Trapping TaskManager's kill process on win32

gga

Is there a way to trap the killing of a ruby windows process killed
thru the TaskManager?
I've tried trap(INT), trap(ABRT) and trap(KILL) and none seem to
respond to kill process.
 
Daniel Berger

gga said:
Is there a way to trap the killing of a ruby windows process killed
thru the TaskManager?
I've tried trap(INT), trap(ABRT) and trap(KILL) and none seem to
respond to kill process.

You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped. Read here for
more:

http://blogs.msdn.com/oldnewthing/archive/2004/07/22/191123.aspx

It's probably a good thing, too. Imagine if you did this:

trap("KILL") { } # Do nothing

How would you kill the process short of rebooting?

Regards,

Dan
 
Dido Sevilla

You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped. Read here for
more:

http://blogs.msdn.com/oldnewthing/archive/2004/07/22/191123.aspx

It's probably a good thing, too. Imagine if you did this:

trap("KILL") { } # Do nothing

How would you kill the process short of rebooting?

Gee, so there's only a SIGKILL on Windows, and no equivalent of a
SIGTERM? What if I want the process to try to do some cleanup before
dying? This is something I do fairly often with my programs on
GNU/Linux. Now if the cleanup is hosed, obviously I'd expect a kill -9
to still work of course...
 
Ara.T.Howard

You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped. Read here for
more:

http://blogs.msdn.com/oldnewthing/archive/2004/07/22/191123.aspx

It's probably a good thing, too. Imagine if you did this:

trap("KILL") { } # Do nothing

How would you kill the process short of rebooting?

under *nix you can trap almost all signals - but not this one for that very
reason. that's why 'kill -9' is dang handy ;-)

-a
--
===============================================================================
| email :: ara [dot] t [dot] howard [at] noaa [dot] gov
| phone :: 303.497.6469
| Your life dwells among the causes of death
| Like a lamp standing in a strong breeze. --Nagarjuna
===============================================================================
 
Daniel Berger

Dido said:
Gee, so there's only a SIGKILL on Windows, and no equivalent of a
SIGTERM? What if I want the process to try to do some cleanup before
dying? This is something I do fairly often with my programs on
GNU/Linux. Now if the cleanup is hosed, obviously I'd expect a kill -9
to still work of course...

Well, drat, I *thought* the CreateRemoteThread + ExitProcess combo was
catchable, but I'm not so sure now. It may require a custom handler,
but I'd have to research further.

Also, take a look at this:

http://msdn.microsoft.com/library/d.../en-us/dllproc/base/terminating_a_process.asp

That article suggests a RegisterWindowMessage + BroadcastSystemMessage
approach, though I haven't tried it.

Regards,

Dan
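Dido's cleanup question above, as an added example that is not code from the thread: trap the signals the platform lets you trap with an idempotent handler, and write durable state so that an untrappable TerminateProcess() or kill -9 can lose only the update in flight, never the last good copy. The signal list, file names and the temp-then-rename layout are my own choices.

```ruby
require "tmpdir"

# Added example, not from the thread. Rule 1: trap only what the platform
# lets you trap, and make the handler idempotent. Returns the signals a
# handler was actually installed for; installing one on KILL raises
# (Errno::EINVAL on Linux), so KILL is skipped and never appears.
def install_cleanup_traps(&cleanup)
  installed = []
  done = false
  %w[INT TERM KILL].each do |sig|
    begin
      Signal.trap(sig) do
        next if done          # a second signal must not run cleanup twice
        done = true
        cleanup.call
        exit 0                # raises SystemExit in the main thread
      end
      installed << sig
    rescue ArgumentError, SystemCallError
      # untrappable or unsupported signal: no handler will ever see it
    end
  end
  installed
end

# Rule 2: never leave durable state half-written. The data goes to a temp
# file in the same directory, is flushed to disk, and is then renamed over
# the target, so a kill that no handler sees leaves either the old or the
# new file, never a truncated one (a stray .tmp file is the only residue).
def atomic_write(path, data)
  tmp = "#{path}.#{Process.pid}.tmp"
  File.open(tmp, "wb") do |f|
    f.write(data)
    f.flush
    f.fsync
  end
  File.rename(tmp, path)      # replaces the target in one step
  path
end
```

Call install_cleanup_traps at start-up and checkpoint with atomic_write; the trap handler is then only an optimisation for the graceful case, not something correctness depends on.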
 
Stephen Kellett

Daniel Berger said:
You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped.

You can. It is just a bit more involved.

Method #1
A) Inject a DLL into task manager and any other process that you think
may originate a TerminateProcess() call. Injecting a DLL is covered in
many places. Use Google; look up CreateRemoteThread(). This requires that
you have privileges to use CreateRemoteThread().

B) The injected DLL should hook TerminateProcess in Kernel32. In the
hook it identifies if the process to be killed is the one
TerminateProcess has been asked to kill. If it is not that process then
pass the call from the hook to the real TerminateProcess. If it is that
process just return.

Method #2
TerminateProcess almost certainly ends up doing a kernel transition
inside ntdll.dll to execute the action. If you install a kernel driver
you can then implement the equivalent of 1B above but your hook will
work for all applications. Your hook should look for a special marker
(say a named Mutex) so that it knows it should kill the process (this
would allow you to not kill the process most of the time and kill it
when you wanted to). The techniques described on www.rootkit.com can
help you implement this.

Method #1 is straightforward to anyone with the appropriate background
(most software tool developers will be familiar with this because of
their need to hook functions all over the place - myself included).
Method #2 requires someone familiar with the pitfalls of device driver
development and hooking.

Stephen
 