An Introduction to RtlSetProcessIsCritical
Source: Internet  Published under: Prospects of the online marketing industry  Editor: Programmer Blog Network  Time: 2024/06/05 16:52
Introduction
RtlSetProcessIsCritical is yet another undocumented Windows function (it is exported by NTDLL). It is one of the few that have no kernel32 equivalent. However, Microsoft has a good reason not to document this function: it should not be used in any application for any purpose whatsoever. I simply cannot imagine a circumstance where this function would actually come in useful. Thus:
Disclaimer: I am not responsible for any side-effects of calling this function on your computer. It may cause extreme system instability. The example is only presented as "proof-of-concept".
Background
What RtlSetProcessIsCritical does is mark your process as system critical. This means the process is now "critical" to the running of Windows, so when your process terminates, Windows itself terminates as well. When a system critical process ends or is terminated, the stop code is CRITICAL_PROCESS_DIED (0xEF) for a process that exits, and CRITICAL_OBJECT_TERMINATION (0xF4) if the process was abnormally terminated. Although this can technically be used to "protect" a process against people terminating it, I recommend you find other methods of doing so, because if a user terminates the critical process by accident, or the process crashes while it is critical, the system will crash instantly as well. This would be highly annoying to users.
This type of behavior can also be seen in processes such as winlogon.exe, csrss.exe, services.exe, smss.exe, and lsass.exe. All of these processes are known to call RtlSetProcessIsCritical.
Whether a process is critical can be queried with a call to ZwQueryInformationProcess using the information class ProcessBreakOnTermination (0x1D). Also, this function is only available in NTDLL versions 5.1 (Windows XP) and higher.
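As an added example (not part of the original article), the following PowerShell script turns that query into a quick audit: it asks NtQueryInformationProcess for ProcessBreakOnTermination on every running process and reports which ones carry the critical flag, so an unexpected entry next to the usual smss/csrss/winlogon/services/lsass stands out. The P/Invoke wrapper class name, the access-right constant and the output layout are my choices, not anything from the article.

```powershell
# Added audit script, not part of the original article: list the processes on this
# machine that currently have the critical flag set, by asking
# NtQueryInformationProcess for ProcessBreakOnTermination (0x1D) as described above.
# Run from an elevated prompt so that system processes can be opened.
$probe = @"
using System;
using System.Runtime.InteropServices;
public static class CriticalProbe {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        out uint info, int infoLength, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
Add-Type -TypeDefinition $probe

$ProcessBreakOnTermination = 0x1D   # PROCESSINFOCLASS value quoted in the article
$PROCESS_QUERY_INFORMATION = 0x0400 # access right needed for this query

function Get-CriticalState {
    param([int]$ProcessId)
    $h = [CriticalProbe]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return 'cannot open (access denied)' }
    try {
        [uint32]$flag = 0
        [int]$returned = 0
        $status = [CriticalProbe]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
        if ($status -ne 0) { return ('NTSTATUS 0x{0:X8}' -f $status) }
        if ($flag -ne 0) { 'critical' } else { 'normal' }
    }
    finally { [void][CriticalProbe]::CloseHandle($h) }
}

# Report everything that is critical or could not be checked; compare the critical
# set against the expected system processes (smss, csrss, winlogon, services, lsass).
Get-Process | ForEach-Object {
    [pscustomobject]@{
        PID   = $_.Id
        Name  = $_.ProcessName
        State = Get-CriticalState -ProcessId $_.Id
    }
} | Where-Object { $_.State -ne 'normal' } | Sort-Object State, Name | Format-Table -AutoSize
```

A process that shows up as critical but is not one of the system processes named above is worth investigating, since the same flag is what makes an accidental kill take the whole machine down.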
Using the code
The function definition for RtlSetProcessIsCritical is as follows:

    NTSTATUS RtlSetProcessIsCritical(
        BOOLEAN  bNew,       // new setting for the process
        BOOLEAN *pbOld,      // receives the old setting (can be NULL)
        BOOLEAN  bNeedScb);  // need system critical breaks
This means that calling RtlSetProcessIsCritical(TRUE, NULL, FALSE) would make a process critical, while another call to RtlSetProcessIsCritical(FALSE, NULL, FALSE) would return the process to normal. When critical status is set, termination or ending of the process in any way will usually cause either a BSOD (if BSOD-ing is enabled) or will cause the system to reboot itself.
Obtaining this function from NTDLL is simple. First, we define a prototype of the function (the return type is NTSTATUS, matching the definition above, and the calling convention is __stdcall, as for every native API on x86):

    typedef NTSTATUS (__stdcall *RtlSetProcessIsCritical)(
        IN  BOOLEAN  bNew,       // new setting for the process
        OUT BOOLEAN *pbOld,      // receives the old setting (can be NULL)
        IN  BOOLEAN  bNeedScb);  // need system critical breaks
Then, we obtain a module handle to NTDLL.DLL in order to resolve the function using GetProcAddress:

    HMODULE ntdll = LoadLibrary(TEXT("ntdll.dll"));
    RtlSetProcessIsCritical SetCriticalProcess = NULL;
    if (ntdll != NULL)
        SetCriticalProcess = (RtlSetProcessIsCritical)GetProcAddress(ntdll, "RtlSetProcessIsCritical");
    // SetCriticalProcess stays NULL if the export could not be resolved; check it before calling.
After this, we can simply call SetCriticalProcess with the appropriate parameters.
A more detailed and commented example is in the Example.zip download.
Note: The use of this function requires the SE_DEBUG_NAME privilege in the calling process. This can easily be obtained using AdjustTokenPrivileges, and an example of this can be seen in the example source code.
Points of Interest
I'm not sure about other compilers, but on my rather old MSVC++ 6.0 compiler, I get an error stating "The value of ESP was not properly saved across a function call..." and the program also crashes before exiting under the default Release mode. If you change the optimizations to Disable (Debug), these problems go away. I'm guessing some of VC++ 6.0's optimizations don't work properly.
History
I probably won't be updating this, unless there is a critical flaw anywhere in the code.
- v1.0 - October 30th, 2009.
License
This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)