[原创]Ring3内存清0杀进程
看到标题不要惊讶,这个东西很久很久以前就有人发过了,当时我完全没看懂。下面的代码是我根据题目按照自己的想法写的,只是因为最近很无聊,代码没有任何价值。
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <Tlhelp32.h>
/* Enable SeDebugPrivilege in our own token; non-zero on success. */
BOOL EnableDebugPrivileges();
/* Case-insensitive equality test: 1 when equal, 0 otherwise. */
int kestrcmpi(char *str1, char *str2);
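/*
 * Overwrite the first module of process `pid` (normally its own executable)
 * with zeros, from the image's entry point RVA to the end of the image.
 *
 * Returns 0 on success (or when the process exposes no module list, which the
 * original code silently skipped), -1 after printing which Win32 call failed.
 * Every handle and the scratch buffer are released on all paths; the original
 * closed them only after the loop and left them uninitialized when no
 * process matched.
 */
static int zero_process_image(DWORD pid)
{
    MODULEENTRY32 te32;
    HANDLE hSnapshot1;
    HANDLE hTarget = NULL;
    void *pNothing = NULL;
    DWORD dwStore, dwFillSize;
    int rc = -1;

    hSnapshot1 = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (hSnapshot1 == INVALID_HANDLE_VALUE) {
        printf("Create snapshot for modules failed!\n");
        return -1;
    }
    te32.dwSize = sizeof te32;
    if (!Module32First(hSnapshot1, &te32)) {
        rc = 0; /* no module list: keep the original's silent skip */
        goto out_snapshot;
    }
    hTarget = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    if (!hTarget) {
        printf("open target process failed!\n");
        goto out_snapshot;
    }
    /* modBaseAddr + 0x3c is IMAGE_DOS_HEADER.e_lfanew: the PE header offset. */
    if (!ReadProcessMemory(hTarget, (void *)(te32.modBaseAddr + 0x3c),
                           &dwStore, sizeof dwStore, NULL)) {
        printf("ReadProcessMemory1 failed!\n");
        goto out_process;
    }
    /* PE header + 0x28 is IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint (an RVA). */
    if (!ReadProcessMemory(hTarget, (void *)(te32.modBaseAddr + dwStore + 0x28),
                           &dwStore, sizeof dwStore, NULL)) {
        printf("ReadProcessMemory2 failed!\n");
        goto out_process;
    }
    /* The original computed modBaseSize - RVA unchecked; an RVA past the end
     * of the image would wrap into a huge fill size. */
    if (dwStore >= te32.modBaseSize) {
        printf("entry point lies outside the module image!\n");
        goto out_process;
    }
    dwFillSize = te32.modBaseSize - dwStore;
    pNothing = calloc(dwFillSize, 1); /* zero-filled source buffer */
    if (!pNothing) {
        printf("calloc failed!\n");
        goto out_process;
    }
    if (!WriteProcessMemory(hTarget, (void *)(te32.modBaseAddr + dwStore),
                            pNothing, dwFillSize, NULL)) {
        printf("WriteProcessMemory failed!\n");
        goto out_process;
    }
    rc = 0;
out_process:
    free(pNothing);
    CloseHandle(hTarget);
out_snapshot:
    CloseHandle(hSnapshot1);
    return rc;
}

/*
 * Entry point: reads a process name from stdin and, for every running process
 * whose image name matches it, zeroes that process's main module from its
 * entry point onward (see zero_process_image).
 *
 * Returns 0 on success, 1 on any failure; failures `system("pause")` first so
 * the console window stays open, as in the original.
 */
int main(void)
{
    PROCESSENTRY32 pe32;
    HANDLE hSnapshot;
    /* The original declared `char *szTarget[31]` - 31 pointers, not 31 chars -
     * and then let scanf write characters into the pointer array. */
    char szTarget[31];
    int rc = 0;

    printf("Input the name of process which you wanna kill(case sensitive):");
    /* %30s leaves room for the NUL terminator in the 31-byte buffer. */
    if (scanf("%30s", szTarget) != 1) {
        printf("No process name read!\n");
        system("pause");
        return 1;
    }
    /* Without SeDebugPrivilege, OpenProcess below fails for processes owned by
     * other accounts; the original ignored this return value entirely. */
    if (!EnableDebugPrivileges()) {
        printf("EnableDebugPrivileges failed, some processes may not open!\n");
    }
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        printf("Create snapshot for processes failed!\n");
        system("pause");
        return 1;
    }
    pe32.dwSize = sizeof pe32;
    if (Process32First(hSnapshot, &pe32)) {
        do {
            /* NOTE: despite the prompt text, kestrcmpi matches case-insensitively. */
            if (kestrcmpi(pe32.szExeFile, szTarget)
                && zero_process_image(pe32.th32ProcessID) != 0) {
                system("pause");
                rc = 1;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }
    CloseHandle(hSnapshot);
    return rc;
}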
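/*
 * Case-insensitive equality test for two NUL-terminated strings.
 *
 * Returns 1 when the strings are equal ignoring ASCII letter case, else 0
 * (the opposite sense of strcmp's return value, as in the original).
 *
 * The original folded case with `c | 0x20`, which also equates non-letters
 * that differ only in bit 5 ('[' and '{', '@' and '`', '\\' and '|', ...),
 * so "a[b.exe" matched "a{b.exe". tolower() folds letters only.
 */
int kestrcmpi(char *str1, char *str2)
{
    size_t len = strlen(str1);

    if (len != strlen(str2))
        return 0;
    for (size_t i = 0; i < len; i++) {
        /* cast to unsigned char: tolower() is undefined for negative char values */
        if (tolower((unsigned char)str1[i]) != tolower((unsigned char)str2[i]))
            return 0;
    }
    return 1;
}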
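/*
 * Enable SeDebugPrivilege in the current process token so OpenProcess can
 * reach processes the caller otherwise has no access to.
 *
 * Returns non-zero when the privilege was granted, 0 when the token could not
 * be opened, the privilege LUID could not be looked up, or the adjustment did
 * not take. AdjustTokenPrivileges can return success yet report
 * ERROR_NOT_ALL_ASSIGNED through GetLastError, so both are checked; the
 * original checked only GetLastError and never closed hToken.
 */
BOOL EnableDebugPrivileges(void)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    BOOL bRet = 0;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return 0;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)
        && AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, NULL, NULL)
        && GetLastError() == ERROR_SUCCESS)
        bRet = 1;
    CloseHandle(hToken); /* the original leaked this handle on every path */
    return bRet;
}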
附bin一个