Attack Method: Process Termination via TerminateProcess@kernel32.dll.
Description: The kernel32.dll library exports the TerminateProcess API function which is the most common process termination method as it is very simple to use, very effective, and purpose-built for the task. There is no way for a process to detect or counter this without using a driver-based solution similar to Process Guard and that is not easy to implement, which is why nearly all security programs can be terminated using this method.
Example: Terminating a process using the TerminateProcess API function is simple - just use Task Manager, right-click on any process and choose End Process from the context menu (the screenshot that accompanied this step is not reproduced here).

In some cases you may get an Access Denied message, but you'll usually find that if you use our freeware DiamondCS TaskMan+ tool (which simply elevates Task Manager's privileges) you'll be able to terminate virtually any process - trojans can easily do this too.
The Attack: To terminate any process, a trojan would normally first acquire a special (but easy to obtain) privilege called SeDebugPrivilege (as the TaskMan+ tool does) - this is optional, but it allows it to terminate some processes that it otherwise wouldn't be able to. Then it simply calls the TerminateProcess function in the kernel32.dll file, instructing it to terminate the target process.
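Since the attack above leans on SeDebugPrivilege to get past the Access Denied case, a defender's first question is who on the machine holds that right and whether the current session already has it enabled. The following PowerShell audit is an added example written for this page; it is not DiamondCS code and not part of the original. It assumes a Windows host with secedit.exe and whoami.exe (both ship with Windows) and an elevated prompt, because secedit refuses to export the local policy otherwise. The function and variable names are the author's own.

```powershell
# Added example (not DiamondCS code): report which accounts hold the
# "Debug programs" user right (SeDebugPrivilege) and whether the current
# token has it enabled. Run from an elevated PowerShell prompt.

function Get-SeDebugPrivilegeHolders {
    [CmdletBinding()]
    param()

    # secedit exports the local policy, including [Privilege Rights], to an INI-style file
    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $cfg /quiet
        if (-not (Test-Path $cfg)) { throw "secedit export failed (is the prompt elevated?)" }

        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }   # right assigned to nobody

        # The value is a comma-separated list; SIDs are prefixed with '*'
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e -like '*S-1-*') {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Account = $e }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-SeDebugPrivilegeState {
    # whoami /priv lists the token's privileges with an Enabled/Disabled column
    $priv = & whoami.exe /priv | Where-Object { $_ -match '^SeDebugPrivilege\s' }
    if (-not $priv) { return 'absent' }      # not held at all: TerminateProcess stays DACL-bound
    if ($priv -match '\bEnabled\s*$') { 'enabled' } else { 'disabled' }
}

# Usage
Get-SeDebugPrivilegeHolders | Format-Table -AutoSize
"Current token SeDebugPrivilege: $(Test-SeDebugPrivilegeState)"
```

On a default installation the only holder is the local Administrators group; any additional account or group in the list is an extra identity from which the elevated form of this attack can be launched, and "disabled" on the current token only means a caller has to adjust it first, as TaskMan+ and the trojans the page describes do.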
Attack Result: The target process is terminated. If the target process is a security program, any security offered by that program will typically be defeated.
Solution: DiamondCS Process Guard is easily able to protect against the TerminateProcess function by preventing Terminate access to the target process.
Related websites:
MSDN: TerminateProcess
MSDN: Terminating a Process
MSDN: Processes and Threads
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.