How can I make the running process become a SYSTEM process (under NT) so it can't be terminated, like the whole bunch of system processes for which XP reports that they are important system programs and as such can't be terminated?
Posted on 2002-11-07 17:35:31 by Milos
.NON-CODE APPROACH
One thing you could do without coding is to give your executable
one of the following names: services.exe, smss.exe, winlogon.exe, lsass.exe,
svchost.exe, etc.

These names are protected by the system because they are
'critical system processes'. This only works with Windows/NT systems.

.CODE APPROACH
When it comes down to coding such a program which will happily reside
"un-kill'able" to programs such as the Windows task manager and
some other 3rd-party software (that uses poor code),

then you want to make your program into a system service, and remove
the 'stop' function so that no one can stop it. But if you use API calls
like TerminateProcess, you can kill it and any system process, including
the 'critical system processes'.

http://spiff.tripnet.se/~iczelion/tutorials.html
That's right! It's located on the homepage of Iczelion.


Hope this helps,
:Natas:
Posted on 2002-11-07 18:20:30 by natas
Wow!!!!!! It actually worked just by renaming the program! I'm so excited about this! I never thought this was possible!
Thanks man!
Posted on 2002-11-07 18:48:01 by Milos
It (changing the app's name to a system-protected app's name) won't work; my app has no title bar and no button on the task bar.
Posted on 2002-11-10 21:29:32 by baumann

It (changing the app's name to a system-protected app's name) won't work; my app has no title bar and no button on the task bar.
What good would that do? Even if you removed the title bar
and the button from the Windows taskbar, the user could still
'terminate' your program with ease.

And by renaming the executable you'll get 'pseudo' protection from the
Windows/NT System, as mentioned above.

However, the best way to go is always to create a 'system service' (or make some 'special code' :grin: )
Posted on 2002-11-10 22:28:46 by natas
I wrote a service but I can't find a way to make it immortal. Renaming it to lsass.exe made it do what I wanted, and that is not to be CTRL+ALT+DEL vulnerable. :alright:
Posted on 2002-11-11 15:17:08 by Milos
Immortality? If you make a system service, you must add it to the
service database, with the OpenSCManagerA and CreateServiceA
API calls. Or you can just use the tool that is included with the
package from Cynical Pinnacle to install/start it.

When the service is started it is executed by 'NT AUTHORITY \ SYSTEM',
and you'll receive this message when you try to kill it in the task manager:
'Access Denied'

In order for you to make the service unstoppable from the system:


[CHANGE THIS]
.....
Sendstatus proc .....
.IF dwCurrentState == SERVICE_START_PENDING
mov sStatus.dwControlsAccepted, 0
.ELSE
mov sStatus.dwControlsAccepted, \
SERVICE_ACCEPT_STOP or \
SERVICE_ACCEPT_PAUSE_CONTINUE or \
SERVICE_ACCEPT_SHUTDOWN
.ENDIF
.....



[TO THIS]
.....
Sendstatus proc .....
mov sStatus.dwControlsAccepted, 0
.....
And in the 'CtrlHandler proc' you can just remove all the code inside that proc,
since you no longer need to process messages like 'stop, pause, continue, end'.
Well, that should do it; now the user/system can't stop the damn thing, and
a normal user can't 'kill' it from the task manager or stop it.
Posted on 2002-11-11 15:49:06 by natas
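A defender-side check for the two techniques discussed in the posts above (a binary renamed to a protected system process name, and a LocalSystem service that reports no STOP control), written as an added example. This PowerShell audit is not code from the thread or from the Cynical Pinnacle package; the `Find-*` function names are my own, and it assumes an elevated session on Windows so that `Win32_Process` exposes `ExecutablePath` for system processes.

```powershell
# Added audit (not code from the thread). Two checks for what the posts above describe:
#  1. a process carrying one of the "protected" names but not loaded from System32
#     (renaming a binary to lsass.exe only copies the name, never the path)
#  2. a running service that executes as LocalSystem and reports no STOP control
#     (the dwControlsAccepted = 0 change shown in the SendStatus snippet)
# Run from an elevated session so Win32_Process exposes ExecutablePath for system processes.

# the names the thread lists as protected by the task manager
$CriticalNames = @('services.exe', 'smss.exe', 'winlogon.exe', 'lsass.exe', 'svchost.exe')
$System32 = Join-Path $env:SystemRoot 'System32'

function Find-MisplacedCriticalProcesses {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $CriticalNames -contains $_.Name.ToLowerInvariant() } |
        ForEach-Object {
            # smss.exe reports a native path (\SystemRoot\...); normalise it before comparing
            $path = $_.ExecutablePath -replace '^\\SystemRoot', $env:SystemRoot
            # an empty path means the query was denied (not elevated) or the process exited:
            # report it for review rather than silently passing it
            if (-not $path -or -not $path.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    ProcessId       = $_.ProcessId
                    Name            = $_.Name
                    ExecutablePath  = $path
                    ParentProcessId = $_.ParentProcessId
                }
            }
        }
}

function Find-UnstoppableSystemServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.State -eq 'Running' -and
            $_.StartName -eq 'LocalSystem' -and
            -not $_.AcceptStop
        } |
        Select-Object Name, DisplayName, ProcessId, PathName
}

Write-Output "Processes using a protected name outside ${System32}:"
Find-MisplacedCriticalProcesses | Format-Table -AutoSize

Write-Output 'Running LocalSystem services that report no STOP control:'
Find-UnstoppableSystemServices | Format-Table -AutoSize
```

Several built-in services legitimately run as LocalSystem without accepting STOP, so compare the second list against a known-good baseline of the same Windows build rather than treating every hit as hostile.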
I created the service in the way you described, and the only flag I set was to accept shutdown. In the message handling proc I just always return service running, but I can still kill it by Ctrl+Alt+Del.
Posted on 2002-11-11 16:08:24 by Milos
Well, you must have done something wrong. No matter if you
change the above or not, a service always remains unkillable
to the task manager (i.e. always 'Access Denied').

Of course, a service should never be executed without being
started as a service. When you have started the service, you
should see the status by going to 'control panel->administrative tools->services'.
In the 'status' column you should see 'started' on your service.

If you still can't get it to work, then zip up the code and post it here.
Posted on 2002-11-11 16:40:59 by natas
Here is the part of the code.... Where did I go wrong?
Posted on 2002-11-11 16:51:33 by Milos
What? Too bad you didn't supply me with the whole code
so that I could test the service itself. As far as I can see
the code looks OK. But since I can't test the program itself
it's hard to tell what else could be wrong.
Posted on 2002-11-11 17:28:13 by natas
Well, that is all of the code that concerns the service. I will try to cope with the thing a bit more. I would send the full source code but I am not allowed to. :confused:
Posted on 2002-11-11 17:32:51 by Milos
Of course you will not find any kind of error checking or such things.

.386
.model flat,stdcall
include windows.inc
include kernel32.inc
include advapi32.inc

includelib advapi32.lib
includelib kernel32.lib

; memory-to-memory move through eax
LOAD MACRO dest, src
mov eax, src
mov dest, eax
ENDM

.data
SERVICE_NAME BYTE "Service",0
; StartServiceCtrlDispatcher walks the table until it reaches an entry whose
; lpServiceName is NULL, so a second, all-zero entry is needed as terminator
sTable SERVICE_TABLE_ENTRY <0, 0>, <0, 0>

.code
START:
mov sTable.lpServiceProc, offset ServiceMain
LOAD sTable.lpServiceName, offset SERVICE_NAME
; blocks until every service in this process has stopped; fails with
; ERROR_FAILED_SERVICE_CONTROLLER_CONNECT when the exe is run outside the SCM
INVOKE StartServiceCtrlDispatcher, ADDR sTable
INVOKE ExitProcess, eax

; worker thread: sleeps forever, so ServiceMain's wait below never returns
Thread proc param:DWORD
lop:
INVOKE Sleep, 1000
jmp lop
xor eax, eax    ; never reached
ret
Thread endp

; reports the current state to the SCM; dwControlsAccepted is left at 0, so the
; SCM (and the Services applet) is told this service accepts no controls at all
SendStatus proc dwCurrentState:DWORD, dwWin32ExitCode:DWORD,dwServiceSpecificExitCode:DWORD, dwCheckPoint:DWORD,dwWaitHint:DWORD
.data?
hStatus DWORD ?
sStatus SERVICE_STATUS <>
.code
mov sStatus.dwServiceType, SERVICE_WIN32_OWN_PROCESS
LOAD sStatus.dwCurrentState, dwCurrentState
mov sStatus.dwControlsAccepted, 0
.IF dwServiceSpecificExitCode == 0
LOAD sStatus.dwWin32ExitCode, dwWin32ExitCode
.ELSE
mov sStatus.dwWin32ExitCode, \
ERROR_SERVICE_SPECIFIC_ERROR
.ENDIF
LOAD sStatus.dwServiceSpecificExitCode, dwServiceSpecificExitCode
LOAD sStatus.dwCheckPoint, dwCheckPoint
LOAD sStatus.dwWaitHint, dwWaitHint
INVOKE SetServiceStatus, hStatus, ADDR sStatus
mov eax, 1
ret
SendStatus endp

; control handler: every control (stop, pause, continue, shutdown) is ignored,
; which is the intent here; a normal service would update its state and call SendStatus
SCHandler proc controlCode:DWORD
ret
SCHandler endp

; the SCM calls ServiceMain as stdcall with (argc, argv); declaring both
; parameters makes the generated 'ret' pop the 8 bytes the caller pushed
ServiceMain proc dwArgc:DWORD, lpszArgv:DWORD
LOCAL hThreadID:DWORD
.data
hThread HANDLE NULL
.code
INVOKE RegisterServiceCtrlHandler, ADDR SERVICE_NAME,offset SCHandler
mov hStatus, eax

; increasing checkpoints tell the SCM that startup is still progressing
INVOKE SendStatus, SERVICE_START_PENDING, NO_ERROR, 0, 1, 5000
INVOKE SendStatus, SERVICE_START_PENDING, NO_ERROR, 0, 2, 1000
INVOKE SendStatus, SERVICE_START_PENDING, NO_ERROR, 0, 3, 5000

INVOKE CreateThread,0,0,ADDR Thread,0,0,ADDR hThreadID
mov hThread, eax

INVOKE SendStatus, SERVICE_RUNNING, NO_ERROR, 0, 0, 0
; ServiceMain must not return while the service is running
INVOKE WaitForSingleObject, hThread, INFINITE
ret
ServiceMain endp

END START

The article written by Cynical Pinnacle is basically a conversion of the code found here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/writing_a_servicemain_function.asp

I think I'm gonna rewrite the service code a bit; I think he missed out on some code.
Posted on 2002-11-11 17:40:01 by natas
After doing some reading up on system services, I decided to
convert a C code sample from the MSDN to assembly.
And even though it was pretty easy to do, I learned a lot from it. :)

This code works 100% on my Windows/2k machine. However, if
you have any suggestions or error reports for me I would be
happy to read them. :alright:

NOTE:
The attached file is a 'skeleton' for creating a system service, and
it responds to stop, pause, continue, and shutdown events. What
the service does is just create an annoying beep every 1.5 sec.
Have phun! and play nice... :grin:

EDIT: The skeleton with a service installer tool can now be found here: http://www.asmcommunity.net/board/index.php?topic=8905
Posted on 2002-11-12 02:26:22 by natas
And from me:

this is a RadASM template for creating Service Applications.
:alright:
Posted on 2002-11-12 14:07:51 by Eviloid
Eviloid, that's pretty neat! I didn't know you could make custom templates
for RadASM. But then again I'm just a newbie.. (Beware of my newbiality skills.. :grin: )

However, the tool I made to install services is made in pure assembler, not
C like Cynical Pinnacle's (and it's about 1/5 the size || and has more functions) ;)

EDIT: Plus I think my template is better than the one from Cynical Pinnacle. :alright:
Posted on 2002-11-12 14:14:26 by natas
hehe
I'm more newbie than You!! :grin:
and stool.exe in template is made by me in pure assembler too. :tongue:

I added "start" and "stop" functions - 4096 bytes, and packed with FSG - 2240 bytes
:)
Posted on 2002-11-12 15:56:29 by Eviloid

hehe
I'm more newbie than You!! :grin:
What? How can you be more of a newbie than me? I resent that fact! :grin:
No one has more 'newbiality' than me! haha..

Seriously though: I started programming in assembly around 15 October
this year, and you registered on this forum on December 15th, 2001.
So either you're pulling my leg OR? :eek: :tongue:
Posted on 2002-11-12 23:50:05 by natas
Ok ok. You won!
he he
:alright:
Posted on 2002-11-13 09:49:48 by Eviloid