如何实现结束不了的进程
就像卡巴的进程一样 结束提示结束不了 改SSDT挂钩NTOPENPROCESS,过滤要保护的进程PIDDeroemon
哇 啊啊看不懂 啊::42:: ::42:: [quote]原帖由 [i]610548422[/i] 于 2008-7-25 11:59 发表 [url=http://www.hackerxfiles.net/redirect.php?goto=findpost&pid=856032&ptid=113087][img]http://www.hackerxfiles.net/images/common/back.gif[/img][/url]
改SSDT挂钩NTOPENPROCESS,过滤要保护的进程PID [/quote]
具体说说拿出代码看看撒,呵呵` 你想结束杀软的进程做什么,可以用兵刃的. 我也不懂啊。。。。。。
看看这个吧,天才写的。
[url]http://bbs.pediy.com/showthread.php?t=40832[/url] [quote]具体说说拿出代码看看撒,呵呵`[/quote]
没本事,写不出来 可以像网吧的管理系统一样不??创立两个进程 一个进程结束另一个进程就重新建立一个 互相保护 不过这样好像可以在DOS一起结束了 要是两个进程保护,那可以轻易结束
要是一个注入到其他进程就麻烦了 双进程守护,这个其实是最简单的啊 卸载注入到别的进程的模块,再结束进程树 那些都是驱动级的进程防杀,要驱动基础。 有很多啊,ssdt就不说了,地球人都知道,
inline hook PspTerminateThreadByPointer,KeInsertQueueApc,KiInsertQueueApc,NtOpenProcess,ObOpenObjectByPointer,ObReferenceObjectByHandle,KernelApcDisable(sysnop发明的),===其中KiInsertQueueApc较为有效::10:: ::10:: ::10:: 忘了说的,需要驱动编写的 说起来很简单。做起来::18:: 我给你个代码[code]#include "ntddk.h"
#include <windef.h>
#include <stdlib.h>
#include "dayed.h"
// Shared driver state for the inline hook placed on ObReferenceObjectByHandle.

// Serialises the code patching done by StartHook/StopHook against each other.
// It does not stop other CPUs from executing the patched bytes while they are
// being rewritten.
KSPIN_LOCK SDTSpinLock;
// IRQL saved by KeAcquireSpinLock. It lives in a global shared by StartHook
// and StopHook, so those two must never run concurrently.
KIRQL oldIrql;
// 0xE9 = x86 near relative jmp. StartHook fills bytes 1..4 with the
// displacement from ObReferenceObjectByHandle to fake_ObReferenceObjectByHandle.
BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };
// Copy of the first 5 bytes of ObReferenceObjectByHandle, taken by StartHook
// and written back by StopHook.
BYTE g_OrigCode[5] = { 0 };
// 0xEA = x86 far jmp ptr16:32. Bytes 1..4 receive the address of
// ObReferenceObjectByHandle+5 (filled in by StartHook); bytes 5..6 are the
// code selector, 0x0008 in little-endian byte order.
BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 };
// Image name to protect; compared case-insensitively by DriverEntry and by
// fake_ObReferenceObjectByHandle.
char* MyProtectName = "notepad.exe";
// PID recorded by DriverEntry. 0 means "not found"; Unload only calls
// StopHook when this is non-zero.
ULONG MyProcessId=0;
// EPROCESS resolved from MyProcessId. DriverEntry drops its object reference
// right after the lookup, so only a raw pointer is kept here; it can dangle
// once the process exits. fake_ObReferenceObjectByHandle compares it by
// identity only.
PEPROCESS ProtectedProcess;
extern POBJECT_TYPE *PsProcessType;
// Declared but not referenced by the code shown in this listing.
extern POBJECT_TYPE *PsThreadType;
void StartHook ();
// Local prototype. The DDK declares ProcessId as HANDLE; ULONG is used here
// to match the value stored in MyProcessId.
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
IN ULONG ProcessId,
OUT PEPROCESS *Process
);
// Removes the inline hook: writes the 5 prologue bytes saved in g_OrigCode
// back over the start of ObReferenceObjectByHandle.
//
// WPOFF/WPON come from dayed.h (not shown); presumably they clear and restore
// the CR0 write-protect bit around the write -- confirm in that header.
// Note that the spinlock only serialises against StartHook. A thread on
// another CPU that is currently inside fake_ObReferenceObjectByHandle or the
// Proxy trampoline is not waited for, so calling this from Unload can leave
// such a thread executing code in an image that is about to be unmapped.
void StopHook ()
{
    WPOFF();
    KeAcquireSpinLock( &SDTSpinLock, &oldIrql );
    // Restore the original prologue; no check that it was ever saved.
    RtlCopyMemory ( (BYTE*)ObReferenceObjectByHandle, g_OrigCode, 5 );
    KeReleaseSpinLock( &SDTSpinLock, oldIrql );
    WPON();
}
// Trampoline that stands in for the original ObReferenceObjectByHandle once
// the hook is installed. The body is 12 NOP bytes that StartHook overwrites
// at runtime: the original function's first 5 bytes, followed by the 7-byte
// far jmp in jmp_orig_code that continues at ObReferenceObjectByHandle+5.
//
// Because the function is naked and contains no ret, what executes after the
// 12th byte is entirely determined by what StartHook writes here; before
// StartHook runs, a call to this function falls off the end of the NOPs into
// whatever follows it in the image. The parameter list only exists so the
// signature matches the original for callers in this file.
__declspec (naked)
NTSTATUS
Proxy_ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
    __asm { // 12 bytes in total
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90 // first 5 bytes: receive the original function's first 5 bytes
        _emit 0x90 // this byte is filled with the far jmp opcode (0xEA)
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90 // these 4 bytes hold the address of original+5
        _emit 0x90
        _emit 0x90 // far jump selector; the original comment says 0x0080, but the
                   // bytes actually written from jmp_orig_code are 0x08,0x00 (0x0008)
    }
}
// Hook body that replaces ObReferenceObjectByHandle.
//
// For process-object requests made by any process other than the protected
// one, the handle is resolved a second time through the trampoline; if it
// names ProtectedProcess and the image name stored at EPROCESS+0x174 equals
// MyProtectName, the call fails with STATUS_ACCESS_DENIED. Every other call
// is passed through to the original function unchanged.
//
// Review notes:
//  - The probe call succeeds by taking a reference on the process object
//    (that is the documented contract of ObReferenceObjectByHandle), and no
//    matching ObDereferenceObject is ever made, so every process-handle
//    lookup from another process leaks one reference on its target.
//  - 0x174 is a hard-coded EPROCESS offset (presumably ImageFileName on the
//    32-bit build this was written for); it is not valid across OS versions
//    and is not checked.
//  - The DbgPrint label says "ThreadId" but the value printed is the handle.
//  - Patching an exported ntoskrnl function's prologue like this is exactly
//    what integrity checkers detect by comparing code bytes against the
//    on-disk image.
NTSTATUS __stdcall
fake_ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
    // DbgPrint("ThreadId is %x\n",Handle);
    // Only assigned when the probe below succeeds; read only in that case.
    PEPROCESS EPROCESSKILL;
    if (*PsProcessType == ObjectType)
    {
        // The protected process may still open itself.
        if (ProtectedProcess!=PsGetCurrentProcess())
        {
            // Probe: resolve the handle via the trampoline with minimal access
            // and KernelMode so the access check cannot fail on DesiredAccess.
            if (Proxy_ObReferenceObjectByHandle(Handle,GENERIC_READ,NULL,KernelMode,&EPROCESSKILL,0) == STATUS_SUCCESS)
            {
                // Pointer identity against the EPROCESS recorded in DriverEntry.
                if (ProtectedProcess== EPROCESSKILL)
                {
                    // Second check by image name at a fixed EPROCESS offset.
                    if (_stricmp((char*)((char*)EPROCESSKILL+0x174), MyProtectName) == 0)
                    {
                        DbgPrint("ThreadId is %d\n",Handle);
                        DbgPrint("PEPROCESS at %x\n",EPROCESSKILL);// visible in IceSword
                        return STATUS_ACCESS_DENIED;
                    }
                }
            }
        }
    }
    // Pass-through for everything that was not denied above.
    return Proxy_ObReferenceObjectByHandle(Handle, DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
}
// Installs the inline hook.
//
// Steps: save the first 5 bytes of ObReferenceObjectByHandle, build a
// 5-byte relative jmp to fake_ObReferenceObjectByHandle (rel32 = target -
// source - 5), write that jmp over the original prologue, then fill the
// Proxy trampoline with the saved prologue plus a far jmp back to
// original+5.
//
// Review notes:
//  - The jmp into the hook is written (first RtlCopyMemory under the lock)
//    before the trampoline is populated; a call that arrives on another CPU
//    in between runs into the still-NOP Proxy body.
//  - Nothing verifies that the 5 saved bytes are whole, position-independent
//    instructions; if the prologue contains a relative branch, or an
//    instruction straddles the 5-byte boundary, the relocated copy in the
//    trampoline is wrong.
//  - The spinlock serialises only this driver's own patching, not other
//    CPUs executing the function being patched.
void StartHook ()
{
    // Keep the original prologue for the trampoline and for StopHook.
    RtlCopyMemory (g_OrigCode, (BYTE*)ObReferenceObjectByHandle, 5);
    // rel32 displacement measured from the end of the 5-byte jmp.
    *( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_ObReferenceObjectByHandle - (ULONG)ObReferenceObjectByHandle - 5;
    WPOFF();
    KeAcquireSpinLock( &SDTSpinLock, &oldIrql );
    // Hook becomes live here.
    RtlCopyMemory ( (BYTE*)ObReferenceObjectByHandle, g_HookCode, 5 );
    // Absolute target of the far jmp: the byte after the overwritten prologue.
    *( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)ObReferenceObjectByHandle + 5 );
    // Trampoline = original 5 bytes + 7-byte far jmp (12 bytes, see Proxy).
    RtlCopyMemory ( (BYTE*)Proxy_ObReferenceObjectByHandle, g_OrigCode, 5);
    RtlCopyMemory ( (BYTE*)Proxy_ObReferenceObjectByHandle+ 5, jmp_orig_code, 7);
    KeReleaseSpinLock( &SDTSpinLock, oldIrql );
    WPON();
}
// Driver unload routine. StopHook is only called when DriverEntry found the
// protected process, which mirrors the condition under which StartHook was
// called. DriverObject is unused. See StopHook for why unhooking does not
// wait for threads that may still be executing inside this image.
VOID Unload(PDRIVER_OBJECT DriverObject)
{
    if (MyProcessId!=0)
    {
        StopHook();
    }
}
// Driver entry point.
//
// Walks the SystemProcessInformation list (information class 5) looking for
// a process whose image name equals MyProtectName, records its PID in
// MyProcessId, resolves the EPROCESS into ProtectedProcess, installs the hook
// and returns STATUS_SUCCESS. Returns STATUS_ACCESS_DENIED when no such
// process exists, so the driver fails to load in that case.
//
// Review notes:
//  - Both failure paths before the loop `return 1`. 1 is in the NTSTATUS
//    success range (NT_SUCCESS(1) is true), so the loader treats an
//    allocation or query failure as a successful load.
//  - The buffer size comes from a first query and the data from a second;
//    if the process list grows in between, the second query can fail with a
//    length mismatch and the code takes the `return 1` path above.
//  - ProcessName.Buffer is a UNICODE_STRING buffer and is not guaranteed to
//    be NUL-terminated, yet wcstombs reads it as a NUL-terminated string and
//    does not itself terminate ProcessName when 256 bytes are written.
//  - If several processes match, the last one wins (MyProcessId is simply
//    overwritten).
//  - PsLookupProcessByProcessId's result is dereferenced immediately, and
//    StartHook is called even when the lookup fails, leaving ProtectedProcess
//    uninitialised while the hook is live.
//  - The types of pInfo->ProcessId/NextEntryDelta depend on the struct in
//    dayed.h (not shown) -- confirm they match the %d / ULONG usage here.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str)
{
    NTSTATUS ntStatus;
    char ProcessName[256];
    ULONG cbBuffer;
    PSYSTEM_PROCESS_INFORMATION pInfo;
    PSYSTEM_THREAD_INFORMATION pThread;   // unused
    VOID* pBuffer = NULL;
    ULONG i;                              // unused
    ULONG ThreadCount;                    // unused
    DriverObject->DriverUnload = Unload;
    // Size query: a zero-length buffer makes the call report the needed
    // length in cbBuffer (the ReturnLength argument).
    ZwQuerySystemInformation(5, &cbBuffer, 0, &cbBuffer);
    pBuffer = ExAllocatePool (NonPagedPool, cbBuffer);
    if (pBuffer == NULL)
    {
        return 1;
    }
    ntStatus = ZwQuerySystemInformation(5, pBuffer, cbBuffer, NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        ExFreePool(pBuffer);
        return 1;
    }
    pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
    // Walk the variable-length entries via NextEntryDelta; 0 marks the last.
    while(1){
        LPWSTR pszProcessName = pInfo->ProcessName.Buffer;
        // The Idle process has no image name.
        if (pszProcessName == NULL)
            pszProcessName = L"NULL";
        wcstombs(ProcessName,pszProcessName,256);
        if(_stricmp(MyProtectName,ProcessName)==0)
        {
            DbgPrint("the MyProtectPID is %d\n",pInfo->ProcessId);
            MyProcessId=pInfo->ProcessId;
        }
        if (pInfo->NextEntryDelta == 0)
            break;
        pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)+ pInfo->NextEntryDelta);
    }
    ExFreePool(pBuffer);
    if (MyProcessId!=0)
    {
        ntStatus = PsLookupProcessByProcessId(MyProcessId, &ProtectedProcess);
        if(NT_SUCCESS(ntStatus))
        {
            // The reference is released at once; only the raw pointer is kept.
            ObDereferenceObject(ProtectedProcess);
        }
        // Installed regardless of whether the lookup above succeeded.
        StartHook();
        return STATUS_SUCCESS;
    }
    return STATUS_ACCESS_DENIED;
}[/code] 这个是inline ObReferenceObjectByHandle的::10:: ObReferenceObjectByHandle没导出,要自己定位 ObReferenceObjectByHandle没导出?
这个函数是微软的标准函数吧!::08::
