[求助]内核版结束进程-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)
lovelyday 雪币： 31 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 169 粉丝 0 关注私信	lovelyday 2 楼 ZwOpenProcess和ZwTerminateProcess？记不太清楚了 2014-2-17 21:45 0
安于此生雪币： 2664 活跃值： (3401) 能力值： ( LV13，RANK：1760 ) 在线值：发帖 103 回帖 2020 粉丝 199 关注私信	安于此生 34 3 楼 ZwTerminateProcess,代码网上一搜一堆 2014-2-17 21:53 0
chinadaily 雪币： 195 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 17 回帖 40 粉丝 0 关注私信	chinadaily 4 楼楼上正解。发一段ring3下的zwo和zwt。 #include <windows.h> #include <tlhelp32.h> #include <string.h> #include <stdio.h> #include <stdlib.h> typedef LONG NTSTATUS; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PVOID Buffer; } UNICODE_STRING, PUNICODE_STRING; typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID; typedef CLIENT_ID PCLIENT_ID; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE } OBJECT_ATTRIBUTES; typedef OBJECT_ATTRIBUTES POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK ZwOpenProcess)( PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId ); typedef NTSTATUS (CALLBACK ZwTerminateProcess)( HANDLE ProcessHandle, NTSTATUS ExitStatus ); DWORD GetPID(char exe) { DWORD pid = -1; // Get the process list snapshot. HANDLE hProcessSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0 ); // Initialize the process entry structure. PROCESSENTRY32 ProcessEntry = { 0 }; ProcessEntry.dwSize = sizeof( ProcessEntry ); // Get the first process info. BOOL Return = FALSE; Return = Process32First( hProcessSnapShot, &ProcessEntry ); // Getting process info failed. if( !Return ) { return pid; } do { if( strcmp(exe, (char)ProcessEntry.szExeFile) == 0 ) { pid = ProcessEntry.th32ProcessID; break; } } while( Process32Next( hProcessSnapShot, &ProcessEntry )); // Close the handle CloseHandle( hProcessSnapShot ); return pid; } int main(int argc, char argv[]) { DWORD pid = GetPID("QQ.exe"); printf("pid: %d\n", pid); ZwOpenProcess zop = (ZwOpenProcess)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwOpenProcess" ); printf("f open: %d\n", zop); ZwTerminateProcess ztp = (ZwTerminateProcess)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwTerminateProcess" ); printf("f terminate: %d\n", ztp); HANDLE hProc; CLIENT_ID cid; cid.UniqueProcess = (HANDLE)pid; cid.UniqueThread = 0; OBJECT_ATTRIBUTES attr; attr.Length = sizeof(OBJECT_ATTRIBUTES); attr.RootDirectory = NULL; attr.ObjectName = NULL; attr.Attributes = NULL; attr.SecurityDescriptor = NULL; attr.SecurityQualityOfService = NULL; zop(&hProc, PROCESS_TERMINATE, &attr, &cid); printf("handle: %d\n", hProc); printf("open error: %d\n", GetLastError()); ztp(hProc, 0); printf("close error: %d\n", GetLastError()); return 0; } 上传的附件： ZwOpenprocess.rar （1.11MB，49次下载） 2014-2-18 09:36 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (3)
lovelyday 雪币： 31 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 169 粉丝 0 关注私信	lovelyday 2 楼 ZwOpenProcess和ZwTerminateProcess？记不太清楚了 2014-2-17 21:45 0
安于此生雪币： 2664 活跃值： (3401) 能力值： ( LV13，RANK：1760 ) 在线值：发帖 103 回帖 2020 粉丝 199 关注私信	安于此生 34 3 楼 ZwTerminateProcess,代码网上一搜一堆 2014-2-17 21:53 0
chinadaily 雪币： 195 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 17 回帖 40 粉丝 0 关注私信	chinadaily 4 楼楼上正解。发一段ring3下的zwo和zwt。 #include <windows.h> #include <tlhelp32.h> #include <string.h> #include <stdio.h> #include <stdlib.h> typedef LONG NTSTATUS; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PVOID Buffer; } UNICODE_STRING, PUNICODE_STRING; typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID; typedef CLIENT_ID PCLIENT_ID; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE } OBJECT_ATTRIBUTES; typedef OBJECT_ATTRIBUTES POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK ZwOpenProcess)( PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId ); typedef NTSTATUS (CALLBACK ZwTerminateProcess)( HANDLE ProcessHandle, NTSTATUS ExitStatus ); DWORD GetPID(char exe) { DWORD pid = -1; // Get the process list snapshot. HANDLE hProcessSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0 ); // Initialize the process entry structure. PROCESSENTRY32 ProcessEntry = { 0 }; ProcessEntry.dwSize = sizeof( ProcessEntry ); // Get the first process info. BOOL Return = FALSE; Return = Process32First( hProcessSnapShot, &ProcessEntry ); // Getting process info failed. if( !Return ) { return pid; } do { if( strcmp(exe, (char)ProcessEntry.szExeFile) == 0 ) { pid = ProcessEntry.th32ProcessID; break; } } while( Process32Next( hProcessSnapShot, &ProcessEntry )); // Close the handle CloseHandle( hProcessSnapShot ); return pid; } int main(int argc, char argv[]) { DWORD pid = GetPID("QQ.exe"); printf("pid: %d\n", pid); ZwOpenProcess zop = (ZwOpenProcess)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwOpenProcess" ); printf("f open: %d\n", zop); ZwTerminateProcess ztp = (ZwTerminateProcess)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwTerminateProcess" ); printf("f terminate: %d\n", ztp); HANDLE hProc; CLIENT_ID cid; cid.UniqueProcess = (HANDLE)pid; cid.UniqueThread = 0; OBJECT_ATTRIBUTES attr; attr.Length = sizeof(OBJECT_ATTRIBUTES); attr.RootDirectory = NULL; attr.ObjectName = NULL; attr.Attributes = NULL; attr.SecurityDescriptor = NULL; attr.SecurityQualityOfService = NULL; zop(&hProc, PROCESS_TERMINATE, &attr, &cid); printf("handle: %d\n", hProc); printf("open error: %d\n", GetLastError()); ztp(hProc, 0); printf("close error: %d\n", GetLastError()); return 0; } 上传的附件： ZwOpenprocess.rar （1.11MB，49次下载） 2014-2-18 09:36 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复