[旧帖] [原创]PspTerminateThreadByPointer结束指定进程 0.00雪花
发表于: 2012-5-22 21:39 1411
方法是别人的,代码是自己写的,没有技术含量,大牛您们懂的
驱动部分:
应用程序部分:
驱动部分:
//////////////////////////////////////////////////////////////////////////
// Locates the unexported PspTerminateThreadByPointer by scanning the code of
// PsTerminateSystemThread (see DriverEntry) and uses it to terminate every
// thread of a process selected by PID (see KillProcess).
// The lookup is a byte-pattern scan of kernel code, so it is tied to the
// kernel build it was written against; on other builds it can yield no
// address or a wrong one, and DriverEntry does not validate the result.
//////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include "ntifs.h"

// Custom control code handled by DispchDriver. FILE_ANY_ACCESS means a handle
// opened with any access rights is allowed to issue it.
#define IOCTL_KILL_PROCESS (ULONG) CTL_CODE( FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS )

// Prototype assumed for the located routine: (thread, exit status).
typedef NTSTATUS (*PSPTERMINATETHREADBYPOINTER)( PETHREAD, NTSTATUS);

// Set by DriverEntry from the scan result; stays NULL (0) if nothing matched.
PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointer;

//////////////////////////////////////////////////////////////////////////
// Creates the control device \Device\MyDDK_Device and the user-visible
// symbolic link \DosDevices\My_SymLink, and selects buffered I/O.
//
// obj: the driver object handed to DriverEntry.
// Returns the status of IoCreateDevice / IoCreateSymbolicLink.
//
// NOTE(review): only STATUS_UNSUCCESSFUL is treated as failure; any other
// error status (for which NT_SUCCESS() is false) falls through as if the
// call had succeeded. The device is created without an explicit security
// descriptor and the IOCTL uses FILE_ANY_ACCESS, so whether unprivileged
// callers can open the link and trigger a kill depends entirely on the
// system's default device DACL.
NTSTATUS MyCreateDevice(PDRIVER_OBJECT obj)
{
    NTSTATUS status = STATUS_SUCCESS;
    PDEVICE_OBJECT pDevice;      // receives the created device object
    UNICODE_STRING DevName;      // device name
    UNICODE_STRING SymLinkName;  // symbolic link name

    RtlInitUnicodeString(&DevName, L"\\Device\\MyDDK_Device");
    status = IoCreateDevice(obj, 0, &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevice);
    if (STATUS_UNSUCCESSFUL == status)
    {
        KdPrint(("创建设备失败!\n"));
        return status;
    }
    KdPrint(("创建设备成功!\n"));

    // Buffered I/O: DispchDriver reads the IOCTL input from
    // pIrp->AssociatedIrp.SystemBuffer.
    pDevice->Flags |= DO_BUFFERED_IO;

    RtlInitUnicodeString(&SymLinkName, L"\\DosDevices\\My_SymLink");
    status = IoCreateSymbolicLink(&SymLinkName, &DevName);
    if (STATUS_UNSUCCESSFUL == status)
    {
        KdPrint(("创建符号链接失败!\n"));
        IoDeleteDevice(pDevice);  // undo the device creation on failure
        return status;
    }
    KdPrint(("创建符号链接成功!\n"));
    return status;
}

//////////////////////////////////////////////////////////////////////////
// Terminates every thread of the process with the given PID: sweeps the
// thread-ID space, and for each thread that belongs to the target process
// calls PspTerminateThreadByPointer with exit status 0.
//
// pID: process ID (cast to a HANDLE for PsLookupProcessByProcessId).
// Returns nothing; a failed process lookup is logged and ignored.
//
// NOTE(review): PspTerminateThreadByPointer is called without a NULL check.
// DriverEntry stores whatever the scan produced, including 0, so a failed
// scan turns every IOCTL_KILL_PROCESS into a call through a NULL pointer
// (bugcheck). The sweep assumes thread IDs are multiples of 4 and stops at
// 0x40000, so threads with larger IDs, or created during the sweep, are
// not terminated.
VOID KillProcess(ULONG pID)
{
    PEPROCESS tProcess;  // target process; referenced by the lookup below
    PEPROCESS Process;   // owner of the thread currently being examined
    PETHREAD Thread;
    ULONG i=0;

    if ( !NT_SUCCESS(PsLookupProcessByProcessId((PVOID)pID, &tProcess)) )
    {
        KdPrint(("查找目标进程EPROCESS失败!\n"));
        return;
    }

    // Probe each candidate thread ID; the lookup references the thread on
    // success, so every hit must be dereferenced below.
    for (i = 4; i < 0x40000; i += 4)
    {
        if(NT_SUCCESS(PsLookupThreadByThreadId((PVOID)i, &Thread)) )
        {
            Process = IoThreadToProcess(Thread);
            if (Process == tProcess)
            {
                PspTerminateThreadByPointer(Thread, 0);
            }
            ObDereferenceObject(Thread);  // drop the reference taken by the lookup
        }
    }
    ObDereferenceObject(tProcess);  // drop the reference taken by the process lookup
}
//////////////////////////////////////////////////////////////////////////
// Driver unload: deletes the symbolic link and the device created by
// MyCreateDevice.
//
// obj: the driver object; its first device object is the one deleted.
//
// NOTE(review): the link is deleted under \??\ while MyCreateDevice created
// it under \DosDevices\. On systems where \DosDevices is an alias of \?? the
// two names resolve to the same object, but they should match to be safe.
VOID Unload(PDRIVER_OBJECT obj)
{
    UNICODE_STRING SymLinkName;
    RtlInitUnicodeString(&SymLinkName, L"\\??\\My_SymLink");
    IoDeleteSymbolicLink(&SymLinkName);
    IoDeleteDevice(obj->DeviceObject);
    KdPrint(("PspTerminateThreadByPointer.sys 卸载成功!\n"));
}

//////////////////////////////////////////////////////////////////////////
// Single dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and
// IRP_MJ_DEVICE_CONTROL. Only IOCTL_KILL_PROCESS does any work: the first
// ULONG of the buffered input is taken as a PID and passed to KillProcess.
// Every IRP, including unknown control codes, is completed with
// STATUS_SUCCESS, and IoStatus.Information is never set (the caller's
// bytes-returned count is therefore 0).
//
// pDev: the device object (unused).  pIrp: the request to complete.
// Returns STATUS_SUCCESS.
//
// NOTE(review): irpsp->Parameters.DeviceIoControl.InputBufferLength is never
// checked, so a request with fewer than sizeof(pID) input bytes can make the
// memcpy read beyond what the caller supplied, and a request with no buffers
// at all can leave `input` NULL. The control code is also read for
// CREATE/CLOSE IRPs, whose stack location does not carry DeviceIoControl
// parameters; the switch just fails to match in that case.
NTSTATUS DispchDriver(PDEVICE_OBJECT pDev, PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(pIrp);       // current IRP stack location
    ULONG* input = pIrp->AssociatedIrp.SystemBuffer;                     // buffered-I/O input (DO_BUFFERED_IO)
    ULONG ControlCode = irpsp->Parameters.DeviceIoControl.IoControlCode; // requested control code
    ULONG pID;                                                           // target process ID

    switch (ControlCode)
    {
    case IOCTL_KILL_PROCESS:
        memcpy(&pID, input, sizeof(pID));  // no length check on the input buffer
        KdPrint(("指定进程pID = %ld\n", pID));
        KillProcess(pID);
        break;
    }

    pIrp->IoStatus.Status=STATUS_SUCCESS;     // reported as success regardless of outcome
    IoCompleteRequest(pIrp,IO_NO_INCREMENT);  // complete the IRP
    KdPrint(("离开派遣函数\n"));
    return status;
}

//////////////////////////////////////////////////////////////////////////
// Resolves an exported kernel routine by name through
// MmGetSystemRoutineAddress.
//
// FunctionName: NUL-terminated wide name of the routine.
// Returns the routine's address truncated to ULONG, or 0 when
// MmGetSystemRoutineAddress returns NULL. The ULONG return type limits this
// to 32-bit builds.
ULONG GetFunctionAddr( IN PCWSTR FunctionName)
{
    UNICODE_STRING UniCodeFunctionName;
    RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );
    return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );
}

//////////////////////////////////////////////////////////////////////////
// Driver entry point: registers the unload and dispatch routines, creates
// the control device, then derives the address of
// PspTerminateThreadByPointer by scanning the code of PsTerminateSystemThread
// for a fixed two-byte pattern and resolving the relative displacement of
// the call instruction that follows it.
//
// pDriver: driver object.  path: registry path (unused).
// Returns STATUS_UNSUCCESSFUL if PsTerminateSystemThread cannot be resolved
// or MyCreateDevice fails, otherwise STATUS_SUCCESS.
//
// NOTE(review): the scan result is never validated. If nothing matches,
// PTTBPAddress stays 0 and the driver still loads with a NULL function
// pointer that KillProcess later calls; if several positions match, the last
// one wins because the loop does not break. On the early return after
// MyCreateDevice has succeeded, the device and symbolic link are left in
// place. MmIsAddressValid is checked only for offset i, while the bytes at
// i+1 .. i+5 are read as well. All address arithmetic is done in ULONG, so
// this only works on 32-bit kernels.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING path)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG PTSTAddress = 0;   // address of PsTerminateSystemThread
    ULONG PTTBPAddress = 0;  // address of PspTerminateThreadByPointer, once found
    ULONG CallCode = 0;      // relative displacement read from the call instruction
    ULONG i = 0;

    //////////////////////////////////////////////////////////////////////////
    pDriver->DriverUnload = Unload;
    pDriver->MajorFunction[IRP_MJ_CREATE] = DispchDriver;
    pDriver->MajorFunction[IRP_MJ_CLOSE] = DispchDriver;
    pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispchDriver;

    //////////////////////////////////////////////////////////////////////////
    status = MyCreateDevice(pDriver);
    if (STATUS_SUCCESS != status) return status;

    //////////////////////////////////////////////////////////////////////////
    PTSTAddress = (ULONG)GetFunctionAddr(L"PsTerminateSystemThread");
    if (PTSTAddress == 0)
    {
        KdPrint(("获取PsTerminateSystemThread地址失败!\n"));
        return STATUS_UNSUCCESSFUL;
    }

    // Scan the bytes following PsTerminateSystemThread for the expected
    // pattern; the four bytes after it are read as the call's relative
    // displacement and converted to an absolute address.
    for (i = 1; i < 0xff; i++)
    {
        if ( MmIsAddressValid((PVOID)(PTSTAddress+i)) )
        {
            if (*(unsigned char*)(PTSTAddress + i) == 0x50 && *(unsigned char*)(PTSTAddress + i + 1) == 0xE8)
            {
                RtlMoveMemory(&CallCode, (PVOID)(PTSTAddress+i+2), 4);
                PTTBPAddress = (PTSTAddress+i+1) + CallCode + 5;  // target = address of the call + 5 + displacement
            }
        }
    }
    PspTerminateThreadByPointer = (PSPTERMINATETHREADBYPOINTER)PTTBPAddress;
    KdPrint(("PspTerminateThreadByPointer:[0x%p]\n",PspTerminateThreadByPointer));

    //////////////////////////////////////////////////////////////////////////
    return STATUS_SUCCESS;
}
应用程序部分:
// KillProcessBySys.cpp : defines the entry point for the console application.
//
// User-mode side: opens the driver's symbolic link and, for each PID typed on
// stdin, sends IOCTL_KILL_PROCESS with the PID as a 4-byte input buffer.
// Entering 0 ends the loop.
//
// NOTE(review): the PID read before the loop is sent before the zero check
// (do/while), so entering 0 at the first prompt still issues one IOCTL with
// PID 0. A failed `cin >> pid` is never detected; depending on how the
// library treats the variable on extraction failure, non-numeric input can
// either end the loop or re-send the previous PID indefinitely. hDevice is
// never closed with CloseHandle on any path.
#include "stdafx.h"
#include <windows.h>
#include <iostream>
using namespace std;

// Must match the driver's definition of IOCTL_KILL_PROCESS.
#define IOCTL_KILL_PROCESS (ULONG) CTL_CODE( FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS )

int _tmain(int argc, _TCHAR* argv[])
{
    DWORD pid = 0;
    DWORD bufret,dwWrite;  // bufret: 4-byte output buffer the driver never fills; dwWrite: bytes returned

    cout<<"输入要结束的进程ID:(输入0退出)\n";
    cin>>pid;

    HANDLE hDevice = CreateFile(L"\\\\.\\My_SymLink", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("获取驱动句柄失败: %s with Win32 error code: %d\n","MyDriver", GetLastError() );
        system("pause");
        return 0;
    }

    do
    {
        // Input buffer is the PID (4 bytes). The driver completes every
        // request with success and never sets IoStatus.Information, so a
        // TRUE result does not mean the process was actually terminated.
        if(DeviceIoControl(hDevice, IOCTL_KILL_PROCESS , (LPVOID)&pid, 4, &bufret, 4, &dwWrite, NULL))
        {
            cout<<"PID: "<<pid<<" 结束!"<<endl;
            cin>>pid;
        }
        else
        {
            cout<<"结束进程 "<<pid<<" 出错!"<<endl;
            return 0;
        }
    }while(pid);  // a PID of 0 exits the loop

    cout<<"Bye!\n";
    system("pause");
    return 0;
}