Process Protection: CrossThreadFlags flag, threadschedflags
Principle:
1. Set the Terminated or System bit in the CrossThreadFlags field of every thread in the process.
Effect: Task Manager, WSYSCheck, and IceSword cannot end the process.
PCHunter, however, can end a protected process. It cannot end a protected thread with its ordinary method, though; the thread has to be ended by force.
Code:
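#include <ntifs.h>   // PsLookupThreadByThreadId, ObDereferenceObject

// GetCrossThreadFlagOffset(), PS_CROSS_THREAD_FLAGS_TERMINATED and dprintf
// are defined elsewhere in the driver and are not shown in this excerpt.
VOID SetThreadFlagToTerminatedByThreadID(ULONG dwThreadID)
{
    ULONG ulFlagOffset;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PULONG pFlag;
    PETHREAD eThead = NULL;
    HANDLE threadHandle;

    __try
    {
        threadHandle = (HANDLE)(ULONG_PTR)dwThreadID;

        // Offset of CrossThreadFlags inside ETHREAD; it differs between Windows builds.
        ulFlagOffset = GetCrossThreadFlagOffset();
        //dprintf("[ProtectProcess]GetCrossThreadFlagOffset: 0X%08X\r\n", ulFlagOffset);

        // Takes a reference on the ETHREAD, released at the end of the function.
        status = PsLookupThreadByThreadId(threadHandle, &eThead);
        if (!NT_SUCCESS(status))
        {
            dprintf("PsLookupThreadByThreadId ERRORid:0X%08X, TID: 0X%08X\r\n", status, dwThreadID);
            return;   // the function is VOID, so no status is returned
        }
        //dprintf("ETHREAD:0X%p\n", eThead);

        pFlag = (ULONG*)((PUCHAR)eThead + ulFlagOffset);
        //dprintf("ulFlag address:0X%p value:0x%08X\n", pFlag, *pFlag);

        // Mark the thread as already terminated.
        *pFlag |= PS_CROSS_THREAD_FLAGS_TERMINATED;
        dprintf("new ulFlag address:0X%p value:0x%08X\n", pFlag, *pFlag);
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        dprintf("EXCEPTION ON set thread cross flags!");
    }

    // Release the reference taken by PsLookupThreadByThreadId.
    if (eThead != NULL)
    {
        ObDereferenceObject(eThead);
    }
}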
Ring3 program and ring0 program:
http://download.csdn.net/detail/xiaocaiju/8192897
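Detection side of the technique above, as an added example that is not part of the original post or its driver: it checks a thread snapshot (for instance one exported from a memory-forensics thread scan) for processes whose threads all carry a Terminated or System bit that contradicts their observed state. The record layout, function names and sample data are constructed for illustration; the bit values and the Terminated state number are assumptions taken from WRK-era headers and must be confirmed for the Windows build being analysed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values (WRK-era layout); confirm for the build under analysis. */
#define CTF_TERMINATED    0x00000001u  /* CrossThreadFlags: Terminated */
#define CTF_SYSTEM        0x00000010u  /* CrossThreadFlags: System */
#define KSTATE_TERMINATED 4u           /* KTHREAD_STATE Terminated */
#define SYSTEM_PID        4u           /* PID of the System process */

/* Hypothetical snapshot record, one per thread. */
typedef struct { uint32_t pid, tid, cross_thread_flags, state; } thread_rec;

/* Nonzero when the flags contradict what the thread is actually doing. */
int thread_is_suspicious(const thread_rec *t) {
    if ((t->cross_thread_flags & CTF_TERMINATED) && t->state != KSTATE_TERMINATED)
        return 1;                      /* "terminated" but still schedulable */
    if ((t->cross_thread_flags & CTF_SYSTEM) && t->pid != SYSTEM_PID)
        return 1;                      /* system-thread bit outside System */
    return 0;
}

/* Stores PIDs whose every thread is suspicious in out[]; returns the count. */
size_t find_flag_protected_pids(const thread_rec *r, size_t n,
                                uint32_t *out, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        int first = 1, all = 1;
        for (size_t j = 0; j < i; j++)         /* handle each PID once */
            if (r[j].pid == r[i].pid) { first = 0; break; }
        if (!first) continue;
        for (size_t j = i; j < n && all; j++)
            if (r[j].pid == r[i].pid && !thread_is_suspicious(&r[j])) all = 0;
        if (all && found < cap) out[found++] = r[i].pid;
    }
    return found;
}

/* Constructed sample snapshot (state 2 = running, 5 = waiting). */
static const thread_rec SAMPLE[] = {
    {4,    8,    CTF_SYSTEM,     5},   /* genuine system thread */
    {1200, 1204, 0,              5},   /* ordinary thread */
    {1200, 1208, CTF_TERMINATED, 4},   /* thread that really exited */
    {3120, 3124, CTF_TERMINATED, 5},   /* flagged terminated, yet waiting */
    {3120, 3128, CTF_TERMINATED, 2},   /* flagged terminated, yet running */
    {4016, 4020, CTF_SYSTEM,     5},   /* system bit in a user process */
};

int main(void) {
    uint32_t pids[8];
    size_t n = find_flag_protected_pids(SAMPLE, sizeof SAMPLE / sizeof *SAMPLE, pids, 8);
    for (size_t i = 0; i < n; i++) printf("suspicious pid %u\n", (unsigned)pids[i]);
    return 0;
}
```

Both checks are heuristics: a thread in the middle of exiting briefly has the Terminated bit set while still running, and PsCreateSystemThread can place a system thread in another process, so a hit should be confirmed against a second snapshot before it is treated as tampering.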