[原创]伪造句柄方法结束进程-编程技术-看雪-安全社区|安全招聘|kanxue.com

[原创]伪造句柄方法结束进程

发表于: 2010-6-13 11:51 13223

[原创]伪造句柄方法结束进程

zzz3265

2010-6-13 11:51

13223

伪造句柄方法结束进程(无需驱动)

2010-6-13

系统为WinXp

XP_5.1.2600.2180

EULAID: XPSP2_RM.0_PRO_RTL_CN

TerminateProcess函数分析:

TerminateProcess

NtTerminateProcess

PspTerminateThreadByPointer(ObReferenceObjectByHandle, PsGetNextProcessThread(loop))

->Self: PspExitThread

->Other: KeInsertQueueApc, KiInsertQueueApc

* @implemented

NTSTATUS

NTAPI

NtTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,

IN NTSTATUS ExitStatus)

{

NTSTATUS Status;

PEPROCESS Process, CurrentProcess = PsGetCurrentProcess();

PETHREAD Thread, CurrentThread = PsGetCurrentThread();

BOOLEAN KillByHandle;

PAGED_CODE();

PSTRACE(PS_KILL_DEBUG,

"ProcessHandle: %p ExitStatus: %p\n", ProcessHandle, ExitStatus);

/* Were we passed a process handle? */

if (ProcessHandle)

{

/* Yes we were, use it */

KillByHandle = TRUE;

}

else

{

/* We weren't... we assume this is suicide */

KillByHandle = FALSE;

ProcessHandle = NtCurrentProcess();

}

/* Get the Process Object */

Status = ObReferenceObjectByHandle(ProcessHandle,

PROCESS_TERMINATE,

PsProcessType,

KeGetPreviousMode(),

(PVOID*)&Process,

NULL);

if (!NT_SUCCESS(Status)) return(Status);

/* Check if this is a Critical Process, and Bugcheck */

if (Process->BreakOnTermination)

{

/* Break to debugger */

PspCatchCriticalBreak("Terminating critical process 0x%p (%s)\n",

Process,

Process->ImageFileName);

}

/* Lock the Process */

if (!ExAcquireRundownProtection(&Process->RundownProtect))

{

/* Failed to lock, fal */

ObDereferenceObject (Process);

return STATUS_PROCESS_IS_TERMINATING;

}

/* Set the delete flag, unless the process is comitting suicide */

if (KillByHandle) PspSetProcessFlag(Process, PSF_PROCESS_DELETE_BIT);

/* Get the first thread */

Status = STATUS_NOTHING_TO_TERMINATE;

Thread = PsGetNextProcessThread(Process, NULL);

if (Thread)

{

/* We know we have at least a thread */

Status = STATUS_SUCCESS;

/* Loop and kill the others */

{

/* Ensure it's not ours*/

if (Thread != CurrentThread)

{

/* Kill it */

PspTerminateThreadByPointer(Thread, ExitStatus, FALSE);

}

/* Move to the next thread */

Thread = PsGetNextProcessThread(Process, Thread);

} while (Thread);

}

/* Unlock the process */

ExReleaseRundownProtection(&Process->RundownProtect);

/* Check if we are killing ourselves */

if (Process == CurrentProcess)

{

/* Also make sure the caller gave us our handle */

if (KillByHandle)

{

/* Dereference the project */

ObDereferenceObject(Process);

/* Terminate ourselves */

PspTerminateThreadByPointer(CurrentThread, ExitStatus, TRUE);

}

else if (ExitStatus == DBG_TERMINATE_PROCESS)

{

/* Disable debugging on this process */

DbgkClearProcessDebugObject(Process, NULL);

}

/* Check if there was nothing to terminate, or if we have a Debug Port */

if ((Status == STATUS_NOTHING_TO_TERMINATE) ||

((Process->DebugPort) && (KillByHandle)))

{

/* Clear the handle table */

ObClearProcessHandleTable(Process);

/* Return status now */

Status = STATUS_SUCCESS;

}

/* Decrease the reference count we added */

ObDereferenceObject(Process);

/* Return status */

return Status;

}

/* H:\ntoskrnl\ps\kill.c

* See "Windows Internals" - Chapter 13, Page 49

NTSTATUS

NTAPI

PspTerminateThreadByPointer(IN PETHREAD Thread,

IN NTSTATUS ExitStatus,

IN BOOLEAN bSelf)

{

PKAPC Apc;

NTSTATUS Status = STATUS_SUCCESS;

ULONG Flags;

PAGED_CODE();

PSTRACE(PS_KILL_DEBUG, "Thread: %p ExitStatus: %p\n", Thread, ExitStatus);

PSREFTRACE(Thread);

/* Check if this is a Critical Thread, and Bugcheck */

if (Thread->BreakOnTermination)

{

/* Break to debugger */

PspCatchCriticalBreak("Terminating critical thread 0x%p (%s)\n",

Thread,

Thread->ThreadsProcess->ImageFileName);

}

/* Check if we are already inside the thread */

if ((bSelf) || (PsGetCurrentThread() == Thread))

{

/* This should only happen at passive */

ASSERT_IRQL_EQUAL(PASSIVE_LEVEL);

/* Mark it as terminated */

PspSetCrossThreadFlag(Thread, CT_TERMINATED_BIT);

/* Directly terminate the thread */

PspExitThread(ExitStatus);

}

登录后可查看完整内容

[注意]看雪招聘，专注安全领域的专业人才平台！

收藏・4

免费・7

支持

最新回复 (7)
zzz3265 雪币： 251 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 28 粉丝 0 关注私信	zzz3265 2 楼主要代码, 没有整理... BOOL CHandleList::OnSupperKill() { if(m_MenuOpItem.dwTypeTag != (DWORD &)"Proc") return FALSE; HANDLE hProc; STARTUPINFOA si; PROCESS_INFORMATION pi; NNtKrn::EPROCESS_XP * pKrnProc; DWORD dwKrnAddr; DWORD dwSize; DWORD dwWriteAddr; EPROCESS_XP_R3 ShellProc; ETHREAD_XP_R3 ShellThread; DWORD dwAddr; DWORD dwAddrDlt; EPROCESS_XP_R3 DestProc; ETHREAD_XP_R3 DestThread; NNtKrn::LIST_ENTRY ShellThreadList; NNtKrn::LIST_ENTRY DestThreadList; memset(&si, 0, sizeof(si)); si.cb = sizeof(si); CreateProcessA(NULL, "Notepad.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi); // 壳数据 dwKrnAddr = NNtKrn::GetHandleKrnObject(pi.hProcess); if(dwKrnAddr == 0) return FALSE; NLog::LogString("Shell dwKrnAddr: %08X", dwKrnAddr); ShellProc.dwObjAddr = dwKrnAddr; NNtKrn::ReadKrnObject(ShellProc); dwAddr = GetEThreadByThreadListHead(&ShellProc.Obj.ThreadListHead); ShellThread.dwObjAddr = dwAddr; NNtKrn::ReadKrnObject(ShellThread); if((DWORD)(__int64)ShellProc.Obj.UniqueProcessId != pi.dwProcessId) return FALSE; if((DWORD)(__int64)ShellThread.Obj.Cid.UniqueProcess != pi.dwProcessId) return FALSE; // 目标数据 DestProc.dwObjAddr = (DWORD)(__int64)m_MenuOpItem.Base.Object; DestProc.Obj = m_MenuOpItem.KrnObj.EProcessXp; dwAddr = GetEThreadByThreadListHead(&DestProc.Obj.ThreadListHead); DestThread.dwObjAddr = dwAddr; NNtKrn::ReadKrnObject(DestThread); if((DWORD)(__int64)DestProc.Obj.UniqueProcessId != (DWORD)(__int64)DestThread.Obj.Cid.UniqueProcess) return FALSE; dwAddr = NNtKrn::GetLastThreadAddr((DWORD)(__int64)m_MenuOpItem.Base.Object); if(dwAddr == 0) return FALSE; DestThread.dwObjAddr = dwAddr; NNtKrn::ReadKrnObject(DestThread); if((DWORD)(__int64)DestProc.Obj.UniqueProcessId != (DWORD)(__int64)DestThread.Obj.Cid.UniqueProcess) return FALSE; NNtKrn::ETHREAD_XP * pKrnDestLastThread; NNtKrn::LIST_ENTRY * pHead; LIST_ENTRY_R3 OldList; LIST_ENTRY_R3 MokeList; pKrnProc = (NNtKrn::EPROCESS_XP )ShellProc.dwObjAddr; pHead = &pKrnProc->ThreadListHead; MokeList.Obj.Blink = pHead; MokeList.Obj.Flink = pHead; pKrnDestLastThread = (NNtKrn::ETHREAD_XP )DestThread.dwObjAddr; MokeList.dwObjAddr = (DWORD)(__int64)&pKrnDestLastThread->ThreadListEntry; OldList.dwObjAddr = MokeList.dwObjAddr; NNtKrn::ReadKrnObject(OldList); NNtKrn::WriteKrnObject(MokeList); //写入结束线程 pKrnDestLastThread = (NNtKrn::ETHREAD_XP )DestThread.dwObjAddr; dwAddr = (DWORD)(__int64)&pKrnDestLastThread->pThreadsProcess; // Nntdll::WriteKernelMem(dwAddr, sizeof(NNtKrn::EPROCESS_XP ), &ShellProc.dwObjAddr); //修改线程的Proc指针 // 伪造 ShellThreadList = ShellProc.Obj.ThreadListHead; DestThreadList = DestProc.Obj.ThreadListHead; pKrnProc = (NNtKrn::EPROCESS_XP *)ShellProc.dwObjAddr; dwWriteAddr = (DWORD)(__int64)&pKrnProc->ThreadListHead; dwSize = sizeof(NNtKrn::LIST_ENTRY); Nntdll::WriteKernelMem(dwWriteAddr, dwSize, &DestThreadList); //写入首线程 TerminateProcess(pi.hProcess, 0); NNtKrn::WriteKrnObject(OldList); //恢复原来的列表 Nntdll::WriteKernelMem(dwWriteAddr, dwSize, &ShellThreadList); //恢复首线程 TerminateProcess(pi.hProcess, 0); return TRUE; } 2010-6-13 11:55 0
achillis 雪币： 7651 活跃值： (523) 能力值： ( LV9，RANK：610 ) 在线值：发帖 32 回帖 2032 粉丝 49 关注私信	achillis 15 3 楼能直接读写R0内存的话，能搞的事情多了…何必如此 2010-6-13 15:59 0
gotiger 雪币： 243 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 54 粉丝 0 关注私信	gotiger 4 楼你在R0搞，直接就能把进程搞挂。何必绕了一大圈？ 2010-6-13 16:24 0
ghban 雪币： 364 活跃值： (91) 能力值： ( LV3，RANK：20 ) 在线值：发帖 7 回帖 123 粉丝 0 关注私信	ghban 5 楼是不是伪造某个正常使用的进程的句柄，然后非法的把这个目标进程杀掉？？？ 2010-6-13 16:29 0
LintChD 雪币： 411 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 47 粉丝 0 关注私信	LintChD 6 楼我觉得算是一种思路，应该说伪造线程链更准确。但这样不稳定吧，线程切换的时候会出问题的。 2010-6-13 16:54 0
xacker 雪币： 522 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 17 回帖 449 粉丝 0 关注私信	xacker 1 7 楼吃力不讨好. 你这样还不如直接转投apc. 2010-6-16 08:48 0
jokersky 雪币： 132 活跃值： (30) 能力值： ( LV4，RANK：50 ) 在线值：发帖 13 回帖 189 粉丝 1 关注私信	jokersky 1 8 楼劫杀过路高手 2010-10-29 19:45 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

zzz3265

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (7)
zzz3265 雪币： 251 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 28 粉丝 0 关注私信	zzz3265 2 楼主要代码, 没有整理... BOOL CHandleList::OnSupperKill() { if(m_MenuOpItem.dwTypeTag != (DWORD &)"Proc") return FALSE; HANDLE hProc; STARTUPINFOA si; PROCESS_INFORMATION pi; NNtKrn::EPROCESS_XP * pKrnProc; DWORD dwKrnAddr; DWORD dwSize; DWORD dwWriteAddr; EPROCESS_XP_R3 ShellProc; ETHREAD_XP_R3 ShellThread; DWORD dwAddr; DWORD dwAddrDlt; EPROCESS_XP_R3 DestProc; ETHREAD_XP_R3 DestThread; NNtKrn::LIST_ENTRY ShellThreadList; NNtKrn::LIST_ENTRY DestThreadList; memset(&si, 0, sizeof(si)); si.cb = sizeof(si); CreateProcessA(NULL, "Notepad.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi); // 壳数据 dwKrnAddr = NNtKrn::GetHandleKrnObject(pi.hProcess); if(dwKrnAddr == 0) return FALSE; NLog::LogString("Shell dwKrnAddr: %08X", dwKrnAddr); ShellProc.dwObjAddr = dwKrnAddr; NNtKrn::ReadKrnObject(ShellProc); dwAddr = GetEThreadByThreadListHead(&ShellProc.Obj.ThreadListHead); ShellThread.dwObjAddr = dwAddr; NNtKrn::ReadKrnObject(ShellThread); if((DWORD)(__int64)ShellProc.Obj.UniqueProcessId != pi.dwProcessId) return FALSE; if((DWORD)(__int64)ShellThread.Obj.Cid.UniqueProcess != pi.dwProcessId) return FALSE; // 目标数据 DestProc.dwObjAddr = (DWORD)(__int64)m_MenuOpItem.Base.Object; DestProc.Obj = m_MenuOpItem.KrnObj.EProcessXp; dwAddr = GetEThreadByThreadListHead(&DestProc.Obj.ThreadListHead); DestThread.dwObjAddr = dwAddr; NNtKrn::ReadKrnObject(DestThread); if((DWORD)(__int64)DestProc.Obj.UniqueProcessId != (DWORD)(__int64)DestThread.Obj.Cid.UniqueProcess) return FALSE; dwAddr = NNtKrn::GetLastThreadAddr((DWORD)(__int64)m_MenuOpItem.Base.Object); if(dwAddr == 0) return FALSE; DestThread.dwObjAddr = dwAddr; NNtKrn::ReadKrnObject(DestThread); if((DWORD)(__int64)DestProc.Obj.UniqueProcessId != (DWORD)(__int64)DestThread.Obj.Cid.UniqueProcess) return FALSE; NNtKrn::ETHREAD_XP * pKrnDestLastThread; NNtKrn::LIST_ENTRY * pHead; LIST_ENTRY_R3 OldList; LIST_ENTRY_R3 MokeList; pKrnProc = (NNtKrn::EPROCESS_XP )ShellProc.dwObjAddr; pHead = &pKrnProc->ThreadListHead; MokeList.Obj.Blink = pHead; MokeList.Obj.Flink = pHead; pKrnDestLastThread = (NNtKrn::ETHREAD_XP )DestThread.dwObjAddr; MokeList.dwObjAddr = (DWORD)(__int64)&pKrnDestLastThread->ThreadListEntry; OldList.dwObjAddr = MokeList.dwObjAddr; NNtKrn::ReadKrnObject(OldList); NNtKrn::WriteKrnObject(MokeList); //写入结束线程 pKrnDestLastThread = (NNtKrn::ETHREAD_XP )DestThread.dwObjAddr; dwAddr = (DWORD)(__int64)&pKrnDestLastThread->pThreadsProcess; // Nntdll::WriteKernelMem(dwAddr, sizeof(NNtKrn::EPROCESS_XP ), &ShellProc.dwObjAddr); //修改线程的Proc指针 // 伪造 ShellThreadList = ShellProc.Obj.ThreadListHead; DestThreadList = DestProc.Obj.ThreadListHead; pKrnProc = (NNtKrn::EPROCESS_XP *)ShellProc.dwObjAddr; dwWriteAddr = (DWORD)(__int64)&pKrnProc->ThreadListHead; dwSize = sizeof(NNtKrn::LIST_ENTRY); Nntdll::WriteKernelMem(dwWriteAddr, dwSize, &DestThreadList); //写入首线程 TerminateProcess(pi.hProcess, 0); NNtKrn::WriteKrnObject(OldList); //恢复原来的列表 Nntdll::WriteKernelMem(dwWriteAddr, dwSize, &ShellThreadList); //恢复首线程 TerminateProcess(pi.hProcess, 0); return TRUE; } 2010-6-13 11:55 0
achillis 雪币： 7651 活跃值： (523) 能力值： ( LV9，RANK：610 ) 在线值：发帖 32 回帖 2032 粉丝 49 关注私信	achillis 15 3 楼能直接读写R0内存的话，能搞的事情多了…何必如此 2010-6-13 15:59 0
gotiger 雪币： 243 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 54 粉丝 0 关注私信	gotiger 4 楼你在R0搞，直接就能把进程搞挂。何必绕了一大圈？ 2010-6-13 16:24 0
ghban 雪币： 364 活跃值： (91) 能力值： ( LV3，RANK：20 ) 在线值：发帖 7 回帖 123 粉丝 0 关注私信	ghban 5 楼是不是伪造某个正常使用的进程的句柄，然后非法的把这个目标进程杀掉？？？ 2010-6-13 16:29 0
LintChD 雪币： 411 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 47 粉丝 0 关注私信	LintChD 6 楼我觉得算是一种思路，应该说伪造线程链更准确。但这样不稳定吧，线程切换的时候会出问题的。 2010-6-13 16:54 0
xacker 雪币： 522 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 17 回帖 449 粉丝 0 关注私信	xacker 1 7 楼吃力不讨好. 你这样还不如直接转投apc. 2010-6-16 08:48 0
jokersky 雪币： 132 活跃值： (30) 能力值： ( LV4，RANK：50 ) 在线值：发帖 13 回帖 189 粉丝 1 关注私信	jokersky 1 8 楼劫杀过路高手 2010-10-29 19:45 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复