DioProcess

Process Kill Methods

Ring 0

Terminate processes using various kernel-level methods to bypass protection.

Use With Caution

Kernel-level process termination bypasses normal protections. Terminating critical system processes can cause BSOD or data loss.

Overview

DioProcess provides multiple process termination methods, escalating from usermode APIs to kernel-level termination that can kill protected processes.

Kill Methods

Method               Level     Bypasses
TerminateProcess     Ring 3    Nothing (standard)
NtTerminateProcess   Ring 3    TerminateProcess hooks
Kernel Kill          Ring 0    Handle access restrictions, EDR
HV Kill              Ring -1   PPL, kernel callbacks, everything

Kernel Kill Implementation

Algorithm
NTSTATUS KernelTerminateProcess(ULONG ProcessId) {
    PEPROCESS Process;
    
    // 1. Get EPROCESS pointer
    NTSTATUS Status = PsLookupProcessByProcessId(
        (HANDLE)ProcessId,
        &Process
    );
    if (!NT_SUCCESS(Status)) return Status;
    
    // 2. Method 1: ZwTerminateProcess (uses kernel handle)
    HANDLE ProcessHandle;
    Status = ObOpenObjectByPointer(
        Process,
        OBJ_KERNEL_HANDLE,
        NULL,
        PROCESS_TERMINATE,
        *PsProcessType,
        KernelMode,
        &ProcessHandle
    );
    
    if (NT_SUCCESS(Status)) {
        // Bypasses usermode access checks
        Status = ZwTerminateProcess(ProcessHandle, 0);
        ZwClose(ProcessHandle);
    }
    
    ObDereferenceObject(Process);
    return Status;
}

// Alternative: Direct thread termination
NTSTATUS KernelTerminateProcessAlt(ULONG ProcessId) {
    // For each thread in process:
    //   PsLookupThreadByThreadId(ThreadId, &Thread);
    //   PsTerminateSystemThread(STATUS_SUCCESS);
    // This terminates all threads, killing the process
}

Hypervisor Kill

The most powerful termination method operates from Ring -1:

HV Kill Algorithm
NTSTATUS HvTerminateProcess(ULONG ProcessId) {
    // 1. From hypervisor, directly manipulate EPROCESS
    PEPROCESS Process = GetEprocessFromPid(ProcessId);
    
    // 2. Set process exit flags
    Process->Flags |= PS_PROCESS_FLAGS_PROCESS_DELETE;
    Process->ExitStatus = STATUS_SUCCESS;
    
    // 3. Terminate all threads by clearing their context
    for (each thread in process) {
        Thread->Terminated = TRUE;
        // Clear thread context, causing exception on resume
    }
    
    // 4. Signal process termination
    KeSetEvent(&Process->ExitEvent);
}

IOCTLs

IOCTL               Code          Description
KERNEL_TERMINATE    0x00222060    Ring 0 termination
HV_TERMINATE        0x880         Ring -1 termination

UI Access

Multiple ways to terminate processes:

  • Delete key — Standard termination (default)
  • Right-click → Terminate — Shows method selector
  • Terminate dropdown — Choose specific method

Kernel and HV methods are only available when the driver is loaded.

What Each Method Kills

Process Type        Ring 3 / Ring 0 / Ring -1
Normal processes
EDR-protected
PPL (Protected)     ~
System (PID 4)      ~  BSOD

✓ = Works, ✗ = Blocked, ~ = May work with side effects

Use Cases

  • Kill stubborn processes that refuse to terminate
  • Terminate EDR/AV processes for testing
  • Kill processes protected by ObRegisterCallbacks
  • Security research on process protection mechanisms