Is there a way to trap the killing of a ruby windows process killed
thru the TaskManager?
I've tried trap(INT), trap(ABRT) and trap(KILL) and none seem to
respond to kill process.
gga wrote:
Is there a way to trap the killing of a ruby windows process killed
thru the TaskManager?
I've tried trap(INT), trap(ABRT) and trap(KILL) and none seem to
respond to kill process.
You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped. Read here for
more:
http://blogs.msdn.com/oldnewthing/archive/2004/07/22/191123.aspx
It's probably a good thing, too. Imagine if you did this:
trap("KILL"){ # Do nothing }
How would you kill the process short of rebooting?
Regards,
Dan
Gee, so there's only a SIGKILL on Windows, and no equivalent of a
SIGTERM? What if I want the process to try to do some cleanup before
dying? This is something I do fairly often with my programs on
GNU/Linux. Now if the cleanup is hosed, obviously I'd expect a kill -9
to still work of course...
···
On 9/23/05, Daniel Berger <djberg96@gmail.com> wrote:
You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped. Read here for
more:http://blogs.msdn.com/oldnewthing/archive/2004/07/22/191123.aspx
It's probably a good thing, too. Imagine if you did this:
trap("KILL"){ # Do nothing }
How would you kill the process short of rebooting?
under *nix you can trap almost all signals - but not this one for that very
reason. that's why 'kill -9' is dang handy
-a
···
On Fri, 23 Sep 2005, Daniel Berger wrote:
gga wrote:
Is there a way to trap the killing of a ruby windows process killed
thru the TaskManager?
I've tried trap(INT), trap(ABRT) and trap(KILL) and none seem to
respond to kill process.You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped. Read here for
more:http://blogs.msdn.com/oldnewthing/archive/2004/07/22/191123.aspx
It's probably a good thing, too. Imagine if you did this:
trap("KILL"){ # Do nothing }
How would you kill the process short of rebooting?
--
email :: ara [dot] t [dot] howard [at] noaa [dot] gov
phone :: 303.497.6469
Your life dwells amoung the causes of death
Like a lamp standing in a strong breeze. --Nagarjuna
===============================================================================
You can. Just it is a bit more involved.
Method #1
A) Inject a DLL into task manager and any other process that you think may originate a TerminateProcess() call. Injecting a DLL is covered in many places. Use Google, Lookup CreateRemoteThread(). This requires that you have privileges to use CreateRemoteThread().
B) The injected DLL should hook TerminateProcess in Kernel32(). In the hook it identifies if the process to be killed is the one TerminateProcess has been asked to kill. If it is not that process then pass the call from the hook to the real TerminateProcess. If it is that process just return.
Method #2
TerminateProcess almost certainly ends up doing a Kernel transition inside ntdll.dll to execute the action. If you install a kernel driver you can then implement the equivalent of 1B above but your hook will work for all applications. Your hook should look for a special marker (say a named Mutex) so that it knows it should kill the process (this would allow you to not kill the process most of the time and kill it when you wanted to). The techniques described on www.rootkit.com can help you implement this.
Method #1 is straightforward to anyone with the appropriate background (most software tool developers will be familiar with this because of their need to hook functions all over the place - myself included). Method #2 requires someone familiar with the pitfalls of device driver development and hooking.
Stephen
···
In message <1127449360.342691.303460@z14g2000cwz.googlegroups.com>, Daniel Berger <djberg96@gmail.com> writes
gga wrote:
Is there a way to trap the killing of a ruby windows process killed
thru the TaskManager?
I've tried trap(INT), trap(ABRT) and trap(KILL) and none seem to
respond to kill process.You can't. Using the "end process" button on the Task Manager calls
the TerminateProcess() function, which can't be trapped.
--
Stephen Kellett
Object Media Limited http://www.objmedia.demon.co.uk/software.html
Computer Consultancy, Software Development
Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
Dido Sevilla wrote:
> You can't. Using the "end process" button on the Task Manager calls
> the TerminateProcess() function, which can't be trapped. Read here for
> more:
>
> http://blogs.msdn.com/oldnewthing/archive/2004/07/22/191123.aspx
>
> It's probably a good thing, too. Imagine if you did this:
>
> trap("KILL"){ # Do nothing }
>
> How would you kill the process short of rebooting?Gee, so there's only a SIGKILL on Windows, and no equivalent of a
SIGTERM? What if I want the process to try to do some cleanup before
dying? This is something I do fairly often with my programs on
GNU/Linux. Now if the cleanup is hosed, obviously I'd expect a kill -9
to still work of course...
Well, drat, I *thought* the CreateRemoteThread + ExitProcess combo was
catchable, but I'm not so sure now. It may require a custom handler,
but I'd have to research further.
Also, take a look at this:
That article suggests a RegisterWindowMessage + BroadcastSystemMessage
approach, though I haven't tried it.
Regards,
Dan
···
On 9/23/05, Daniel Berger <djberg96@gmail.com> wrote: