In message said:
You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped.
You can. It is just a bit more involved.
Method #1
A) Inject a DLL into Task Manager and any other process that you think
may originate a TerminateProcess() call. Injecting a DLL is covered in
many places. Use Google; look up CreateRemoteThread(). This requires that
you have privileges to use CreateRemoteThread().
B) The injected DLL should hook TerminateProcess in Kernel32(). In the
hook it identifies if the process to be killed is the one
TerminateProcess has been asked to kill. If it is not that process then
pass the call from the hook to the real TerminateProcess. If it is that
process just return.
Method #2
TerminateProcess almost certainly ends up doing a Kernel transition
inside ntdll.dll to execute the action. If you install a kernel driver
you can then implement the equivalent of 1B above but your hook will
work for all applications. Your hook should look for a special marker
(say a named Mutex) so that it knows it should kill the process (this
would allow you to not kill the process most of the time and kill it
when you wanted to). The techniques described on www.rootkit.com can
help you implement this.
Method #1 is straightforward to anyone with the appropriate background
(most software tool developers will be familiar with this because of
their need to hook functions all over the place - myself included).
Method #2 requires someone familiar with the pitfalls of device driver
development and hooking.
Stephen
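A defender-side check for the hook Method #1 describes, added here as an example and not part of Stephen's post: it reads the first bytes of kernel32!TerminateProcess inside Task Manager (or any named process) and compares them with the unhooked copy mapped in the script's own process. It assumes the script is itself unhooked and runs at the same bitness as the target; the `$ProcessName` default and the 16-byte window are my own choices.

```powershell
# Added example (not from the original post): report whether kernel32!TerminateProcess
# inside a target process has been rewritten in place, the usual sign of an inline hook
# like the one Method #1 installs from an injected DLL.
# Assumptions: this script is itself unhooked, runs at the same bitness as the target,
# and kernel32.dll is mapped at the same base in both (true within one boot session).
# IAT hooks do not touch these bytes and are not detected by this check.
param([string]$ProcessName = "taskmgr", [int]$Bytes = 16)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
"@

$PROCESS_VM_READ = 0x0010
$PROCESS_QUERY_INFORMATION = 0x0400
function Get-Hex([byte[]]$b) { ($b | ForEach-Object { $_.ToString("X2") }) -join ' ' }

$addr = [Win32.Native]::GetProcAddress([Win32.Native]::GetModuleHandle("kernel32.dll"), "TerminateProcess")
if ($addr -eq [IntPtr]::Zero) { throw "GetProcAddress(TerminateProcess) failed" }
# Reference copy: the function prologue as mapped into this (assumed clean) process.
$clean = New-Object byte[] $Bytes
[System.Runtime.InteropServices.Marshal]::Copy($addr, $clean, 0, $Bytes)
$cleanHex = Get-Hex $clean

foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $h = [Win32.Native]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, $p.Id)
    if ($h -eq [IntPtr]::Zero) { Write-Warning "PID $($p.Id): OpenProcess failed"; continue }
    $remote = New-Object byte[] $Bytes
    $read = [IntPtr]::Zero
    $ok = [Win32.Native]::ReadProcessMemory($h, $addr, $remote, [IntPtr]$Bytes, [ref]$read)
    [void][Win32.Native]::CloseHandle($h)
    if (-not $ok) { Write-Warning "PID $($p.Id): ReadProcessMemory failed"; continue }
    $remoteHex = Get-Hex $remote
    if ($remoteHex -eq $cleanHex) {
        "PID $($p.Id): TerminateProcess prologue matches local copy ($remoteHex)"
    } else {
        # Inline hooks typically overwrite the first bytes with JMP rel32 (E9 ..) or a push/ret pair.
        "PID $($p.Id): TerminateProcess prologue DIFFERS, possible inline hook ($remoteHex vs $cleanHex)"
    }
}
```

Run it from an elevated prompt so OpenProcess succeeds on Task Manager; a mismatch is a lead to investigate (dump the loaded modules of that PID), not proof by itself, since legitimate products also hook this function.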