Tuts 4 You

Exit process without api



I don't know if I understand you well, but instead of using APIs maybe you can use retn instead, and it will "exit" the calling thread.


Depending on the app, maybe force a crash; depending on some things it'll show the unhandled exception error, freeze completely, etc. This wouldn't be a clean exit.

  • Like 1

a retn from the EP will return back into kernel32 and call ExitThread, which will also terminate the process.

  • Like 1

hold down power button of your PC for ~5 seconds or pull the power plug. :D


OK, for real: by "without hardcoding" you mean something like calculating or decrypting the used API function calls so they aren't findable/breakpointable until they are executed? That's indeed possible and I've seen that various times.

  • Like 1

thank you people from tuts4you!


I use a ret and it seems to work nicely :)



To cypher: no imports are used at all.

  • 3 weeks later...
Peter Ferrie

Just execute int3 without any exception handler present. Windows will forcibly terminate your application (but possibly trigger a popup and Watson report as a result).

  • Like 1

Is there a way to shutdown/exit a process/application without using an API and without hardcoding?

The clean way of performing this would be emulating the proper syscall for the ExitProcess function, but it is a tiresome process to make it exactly universal, considering the syscall value for each OS is different.



Edited by Conquest
  • Like 1

So I think FastLife only wants to know something about Windows systems & exit and not Linux etc., right?


On the other hand, if you don't like those posted possibilities by us etc., then just use the ExitProcess API of the target itself which you want to exit, if you need it.

Here the exit API is stored in Notepad.exe XP, for example:

    $-608A  01001318  <> 77C09E7E  msvcrt.exit

Let's say you want to patch your exit call at OEP (example):

    $ ==>   0100739D  E8 00000000    CALL 010073A2
    $+5     010073A2  58             POP EAX
    $+6     010073A3  6A 00          PUSH 0x0                                ; ExitCode
    $+8     010073A5  FF90 769FFFFF  CALL DWORD PTR DS:[EAX+0xFFFF9F76]      ; msvcrt.exit

After the short call + pop into EAX (or any other R32 register, not ESP of course) you have the address where the pop is in EAX = 010073A2 in this case. Now check where the exit API is stored in your file = address 01001318, and now just sub it: 010073A2 - 01001318 = 608A bytes = length from one address to the other. Now just create a call "call dword [eax-608A]" (as above) and that's it. Now your target can run with any base XY and the call will always point to exit "IF" you keep this patch at this address (pop address), so if you change it then just re-calc the new length.

Or just make a little patch which reads the PEB and finds the ExitProcess API via the export table, which you can then use. Just try a little and use what you like. :)



  • Like 2
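The base-independent "call $+5 / pop eax / call [eax-608A]" stub from the Notepad.exe post above, as an added example that is not part of the thread: a small Python encoder that builds the 14-byte patch from the stub address and the IAT slot address (the 0x0100739D and 0x01001318 values quoted in the post) and a checker that simulates the stub at a different load base to confirm the dereferenced slot moves with the image. Nothing is read from a real binary; the constants are the post's numbers.

```python
"""Encode and verify the position-independent exit stub described in the thread."""
import struct

# Values quoted in the post (Notepad.exe, XP); they are inputs here, not measurements.
OEP = 0x0100739D           # where the stub is written
IAT_EXIT_SLOT = 0x01001318  # import slot that holds the address of msvcrt.exit


def build_exit_stub(stub_va: int, iat_slot_va: int, exit_code: int = 0) -> bytes:
    """Return the stub bytes:
         call $+5                 E8 00 00 00 00   (pushes address of the POP)
         pop  eax                 58               (eax = stub_va + 5)
         push exit_code           6A xx
         call [eax + disp32]      FF 90 disp32     (disp32 = iat_slot - pop address)
    disp32 is negative when the IAT lies below the patched code, as in the post.
    """
    pop_va = stub_va + 5
    disp = iat_slot_va - pop_va
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("IAT slot not reachable with a 32-bit displacement")
    stub = b"\xE8" + struct.pack("<i", 0)            # call next instruction
    stub += b"\x58"                                   # pop eax
    stub += b"\x6A" + struct.pack("<b", exit_code)    # push imm8 (sign-extended)
    stub += b"\xFF\x90" + struct.pack("<i", disp)     # call dword ptr [eax+disp32]
    return stub


def resolve_call_target(stub: bytes, stub_va: int) -> int:
    """Simulate the stub placed at stub_va and return the slot the final
    CALL dereferences. Running it at two different bases shows the target
    relocates with the image, which is the point of the trick."""
    if len(stub) != 14 or stub[0] != 0xE8 or stub[5] != 0x58 or stub[8:10] != b"\xFF\x90":
        raise ValueError("not the expected call/pop/push/call stub")
    eax = stub_va + 5                                 # what POP EAX yields
    disp = struct.unpack_from("<i", stub, 10)[0]
    return (eax + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    stub = build_exit_stub(OEP, IAT_EXIT_SLOT)
    print(stub.hex(" "))                              # E8 00 00 00 00 58 6A 00 FF 90 76 9F FF FF
    print(hex(resolve_call_target(stub, OEP)))        # 0x1001318
    print(hex(resolve_call_target(stub, OEP + 0x10000)))  # 0x1011318, follows the new base
```

If the stub is moved to another address without re-encoding, `resolve_call_target` makes the breakage visible: the dereferenced slot shifts by the same amount, which is the re-calc caveat the post ends with.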

thank you all tuts4you members, very useful to me :)


I want to exit without looping through exports and without crashing the program :)

  • 2 weeks later...

@Cleiton Directly in pascal it is not possible.


@FastLife Without crashing the application and without calling an API, you have to return over the OEP. So you can save the stack at OEP in any way you want, then just restore it and make RETN when you want to close the program. It won't give any exception, and also closes all open handles.
