Inside process termination


Jfpan20000@sina.com (pjf)

Since people have asked about how process termination works, here is a brief discussion. (The discussion below is based on Windows 2000; other NT-family systems are similar.)
First, look at what an application does to forcibly end another process: it obtains the target process ID, calls OpenProcess to get a process handle (requesting sufficient access, at least PROCESS_TERMINATE), and finally passes that handle to TerminateProcess.
1. OpenProcess enters kernel mode through the system service interface and lands in ntoskrnl's NtOpenProcess. In the service routine the system uses SeSinglePrivilegeCheck to test whether the caller holds the debug privilege (SeDebugPrivilege). If it does, the AccessState is modified so that the subsequent access check grants the requested access to any process. Finally the process is opened (a process handle is created and returned) with ObOpenObjectByName, or with a PsLookupProcess*** lookup followed by ObOpenObjectByPointer.
2. TerminateProcess enters kernel mode through the system service interface and calls ntoskrnl's NtTerminateProcess. The system first calls ObReferenceObjectByHandle to obtain the process's executive block (EPROCESS). The block's DebugPort field shows whether the process is being debugged; if it is, and the requested ExitStatus is DBG_TERMINATE_PROCESS, the call returns a failure and the process is not terminated. Then the service routine moves on to the main work:
The system walks ThreadListHead to enumerate every thread of the process and calls PspTerminateThreadByPointer on each one. Note that not every thread will faithfully carry out your order: if the enumerated thread is a system thread, the routine does not proceed but returns STATUS_INVALID_PARAMETER. The test is whether the thread's Teb is zero, or whether the Teb's value lies in the kernel address space. Why can't csrss.exe be killed? That is easy to see: open IceSword, use "thread information" on the process tab, and check whether the process has a thread whose Teb is zero. (Note that Windows 2000 and XP differ here. Another point: the other, non-system threads in csrss are killed easily. When you try to end csrss you can see that the threads preceding the zero-Teb thread have already been killed; the operation only stops at the thread whose Teb is zero.) The System process is the same. IceSword does not provide a function to kill such processes, because it does not seem necessary. When the last thread exits, the process's life is over as well, with PspExitProcess/ObKillProcess finishing it off.
Now the other side: how does a thread end? PspTerminateThreadByPointer does not directly "kill" the specified thread; in essence the thread commits suicide. The system merely queues an APC to the target thread with KeInitializeApc/KeInsertQueueApc (for a user-mode thread the APC is delivered in that thread's own context), and the thread finally ends itself through PspExitThread (... => KeTerminateThread => KiSwapThread).
Some people ask why IceSword sometimes cannot kill processes other than the three that contain system threads (two of these are csrss and System; Idle is a strange, special process that I will not dwell on here). You can find the answer in the discussion above. It usually happens because a user-mode thread of the target process entered kernel mode, something went wrong there, and the thread never gets to return and run the APC routine. IceSword does not forcibly remove such processes because the system may already be in trouble at that moment, and a forced removal is more likely to crash it. But many users ask for this function, so it may be added later (there are already many complicated requests, and it is hard to find time to release a new version, ~_~).
In general, with the debug privilege you can kill a process. If someone has protected it, you will have to bring all your skill to bear.
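To make the thread-walk behaviour concrete, here is an added example written for this page; it is a model in plain C with constructed data, not Windows source and not IceSword code. It reproduces the checks described above: the DebugPort/DBG_TERMINATE_PROCESS early exit, the Windows 2000 Teb-based system-thread test, the walk stopping at the first system thread (earlier threads already gone), and the "APC queued but never run" case of a thread stuck in kernel mode, where the call reports success yet the process never dies. The struct layouts, the scenario names and addresses, the can_run_apc flag and the STATUS_UNSUCCESSFUL placeholder for the debug-port refusal are assumptions of the model; the Teb rule, STATUS_INVALID_PARAMETER and DBG_TERMINATE_PROCESS are the real ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the Windows 2000 NtTerminateProcess thread walk.
   Constructed for illustration; not kernel source and not IceSword code. */
typedef int32_t NTSTATUS;
#define NT_SUCCESS(s)            ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_UNSUCCESSFUL      ((NTSTATUS)0xC0000001)  /* model placeholder for the debug-port refusal */
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define DBG_TERMINATE_PROCESS    ((NTSTATUS)0x40010004)
/* 2 GB user/kernel split of 32-bit Windows 2000: anything above is kernel space. */
#define MM_HIGHEST_USER_ADDRESS  ((uintptr_t)0x7FFEFFFF)

typedef struct {
    const char *name;
    uintptr_t   teb;          /* 0 or a kernel address marks a system thread */
    bool        can_run_apc;  /* assumed flag: false = stuck in kernel mode, APC never runs */
    bool        apc_queued;
    bool        exited;
} MODEL_THREAD;

typedef struct {
    const char   *image;
    bool          has_debug_port;  /* EPROCESS.DebugPort != NULL */
    MODEL_THREAD *threads;         /* stands in for the ThreadListHead walk */
    size_t        count;
} MODEL_PROCESS;

/* The Windows 2000 rule from the text: Teb == 0 or Teb in kernel space. */
static bool model_is_system_thread(const MODEL_THREAD *t)
{
    return t->teb == 0 || t->teb > MM_HIGHEST_USER_ADDRESS;
}

/* PspTerminateThreadByPointer: refuse system threads, otherwise queue the exit APC.
   The thread only really exits when it runs that APC (PspExitThread) itself. */
static NTSTATUS model_PspTerminateThreadByPointer(MODEL_THREAD *t)
{
    if (model_is_system_thread(t))
        return STATUS_INVALID_PARAMETER;
    t->apc_queued = true;
    if (t->can_run_apc)
        t->exited = true;
    return STATUS_SUCCESS;
}

/* NtTerminateProcess: debug-port check, then walk the threads in list order and
   stop at the first one that cannot be terminated. */
static NTSTATUS model_NtTerminateProcess(MODEL_PROCESS *p, NTSTATUS exit_status)
{
    if (p->has_debug_port && exit_status == DBG_TERMINATE_PROCESS)
        return STATUS_UNSUCCESSFUL;
    for (size_t i = 0; i < p->count; i++) {
        NTSTATUS st = model_PspTerminateThreadByPointer(&p->threads[i]);
        if (!NT_SUCCESS(st))
            return st;  /* threads before this one are already gone */
    }
    return STATUS_SUCCESS;
}

static size_t model_exited_count(const MODEL_PROCESS *p)
{
    size_t n = 0;
    for (size_t i = 0; i < p->count; i++)
        n += p->threads[i].exited ? 1 : 0;
    return n;
}

/* Dead only when the last thread has exited (PspExitProcess/ObKillProcess). */
static bool model_process_is_dead(const MODEL_PROCESS *p)
{
    return model_exited_count(p) == p->count;
}

/* Constructed scenarios; image names, thread names and addresses are made up. */
static NTSTATUS run_scenario(const char *image, bool debug_port, NTSTATUS exit_status,
                             MODEL_THREAD *th, size_t n, size_t *exited, bool *dead)
{
    MODEL_PROCESS p = { image, debug_port, th, n };
    NTSTATUS st = model_NtTerminateProcess(&p, exit_status);
    *exited = model_exited_count(&p);
    *dead = model_process_is_dead(&p);
    return st;
}

NTSTATUS scenario_ordinary(size_t *exited, bool *dead)
{
    MODEL_THREAD th[] = { { "main", 0x7FFDE000u, true, false, false },
                          { "worker", 0x7FFDD000u, true, false, false } };
    return run_scenario("notepad.exe", false, 0, th, 2, exited, dead);
}

NTSTATUS scenario_csrss_like(size_t *exited, bool *dead)
{
    MODEL_THREAD th[] = { { "worker-1", 0x7FFDE000u, true, false, false },
                          { "worker-2", 0x7FFDD000u, true, false, false },
                          { "server", 0, true, false, false },  /* Teb == 0: system thread */
                          { "worker-3", 0x7FFDC000u, true, false, false } };
    return run_scenario("csrss.exe", false, 0, th, 4, exited, dead);
}

NTSTATUS scenario_stuck_in_kernel(size_t *exited, bool *dead)
{
    MODEL_THREAD th[] = { { "main", 0x7FFDE000u, true, false, false },
                          { "hung", 0x7FFDD000u, false, false, false } };  /* never runs the APC */
    return run_scenario("hung.exe", false, 0, th, 2, exited, dead);
}

NTSTATUS scenario_debugged(size_t *exited, bool *dead)
{
    MODEL_THREAD th[] = { { "main", 0x7FFDE000u, true, false, false } };
    return run_scenario("debuggee.exe", true, DBG_TERMINATE_PROCESS, th, 1, exited, dead);
}

int main(void)
{
    NTSTATUS (*fn[])(size_t *, bool *) = { scenario_ordinary, scenario_csrss_like,
                                           scenario_stuck_in_kernel, scenario_debugged };
    const char *names[] = { "ordinary", "csrss-like", "stuck-in-kernel", "debugged" };
    for (size_t i = 0; i < 4; i++) {
        size_t exited; bool dead;
        NTSTATUS st = fn[i](&exited, &dead);
        printf("%-16s status=0x%08X exited=%zu dead=%s\n", names[i], (unsigned)st, exited, dead ? "yes" : "no");
    }
    return 0;
}
```

The csrss-like scenario shows the behaviour the text describes: the two worker threads before the zero-Teb thread are already gone when the walk returns STATUS_INVALID_PARAMETER, and the thread after it is never touched. The stuck-in-kernel scenario is the IceSword case from the paragraph above: NtTerminateProcess returns success because queuing the APC succeeded, but the process stays alive because the hung thread never returns to run it.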

I think the discussion above offers some inspiration both to those who want to kill processes and to those who want to protect them.
