A few days ago I saw a thread on the forum, apparently asking how to terminate the Anti-KillProcess-Demo process.
That day I downloaded it and dropped it into a VM; I tried a few methods and sure enough they all failed, XT and the like could do nothing about it.
At the time I felt this process looked a lot like a zombie process, as if a thread were stuck in kernel mode.
Later in that thread another member analyzed it too and confirmed my guess, as follows:
I just took a look... launched the program, then hit End Process in Task Manager; the process was not terminated. Look at the thread's stack backtrace:
kd> !thread 81f39a10
THREAD 81f39a10 Cid 00e8.0154 Teb: 7ffde000 Win32Thread: e23ed4a8 READY
IRP List:
81ecc150: (0006,0094) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap e1d6e1e0
Owning Process 0 Image: <Unknown>
Attached Process 81f39c88 Image: Anti-KillProcess-Demo.exe
Wait Start TickCount 20176 Ticks: 0
Context Switch Count 12437 LargeStack
UserTime 00:00:00.109
KernelTime 00:00:00.015
Win32 Start Address Anti_KillProcess_Demo (0x0057c0d4)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init b2965000 Current b2964914 Base b2965000 Limit b2961000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
b296492c 80501cd6 81f39a80 81f39a10 804fad62 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b2964938 804fad62 81ecc160 81ba31a8 81e09310 nt!KiSwapThread+0x46 (FPO: [0,0,0])
b2964960 b1e3304c 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
WARNING: Stack unwind information not available. Following frames may be wrong.
b2964994 b1e330f8 000022b8 b2964a90 804ef119 AntiKillProcess+0x104c
b29649a0 804ef119 81feabd8 81ecc150 81ecc150 AntiKillProcess+0x10f8
b29649b0 80579616 81feabc0 81f489ac b2964b58 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b2964a90 805b5cbc 81feabd8 00000000 81f48908 nt!IopParseDevice+0xa12 (FPO: [Non-Fpo])
b2964b18 805b2065 00000000 b2964b58 00000040 nt!ObpLookupObjectName+0x56a (FPO: [11,19,4])
b2964b6c 8056c223 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb (FPO: [7,5,4])
b2964be8 8056cb9a 0012fc38 c0100080 0012fbd8 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
b2964c44 8056f2ac 0012fc38 c0100080 0012fbd8 nt!IoCreateFile+0x8e (FPO: [14,3,0])
b2964c84 b2c5f82a 0012fc38 c0100080 0012fbd8 nt!NtCreateFile+0x30 (FPO: [11,0,0])
b2964d30 8053e638 0012fc38 c0100080 0012fbd8 pmhafchg+0x1082a
b2964d30 7c92e4f4 0012fc38 c0100080 0012fbd8 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2964d64)
0012fb94 7c92d09c 7c8109a6 0012fc38 c0100080 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012fb98 7c8109a6 0012fc38 c0100080 0012fbd8 ntdll!ZwCreateFile+0xc (FPO: [11,0,0])
0012fc30 7c801a53 00000000 c0000000 00000000 kernel32!CreateFileW+0x35f (FPO: [7,22,0])
0012fc54 004013b0 00416560 c0000000 00000000 kernel32!CreateFileA+0x30 (FPO: [7,0,0])
0012ffc0 7c817067 0007da50 7c92d950 7ffdf000 Anti_KillProcess_Demo+0x13b0
0012fff0 00000000 0057c0d4 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])
You can see the process is trying to open something. Since the OP said no HOOK is used (and scanning with an ARK indeed found no hooks), what is being opened should be a device. Let's verify:
kd> da 00416560
00416560 "\\.\DriverTexting"
kd> !devobj 81feabd8
Device object (81feabd8) is for:
DriverTexting \Driver\AntiKillProcess DriverObject 81ba31a8
Current Irp 00000000 RefCount 1 Type 00000022 Flags 00000040
Dacl e12c6af4 DevExt 00000000 DevObjExt 81feac90
ExtensionFlags (0000000000)
Device queue is not busy.
kd> !drvobj 81ba31a8
Driver object (81ba31a8) is for:
\Driver\AntiKillProcess
Driver Extension List: (id , addr)
Device Object list:
81feabd8
You can see this device was created by the driver dropped by the demo. Since the OP said it is VMP-packed, I did not look at what the CREATE routine actually does, but from the stack backtrace it should be calling KeWaitForSingleObject so that the thread can never return, and therefore the thread cannot be terminated~
Actually I have been wondering whether there is a way, without a driver, purely calling standard APIs from R3, to deadlock a thread in kernel mode. Experts, please share...
==========================================
Today I also looked at it myself, and just as this member analyzed, KeWaitForSingleObject apparently never returns.
Because of this, the usual ways of terminating a process do not work. Just now, while organizing my everyday notes, I found a method of terminating a process by inserting an APC. I immediately tried it in the VM, and sure enough it worked; the process was terminated cleanly.
#include <ntddk.h>

VOID DriverUnload(PDRIVER_OBJECT pDriverObj) { UNREFERENCED_PARAMETER(pDriverObj); }
VOID KillProcessWithApc(ULONG dwProcess); // implemented in the attached code

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    UNREFERENCED_PARAMETER(pRegistryString);
    pDriverObj->DriverUnload = DriverUnload;
    ULONG dwProcess = 0x81406468; // EPROCESS address of the target; can be found with WinDbg
    KillProcessWithApc(dwProcess);
    return STATUS_SUCCESS;
}
Here is how to find it:
!process 0 0 enumerates the processes
PROCESS 81406468 SessionId: 0 Cid: 0220 Peb: 7ffde000 ParentCid: 0728
DirBase: 0331a000 ObjectTable: e1c3ee08 HandleCount: 27.
Image: Anti-KillProcess-Demo.exe
The code is in the attachment.