How do I protect my process or thread from being suspended/paused or terminated?
The CBFS Filter toolkit's CBProcess component provides two events called ProcessHandleOperation and ThreadHandleOperation, which fire anytime some (other) process opens a handle to a process or thread.
To protect a process from suspension and/or termination, implement the ProcessHandleOperation and handle it by removing the PROCESS_SUSPEND_RESUME and PROCESS_TERMINATE flags from the DesiredAccess event parameter. This will prevent the newly-created handle from being used to suspend or terminate the process. A similar approach can be employed using the ThreadHandleOperation event to prevent a thread from being suspended or terminated.
The Process Monitor demo included with CBFS Filter includes code that shows how to perform these operations.
NOTE: The CBProcess component and the sample perform exactly one function ï¿½ they remote permissions from the handle, this way forbidding the handle owner from performing a Terminate or Suspend operation on the handle. However, neither the component nor the sample deal with mechanisms that let one gracefully close a window or an application, e.g. sending WM_CLOSE to the window or WM_QUIT by calling the PostQuitMessage() Windows API function. This is what Task Manager does when you use the "End Task" command in the "Processes list" tab. Handling of these mechanisms is easier doable inside of the application (if you want to protect your own application from termination) or using different techniques such as DLL injection and message hooking. At the same time, these techniques donï¿½t belong to the driver space in which Callback Technologies, Inc. specializes.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at firstname.lastname@example.org.