FASM: Kill Process (TerminateProcess)
by admin on Sep.19, 2011, under Programming
The following example code demonstrates how to terminate a process in flat assembler. The target process in this sample is calc.exe.

There is no single Win32 call that kills a process by name: TerminateProcess needs a process handle, and OpenProcess needs a process ID. So the program has to take a Toolhelp32 snapshot, walk the list of running processes until the image name matches, and only then open that process with PROCESS_TERMINATE and terminate it. Before that it tries to enable SeDebugPrivilege on its own token. That step is only needed when the target runs under another account or at a higher integrity level, and it only succeeds if the token actually holds the privilege (in practice, an elevated administrator); a calc.exe started by the same user can be terminated without it.
format PE GUI 4.0
entry start

include 'win32a.inc'

; Constants used below (values from the Windows SDK headers)
TOKEN_ADJUST_PRIVILEGES = 20h
TOKEN_QUERY             = 8
SE_PRIVILEGE_ENABLED    = 2
TH32CS_SNAPPROCESS      = 2
PROCESS_TERMINATE       = 1
INVALID_HANDLE_VALUE    = -1

; PROCESSENTRY32 (ANSI layout, 296 bytes)
struct PROCESSENTRY32
  dwSize              dd ?
  cntUsage            dd ?
  th32ProcessID       dd ?
  th32DefaultHeapID   dd ?
  th32ModuleID        dd ?
  cntThreads          dd ?
  th32ParentProcessID dd ?
  pcPriClassBase      dd ?
  dwFlags             dd ?
  szExeFile           db 260 dup(?)
ends

;================== code =====================
section '.code' code readable executable
;=============================================
start:
        ; --- Try to enable SeDebugPrivilege on our own token ---------------------
        ; Only needed to open processes of other users / higher integrity. If the
        ; token does not hold the privilege, AdjustTokenPrivileges still returns
        ; nonzero but sets ERROR_NOT_ALL_ASSIGNED; we simply carry on without it.
        invoke  GetCurrentProcess                                   ; pseudo handle for the current process
        invoke  OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,hToken
        test    eax,eax
        jz      .find                                               ; no token: skip the privilege step
        invoke  LookupPrivilegeValue,0,Privilege,Luid               ; LUID of SeDebugPrivilege (8 bytes written)
        test    eax,eax
        jz      .closetoken
        mov     [PrivilegeCount],1                                  ; one LUID_AND_ATTRIBUTES entry
        mov     [Attributes],SE_PRIVILEGE_ENABLED                   ; enable it
        invoke  AdjustTokenPrivileges,[hToken],0,PrivilegeCount,0,0,0 ; apply to our token, no previous state
.closetoken:
        invoke  CloseHandle,[hToken]

.find:
        ; --- Walk the process list until the image name matches ------------------
        mov     [prcs.dwSize],sizeof.PROCESSENTRY32                 ; must be set before Process32First
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0       ; snapshot of all running processes
        cmp     eax,INVALID_HANDLE_VALUE
        je      .exit
        mov     [hSnapshot],eax                                     ; save the snapshot handle
        invoke  Process32First,[hSnapshot],prcs                     ; first entry in the snapshot
        test    eax,eax
        jz      .done
.loop:
        invoke  lstrcmpi,prcs.szExeFile,PrcList                     ; whole-name, case-insensitive compare
        test    eax,eax                                             ; 0 = names are equal
        jnz     .next                                               ; not our target: next process
        call    kill                                                ; else: kill the process
.next:
        invoke  Process32Next,[hSnapshot],prcs                      ; next entry in the snapshot
        test    eax,eax                                             ; nonzero = there is another entry
        jnz     .loop
.done:
        invoke  CloseHandle,[hSnapshot]
.exit:
        invoke  ExitProcess,0                                       ; no more processes: exit

kill:
        ; Open with the minimum right needed and terminate. OpenProcess returns 0
        ; when we are not allowed to (other user, elevated, protected process).
        invoke  OpenProcess,PROCESS_TERMINATE,0,[prcs.th32ProcessID]
        test    eax,eax
        jz      .ret
        mov     [hProcess],eax
        invoke  TerminateProcess,eax,0                              ; kill it with exit code 0
        invoke  CloseHandle,[hProcess]
.ret:
        retn

;=================== data ====================
section '.data' data readable writeable
;=============================================
; TOKEN_PRIVILEGES with one entry, laid out field by field.
; The LUID is 8 bytes; the original declared it as a dword, so
; LookupPrivilegeValue overwrote Attributes and the enable failed.
PrivilegeCount dd ?
Luid           dq ?
Attributes     dd ?

hToken         dd ?
hSnapshot      dd ?
hProcess       dd ?
prcs           PROCESSENTRY32
PrcList        db 'calc.exe',0            ; image name to terminate
Privilege      db 'SeDebugPrivilege',0

;=============================================
section '.idata' import data readable
;=============================================
library kernel32,'KERNEL32.DLL',\
        advapi32,'ADVAPI32.DLL'

include 'API\kernel32.inc'
include 'API\advapi32.inc'
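As an added example, not part of the original post, here is the same enumerate-then-terminate procedure in PowerShell, which is what you would actually type on a Windows box to do this by hand. It matches the image name whole (the post's StrStrI call is a substring search, so 'calc.exe' would also match 'mycalc.exe'), optionally requires a specific image path because any executable can be named calc.exe, and reports access-denied failures, which is exactly the case the assembly's SeDebugPrivilege step is there for. The function and parameter names are my own; the sample path is an assumption.

```powershell
function Stop-ProcessByImageName {
    <#
    Enumerate running processes and terminate those whose image name matches
    exactly (case-insensitive). Optionally require a specific image path.
    Supports -WhatIf / -Confirm through ShouldProcess.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ImageName,                   # e.g. 'calc.exe'

        [string]$ExpectedPath                 # optional full image path to require
    )

    # Get-Process works on the base name: 'calc.exe' -> 'calc'. This is a whole-name
    # match, unlike a StrStrI substring search that would also hit 'mycalc.exe'.
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)
    $targets  = @(Get-Process -Name $baseName -ErrorAction SilentlyContinue)

    if ($targets.Count -eq 0) {
        Write-Verbose "No process named '$baseName' is running"
        return
    }

    foreach ($p in $targets) {
        # A name proves nothing: any executable can be called calc.exe. When a path is
        # given, require it; a $null path means we could not even query the process.
        if ($ExpectedPath) {
            if (-not $p.Path -or $p.Path -ne $ExpectedPath) {
                Write-Verbose "Skipping PID $($p.Id): path '$($p.Path)' does not match '$ExpectedPath'"
                continue
            }
        }

        if (-not $PSCmdlet.ShouldProcess("PID $($p.Id) ($($p.ProcessName))", 'Terminate')) {
            continue
        }

        try {
            # Process.Kill() is OpenProcess(PROCESS_TERMINATE) + TerminateProcess underneath.
            $p.Kill()
            $null = $p.WaitForExit(2000)
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Result = 'Terminated' }
        }
        catch [System.ComponentModel.Win32Exception] {
            # 'Access is denied': the target runs as another user, elevated, or protected.
            # This is where the assembly's SeDebugPrivilege step matters, and it only
            # helps when our own token is elevated and actually holds that privilege.
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Result = "Failed: $($_.Exception.Message)" }
        }
        catch [System.InvalidOperationException] {
            # Raced with the process exiting on its own between enumeration and Kill().
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Result = 'Already exited' }
        }
    }
}

# Usage: same target as the post. Add -WhatIf to see what would be terminated without doing it.
# The path below is an assumed location for calc.exe.
Stop-ProcessByImageName -ImageName 'calc.exe' -ExpectedPath 'C:\Windows\System32\calc.exe' -Verbose
```

Run it from a normal user session and it terminates your own calc.exe; run it against a process started by another user and the 'Access is denied' result shows why the assembly version bothers with AdjustTokenPrivileges, and why that call alone is not enough unless the process is already elevated.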