I am making a security application for a policy. This app blocks unlisted/unwanted programs from running (Admin/Guest Account).
Well, in this case it's neither secure nor is it the right approach. Sorry to say.
I hook in ring3, right now I have not implemented my app as a service/ring0, it's just a normal GUI app.
Well, write a driver. If you can live with the prerequisites of Windows XP SP2 or Windows 2000 SP4+SRP+FltMgr and higher, you can easily use one of the mini-filter samples from the WDK. Mini-filters are rather easy to implement, compared with classic FSFDs.
I use ESET on my PC. ESET's GUI can be killed easily, but ESET's service is a "self restarting" service.
Well, there is usually something like a failure action. But again, "self-restarting" and "invincible" processes suck!
So I just want to ask, is there any simple way to block End Task for GUI app?
Nope.
On top of that, Windows comes with a Software Policy Kit which allows you to block unwanted programs by name and hash. Your program can't do it in a better way. Those policies even apply to administrative accounts, if wanted.
This should be Vista or higher, though?! The old approach was pretty insecure and relied on particular means being used to execute a program. If a more subtle method was used one could circumvent the restriction. Done so myself as admin.
But otherwise I can recommend TrustNoExe, though it may not work on x64 or Vista and higher (due to signing policies).
Small note concerning TrustNoExe: the guy used an SSDT hook to see when images get loaded. Whenever something that was not allowed was about to be loaded, he'd exchange the section (aka MMF) handle with one of his own usermode executable. This way his executable could retrieve its "own" location (actually the one of the attempted execution) and display a nice message to the user. Simple but effective.