In message <1127449360.342691.303460 / z14g2000cwz.googlegroups.com>, 
Daniel Berger <djberg96 / gmail.com> writes
>gga wrote:
>> Is there a way to trap the killing of a ruby windows process killed
>> thru the TaskManager?
>> I've tried trap(INT), trap(ABRT) and trap(KILL) and none seem to
>> respond to kill process.
>
>You can't.  Using the "end process" button on the Task Manager calls
>the TerminateProcess() function, which can't be trapped.

You can. It is just a bit more involved.

Method #1
A) Inject a DLL into task manager and any other process that you think 
may originate a TerminateProcess() call. Injecting a DLL is covered in 
many places. Use Google; look up CreateRemoteThread(). This requires that 
you have privileges to use CreateRemoteThread().

B) The injected DLL should hook TerminateProcess in Kernel32(). In the 
hook it identifies if the process to be killed is the one 
TerminateProcess has been asked to kill. If it is not that process then 
pass the call from the hook to the real TerminateProcess. If it is that 
process just return.

Method #2
TerminateProcess almost certainly ends up doing a Kernel transition 
inside ntdll.dll to execute the action. If you install a kernel driver 
you can then implement the equivalent of 1B above but your hook will 
work for all applications. Your hook should look for a special marker 
(say a named Mutex) so that it knows it should kill the process (this 
would allow you to not kill the process most of the time and kill it 
when you wanted to). The techniques described on www.rootkit.com can 
help you implement this.

Method #1 is straightforward to anyone with the appropriate background 
(most software tool developers will be familiar with this because of 
their need to hook functions all over the place - myself included). 
Method #2 requires someone familiar with the pitfalls of device driver 
development and hooking.

Stephen
-- 
Stephen Kellett
Object Media Limited    http://www.objmedia.demon.co.uk/software.html
Computer Consultancy, Software Development
Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
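
A defender's view of Method #1 step A, as an added example that is not part of the original post: it triages Sysmon Event ID 8 (CreateRemoteThread) records for threads created inside tools that issue TerminateProcess(). The watchlist, the helper names and the sample records are assumptions constructed for illustration; the field names follow Sysmon's Event ID 8 schema.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumption: tools expected to originate TerminateProcess() calls.
TERMINATOR_TOOLS = {"taskmgr.exe", "taskkill.exe"}
# Thread start routines typical of LoadLibrary-based DLL injection.
LOADER_FUNCS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

def score_event(ev):
    """Return (severity, reason) for a Sysmon Event ID 8 record, else None."""
    if ev.get("EventID") != 8:
        return None
    target = basename(ev.get("TargetImage", "")).lower()
    if target not in TERMINATOR_TOOLS:
        return None
    source = ev.get("SourceImage", "<unknown>")
    func = ev.get("StartFunction", "").lower()
    module = basename(ev.get("StartModule", "")).lower()
    if func in LOADER_FUNCS and module in LOADER_MODULES:
        return ("high", f"{source} started a {func} thread in {target}")
    # Sysmon could not resolve the start routine: still worth a look.
    return ("medium", f"{source} created a remote thread in {target}")

def triage(events):
    """Score every event and keep only the ones that raised an alert."""
    return [hit for hit in map(score_event, events) if hit is not None]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\demo\AppData\Local\Temp\guard.exe",
     "TargetImage": r"C:\Windows\System32\Taskmgr.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Example\app.exe",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 8, "SourceImage": r"C:\Tools\helper.exe",
     "TargetImage": r"C:\Windows\System32\taskkill.exe",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Taskmgr.exe"},
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(severity, reason)
```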