going to check what trick Task Manager uses when I find time for it.
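An added verification script for the two termination paths the maintainer describes (handle-based TerminateProcess versus a window message); it is not part of the Hidden project. It assumes the Hidden driver is loaded, HiddenCLI.exe is on PATH (or passed via `-HiddenCli`), and the `/protect pid <n>` syntax shown in the report; the function name `Test-HiddenProtection` is hypothetical.

```powershell
# Added example, not Hidden's own code. Assumes HiddenCLI.exe is reachable and
# the Hidden driver is loaded; run from an elevated PowerShell session.
param([string]$HiddenCli = "HiddenCLI.exe")

function Test-HiddenProtection {
    param([string]$HiddenCli)
    $proc = Start-Process notepad.exe -PassThru
    Start-Sleep -Seconds 1            # let the main window appear
    $result = [ordered]@{ Pid = $proc.Id }

    # 1. Register the process with Hidden, same command as in the report.
    $out = & $HiddenCli /protect pid $proc.Id 2>&1
    $result.ProtectOutput = ($out | Out-String).Trim()

    # 2. Handle-based path: Stop-Process opens a handle with PROCESS_TERMINATE
    #    and calls TerminateProcess. With the fix, this is expected to be denied.
    try {
        Stop-Process -Id $proc.Id -ErrorAction Stop
        Start-Sleep -Milliseconds 500
        $result.TerminateBlocked = -not $proc.HasExited
    } catch {
        $result.TerminateBlocked = $true
        $result.TerminateError  = $_.Exception.Message
    }

    # 3. Window-message path: CloseMainWindow posts WM_CLOSE to the main window.
    #    Hidden does not intercept window messages, so the app exits on its own;
    #    this is the gap the maintainer describes for Task Manager's "End task".
    if (-not $proc.HasExited) {
        $null = $proc.CloseMainWindow()
        $null = $proc.WaitForExit(3000)
        $result.ClosedByWindowMessage = $proc.HasExited
    }
    [pscustomobject]$result
}

Test-HiddenProtection -HiddenCli $HiddenCli | Format-List
```

Expected on a working build: `TerminateBlocked` is `True` while `ClosedByWindowMessage` is also `True`, which matches the maintainer's explanation that only the handle path is covered.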