TONT 40603 应用程序和用户间的军备竞赛



There is a constant struggle between people who write programs and the people who actually use them. For example, you often see questions like, “How do I make my program so the user can’t kill it?”


Now, imagine if there were a way to do this. Ask yourself, “What would the world be like if this were possible?”


Well, then there would be some program, say, xyz.exe, that is unkillable. Now suppose you’re the user. There’s this program xyz.exe that has gone haywire, so you want to exit it. But it won’t let you exit. So you try to kill it, but you can’t kill it either.


This is just one of several arms races that you can imagine.


“I don’t want anybody to kill my process.” vs. “How do I kill this runaway process?”


“I want to shove this critical dialog in the user’s face.” vs. “How do I stop programs from stealing focus?”


“I don’t want anybody to delete this file.” vs. “How do I delete this file that refuses to be deleted?”


“How do I prevent this program from showing up in Task Manager?” vs. “How can I see all the programs that are running on my computer?”


Eventually you have to decide which side wins, and Windows has decided to keep users in control of their own programs and data, and keep administrators in control of their own computer. So users can kill any process they want (given sufficient privileges), they can stop any program from stealing focus, and they can delete any file they want (again, given sufficient privileges).


Programs can try to make themselves more difficult to kill (deny PROCESS_TERMINATE access, deny PROCESS_CREATE_THREAD access so people can’t CreateRemoteThread(EndProcess), deny PROCESS_VM_WRITE so people can’t scribble into your stack and make you doublefault, deny PROCESS_SUSPEND_RESUME so they can’t suspend you), but eventually you just can’t stop them from, say, elevating to Debug privilege, debugging your process, and moving EIP to “ExitProcess”.

应用程序们可以尝试让他们自己变得更难以被关掉(拒绝PROCESS_TERMINATE的权限,拒绝PROCESS_CREATE_THREAD的权限以使用户无法调用CreateRemoteThread(EndProcess),拒绝PROCESS_VM_WRITE的权限使用户无法到你的栈内存里乱搞、进而引发双重异常(double fault),拒绝PROCESS_SUSPEND_RESUME的权限使用户无法暂停你的进程),但说到底,你没有办法不让用户采取例如提权到调试模式,对你的进程开调试器,然后将EIP寄存器指向ExitProcess的做法。

Notice that you can kill CSRSS.EXE and WINLOGON.EXE if you like. Your computer will get very angry at you, but you can do it. (Save you work first!)


Another useful question to ask yourself: “What’s to prevent a virus from doing the same thing?” If there were a way to do these things, then a virus could take advantage of them and make itself invisible to Task Manager, undeletable, and unkillable. Clearly you don’t want that, do you?



电子邮件地址不会被公开。 必填项已用*标注

 剩余字数 ( Characters available )


Notice: please DO NOT add any links in your comment, otherwise it would be identified as SPAM automatically.