[推荐]内存清零KILL进程-编程技术-看雪-安全社区|安全招聘|kanxue.com

[推荐]内存清零KILL进程

发表于: 2008-8-11 23:05 16524

[推荐]内存清零KILL进程

鸡蛋壳

2008-8-11 23:05

16524

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#include <tlhelp32.h>
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")
 
#pragma comment(linker, "/ENTRY:main")
//------------------ 数据类型声明开始 --------------------//
typedef struct _PROCES***ASIC_INFORMATION {
     NTSTATUS ExitStatus;
     ULONG PebBaseAddress;
     ULONG_PTR AffinityMask;
     LONG BasePriority;
     ULONG_PTR UniqueProcessId;
     ULONG_PTR InheritedFromUniqueProcessId;
} PROCES***ASIC_INFORMATION;
typedef PROCES***ASIC_INFORMATION *PPROCES***ASIC_INFORMATION;
 
typedef struct _SYSTEM_HANDLE_INFORMATION
{
     ULONG             ProcessId;
     UCHAR             ObjectTypeNumber;
     UCHAR             Flags;
     USHORT             Handle;
     PVOID             Object;
     ACCESS_MASK         GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
 
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
 
typedef enum _SECTION_INHERIT {
ViewShare = 1,
   ViewUnmap = 2
} SECTION_INHERIT;
 
typedef struct _MY_PROCESS_INFO {
ULONG PID;
ULONG KPEB;
ULONG CR3;
CHAR Name[16];
ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;
typedef struct _CLIENT_ID {
     HANDLE UniqueProcess;
     HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;
 
typedef long NTSTATUS;
 
//------------------ 数据类型声明结束 --------------------//
 
//--------------------- 预定义开始 -----------------------//
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS         0x00000000
#define STATUS_UNSUCCESSFUL       0xC0000001
#define STATUS_NOT_IMPLEMENTED     0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER   0xC000000D
#define STATUS_ACCESS_DENIED     0xC0000022
#define STATU***UFFER_TOO_SMALL   0xC0000023
#define OBJ_KERNEL_HANDLE       0x00000200
#define SystemModuleInformation   11
#define SystemHandleInformation   0x10
 
#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES );(p)->RootDirectory = r;                 (p)->Attributes = a;                     (p)->ObjectName = n;                       (p)->SecurityDescriptor = s;                 (p)->SecurityQualityOfService = NULL;         }
//--------------------- 预定义结束 -----------------------//
 
//------------------ Native API声明开始 ------------------//
 
typedef DWORD (_stdcall *XXXZwQuerySystemInformation)(
                ULONG SystemInformationClass,
                PVOID SystemInformation,
                ULONG SystemInformationLength,
                PULONG ReturnLength
                );
 
typedef DWORD (_stdcall *XXXZwOpenProcess)(
              OUT PHANDLE             ProcessHandle,
              IN ACCESS_MASK           AccessMask,
              IN POBJECT_ATTRIBUTES   ObjectAttributes,
              IN PCLIENT_ID           ClientId
              );
 
typedef DWORD (_stdcall *XXXZwAllocateVirtualMemory)(
               IN HANDLE               ProcessHandle,
               IN OUT PVOID             *BaseAddress,
               IN ULONG                 ZeroBits,
               IN OUT PULONG           RegionSize,
               IN ULONG                 AllocationType,
               IN ULONG                 Protect
               );
 
typedef DWORD (_stdcall *XXXZwDuplicateObject)(
               IN HANDLE               SourceProcessHandle,
               IN PHANDLE               SourceHandle,
               IN HANDLE               TargetProcessHandle,
               OUT PHANDLE             TargetHandle,
               IN ACCESS_MASK           DesiredAccess OPTIONAL,
               IN BOOLEAN               InheritHandle,
               IN ULONG                 Options
               );
 
typedef DWORD (_stdcall *XXXZwQueryInformationProcess)(
                 IN HANDLE               ProcessHandle,
                 IN PVOID          ProcessInformationClass,
                 OUT PVOID               ProcessInformation,
                 IN ULONG                 ProcessInformationLength,
                 OUT PULONG               ReturnLength
                 );
 
typedef DWORD (_stdcall *XXXZwProtectVirtualMemory)(
              
              IN HANDLE               ProcessHandle,
              IN OUT PVOID             *BaseAddress,
              IN OUT PULONG           NumberOfBytesToProtect,
              IN ULONG                 NewAccessProtection,
              OUT PULONG               OldAccessProtection
              );
 
typedef DWORD (_stdcall *XXXZwWriteVirtualMemory)(
               IN HANDLE               ProcessHandle,
               IN PVOID                 BaseAddress,
               IN PVOID                 Buffer,
               IN ULONG                 NumberOfBytesToWrite,
               OUT PULONG               NumberOfBytesWritten OPTIONAL
               );
 
typedef DWORD (_stdcall *XXXZwClose)(
           IN HANDLE               ObjectHandle
           );
 
typedef DWORD (_stdcall *XXXZwFreeVirtualMemory)(
              
              IN HANDLE               ProcessHandle,
              IN PVOID                 *BaseAddress,
              IN OUT PULONG           RegionSize,
              IN ULONG                 FreeType
              );
 
//------------------ Native API声明结束 ------------------//
 
//------------------ 程序正式开始 ------------------//
 
DWORD GetPidByName(char *szName)
{
HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe32={0};
DWORD dwRet=0;
 
hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)return 0;
 
pe32.dwSize = sizeof(PROCESSENTRY32);
if(Process32First(hProcessSnap, &pe32))
{
   do
   {
    if(lstrcmpi(szName,pe32.szExeFile)==0)
    {
     dwRet=pe32.th32ProcessID;
     break;
    }
   }while (Process32Next(hProcessSnap,&pe32));
}
else return 0;
 
if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);
return dwRet;
}
 
void KillIce(ULONG dwProcessId)
{
HMODULE hNTDLL = LoadLibrary ("ntdll");
HANDLE      ph, h_dup;
ULONG      bytesIO;
PVOID      buf;
ULONG         i;
CLIENT_ID     cid1;
OBJECT_ATTRIBUTES     attr;
HANDLE         csrss_id;
//   HANDLE     SnapShotHandle;
PROCES***ASIC_INFORMATION     pbi;
PVOID         p0, p1;
ULONG         sz, oldp;
ULONG         NumOfHandle;
PSYSTEM_HANDLE_INFORMATION     h_info;  
 
csrss_id = (HANDLE)GetPidByName("csrss.exe");
attr.Length = sizeof(OBJECT_ATTRIBUTES);
attr.RootDirectory = 0;
attr.ObjectName = 0;
attr.Attributes = 0;
attr.SecurityDescriptor = 0;
attr.SecurityQualityOfService = 0;
 
cid1.UniqueProcess = csrss_id;
cid1.UniqueThread = 0;
XXXZwOpenProcess ZwOpenProcess;
ZwOpenProcess = (XXXZwOpenProcess)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwOpenProcess");
ZwOpenProcess(&ph, PROCESS_ALL_ACCESS, &attr, &cid1);
 
bytesIO = 0x400000;
buf = 0;
XXXZwAllocateVirtualMemory ZwAllocateVirtualMemory;
ZwAllocateVirtualMemory = (XXXZwAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwAllocateVirtualMemory");
ZwAllocateVirtualMemory(GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE);
 
XXXZwQuerySystemInformation ZwQuerySystemInformation;
ZwQuerySystemInformation = (XXXZwQuerySystemInformation)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
ZwQuerySystemInformation(SystemHandleInformation, buf, 0x400000, &bytesIO);
NumOfHandle = (ULONG)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
 
for (i= 0 ; i<NumOfHandle; i++, h_info++)
{   
   if ((h_info->ProcessId == (ULONG)csrss_id)&&(h_info->ObjectTypeNumber == 5))
   {
    XXXZwDuplicateObject ZwDuplicateObject;
    ZwDuplicateObject = (XXXZwDuplicateObject)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwDuplicateObject");
    XXXZwQueryInformationProcess ZwQueryInformationProcess;
    ZwQueryInformationProcess = (XXXZwQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQueryInformationProcess");
    if (ZwDuplicateObject(ph, (PHANDLE)h_info->Handle, (HANDLE)-1, &h_dup,
     0, 0, DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS)
     ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO);
    if (pbi.UniqueProcessId == dwProcessId)
    {
     MessageBox(0, "目标已确定!", "OK", MB_OK);
     XXXZwProtectVirtualMemory ZwProtectVirtualMemory;
     ZwProtectVirtualMemory = (XXXZwProtectVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwProtectVirtualMemory");
     XXXZwWriteVirtualMemory ZwWriteVirtualMemory;
     ZwWriteVirtualMemory = (XXXZwWriteVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwWriteVirtualMemory");
     XXXZwClose ZwClose;
     ZwClose = (XXXZwClose)GetProcAddress(GetModuleHandle("ZwClose"), "ZwClose");
     for (i = 0x1000; i<0x80000000; i = i + 0x1000)
     {
      p0 = (PVOID)i;
      p1 = p0;
      sz = 0x1000;
      if (ZwProtectVirtualMemory(h_dup, &p1, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS)
      {              
       ZwWriteVirtualMemory(h_dup, p0, buf, 0x1000, &oldp);
      }          
     }
     MessageBox(0, "任务已完成！","OK", 0);
     ZwClose(h_dup);     
     break;
    }
   }
}
 
bytesIO = 0;
XXXZwFreeVirtualMemory ZwFreeVirtualMemory;
ZwFreeVirtualMemory = (XXXZwFreeVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"),   "ZwFreeVirtualMemory");
ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE);
 
FreeLibrary(hNTDLL);   
 
}
 
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable)
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
return((GetLastError() == ERROR_SUCCESS));
}
 
void main()
{    
     ULONG Pid;
     HANDLE hToken;
     OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
     EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);
     if (Pid = GetPidByName("nvsvc32.exe"))
     {
         KillIce(Pid);
     }     
     ExitProcess(0);
}

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・21

免费・7

支持

赞赏记录

参与人

雪币

留言

时间

Youlor

为你点赞~

2024-1-4 00:18

伟叔叔

为你点赞~

2023-11-12 05:31

QinBeast

为你点赞~

2023-8-22 00:07

PLEBFE

为你点赞~

2023-8-20 00:14

shinratensei

为你点赞~

2023-7-27 00:28

心游尘世外

为你点赞~

2023-7-18 00:03

飘零丶

为你点赞~

2023-7-6 00:30

最新回复 (8)
Winker 雪币： 796 活跃值： (370) 能力值： ( LV9，RANK：380 ) 在线值：发帖 133 回帖 1127 粉丝 19 关注私信	Winker 8 2 楼沙发　收藏　 2008-8-11 23:33 0
dayed 雪币： 225 活跃值： (10) 能力值： ( LV5，RANK：60 ) 在线值：发帖 10 回帖 222 粉丝 1 关注私信	dayed 1 3 楼哈~~看的有点眼熟 2008-8-11 23:41 0
nevergone 雪币： 63 活跃值： (17) 能力值： ( LV8，RANK：130 ) 在线值：发帖 5 回帖 270 粉丝 0 关注私信	nevergone 3 4 楼好像是炉子的作品哦 2008-8-12 08:23 0
xPLK 雪币： 375 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 18 回帖 705 粉丝 0 关注私信	xPLK 3 5 楼炉子在Ring3是VB的。而且编码风格不像他。 2008-8-12 21:14 0
Sysnap 雪币： 581 活跃值： (149) 能力值： ( LV12，RANK：600 ) 在线值：发帖 32 回帖 389 粉丝 10 关注私信	Sysnap 14 6 楼呵呵。。。感觉APC没有这种方法的强大。。支持个 2008-8-14 09:42 0
sding 雪币： 239 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 64 粉丝 0 关注私信	sding 7 楼先收藏下了,以后看 2008-8-14 11:11 0
lixupeng 雪币： 559 活跃值： (344) 能力值： ( LV2，RANK：10 ) 在线值：发帖 31 回帖 1636 粉丝 0 关注私信	lixupeng 8 楼收藏了 2008-8-14 16:37 0
ywangzi 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	ywangzi 9 楼哈哈，断断续续自学VC一年，现在终于能看懂一些了，我要不断进步，已经收藏，非常感谢。 2008-9-1 06:36 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

鸡蛋壳

456

发帖

3147

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (8)
Winker 雪币： 796 活跃值： (370) 能力值： ( LV9，RANK：380 ) 在线值：发帖 133 回帖 1127 粉丝 19 关注私信	Winker 8 2 楼沙发　收藏　 2008-8-11 23:33 0
dayed 雪币： 225 活跃值： (10) 能力值： ( LV5，RANK：60 ) 在线值：发帖 10 回帖 222 粉丝 1 关注私信	dayed 1 3 楼哈~~看的有点眼熟 2008-8-11 23:41 0
nevergone 雪币： 63 活跃值： (17) 能力值： ( LV8，RANK：130 ) 在线值：发帖 5 回帖 270 粉丝 0 关注私信	nevergone 3 4 楼好像是炉子的作品哦 2008-8-12 08:23 0
xPLK 雪币： 375 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 18 回帖 705 粉丝 0 关注私信	xPLK 3 5 楼炉子在Ring3是VB的。而且编码风格不像他。 2008-8-12 21:14 0
Sysnap 雪币： 581 活跃值： (149) 能力值： ( LV12，RANK：600 ) 在线值：发帖 32 回帖 389 粉丝 10 关注私信	Sysnap 14 6 楼呵呵。。。感觉APC没有这种方法的强大。。支持个 2008-8-14 09:42 0
sding 雪币： 239 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 64 粉丝 0 关注私信	sding 7 楼先收藏下了,以后看 2008-8-14 11:11 0
lixupeng 雪币： 559 活跃值： (344) 能力值： ( LV2，RANK：10 ) 在线值：发帖 31 回帖 1636 粉丝 0 关注私信	lixupeng 8 楼收藏了 2008-8-14 16:37 0
ywangzi 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	ywangzi 9 楼哈哈，断断续续自学VC一年，现在终于能看懂一些了，我要不断进步，已经收藏，非常感谢。 2008-9-1 06:36 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[推荐]内存清零KILL进程

账号登录 验证码登录

账号登录

验证码登录