|
阅读:2286回复:1
PspTerminateThreadByPointer 函数的实现 [zt]
[note]嗯,PspTerminateThreadByPointer没有改变2008/02/02 13:06用Windbg看了遍PspTerminateThreadByPointer,发现和WRK上的一样.哈哈,没有任何出入.这样自己实现起来就方便咯.
btw: XP SP2下是2个参数 NTSTATUS PspTerminateThreadByPointer( IN PETHREAD Thread, IN NTSTATUS ExitStatus, IN BOOLEAN DirectTerminate ) { NTSTATUS Status; PKAPC ExitApc=NULL; ULONG OldMask; PAGED_CODE(); if (Thread->CrossThreadFlags & PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION) { PspCatchCriticalBreak("Terminating critical thread 0x%p (in %s)\n", Thread, THREAD_TO_PROCESS(Thread)->ImageFileName); } if (DirectTerminate && Thread == PsGetCurrentThread()) { ASSERT (KeGetCurrentIrql() < APC_LEVEL); PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_TERMINATED); PspExitThread (ExitStatus); } else { // 10h // 嘿嘿,若thread的flag中有PS_CROSS_THREAD_FLAGS_SYSTEM, 就pass了. =。=|| if (IS_SYSTEM_THREAD (Thread)) { return STATUS_ACCESS_DENIED; } Status = STATUS_SUCCESS; while (1) { ExitApc = (PKAPC) ExAllocatePoolWithTag (NonPagedPool, sizeof(KAPC), 'xEsP'); if (ExitApc != NULL) { break; } KeDelayExecutionThread(KernelMode, FALSE, &ShortTime); } // Mark the thread as terminating and call the exit function. OldMask = PS_TEST_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_TERMINATED);// 01h // 若之前没有设置过关闭标志,那就插个APC if ((OldMask & PS_CROSS_THREAD_FLAGS_TERMINATED) == 0) { KeInitializeApc (ExitApc, PsGetKernelThread (Thread), OriginalApcEnvironment, PsExitSpecialApc, PspExitApcRundown, PspExitNormalApc, KernelMode, ULongToPtr (ExitStatus)); if (!KeInsertQueueApc (ExitApc, ExitApc, NULL, 2)) { // 看来可以在KeInsertQueueApc上做手脚啦。 ExFreePool (ExitApc); Status = STATUS_UNSUCCESSFUL; } else { KeForceResumeThread (&Thread->Tcb); } } else { ExFreePool (ExitApc); } } return Status; } 是自身线程就直接调用PspExitThread,其他情况就插APC。。。 btw:炉子半年前就把这些弄透了,俺现在才开始学习。差距啊 |
|
|
|
沙发#
发布于:2008-04-09 12:13
实现一个函数不难,难的是实现所有的函数.32位下HOOK无极限,随便一个HOOK,都够你从WRK里CTRL C ,CTRL V 半天的了.
|
|
|
