哪位高手能给小弟我一个在内核下关闭其他进程的例子?(使用NtOpenprocess,NtTerimateprocess)
谁能给我一个在内核下关闭其他进程的例子?(使用NtOpenprocess,NtTerimateprocess)
刚学驱动,想找现成的代码学习一下
祝大家身体健康
------解决方案--------------------
#include "ntddk.h"
#include "string.h"
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PULONG ServiceTable;
PULONG ServiceCounterTable;
ULONG NumberOfService;
ULONG ParamTableBase;
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1];
} SYSPROCESS,*PSYSPROCESS ;
NTSTATUS ZwQuerySystemInformation(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
__declspec(dllimport) NTSTATUS ZwTerminateProcess( HANDLE ProcessHandle, NTSTATUS ExitStatus );
__declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
#define SYSCALL(_function) KeServiceDescriptorTable.ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
typedef NTSTATUS (*NTTERMIPROCESS) ( HANDLE ProcessHandle, NTSTATUS ExitStatus );
NTTERMIPROCESS NtTerminateProcess;
WCHAR wszExplorer[] = L"explorer.exe" ;
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("ROOTKIT: OnUnload called\n");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
PSYSPROCESS ProcessList;
OBJECT_ATTRIBUTES ProcAttr;
CLIENT_ID ProcClentId;
ULONG BufferSize;
NTSTATUS nStatus;
PCHAR ProcessName;
HANDLE hProc1;
PVOID p1;
theDriverObject->DriverUnload = OnUnload;
(ULONG)NtTerminateProcess = SYSCALL(ZwTerminateProcess);
ZwQuerySystemInformation(5,NULL,0,&BufferSize);
if (! BufferSize)
return STATUS_UNSUCCESSFUL;
p1 = ExAllocatePool (PagedPool ,BufferSize);
if((ULONG)p1 != 0)
{
nStatus = ZwQuerySystemInformation( 5, p1 , BufferSize , 0);
if(nStatus == STATUS_SUCCESS)
{
ProcessList = (PSYSPROCESS)p1;
while(ProcessList)
{
ProcessName = (char*)(ProcessList -> ProcessName.Buffer);
if(ProcessName)
if( _strnicmp (ProcessName,(char*)wszExplorer,24) == 0)
{
ProcClentId.UniqueProcess = (HANDLE)ProcessList -> ProcessId;
ProcClentId.UniqueThread = 0;
//////////////////////////////////////////////////////////////////////////
刚学驱动,想找现成的代码学习一下
祝大家身体健康
------解决方案--------------------
#include "ntddk.h"
#include "string.h"
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PULONG ServiceTable;
PULONG ServiceCounterTable;
ULONG NumberOfService;
ULONG ParamTableBase;
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1];
} SYSPROCESS,*PSYSPROCESS ;
NTSTATUS ZwQuerySystemInformation(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
__declspec(dllimport) NTSTATUS ZwTerminateProcess( HANDLE ProcessHandle, NTSTATUS ExitStatus );
__declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
#define SYSCALL(_function) KeServiceDescriptorTable.ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
typedef NTSTATUS (*NTTERMIPROCESS) ( HANDLE ProcessHandle, NTSTATUS ExitStatus );
NTTERMIPROCESS NtTerminateProcess;
WCHAR wszExplorer[] = L"explorer.exe" ;
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("ROOTKIT: OnUnload called\n");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
PSYSPROCESS ProcessList;
OBJECT_ATTRIBUTES ProcAttr;
CLIENT_ID ProcClentId;
ULONG BufferSize;
NTSTATUS nStatus;
PCHAR ProcessName;
HANDLE hProc1;
PVOID p1;
theDriverObject->DriverUnload = OnUnload;
(ULONG)NtTerminateProcess = SYSCALL(ZwTerminateProcess);
ZwQuerySystemInformation(5,NULL,0,&BufferSize);
if (! BufferSize)
return STATUS_UNSUCCESSFUL;
p1 = ExAllocatePool (PagedPool ,BufferSize);
if((ULONG)p1 != 0)
{
nStatus = ZwQuerySystemInformation( 5, p1 , BufferSize , 0);
if(nStatus == STATUS_SUCCESS)
{
ProcessList = (PSYSPROCESS)p1;
while(ProcessList)
{
ProcessName = (char*)(ProcessList -> ProcessName.Buffer);
if(ProcessName)
if( _strnicmp (ProcessName,(char*)wszExplorer,24) == 0)
{
ProcClentId.UniqueProcess = (HANDLE)ProcessList -> ProcessId;
ProcClentId.UniqueThread = 0;
//////////////////////////////////////////////////////////////////////////