make a process unkillable?!
I just started playing with the Windows kernel; maybe what I'm writing is foolish, IDK, but I found the kernel side very interesting.
It's not a tutorial, nor a trustworthy post, just a note for me, maybe full of mistakes… that's the only way to improve.
NOTE: I'm using Windows 10 x64 Version 1709 Build 16299.125
Let's start from PspTerminateThreads, which traverses all threads and calls PspTerminateThreadByPointer for each thread:
KeRequestTerminationThread checks the 15th bit of the 0x74th field of _KTHREAD (*(v2+116) & 0x4000) and, if it is set, inserts a kernel-mode APC into the thread's APC queue to kill the thread:
It seems that if a thread is not APC-queueable (the 15th bit of the 0x74 field is not set), it's impossible to kill the thread (at least this way).
The _KTHREAD structure's 0x74th field is a union; its 15th bit is the ApcQueueable flag (Terminus Project - _KTHREAD). What if we set this bit to 0?
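From the defender's side, the same bit is what you would look for: a running thread whose ApcQueueable flag is clear cannot be terminated by the normal PspTerminateThreads path, so it stands out. The following kernel-debugger session is an added example, not from the original post; it assumes a live kernel debug session or memory dump of the build named above with symbols loaded, and uses the WinDbg data model (dx) to list every thread in every process with the flag cleared.

```windbg
$$ Confirm the field layout on this build before trusting any offsets:
$$ the page's 0x74 field with mask 0x4000 corresponds to bit position 14 of the union.
dt nt!_KTHREAD ApcQueueable

$$ Walk all processes, flatten their threads, and keep only those whose
$$ ApcQueueable flag is 0. Shows PID/TID and the thread's scheduler state
$$ so each hit can be checked against the owning process (added check,
$$ not part of the original note).
dx -g @$cursession.Processes.SelectMany(p => p.Threads).Where(t => t.KernelObject.Tcb.ApcQueueable == 0).Select(t => new { Pid = t.KernelObject.Cid.UniqueProcess, Tid = t.KernelObject.Cid.UniqueThread, State = t.KernelObject.Tcb.State })

$$ For one suspicious thread, dump the raw _KTHREAD to compare the union
$$ value at +0x74 with the mask 0x4000 by hand (replace <ethread> with a
$$ KernelObject address from the table above).
dt nt!_ETHREAD <ethread> Tcb.ApcQueueable Cid.
```

Any thread that appears here while its process is still alive and not exiting deserves a closer look at who cleared the bit; a legitimate driver has no ordinary reason to do so.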
We can use WinDbg or write our own driver. The driver code is very simple: it receives thread IDs from userland and disables