Comments on: You cannot make your application undestroyable. http://blog.delphi-jedi.net/2008/03/17/you-cant-make-your-application-undestroyable/ Joint Endeavor of Delphi Innovators of Windows Programming Thu, 24 Nov 2011 17:58:16 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Oliver http://blog.delphi-jedi.net/2008/03/17/you-cant-make-your-application-undestroyable/comment-page-1/#comment-153 Oliver Sun, 20 Apr 2008 17:15:25 +0000 http://blog.delphi-jedi.net/2008/03/17/you-cant-make-your-application-undestroyable/#comment-153 Right, but this requires at least to have the rights to inject into any process and it doesn't matter. How about me just calling something like <tt>ExitProcess()</tt> via <tt>CreateRemoteThread()</tt>? Or how about me injecting faulty code, that will make the process fault and end with an exception? How about the half a dozen other functions that are able to cause the same thing? The situation is similar to that of rootkits. Rootkits can only use known methods to hide and defenders can only use known vectors to find rootkits. Not in all cases those sets of know-how match, so that one may be ahead of the other, but the problem remains ultimately unsolvable. // Oliver Right, but this requires at least to have the rights to inject into any process and it doesn’t matter. How about me just calling something like ExitProcess() via CreateRemoteThread()? Or how about me injecting faulty code, that will make the process fault and end with an exception? How about the half a dozen other functions that are able to cause the same thing?

The situation is similar to that of rootkits. Rootkits can only use known methods to hide and defenders can only use known vectors to find rootkits. Not in all cases those sets of know-how match, so that one may be ahead of the other, but the problem remains ultimately unsolvable.

// Oliver

]]> By: parmaster http://blog.delphi-jedi.net/2008/03/17/you-cant-make-your-application-undestroyable/comment-page-1/#comment-120 parmaster Tue, 15 Apr 2008 08:33:40 +0000 http://blog.delphi-jedi.net/2008/03/17/you-cant-make-your-application-undestroyable/#comment-120 You could actually inject a thread into process system wide hooking the TerminateProcess API. When a program on the system tries to call the API it can be intercepted and canceled if it matches your unstoppable file. You could actually inject a thread into process system wide hooking the TerminateProcess API. When a program on the system tries to call the API it can be intercepted and canceled if it matches your unstoppable file.

]]>