Monday, January 18, 2016

Designing monitoring software against process suspension


You might be violating your company policies if you try any of this on your work PC. Please do not try it; this is only for educational purposes. This article focuses only on educating you to design your software against this vulnerability. Read my blog disclaimer before continuing.

The following diagram shows an example of a typical monitoring software design. This "I will watch your back" model is typically designed to run as a Windows service.
Here process A opens a handle to process B, and B opens a handle to A. Both processes wait on the other's process handle with the Win32 API WaitForSingleObject or WaitForMultipleObjects. If A is killed, B comes out of the wait state, checks whether the handle is still valid and, if not, restarts A.

With this, they are designed to monitor each other. However, this has the following shortcomings.
  1. If you kill them together, they might not have time to react.
  2. You can kill them as a process tree, if they are designed as parent and child.
  3. If you don't have permission to kill them, you can suspend them. Yes, you read that right.

Suspending a process

Suspending a process leaves its process handle valid. Suspending can be done in two ways:
  1. Iterate through the process's threads and suspend each one.
  2. Use the undocumented NtSuspendProcess API.
The easiest way to test process suspension is with the Process Explorer tool from Sysinternals.
Right-click on the process and choose Suspend. This puts the process to sleep, so if the monitoring app is looking at it, it won't notice a thing. Moreover, the permission required to suspend a process is much lower than the permission required to kill it: OpenProcess can be called with PROCESS_SUSPEND_RESUME, which needs less access privilege.

A suspended process is a bigger threat.

For example, you cannot terminate Symantec antivirus. However, you can put it to sleep by suspending the process. Since it subscribes to some system events asynchronously for monitoring, a suspended process does no good here. A typical example is using Symantec to block USB storage devices. Most enterprises use this to allow only approved devices to connect via USB and to block any unauthorized thumb drives. If the process is suspended, the USB insertion event falls on deaf ears, and if the process depends only on the events and doesn't do any other checks like Symantec does, it will still allow the USB device to work even after the process is resumed.

Momentarily suspending this kind of monitoring service will go unnoticed by most checks. If you are monitoring remotely, or using a sibling process, use heartbeat-based checks or some kind of time- and salt-based handshake.
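The heartbeat approach recommended above, as an added example that is not part of the original post: the watched process emits a counted, timestamped, salted and MACed heartbeat on every tick, and the sibling monitor treats silence (not an invalid handle) as the peer being down. A suspended peer keeps a valid process handle but stops sending, so its last heartbeat ages out. The shared key, JSON message format and tolerances are assumptions for this example.

```python
import hmac, hashlib, json, os, time

# Constructed shared secret (assumption); each sibling would hold a key provisioned at install.
SHARED_KEY = b"example-shared-secret"
MAX_AGE_S = 5.0        # no accepted heartbeat for this long => peer is killed or suspended
CLOCK_SKEW_S = 2.0     # tolerated clock difference between the two processes

def make_heartbeat(counter, now=None, key=SHARED_KEY):
    """Built by the watched process each tick: monotonic counter, timestamp, random salt, MAC."""
    now = time.time() if now is None else now
    body = {"ctr": counter, "ts": now, "salt": os.urandom(8).hex()}
    msg = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

class HeartbeatMonitor:
    """Held by the sibling process; replaces 'wait on the peer's process handle'."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_ctr = -1
        self.last_seen = None   # monitor-local time of the last accepted heartbeat

    def accept(self, hb, now=None):
        """Return True only if hb is authentic, fresh and not a replay."""
        now = time.time() if now is None else now
        msg = json.dumps(hb["body"], sort_keys=True).encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hb["mac"]):
            return False                              # forged or corrupted message
        if hb["body"]["ctr"] <= self.last_ctr:
            return False                              # replayed or out-of-order heartbeat
        if abs(now - hb["body"]["ts"]) > CLOCK_SKEW_S:
            return False                              # stale message (or clocks far apart)
        self.last_ctr = hb["body"]["ctr"]
        self.last_seen = now
        return True

    def peer_alive(self, now=None):
        """Silence beyond MAX_AGE_S means down, even though the process handle is still valid."""
        now = time.time() if now is None else now
        return self.last_seen is not None and (now - self.last_seen) <= MAX_AGE_S
```

When peer_alive() turns False, the monitor takes the same recovery action it would on a terminated peer (restart, alert), so a suspended sibling is handled like a killed one.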

If you are testing a product, test its behavior under process suspension.

Disclaimer

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The views, ideas or other information conveyed in blog content are the author's and are not representative of the author's employer, clientele or affiliates.

The owner of this blog will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.