FASM: Kill Process (TerminateProcess)
by admin on Sep.19, 2011, under Programming
The following example code demonstrates how to terminate a process in flat assembler.
The target process used in this sample code is calc.exe. Killing a process by name is not a single API call: TerminateProcess needs a handle to the process, so you have to step through all currently running processes to find the one you want before you can terminate it.
format PE GUI 4.0
entry start
include 'win32a.inc'
;================== code =====================
section '.code' code readable executable
;=============================================
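start:
; Entry point (FASM, Win32, stdcall via the `invoke` macro).
;   1. Best effort: enable SeDebugPrivilege on our own access token.
;   2. Snapshot the process list and walk it entry by entry.
;   3. Call `kill` for every entry whose image name equals PrcList.
; Every API result is checked; a failure in step 1 is not fatal, the walk
; simply runs without the extra privilege.

; --- 1. enable the privilege ---------------------------------------------
; SeDebugPrivilege lets the caller open processes regardless of their
; security descriptor. It is not needed for processes owned by the same
; user, and it is only present in elevated/administrator tokens.
        invoke  GetCurrentProcess                       ; eax = pseudo handle for this process
        invoke  OpenProcessToken,eax,TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES,phToken
        test    eax,eax
        jz      .snapshot                               ; no token handle: continue without the privilege
        invoke  LookupPrivilegeValue,0,Privilege,pLocalId ; writes an 8-byte LUID at pLocalId
        test    eax,eax
        jz      .close_token
; AdjustTokenPrivileges reads a TOKEN_PRIVILEGES structure starting at
; PrivilegeCount: count (4 bytes), LUID (8 bytes), attributes (4 bytes).
        mov     [PrivilegeCount],1
        mov     [Attributes],2                          ; SE_PRIVILEGE_ENABLED
        invoke  AdjustTokenPrivileges,[phToken],0,PrivilegeCount,0,0,0
; NOTE: a nonzero return does not prove the privilege was granted;
; GetLastError reports ERROR_NOT_ALL_ASSIGNED when the token lacks it.
.close_token:
        invoke  CloseHandle,[phToken]                   ; the token handle is not needed any more

; --- 2. snapshot and walk the process list -------------------------------
.snapshot:
        mov     [prcs.dwSize],sizeof.PROCESSENTRY32     ; must be set before Process32First
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        cmp     eax,-1                                  ; INVALID_HANDLE_VALUE
        je      .exit
        mov     [hSnapshot],eax
        invoke  Process32First,[hSnapshot],prcs
        test    eax,eax
        jz      .done                                   ; empty snapshot or error: prcs holds no valid entry
.loop:
; Exact, case-insensitive comparison. A substring search (StrStrI) would
; also match unrelated images such as "mycalc.exe".
        invoke  lstrcmpi,prcs.szExeFile,PrcList
        test    eax,eax
        jnz     .next                                   ; nonzero = names differ
        call    kill                                    ; prcs.th32ProcessID identifies the match
.next:
        invoke  Process32Next,[hSnapshot],prcs
        test    eax,eax
        jnz     .loop                                   ; nonzero = another entry was copied into prcs
.done:
        invoke  CloseHandle,[hSnapshot]
.exit:
        invoke  ExitProcess,0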
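kill:
; Terminate the process described by the current snapshot entry.
; In:    [prcs.th32ProcessID] = id of the process to terminate
; Out:   nothing (best effort; failures are ignored)
; Clobb: eax, ecx, edx, flags (ebx is saved and restored)
        invoke  OpenProcess,PROCESS_TERMINATE,0,[prcs.th32ProcessID] ; request only the terminate right
        test    eax,eax
        jz      .done                                   ; access denied, or the process has already exited
        push    ebx
        mov     ebx,eax                                 ; ebx survives the stdcall API calls below
        invoke  TerminateProcess,ebx,0                  ; exit code 0
        invoke  CloseHandle,ebx                         ; do not leak one handle per matched process
        pop     ebx
.done:
        retn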
;=================== data ====================
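section '.data' data readable writeable
;=============================================
; Access mask for OpenProcessToken:
; TOKEN_ADJUST_PRIVILEGES (20h) or TOKEN_QUERY (08h)
TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES = 28h
; CreateToolhelp32Snapshot flag: include all processes in the snapshot
TH32CS_SNAPPROCESS = 2

; One process-list entry as filled in by Process32First / Process32Next
; (32-bit ANSI layout). dwSize must hold sizeof.PROCESSENTRY32 before the
; first call.
struct PROCESSENTRY32
  dwSize              dd ?
  cntUsage            dd ?
  th32ProcessID       dd ?
  th32DefaultHeapID   dd ?
  th32ModuleID        dd ?
  cntThreads          dd ?
  th32ParentProcessID dd ?
  pcPriClassBase      dd ?
  dwFlags             dd ?
  szExeFile           db 260 dup(?)     ; MAX_PATH characters, zero terminated
ends

; The next three items form one TOKEN_PRIVILEGES structure and must stay
; contiguous and in this order: AdjustTokenPrivileges receives the address
; of PrivilegeCount.
PrivilegeCount dd ?                     ; number of entries that follow (1)
pLocalId       dq ?                     ; LUID is 8 bytes; with a 4-byte slot its high part
                                        ; lands on Attributes and the structure is misread
Attributes     dd ?                     ; 2 = SE_PRIVILEGE_ENABLED

phToken        dd ?                     ; handle returned by OpenProcessToken
hSnapshot      dd ?                     ; handle returned by CreateToolhelp32Snapshot
prcs           PROCESSENTRY32           ; current snapshot entry
PrcList        db 'calc.exe',0          ; image name of the process to terminate
Privilege      db 'SeDebugPrivilege',0  ; privilege name passed to LookupPrivilegeValue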
;=============================================
section '.idata' import data readable
;=============================================
; Import table. `library` names the DLLs to bind against; each include
; below supplies the import declarations for the DLL of the same name,
; so every function used with `invoke` must come from one of these three.
library kernel32,'KERNEL32.DLL',\
advapi32,'ADVAPI32.DLL',\
shell32,'SHELL32.DLL'
include 'API\kernel32.inc'
include 'API\advapi32.inc'
include 'API\shell32.inc'




August 29th, 2014 on 02:54
yes sometimes windows task-manager can’t do the job
hope this one works, now i know how to kill a process with FASM thank you