So, I was just thinking, what's the most stealthy way of closing another process? Creating a remote thread with a null pointer, window message flooding maybe?
Quote: "creating a remote thread"

No stealth there, very intrusive. Use a kernel driver and enter the context of the desired process to terminate.
uses
  Windows;

// Job-object API imports; older Delphi Windows units do not declare them.
function CreateJobObjectW(lpJobAttributes: PSecurityAttributes;
  lpName: PWChar): THandle; stdcall; external 'kernel32.dll';
function AssignProcessToJobObject(hJob: THandle;
  hProcess: THandle): BOOL; stdcall; external 'kernel32.dll';
function TerminateJobObject(hJob: THandle;
  uExitCode: UINT): BOOL; stdcall; external 'kernel32.dll';

// Terminates a process indirectly: place it in a fresh job object and
// terminate the job, so the kill is carried out by the job machinery
// rather than by a direct TerminateProcess call from this module.
function TerminateProcessByJob(const dwProcessId: DWORD): BOOL;
var
  hJobObject, hProcess: THandle;
begin
  Result := False;
  // MAXIMUM_ALLOWED requests every right the caller's token permits;
  // AssignProcessToJobObject needs PROCESS_SET_QUOTA and PROCESS_TERMINATE.
  hProcess := OpenProcess(MAXIMUM_ALLOWED, False, dwProcessId);
  if hProcess <> 0 then
  begin
    // Anonymous job object with default security.
    hJobObject := CreateJobObjectW(nil, nil);
    if hJobObject <> 0 then
    begin
      // Before Windows 8, AssignProcessToJobObject fails with
      // ERROR_ACCESS_DENIED if the target already belongs to a job;
      // nested jobs are only supported from Windows 8 onwards.
      Result := AssignProcessToJobObject(hJobObject, hProcess) and
        TerminateJobObject(hJobObject, 0);
      CloseHandle(hJobObject);
    end;
    CloseHandle(hProcess);
  end;
end;
Mut4nt wrote:
12 ways to terminate a process

All of them require a process/thread handle to be obtained by the attacker, or driver loading for EPROCESS/ETHREAD/VM manipulation. This is not stealth. Stealth is when you kill another app without drawing any additional attention to your own module. So the best way here is to kill the process by other hands. I think even some IPS should allow this, unless creating child processes is forbidden.
http://wj32.wordpress.com/2009/05/10/12 ... a-process/
