|
[求助]win7 64下NtOpenThread返回0xC0000005?
把代码放在内核线程中就可以了, 原来放在派遣函数就不行, 不知道是为什么 |
|
[求助]被system进程占用的文件怎么删除?
再顶一下, 不要沉了呀 |
|
[求助]被system进程占用的文件怎么删除?
自己顶一下 |
|
[求助]被system进程占用的文件怎么删除?
[QUOTE=GeekCheng;1386401]附件是两个驱动,MappingSys是驱动内存映射文件占用CC.txt,注意测试的时候CC.txt要写点东西,如果问文件大小是0的话会映射失败,然后加载DeleteFile.sys就可以删除了,用WDK7600命令行编译。 DeleteFile.7z[/QUOTE] 谢谢GeekCheng提供的驱动,经测试, 例子是能成功运行的。 可是用来实际删除我所说的文件,却不能删除。 后来我加了一些调试信息如下: #include "DeleteFile.h" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString) { ForceDeleteFile(L"C:\\Windows\\SysWOW64\\TWZ269cfj.dll"); return STATUS_SUCCESS; } VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj) { } NTSTATUS ForceDeleteFile(WCHAR* wzFileFullPath) { NTSTATUS Status = STATUS_UNSUCCESSFUL; WCHAR wzPath[MAX_PATH] = {0}; //先关闭所占用文件的句柄 Status = ForceCloseFileHandle(wzFileFullPath); if (!NT_SUCCESS(Status)) { KdPrint(("ForceCloseFileHandle Failed!")); return Status; } wcscat(wzPath,L"\\??\\"); wcscat(wzPath,wzFileFullPath); DeleteFile(wzPath); return Status; } NTSTATUS ForceCloseFileHandle(WCHAR* wzFileFullPath) { NTSTATUS Status; PSYSTEM_HANDLE_INFOR SystemHandleInfor = NULL; PSYSTEM_HANDLE_TABLE_ENTRY_INFOR SystemHandleTableEntryInfor = NULL; ULONG ulLength = 0x1000; int i = 0; OBJECT_ATTRIBUTES oa; CLIENT_ID Cid; KIRQL OldIrql; HANDLE hCurrentProcess = NULL; HANDLE hTargetProcess = NULL; HANDLE hCurrentHandle = NULL; char szBuffer[260] = {0}; UNICODE_STRING uniFileFullPath; POBJECT_NAME_INFORMATION NameInfor; NameInfor = (POBJECT_NAME_INFORMATION)szBuffer; //RtlInitUnicodeString(&uniFileFullPath,wzFileFullPath); RtlInitUnicodeString(&uniFileFullPath,L"\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\TWZ269cfj.dll"); Cid.UniqueProcess = PsGetCurrentProcessId(); //获得SystemID Cid.UniqueThread = 0; InitializeObjectAttributes(&oa,NULL,OBJ_KERNEL_HANDLE,NULL,NULL); Status = NtOpenProcess(&hCurrentProcess,PROCESS_ALL_ACCESS,&oa,&Cid); //获得System句柄 if (!NT_SUCCESS(Status)) { KdPrint(("NtOpenProcess Error!")); return Status; } SystemHandleInfor = ExAllocatePool(PagedPool,ulLength); if (SystemHandleInfor==NULL) { KdPrint(("SystemHandleInfor==NULL")); ZwClose(hCurrentProcess); return 
STATUS_INSUFFICIENT_RESOURCES; } Status = ZwQuerySystemInformation(SystemHandleInformation,SystemHandleInfor, ulLength,&ulLength); if (Status==STATUS_INFO_LENGTH_MISMATCH) { ExFreePool(SystemHandleInfor); SystemHandleInfor = ExAllocatePool(PagedPool,ulLength); if (SystemHandleInfor==NULL) { KdPrint(("SystemHandleInfor 11111111111111 ==NULL")); ZwClose(hCurrentProcess); return STATUS_INSUFFICIENT_RESOURCES; } Status = ZwQuerySystemInformation(SystemHandleInformation,SystemHandleInfor, ulLength,&ulLength); } if (!NT_SUCCESS(Status)) { KdPrint(("!NT_SUCCESS(Status)")); ZwClose(hCurrentProcess); ExFreePool(SystemHandleInfor); return Status; } KdPrint(("NumberOfHandles: %d", SystemHandleInfor->NumberOfHandles)); for (i=0;i<SystemHandleInfor->NumberOfHandles;i++) { SystemHandleTableEntryInfor = &SystemHandleInfor->Handles[i]; if (SystemHandleTableEntryInfor->ObjectTypeIndex == OB_TYPE_FILE) //如果是文件对象 { InitializeObjectAttributes(&oa,NULL,OBJ_KERNEL_HANDLE,NULL,NULL); Cid.UniqueProcess = (HANDLE)SystemHandleTableEntryInfor->UniqueProcessId; Cid.UniqueThread = 0; //打开占用文件对象的进程 Status = NtOpenProcess(&hTargetProcess,PROCESS_DUP_HANDLE,&oa,&Cid); if (NT_SUCCESS(Status)) { KdPrint(("NtOpenProcess Success!")); if (NT_SUCCESS(ZwDuplicateObject(hTargetProcess, (HANDLE)SystemHandleTableEntryInfor->HandleValue, hCurrentProcess, &hCurrentHandle, 0,0, DUPLICATE_SAME_ACCESS))) //相同权限,可以用来绕过CreateFile()的权限 { KdPrint(("ZwDuplicateObject Success!")); if (NT_SUCCESS(ZwQueryObject(hCurrentHandle,ObjectNameInformation,NameInfor,260,NULL))) { DbgPrint("%wZ\r\n",&NameInfor->Name); //如果句柄引用的是我们目标的文件对象 if (RtlCompareUnicodeString(&NameInfor->Name,&uniFileFullPath,FALSE)==0) { KdPrint(("RtlCompareUnicodeString == 0!")); //关闭之前拷贝的句柄 ZwClose(hCurrentHandle); OldIrql = KeRaiseIrqlToDpcLevel(); if (NT_SUCCESS(ZwDuplicateObject(hTargetProcess, (HANDLE)SystemHandleTableEntryInfor->HandleValue, hCurrentProcess, &hCurrentHandle,0,0, DUPLICATE_CLOSE_SOURCE))) //拷贝句柄并将原句柄关闭 { 
KdPrint(("ZwDuplicateObject111111111111111111 sucess!")); Status = ZwClose(hCurrentHandle); //关闭拷贝的句柄 if(!NT_SUCCESS(Status)) { KdPrint(("ZwClose(hCurrentHandle) Failed, Status: %X", Status)); } } KeLowerIrql(OldIrql); Status = ZwClose(hTargetProcess); if(!NT_SUCCESS(Status)) { KdPrint(("ZwClose(hTargetProcess) Failed, Status: %X", Status)); } break; } } ZwClose(hCurrentHandle); } ZwClose(hTargetProcess); } } } ZwClose(hCurrentProcess); ExFreePool(SystemHandleInfor); return Status; } NTSTATUS DeleteFile(WCHAR* wzFileFullPath) { NTSTATUS Status; OBJECT_ATTRIBUTES oa; UNICODE_STRING uniFileFullPath; RtlInitUnicodeString(&uniFileFullPath,wzFileFullPath); InitializeObjectAttributes(&oa,&uniFileFullPath,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL,NULL); Status = ZwDeleteFile(&oa); if(!NT_SUCCESS(Status)) { KdPrint(("ZwDeleteFile(&oa) Failed, Status: %X", Status)); } return Status; } 加载驱动DbgView输出结果如下: 00000001 0.00000000 NumberOfHandles: 9721 00000002 0.00000241 NtOpenProcess Success! 00000003 0.00000453 ZwDuplicateObject Success! 00000004 0.00000815 \Device\Tcp 00000005 0.00000996 NtOpenProcess Success! 00000006 0.00001117 ZwDuplicateObject Success! 00000007 0.00001268 \Device\Tcp 00000008 0.00001419 NtOpenProcess Success! 00000009 0.00001540 ZwDuplicateObject Success! 00000010 0.00001690 \Device\Tcp 00000011 0.00001811 NtOpenProcess Success! 00000012 0.00001932 ZwDuplicateObject Success! 00000013 0.00002083 \Device\Tcp 00000014 0.00002204 NtOpenProcess Success! 00000015 0.00002324 ZwDuplicateObject Success! 00000016 0.00002475 \Device\Tcp 00000017 0.00002596 NtOpenProcess Success! 00000018 0.00002717 ZwDuplicateObject Success! 00000019 0.00002868 \Device\Tcp 00000020 0.00003019 NtOpenProcess Success! 00000021 0.00003139 ZwDuplicateObject Success! 00000022 0.00003260 \Device\Tcp 00000023 0.00003411 NtOpenProcess Success! 00000024 0.00003502 ZwDuplicateObject Success! 00000025 0.00003653 \Device\Tcp 00000026 0.00003804 NtOpenProcess Success! 
00000027 0.00003894 ZwDuplicateObject Success! 00000028 0.00004045 \Device\Tcp 00000029 0.00004196 NtOpenProcess Success! 00000030 0.00004287 ZwDuplicateObject Success! 00000031 0.00004437 \Device\Tcp 00000032 0.00004588 NtOpenProcess Success! 00000033 0.00004679 ZwDuplicateObject Success! 00000034 0.00004830 \Device\Tcp 00000035 0.00004981 NtOpenProcess Success! 00000036 0.00005071 ZwDuplicateObject Success! 00000037 0.00005222 \Device\Tcp 00000038 0.00005373 NtOpenProcess Success! 00000039 0.00005464 ZwDuplicateObject Success! 00000040 0.00005615 \Device\Tcp 00000041 0.00005766 NtOpenProcess Success! 00000042 0.00005856 ZwDuplicateObject Success! 00000043 0.00006007 \Device\Tcp 00000044 0.00006128 NtOpenProcess Success! 00000045 0.00006249 ZwDuplicateObject Success! 00000046 0.00006400 \Device\Tcp 00000047 0.00006520 NtOpenProcess Success! 00000048 0.00006641 ZwDuplicateObject Success! 00000049 0.00006792 \Device\Tcp 00000050 0.00006913 NtOpenProcess Success! 00000051 0.00007034 ZwDuplicateObject Success! 00000052 0.00007184 \Device\Tcp 00000053 0.00007305 NtOpenProcess Success! 00000054 0.00007426 ZwDuplicateObject Success! 00000055 0.00007577 \Device\Udp 00000056 0.00007728 NtOpenProcess Success! 00000057 0.00007849 ZwDuplicateObject Success! 00000058 0.00007969 \Device\Tcp 00000059 0.00008090 NtOpenProcess Success! 00000060 0.00008211 ZwDuplicateObject Success! 00000061 0.00008362 \Device\Tcp 00000062 0.00008513 NtOpenProcess Success! 00000063 0.00008633 ZwDuplicateObject Success! 00000064 0.00009147 \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl 00000065 0.00009298 NtOpenProcess Success! 00000066 0.00009418 ZwDuplicateObject Success! 00000067 0.00009811 \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 00000068 0.00009962 NtOpenProcess Success! 00000069 0.00010082 ZwDuplicateObject Success! 
00000070 0.00010445 \Device\HarddiskVolume1\Windows\System32\config\RegBack\SYSTEM 00000071 0.00010596 NtOpenProcess Success! 00000072 0.00010716 ZwDuplicateObject Success! 00000073 0.00011048 \Device\Mup 00000074 0.00011199 NtOpenProcess Success! 00000075 0.00011320 ZwDuplicateObject Success! 00000076 0.00011682 \Device\HarddiskVolume1\Windows\System32\wdi\LogFiles\WdiContextLog.etl.002 00000077 0.00011833 NtOpenProcess Success! 00000078 0.00011954 ZwDuplicateObject Success! 00000079 0.00012316 \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE 00000080 0.00012437 NtOpenProcess Success! 00000081 0.00012558 ZwDuplicateObject Success! 00000082 0.00012920 \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE.LOG2 00000083 0.00013041 NtOpenProcess Success! 00000084 0.00013161 ZwDuplicateObject Success! 00000085 0.00013312 \Device\Udp 00000086 0.00013463 NtOpenProcess Success! 00000087 0.00013584 ZwDuplicateObject Success! 00000088 0.00013886 \Device\HarddiskVolume1\Boot\BCD 00000089 0.00014037 NtOpenProcess Success! 00000090 0.00014158 ZwDuplicateObject Success! 00000091 0.00014429 \Device\HarddiskVolume1\Boot\BCD.LOG 00000092 0.00014580 NtOpenProcess Success! 00000093 0.00014701 ZwDuplicateObject Success! 00000094 0.00015033 \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE.LOG1 00000095 0.00015184 NtOpenProcess Success! 00000096 0.00015305 ZwDuplicateObject Success! 00000097 0.00015607 \Device\HarddiskVolume1\KVDiskD.data 00000098 0.00015727 NtOpenProcess Success! 00000099 0.00015848 ZwDuplicateObject Success! 00000100 0.00015999 \Device\Tcp 00000101 0.00016150 NtOpenProcess Success! 00000102 0.00016241 ZwDuplicateObject Success! 00000103 0.00016391 \Device\Tcp 00000104 0.00016542 NtOpenProcess Success! 00000105 0.00016663 ZwDuplicateObject Success! 00000106 0.00017025 \Device\HarddiskVolume1\Windows\System32\wdi\LogFiles\BootCKCL.etl 00000107 0.00017176 NtOpenProcess Success! 00000108 0.00017267 ZwDuplicateObject Success! 
00000109 0.00017418 \Device\Tcp 00000110 0.00017569 NtOpenProcess Success! 00000111 0.00017690 ZwDuplicateObject Success! 00000112 0.00017991 \clfs 00000113 0.00018142 NtOpenProcess Success! 00000114 0.00018263 ZwDuplicateObject Success! 00000115 0.00018384 \clfs 00000116 0.00018535 NtOpenProcess Success! 00000117 0.00018656 ZwDuplicateObject Success! 00000118 0.00018776 \clfs 00000119 0.00018927 NtOpenProcess Success! 00000120 0.00019018 ZwDuplicateObject Success! 00000121 0.00019169 \clfs 00000122 0.00019289 NtOpenProcess Success! 00000123 0.00019410 ZwDuplicateObject Success! 00000124 0.00019772 \Device\HarddiskVolume1\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002 00000125 0.00019923 NtOpenProcess Success! 00000126 0.00020044 ZwDuplicateObject Success! 00000127 0.00020406 \Device\HarddiskVolume1\$Extend\$RmMetadata\$Txf 00000128 0.00020557 NtOpenProcess Success! 00000129 0.00020678 ZwDuplicateObject Success! 00000130 0.00021010 \Device\HarddiskVolume1\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 00000131 0.00021161 NtOpenProcess Success! 00000132 0.00021282 ZwDuplicateObject Success! 00000133 0.00021614 \Device\HarddiskVolume1\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf 00000134 0.00021735 NtOpenProcess Success! 00000135 0.00021855 ZwDuplicateObject Success! 00000136 0.00022006 \clfs 00000137 0.00022127 NtOpenProcess Success! 00000138 0.00022248 ZwDuplicateObject Success! 00000139 0.00022399 \Device\Tcp 00000140 0.00022550 NtOpenProcess Success! 00000141 0.00022670 ZwDuplicateObject Success! 00000142 0.00022821 \Device\Tcp 00000143 0.00022942 NtOpenProcess Success! 00000144 0.00023063 ZwDuplicateObject Success! 00000145 0.00023214 \Device\Tcp 00000146 0.00023334 NtOpenProcess Success! 00000147 0.00023455 ZwDuplicateObject Success! 00000148 0.00023606 \Device\Tcp 00000149 0.00023757 NtOpenProcess Success! 00000150 0.00023848 ZwDuplicateObject Success! 00000151 0.00023999 \Device\Tcp 00000152 0.00024119 NtOpenProcess Success! 
00000153 0.00024240 ZwDuplicateObject Success! 00000154 0.00024391 \Device\Tcp 00000155 0.00024512 NtOpenProcess Success! 00000156 0.00024633 ZwDuplicateObject Success! 00000157 0.00024753 \Device\Tcp 00000158 0.00024904 NtOpenProcess Success! 00000159 0.00025025 ZwDuplicateObject Success! 00000160 0.00025146 \Device\Tcp 00000161 0.00025297 NtOpenProcess Success! 00000162 0.00025417 ZwDuplicateObject Success! 00000163 0.00025538 \Device\Tcp 00000164 0.00025689 NtOpenProcess Success! 00000165 0.00025810 ZwDuplicateObject Success! 00000166 0.00025931 \Device\Tcp 00000167 0.00026081 NtOpenProcess Success! 00000168 0.00026202 ZwDuplicateObject Success! 00000169 0.00026323 \Device\Tcp 00000170 0.00026474 NtOpenProcess Success! 00000171 0.00026595 ZwDuplicateObject Success! 00000172 0.00026715 \Device\Tcp 00000173 0.00026866 NtOpenProcess Success! 00000174 0.00026987 ZwDuplicateObject Success! 00000175 0.00027138 \Device\Tcp 00000176 0.00027259 NtOpenProcess Success! 00000177 0.00027380 ZwDuplicateObject Success! 00000178 0.00027530 \Device\Tcp 00000179 0.00027651 NtOpenProcess Success! 00000180 0.00027772 ZwDuplicateObject Success! 00000181 0.00027923 \Device\Tcp 00000182 0.00028044 NtOpenProcess Success! 00000183 0.00028164 ZwDuplicateObject Success! 00000184 0.00028315 \Device\Tcp 00000185 0.00028436 NtOpenProcess Success! 00000186 0.00028557 ZwDuplicateObject Success! 00000187 0.00028708 \Device\Tcp 00000188 0.00028859 NtOpenProcess Success! 00000189 0.00028979 ZwDuplicateObject Success! 00000190 0.00029100 \Device\Tcp 00000191 0.00029221 NtOpenProcess Success! 00000192 0.00029342 ZwDuplicateObject Success! 00000193 0.00029493 \Device\Tcp 00000194 0.00029613 NtOpenProcess Success! 00000195 0.00029734 ZwDuplicateObject Success! 00000196 0.00029885 \Device\Tcp 00000197 0.00030006 NtOpenProcess Success! 00000198 0.00030127 ZwDuplicateObject Success! 00000199 0.00030277 \Device\Tcp 00000200 0.00030398 NtOpenProcess Success! 00000201 0.00030519 ZwDuplicateObject Success! 
00000202 0.00030670 \Device\Tcp 00000203 0.00030791 NtOpenProcess Success! 00000204 0.00030911 ZwDuplicateObject Success! 00000205 0.00031062 \Device\Tcp 00000206 0.00031183 NtOpenProcess Success! 00000207 0.00031304 ZwDuplicateObject Success! 00000208 0.00031455 \Device\Tcp 00000209 0.00031575 NtOpenProcess Success! 00000210 0.00031696 ZwDuplicateObject Success! 00000211 0.00031847 \Device\Tcp 00000212 0.00031968 NtOpenProcess Success! 00000213 0.00032089 ZwDuplicateObject Success! 00000214 0.00032240 \Device\Tcp 00000215 0.00032360 NtOpenProcess Success! 00000216 0.00032481 ZwDuplicateObject Success! 00000217 0.00032602 \Device\Tcp 00000218 0.00032753 NtOpenProcess Success! 00000219 0.00032874 ZwDuplicateObject Success! 00000220 0.00032994 \Device\Tcp 00000221 0.00033145 NtOpenProcess Success! 00000222 0.00033266 ZwDuplicateObject Success! 00000223 0.00033387 \Device\Tcp 00000224 0.00033538 NtOpenProcess Success! 00000225 0.00033658 ZwDuplicateObject Success! 00000226 0.00033779 \Device\Tcp 00000227 0.00033930 NtOpenProcess Success! 00000228 0.00034051 ZwDuplicateObject Success! 00000229 0.00034172 \Device\Tcp 00000230 0.00034323 NtOpenProcess Success! 00000231 0.00034443 ZwDuplicateObject Success! 00000232 0.00034564 \Device\Tcp 00000233 0.00034715 NtOpenProcess Success! 00000234 0.00034836 ZwDuplicateObject Success! 00000235 0.00034956 \Device\Tcp 00000236 0.00035107 NtOpenProcess Success! 00000237 0.00035228 ZwDuplicateObject Success! 00000238 0.00035560 \Device\HarddiskVolume1\Windows\System32\config\SYSTEM.LOG1 00000239 0.00035711 NtOpenProcess Success! 00000240 0.00035832 ZwDuplicateObject Success! 00000241 0.00036134 \Device\HarddiskVolume1\Windows\System32\config\SYSTEM 00000242 0.00036285 NtOpenProcess Success! 00000243 0.00036405 ZwDuplicateObject Success! 00000244 0.00036737 NtOpenProcess Success! 00000245 0.00036828 ZwDuplicateObject Success! 
00000246 0.00037251 \Device\HarddiskVolume1\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 00000247 0.00037402 NtOpenProcess Success! 00000248 0.00037522 ZwDuplicateObject Success! 00000249 0.00037854 \Device\HarddiskVolume1\Windows\System32\config\SYSTEM.LOG2 00000250 0.00038005 NtOpenProcess Success! 00000251 0.00038126 ZwDuplicateObject Success! 00000252 0.00038458 NtOpenProcess Success! 00000253 0.00038549 ZwDuplicateObject Success! 00000254 0.00038941 \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl 00000255 0.00039092 NtOpenProcess Success! 00000256 0.00039183 ZwDuplicateObject Success! 00000257 0.00039575 \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl 00000258 0.00039726 NtOpenProcess Success! 00000259 0.00039847 ZwDuplicateObject Success! 00000260 0.00040239 \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl 00000261 0.00040360 NtOpenProcess Success! 00000262 0.00040481 ZwDuplicateObject Success! 00000263 0.00040873 \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl 00000264 0.00040994 NtOpenProcess Success! 00000265 0.00041115 ZwDuplicateObject Success! 00000266 0.00041265 \clfs 00000267 0.00041386 NtOpenProcess Success! 00000268 0.00041507 ZwDuplicateObject Success! 00000269 0.00041628 \clfs 00000270 0.00041779 NtOpenProcess Success! 00000271 0.00041899 ZwDuplicateObject Success! 00000272 0.00042231 \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf 00000273 0.00042382 NtOpenProcess Success! 00000274 0.00042473 ZwDuplicateObject Success! 00000275 0.00042865 \Device\HarddiskVolume1\Windows\System32\config\RegBack\SOFTWARE 00000276 0.00042986 NtOpenProcess Success! 00000277 0.00043137 ZwDuplicateObject Success! 00000278 0.00043469 \Device\HarddiskVolume1\Windows\Prefetch\ReadyBoot\ReadyBoot.etl 00000279 0.00043620 NtOpenProcess Success! 
00000280 0.00043741 ZwDuplicateObject Success! 00000281 0.00043982 \Device\KsecDD 00000282 0.00044133 NtOpenProcess Success! 00000283 0.00044254 ZwDuplicateObject Success! 00000284 0.00044375 \clfs 00000285 0.00044526 NtOpenProcess Success! 00000286 0.00044646 ZwDuplicateObject Success! 00000287 0.00044978 \Device\HarddiskVolume2\$Extend\$RmMetadata\$Txf 00000288 0.00045099 NtOpenProcess Success! 00000289 0.00045220 ZwDuplicateObject Success! 00000290 0.00045582 \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002 00000291 0.00045733 NtOpenProcess Success! 00000292 0.00045854 ZwDuplicateObject Success! 00000293 0.00045975 \clfs 00000294 0.00046126 NtOpenProcess Success! 00000295 0.00046246 ZwDuplicateObject Success! 00000296 0.00046367 \clfs 00000297 0.00046518 NtOpenProcess Success! 00000298 0.00046639 ZwDuplicateObject Success! 00000299 0.00046760 \clfs 00000300 0.00046910 NtOpenProcess Success! 00000301 0.00047031 ZwDuplicateObject Success! 00000302 0.00047152 \clfs 00000303 0.00047273 NtOpenProcess Success! 00000304 0.00047393 ZwDuplicateObject Success! 00000305 0.00047725 \Device\HarddiskVolume1\pagefile.sys 00000306 0.00047876 NtOpenProcess Success! 00000307 0.00047997 ZwDuplicateObject Success! 00000308 0.00048329 \Device\HarddiskVolume1\Windows\System32\config\DEFAULT 00000309 0.00048480 NtOpenProcess Success! 00000310 0.00048571 ZwDuplicateObject Success! 00000311 0.00048933 \Device\HarddiskVolume1\Windows\System32\config\RegBack\DEFAULT 00000312 0.00049084 NtOpenProcess Success! 00000313 0.00049205 ZwDuplicateObject Success! 00000314 0.00049537 \Device\HarddiskVolume1\Windows\System32\config\DEFAULT.LOG1 00000315 0.00049688 NtOpenProcess Success! 00000316 0.00049808 ZwDuplicateObject Success! 00000317 0.00050140 \Device\HarddiskVolume1\Windows\System32\config\DEFAULT.LOG2 00000318 0.00050291 NtOpenProcess Success! 00000319 0.00050412 ZwDuplicateObject Success! 
00000320 0.00050744 \Device\HarddiskVolume1\Windows\System32\zh-CN\win32k.sys.mui 00000321 0.00050895 NtOpenProcess Success! 00000322 0.00051016 ZwDuplicateObject Success! 00000323 0.00051348 \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG1 00000324 0.00051499 NtOpenProcess Success! 00000325 0.00051620 ZwDuplicateObject Success! 00000326 0.00051952 \Device\HarddiskVolume1\Windows\System32\config\RegBack\SECURITY 00000327 0.00052103 NtOpenProcess Success! 00000328 0.00052223 ZwDuplicateObject Success! 00000329 0.00052555 \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG2 00000330 0.00052706 NtOpenProcess Success! 00000331 0.00052827 ZwDuplicateObject Success! 00000332 0.00053129 \Device\HarddiskVolume1\Windows\System32\config\SECURITY 00000333 0.00053310 NtOpenProcess Success! 00000334 0.00053431 ZwDuplicateObject Success! 00000335 0.00053793 \Device\HarddiskVolume1\Windows\System32\config\RegBack\SAM 00000336 0.00053914 NtOpenProcess Success! 00000337 0.00054035 ZwDuplicateObject Success! 00000338 0.00054367 \Device\HarddiskVolume1\Windows\System32\config\SAM 00000339 0.00054518 NtOpenProcess Success! 00000340 0.00054638 ZwDuplicateObject Success! 00000341 0.00054970 \Device\HarddiskVolume1\Windows\System32\config\SAM.LOG1 00000342 0.00055121 NtOpenProcess Success! 00000343 0.00055242 ZwDuplicateObject Success! 00000344 0.00055544 \Device\HarddiskVolume1\Windows\System32\config\SAM.LOG2 00000345 0.00055695 NtOpenProcess Success! 00000346 0.00055816 ZwDuplicateObject Success! 00000347 0.00056087 \Device\HarddiskVolume1 00000348 0.00056238 NtOpenProcess Success! 00000349 0.00056359 ZwDuplicateObject Success! 00000350 0.00056812 \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 00000351 0.00056963 NtOpenProcess Success! 00000352 0.00057053 ZwDuplicateObject Success! 
00000353 0.00057446 \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 00000354 0.00057597 NtOpenProcess Success! 00000355 0.00057717 ZwDuplicateObject Success! 00000356 0.00058080 \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 00000357 0.00058200 NtOpenProcess Success! 00000358 0.00058321 ZwDuplicateObject Success! 00000359 0.00058714 \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 00000360 0.00058834 NtOpenProcess Success! 00000361 0.00058955 ZwDuplicateObject Success! 00000362 0.00059257 NtOpenProcess Success! 00000363 0.00059408 ZwDuplicateObject Success! 00000364 0.00059710 NtOpenProcess Success! 00000365 0.00059800 ZwDuplicateObject Success! 00000366 0.00059951 \clfs 00000367 0.00060072 NtOpenProcess Success! 00000368 0.00060193 ZwDuplicateObject Success! 00000369 0.00060313 \clfs 00000370 0.00060464 NtOpenProcess Success! 00000371 0.00060585 ZwDuplicateObject Success! 00000372 0.00061008 \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 00000373 0.00061159 NtOpenProcess Success! 00000374 0.00061279 ZwDuplicateObject Success! 00000375 0.00061642 \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT 00000376 0.00061793 NtOpenProcess Success! 00000377 0.00061913 ZwDuplicateObject Success! 00000378 0.00062306 \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 00000379 0.00062457 NtOpenProcess Success! 00000380 0.00062577 ZwDuplicateObject Success! 00000381 0.00062940 \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 00000382 0.00063060 NtOpenProcess Success! 00000383 0.00063181 ZwDuplicateObject Success! 00000384 0.00063513 NtOpenProcess Success! 00000385 0.00063634 ZwDuplicateObject Success! 00000386 0.00063936 NtOpenProcess Success! 00000387 0.00064057 ZwDuplicateObject Success! 
00000388 0.00064177 \clfs 00000389 0.00064328 NtOpenProcess Success! 00000390 0.00064449 ZwDuplicateObject Success! 00000391 0.00064570 \clfs 00000392 0.00064721 NtOpenProcess Success! 00000393 0.00064841 ZwDuplicateObject Success! 00000394 0.00065174 \Device\HarddiskVolume1\Windows\System32\LogFiles\WUDF\WUDFTrace.etl 00000395 0.00065324 NtOpenProcess Success! 00000396 0.00065445 ZwDuplicateObject Success! 00000397 0.00065596 \Device\Tcp 00000398 0.00065717 NtOpenProcess Success! 00000399 0.00065838 ZwDuplicateObject Success! 00000400 0.00066140 \Device\HarddiskVolume1\Windows\CSC 00000401 0.00066290 NtOpenProcess Success! 00000402 0.00066411 ZwDuplicateObject Success! 00000403 0.00066592 \Device\Mup 00000404 0.00066713 NtOpenProcess Success! 00000405 0.00066834 ZwDuplicateObject Success! 00000406 0.00066985 \Device\Mup 00000407 0.00067136 NtOpenProcess Success! 00000408 0.00067256 ZwDuplicateObject Success! 00000409 0.00067528 \Device\NetBT_Tcpip_{47025BAE-6F07-4732-80E4-FACA95497527} 00000410 0.00067679 NtOpenProcess Success! 00000411 0.00067800 ZwDuplicateObject Success! 00000412 0.00068011 \Device\NetBT_Tcpip_{47025BAE-6F07-4732-80E4-FACA95497527} 00000413 0.00068162 NtOpenProcess Success! 00000414 0.00068253 ZwDuplicateObject Success! 00000415 0.00068494 \Device\NetBT_Tcpip_{47025BAE-6F07-4732-80E4-FACA95497527} 00000416 0.00068645 NtOpenProcess Success! 00000417 0.00068736 ZwDuplicateObject Success! 00000418 0.00069188 \Device\HarddiskVolume1\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 00000419 0.00069339 NtOpenProcess Success! 00000420 0.00069460 ZwDuplicateObject Success! 00000421 0.00069581 \clfs 00000422 0.00069732 NtOpenProcess Success! 00000423 0.00069822 ZwDuplicateObject Success! 00000424 0.00069973 \clfs 00000425 0.00070094 NtOpenProcess Success! 00000426 0.00070215 ZwDuplicateObject Success! 00000427 0.00070547 NtOpenProcess Success! 00000428 0.00070668 ZwDuplicateObject Success! 
00000429 0.00070969 NtOpenProcess Success! 00000430 0.00071090 ZwDuplicateObject Success! 00000431 0.00071513 \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 00000432 0.00071634 NtOpenProcess Success! 00000433 0.00071754 ZwDuplicateObject Success! 00000434 0.00072086 NtOpenProcess Success! 00000435 0.00072207 ZwDuplicateObject Success! 00000436 0.00072569 \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat 00000437 0.00072720 NtOpenProcess Success! 00000438 0.00072841 ZwDuplicateObject Success! 00000439 0.00073233 \Device\HarddiskVolume1\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 00000440 0.00073354 NtOpenProcess Success! 00000441 0.00073475 ZwDuplicateObject Success! 00000442 0.00073596 \clfs 00000443 0.00073747 NtOpenProcess Success! 00000444 0.00073867 ZwDuplicateObject Success! 00000445 0.00073988 \clfs 00000446 0.00074139 NtOpenProcess Success! 00000447 0.00074260 ZwDuplicateObject Success! 00000448 0.00074562 NtOpenProcess Success! 00000449 0.00074682 ZwDuplicateObject Success! 00000450 0.00074984 NtOpenProcess Success! 00000451 0.00075105 ZwDuplicateObject Success! 00000452 0.00075528 \Device\HarddiskVolume1\Users\Administrator\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 00000453 0.00075648 NtOpenProcess Success! 00000454 0.00075769 ZwDuplicateObject Success! 00000455 0.00076101 \Device\HarddiskVolume1\Users\Administrator\ntuser.dat.LOG2 00000456 0.00076252 NtOpenProcess Success! 00000457 0.00076373 ZwDuplicateObject Success! 00000458 0.00076705 \Device\HarddiskVolume1\Users\Administrator\ntuser.dat.LOG1 00000459 0.00076856 NtOpenProcess Success! 00000460 0.00076977 ZwDuplicateObject Success! 00000461 0.00077309 \Device\HarddiskVolume1\Users\Administrator\NTUSER.DAT 00000462 0.00077460 NtOpenProcess Success! 00000463 0.00077580 ZwDuplicateObject Success! 
00000464 0.00078003 \Device\HarddiskVolume1\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 00000465 0.00078154 NtOpenProcess Success! 00000466 0.00078275 ZwDuplicateObject Success! 00000467 0.00078486 \Device\NetBT_Tcpip_{47025BAE-6F07-4732-80E4-FACA95497527} 00000468 0.00078637 NtOpenProcess Success! 00000469 0.00078758 ZwDuplicateObject Success! 00000470 0.00078909 \Device\Tcp 00000471 0.00079029 NtOpenProcess Success! 00000472 0.00079150 ZwDuplicateObject Success! 00000473 0.00079482 \Device\HarddiskVolume1\Windows\System32\JMQTW036.dll 00000474 0.00079633 NtOpenProcess Success! 00000475 0.00079754 ZwDuplicateObject Success! 00000476 0.00080086 \Device\HarddiskVolume1\Windows\SysWOW64\TWZ269cfj.dll 00000477 0.00080176 RtlCompareUnicodeString == 0! 00000478 0.00080358 ZwDuplicateObject111111111111111111 sucess! 00000479 0.00084704 ZwDeleteFile(&oa) Failed, Status: C0000043 C0000043 应该是文件还是被占用,但是前面的Close都显示成功了,不知道是什么原因, 大侠能再指点一下吗? |
|
[求助]被system进程占用的文件怎么删除?
我找了个驱动, 用遍历内核句柄的方法,找到这个文件的句柄然后调用如下方法: VOID ForceCloseHandle(PEPROCESS Process, ULONG64 HandleValue) { NTSTATUS ntStatus; HANDLE h; KAPC_STATE ks; OBJECT_HANDLE_FLAG_INFORMATION ohfi; if( Process==NULL ) return; if( !MmIsAddressValid(Process) ) { KdPrint(("!MmIsAddressValid\r\n")); return; } KeStackAttachProcess(Process, &ks); h=(HANDLE)HandleValue; ohfi.Inherit=0; ohfi.ProtectFromClose=0; ntStatus = ObSetHandleAttributes(h, &ohfi, KernelMode); if (!NT_SUCCESS(ntStatus)) { KdPrint(("ObSetHandleAttributes Failed\r\n")); } ntStatus = ZwClose(h); if (!NT_SUCCESS(ntStatus)) { KdPrint(("ZwClose Failed! ntStatus= %X\r\n", ntStatus)); } KeUnstackDetachProcess(&ks); } 来强制关闭句柄,但是ZwClose这一句返回值为C0000008错误, 即STATUS_INVALID_HANDLE. 试过被其他进程占用的文件都可以正常地解除占用, 只有被system进程占用的文件解除不了,不知道是什么原因,各位大侠给指点一下。 |
|
[求助]被system进程占用的文件怎么删除?
可能我说的不够清楚, 我要的不是手动删除,我是说用程序删除掉。手动用PCHUNTER可以删除。 |
|
[求助]在内存中运行EXE为什么不成功?
确实可以了, 谢谢安生于此! |
|
[求助]在内存中运行EXE为什么不成功?
我测试在执行ResumeThread时会崩溃,提示“应用程序无法正常启动(0xc0000005)”,请问你修改了什么地方? |
|
[求助]在内存中运行EXE为什么不成功?
我是用c:\windows\system32\svchost.exe做为外壳程序 |
|
[求助]在内存中运行EXE为什么不成功?
我是在网上找了一段名为MemoryRun的vc源码,调试发现xp下运行是成功的, 但是win7下不成功 |
|
[求助][求助]如何不调用系统API就能创建一个进程?
[QUOTE=achillis;1303026]好吧,我直接扔代码了。。。。 可能是你做的重定位不完整吧 testCreateProc.rar[/QUOTE] 果然是大牛, 俺佩服!!! |
|
[求助][求助]如何不调用系统API就能创建一个进程?
谢谢achillis的分析,让我的思路清晰了很多, 但是我自己重定位了一下, 还是不行,我测试的环境是xp,用LordPE看kernel32.dll的区段如下: voffset vsize .text 00001000 000831E9 .data 00085000 00004460 .rsrc 0008A000 00008D3FC .reloc 00118000 00005C84 我重定位了代码段中访问.data的数据,效果如下: 00E7159F FF 75 0C push dword ptr [ebp+0Ch] 00E715A2 8D 45 F8 lea eax,[ebp-8] 00E715A5 50 push eax 00E715A6 FF 15 94 12 E6 00 call dword ptr ds:[0E61294h] 00E715AC 83 3D E0 56 88 7C 00 cmp dword ptr ds:[7C8856E0h],0 //这个全局变量已经重定位好了 00E715B3 6A 01 push 1 //下面是重定位的代码, 我只是简单写了一下, 没有写通用的, 只是想看看能不能成功 void ReLocationData(HMODULE hModule) { DWORD dwImageBase = (DWORD)hModule; DWORD dwBaseOfCode, dwSizeOfCode; DWORD dwBaseOfData, dwSizeOfData; DWORD dwOriginalBaseOfData; DWORD dwValue; DWORD mbi_thunk; if(hModule == NULL) return; dwBaseOfCode = dwImageBase + 0x1000; dwSizeOfCode = 0x831E9; dwBaseOfData = dwImageBase + 0x85000; dwSizeOfData = 0x4460; dwOriginalBaseOfData = 0x7C885000; //kernel32.dll的.data的起始地址 VirtualProtect((BYTE*)dwBaseOfCode, dwSizeOfCode, PAGE_READWRITE, &mbi_thunk); for(DWORD i = 0; i < dwSizeOfCode - 4; i ++) { dwValue = *(DWORD*)(dwBaseOfCode + i); if(dwValue > dwBaseOfData && dwValue < (dwBaseOfData + dwSizeOfData)) { *(DWORD*)(dwBaseOfCode + i) = dwValue - dwBaseOfData + dwOriginalBaseOfData; } } VirtualProtect((BYTE*)dwBaseOfCode, dwSizeOfCode, mbi_thunk, &mbi_thunk); } 现在数据和代码都对上了, 还是不成功。经过跟踪发现前面所有的步骤都是正常的, 包括NtCreateProcess, NtCreateThread等, 就是最后一步NtResumeThread恢复线程运行后整个进程就结束了,不知道这是为什么,希望achillis再给指点一下! |
|
[求助][求助]如何不调用系统API就能创建一个进程?
自己顶一下!!! |
|
[求助][求助]如何不调用系统API就能创建一个进程?
00EBA3FB 68 C0 02 00 00 push 2C0h 00EBA400 68 D0 A5 EB 00 push 0EBA5D0h 00EBA405 E8 CC 80 FE FF call 00EA24D6 00EBA40A A1 CC 56 F2 00 mov eax,[00F256CC] 00EBA40F 89 45 E4 mov dword ptr [ebp-1Ch],eax 00EBA412 8B 45 0C mov eax,dword ptr [ebp+0Ch] kernel32.dll本来基址应该是7C800000, 现在我用LoadLibrary("Mykernel32.dll"); 基址为00EB0000, 发现LoadLibrary会自己重定位,应该不需要我们再手动重定位了吧? |
|
|
|
[求助][求助]如何不调用系统API就能创建一个进程?
[QUOTE=bxc;1302477]lz不发这贴,我还忘了我有这么个东西呢。 先声明不是我写的,这玩意原来在XP下测试成功。但是创建的程序会丢失XP风格。 刚在win8.1下编译测试了一下,创建失败了。 MyCreateprocess.zip[/QUOTE] 谢谢你了, 你发的这个程序我也有, 但是不太完善, 参数也不好控制,还有win7以上不能用, 所以不太想用这种直接调用底层api来实现,最好还是能通过我上面的办法来做,不过还是谢谢你的热心. |