代码基本是抄袭的教主的一段代码,但是在我这里修改过的不知道有什么问题。
在函数KillProcess中的注释掉的代码是使用JOB方式结束进程,经过试验可以正常结束。
但是用向目标进程填0的方式却没有反应。这是怎么回事呢?期待大侠的指点// ZwNtapi.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <TLHELP32.H>
#include "ntapi.h"
#pragma comment(lib,"ntdll.lib")
void KillProcess(DWORD dwProcID);
int _tmain(int argc, _TCHAR* argv[])
{
BOOLEAN wsaEnable;
RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE,TRUE,FALSE,&wsaEnable);
KillProcess(3372);//偷懒取得冰刃的PID
return 0;
}
void KillProcess(DWORD dwProcID)
{
HANDLE hProcHandle,hTmpHandle;
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa,0,0,0,0);
DWORD dwCsrssPID = 784;//偷懒一下直接取得csrss.exe的PID
NTSTATUS status;
CLIENT_ID cid;
cid.UniqueProcess = (HANDLE)dwCsrssPID;
cid.UniqueThread = 0;
PVOID pBaseAddress;
ULONG bytesIO = 0x10000;
ULONG ulReturnLength;
do
{//用一个循环去申请足够的空间
ZwAllocateVirtualMemory(NtCurrentProcess(),(PVOID*)&pBaseAddress,0,&bytesIO,MEM_COMMIT,PAGE_READWRITE);
status=ZwQuerySystemInformation(SystemHandleInformation,(PVOID)pBaseAddress,bytesIO,&ulReturnLength);
if (status==STATUS_SUCCESS)
{
break;
}
ZwFreeVirtualMemory(NtCurrentProcess(),(PVOID*)&pBaseAddress,&bytesIO,MEM_RELEASE);
bytesIO*=2;
pBaseAddress=NULL;
} while(1);
//前四个字节是句柄的数量
DWORD dwNumberHandle = *(DWORD*)(pBaseAddress);
PSYSTEM_HANDLE_INFORMATION pshi = (PSYSTEM_HANDLE_INFORMATION)((DWORD)pBaseAddress + 4);
for (int i = 0; i<dwNumberHandle; i++)
{
if (pshi->ProcessId == dwCsrssPID && pshi->ObjectTypeNumber == OB_TYPE_PROCESS)
{
//打开csrss.exe
status = ZwOpenProcess(&hProcHandle,PROCESS_ALL_ACCESS,&oa,&cid);
//复制句柄
ZwDuplicateObject(hProcHandle,
(HANDLE)pshi->Handle,
NtCurrentProcess(),
&hTmpHandle,
PROCESS_ALL_ACCESS,
FALSE,
0);
PROCESS_BASIC_INFORMATION pbi;
//查询句柄所对应的PID
ZwQueryInformationProcess(hTmpHandle,ProcessBasicInformation,&pbi,sizeof(PROCESS_BASIC_INFORMATION),NULL);
if (pbi.UniqueProcessId == dwProcID)
{//如果是目标进程的话
ZwDuplicateObject(hProcHandle,
(HANDLE)pshi->Handle,
NtCurrentProcess(),
&hTmpHandle,
PROCESS_ALL_ACCESS,
FALSE,
0);
// HANDLE hJob=CreateJobObject(NULL,NULL);
// if(AssignProcessToJobObject(hJob,hTmpHandle))
// {
// TerminateJobObject(hJob,0);
// }
// CloseHandle(hJob);
PVOID pAddress = (PVOID) i;
ULONG sz = 0x1000;
ULONG oldp;
DWORD bufsize = 0x1000;
PVOID buf = 0;
ZwAllocateVirtualMemory(NtCurrentProcess(),(PVOID*)&buf,0,&bufsize,MEM_COMMIT,PAGE_READWRITE);
memset(buf,0xCC,0x1000);
for (i = 0x1000; i < 0x80000000; i = i + 0x1000)
{
if (ZwProtectVirtualMemory (hTmpHandle, &pAddress, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS) {
ZwWriteVirtualMemory(hTmpHandle, pAddress, buf, 0x1000, &oldp);
}
}
ZwFreeVirtualMemory(NtCurrentProcess(),(PVOID*)&buf,&bufsize,MEM_RELEASE);
}
}
pshi ++;
}
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
