beta.blog

Programming

FASM: Kill Process (TerminateProcess)

by on Sep.19, 2011, under Programming

The following example code demonstrates how to terminate a process in flat assembler.
The target process used in this sample code is calc.exe. Killing a process is not easy, because you’ve to step through all currently running applications rather than terminating it via a single API call.

format PE GUI 4.0
entry start

include 'win32a.inc'

;================== code =====================
section '.code' code readable executable
;=============================================

start:
        invoke GetCurrentProcess                                                ; Retrieve a pseudo handle for current process
        invoke OpenProcessToken,eax,TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES,phToken ; Open access token associated with this process
        invoke LookupPrivilegeValue,0,Privilege ,pLocalId                       ; Retrieve the locally unique identifier (LUID)
        mov    [PrivilegeCount],1                                               ; [PrivilegeCount] = 1
        mov    [Attributes],2                                                   ; [Attributes]     = 2
        invoke AdjustTokenPrivileges,[phToken],0,PrivilegeCount ,0,0,0          ; Enable privileges on our token

        mov    [prcs.dwSize],sizeof.PROCESSENTRY32                              ; Store the required size of PROCESSENTRY32 in prcs.dwSize
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0                  ; Take a snapshot of the specified processes (get all running processes)
        mov    [hSnapshot], eax                                                 ; Save the snapshot handle
        invoke Process32First,[hSnapshot],prcs                                  ; Retrieve information about the first process encountered in our system snapshot
.loop:
        mov    edi,PrcList                                                      ; EDI = filename of process we want to kill
        invoke StrStrI,prcs.szExeFile, edi                                      ; Compare the current process name with the one we want to kill
        cmp    eax,0                                                            ; - || -
        je     .next                                                            ; Jump = Not equal, continue with the next process
        call   kill                                                             ; Else : Kill the process
.next:
        invoke Process32Next,[hSnapshot],prcs                                   ; Retrieve the next process in our snapshot
        cmp    eax,0                                                            ; Check if there are still processes we didn't check
        jne    .loop                                                            ; Jump = Continue the loop with the current process
        invoke ExitProcess,0                                                    ; Else : No more processes. Exit.
kill:
        invoke OpenProcess,PROCESS_TERMINATE,0,[prcs.th32ProcessID]             ; Open the process with terminate privileges
        invoke TerminateProcess,eax,0                                           ; Terminate it (Kill process)
        retn                                                                    ; And return (= exit as well)

;=================== data ====================
section '.data' data readable writeable
;=============================================

TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES =28h
TH32CS_SNAPPROCESS = 2

struct PROCESSENTRY32
        dwSize dd ?
        cntUsage dd ?
        th32ProcessID dd ?
        th32DefaultHeapID dd ?
        th32ModuleID dd ?
        cntThreads dd ?
        th32ParentProcessID dd ?
        pcPriClassBase dd ?
        dwFlags dd ?
        szExeFile db 260 dup(?)
ends

PrivilegeCount dd ?
pLocalId       dd ?
Attributes     dd ?
phToken        dd ?
hSnapshot      dd ?
prcs           PROCESSENTRY32

PrcList        db 'calc.exe',0
Privilege      db 'SeDebugPrivilege',0

;=============================================
section '.idata' import data readable
;=============================================

library         kernel32,'KERNEL32.DLL',\
                advapi32,'ADVAPI32.DLL',\
                shell32,'SHELL32.DLL'

include 'API\kernel32.inc'
include 'API\advapi32.inc'
include 'API\shell32.inc'
1 Comment more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!