I'm writing a program that will terminate any given process. Link to my code : Link
I expect it to terminate any process, bypassing any hooks. But security softwares can still block terminating (I've tested with sandboxie and processguard so far)?
I can't understand how they can do that. My program rewrites functions and I expect to remove hooks this way.
How can I bypass hooks? What do I miss in this code?
P.S : This program crashes in third ZwTerminateProcess call. Can someone help about this, please?
Thanks in advance.
Sometimes, AV and sandboxing software will end up modifying function pointer tables in the kernel. Short of writing a driver, there is no easy way to get around that, because the functionality may be disabled system-wide (what AV's do) or for a particular application (what sandboxes would do).
If you are actually able to open a handle to the process, you can still do a lot of things. Maybe you could try killing it indirectly. I would try to write directly to the process' memory and overwrite it with garbage (or calls to ExitProcess).