1 minute read

Just start playing with Windows kernel, maybe what I’m writing is foolish, IDK, but found kernel side very interesting.

It’s not tutorial, neither trustworthy post, just note for me, maybe full of mistakes, …that’s the only way to improve.

NOTE: I'm using Windows 10 x64 Version 1709 Build 16299.125

Let’s start from PsTerminateProcess function:

It calls PspTerminateProcess .

PspTerminateProcess calls PspTerminateThreads , which traverses all threads and calls PspTerminateThreadByPointer for each thread:

PspTerminateThreadByPointer calls KeRequestTerminationThread :

KeRequestTerminationThread checks 15th bit of 0x74th ( *(v2+116) & 0x4000 ) field of _KTHREAD and if it set it inserts a kernel mode APC into the APC queue of a thread to kill the thread:

Seems like if thread is not APC queueable ( 15th bit of 0x74 field is not set ) it’s impossible to kill a thread (at least this way).

_KTHREAD structure’s 0x74th field is union, the 15th bit is for ApcQueueable flag (Terminus Project - _KTHREAD), what if we set this bit to 0?

We can use WinDbg or write our driver, driver code is very simple, it receives thread IDs from userland and disables APCQueueable flag:

DEMO:

YT link