
哪位高手能给小弟我一个在内核下关闭其他进程的例子?(使用NtOpenProcess,NtTerminateProcess)

2012-02-20 
谁能给我一个在内核下关闭其他进程的例子?(使用NtOpenprocess,NtTerimateprocess)刚学驱动,想找现成的代码

谁能给我一个在内核下关闭其他进程的例子?(使用NtOpenProcess,NtTerminateProcess)
刚学驱动,想找现成的代码学习一下
祝大家身体健康

[解决办法]
#include "ntddk.h"
#include "string.h"

/* Local mirror of the first four fields of the kernel's service descriptor
 * table (KeServiceDescriptorTable, imported further down). Only ServiceTable
 * is read by this driver, through the SYSCALL macro; NumberOfService is never
 * used to bounds-check the index, and the other two fields are unused. */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PULONG ServiceTable;         // system-service entry points; presumably indexed by service number (see SYSCALL)
PULONG ServiceCounterTable;  // unused here
ULONG NumberOfService;       // unused here -- no range check is performed on the SYSCALL index
ULONG ParamTableBase;        // unused here
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; 

/* Per-thread record that trails each SYSPROCESS entry (see Threads[] below).
 * None of these fields are read by this driver; the struct exists only so the
 * SYSPROCESS layout lines up. The field list follows the undocumented
 * SystemProcessInformation layout of the era this was written for -- verify
 * against the target kernel before relying on any of it. */
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;        // sic: presumably meant "ClientId"; name kept as in the original
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};

/* One process record as returned by ZwQuerySystemInformation(5, ...), i.e.
 * SystemProcessInformation. Records are packed back to back: NextEntryDelta
 * is the byte offset from this record to the next and is 0 for the last one
 * (DriverEntry walks the list that way). Only NextEntryDelta, ProcessName and
 * ProcessId are read by this driver. The layout is version-specific and
 * undocumented; the IO_COUNTERS remark below is the original author's. */
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;            // byte offset to the next record, 0 = last
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;      // image name, UTF-16 (Buffer is PWSTR); Buffer can be NULL, DriverEntry guards for it
KPRIORITY BasePriority;
ULONG ProcessId;                 // used to build the CLIENT_ID passed to NtOpenProcess
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1];   // variable-length: ThreadCount entries follow, accounted for by NextEntryDelta
} SYSPROCESS,*PSYSPROCESS ;



/* Prototype for the exported ZwQuerySystemInformation. It is declared here
 * without the NTSYSAPI/NTAPI decoration the real export carries; on 32-bit
 * builds that can amount to a calling-convention mismatch -- TODO confirm
 * against the WDK headers before reusing this declaration. */
NTSTATUS ZwQuerySystemInformation(
ULONG SystemInformationClass,    // only class 5 (SystemProcessInformation) is used here
PVOID SystemInformation,         // output buffer; passed as NULL once to probe the required size
ULONG SystemInformationLength,
PULONG ReturnLength              // receives the required size on the probe call
);
/* ZwTerminateProcess itself is never called; its stub is only used by SYSCALL
 * to locate the corresponding Nt* service. */
__declspec(dllimport) NTSTATUS ZwTerminateProcess( HANDLE ProcessHandle, NTSTATUS ExitStatus );
/* Kernel export holding the SSDT. Exported by the 32-bit kernel only; the
 * 64-bit kernel does not export it, so this approach is x86-32 specific. */
__declspec(dllimport) SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

/* Resolves an Nt* service from its exported Zw* stub: reads the 32-bit value
 * at byte offset 1 of the stub -- presumably the immediate of the first
 * instruction of a 32-bit Zw stub, which carries the service index -- and uses
 * it as an index into ServiceTable. There is no check that the index is below
 * NumberOfService, and the result is only meaningful for the stub layout of
 * 32-bit x86 kernels of the era; on any other kernel this reads garbage. */
#define SYSCALL(_function) KeServiceDescriptorTable.ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
typedef NTSTATUS (*NTTERMIPROCESS) ( HANDLE ProcessHandle, NTSTATUS ExitStatus );

/* File-scope function pointer filled in by DriverEntry from the SSDT;
 * NULL until then. */
NTTERMIPROCESS NtTerminateProcess;





/* Target image name as a wide (UTF-16) string. DriverEntry compares it
 * through a (char*) cast, which does not compare what the name suggests. */
WCHAR wszExplorer[] = L"explorer.exe" ;


/* Unload callback registered by DriverEntry. Nothing was acquired that needs
 * tearing down, so it only emits a debug trace. */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;   /* intentionally unused */
    DbgPrint("ROOTKIT: OnUnload called\n");
}




/* Driver entry point. On load it (1) resolves NtTerminateProcess through the
 * SSDT, (2) takes a SystemProcessInformation snapshot, (3) walks it and, for
 * the first entry whose name passes the comparison below and that can be
 * opened, calls NtTerminateProcess on it. Known problems, each noted inline:
 * the name match is broken, the opened handle is never closed, the pool
 * pointer is freed even when allocation failed, and the function returns
 * STATUS_SUCCESS even when nothing was done, so the driver stays loaded.
 *
 * Returns: STATUS_UNSUCCESSFUL if the size probe reports 0, otherwise
 *          STATUS_SUCCESS. theRegistryPath is unused. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{

PSYSPROCESS ProcessList;
OBJECT_ATTRIBUTES ProcAttr;
CLIENT_ID ProcClentId;
ULONG BufferSize;      // not initialised: if the probe below fails without writing ReturnLength, the test on it reads an indeterminate value
NTSTATUS nStatus;
PCHAR ProcessName;
HANDLE hProc1;
PVOID p1;

theDriverObject->DriverUnload = OnUnload; 

// Cast-as-lvalue is an MSVC extension, not standard C. Fetches the SSDT slot
// for the NtTerminateProcess service; nothing verifies that the slot is valid
// or that the stub layout SYSCALL assumes holds on this kernel.
(ULONG)NtTerminateProcess = SYSCALL(ZwTerminateProcess);

// Size probe: class 5 = SystemProcessInformation. The status is ignored
// (a length-mismatch status is the expected outcome); only the size is used.
ZwQuerySystemInformation(5,NULL,0,&BufferSize);
if (! BufferSize)
return STATUS_UNSUCCESSFUL;


// Legacy untagged allocator. The result is checked below by casting to ULONG,
// which is not portable (truncates on 64-bit) -- another x86-32 assumption.
p1 = ExAllocatePool (PagedPool ,BufferSize);

if((ULONG)p1 != 0)
{


// The process list can grow between the probe and this call; the query then
// fails with a length mismatch and the walk below is skipped. ReturnLength is
// passed as 0 (NULL), so the size actually written is unknown.
nStatus = ZwQuerySystemInformation( 5, p1 , BufferSize , 0);
if(nStatus == STATUS_SUCCESS)
{
ProcessList = (PSYSPROCESS)p1;
while(ProcessList)
{
// ProcessName.Buffer is a UTF-16 (PWSTR) buffer, reinterpreted here as char*.
ProcessName = (char*)(ProcessList -> ProcessName.Buffer);

// BUG: both operands are UTF-16 viewed as narrow strings, so on a
// little-endian kernel each reads as "e" followed by a NUL byte. _strnicmp
// stops at the first NUL, so the comparison succeeds for every process whose
// name starts with 'e'/'E', not just explorer.exe; the 24 (byte length of
// L"explorer.exe") is never reached. The intended check is a case-insensitive
// UNICODE_STRING comparison (e.g. RtlEqualUnicodeString with CaseInSensitive
// = TRUE) -- TODO confirm and fix.
if(ProcessName)                                    // Buffer can be NULL for some entries
if( _strnicmp (ProcessName,(char*)wszExplorer,24) == 0)
{
ProcClentId.UniqueProcess = (HANDLE)ProcessList -> ProcessId;
ProcClentId.UniqueThread = 0;

//////////////////////////////////////////////////////////////////////////


// All attributes zero: no OBJ_KERNEL_HANDLE, so the handle is created in the
// current process's handle table rather than as a kernel handle -- TODO confirm
// that is intended; kernel callers normally pass OBJ_KERNEL_HANDLE.
InitializeObjectAttributes(&ProcAttr,0,0,0,0);
// PROCESS_ALL_ACCESS is far more than needed: PROCESS_TERMINATE is sufficient
// for the terminate call below (least privilege).
nStatus = NtOpenProcess(&hProc1,PROCESS_ALL_ACCESS ,&ProcAttr,&ProcClentId);

if ( nStatus== STATUS_SUCCESS)
{
// Return status ignored, and hProc1 is never closed (no ZwClose anywhere in
// this function), so the handle leaks. Only the first entry that both matches
// and can be opened is terminated; if the open fails the walk simply continues.
NtTerminateProcess(hProc1,0);
break;

}




}
// Advance by NextEntryDelta bytes; 0 marks the last record. The cast-as-lvalue
// form is again an MSVC extension.
if(ProcessList -> NextEntryDelta)
(char *)ProcessList +=ProcessList -> NextEntryDelta;
else
ProcessList = NULL;



}

}


// Reached even when the allocation failed (p1 == 0); freeing a NULL pool
// pointer is not permitted in the kernel. Guard it, or move it inside the if.
ExFreePool(p1);

// Unconditional success: the driver stays loaded even if nothing was done.
return STATUS_SUCCESS;


}

驱动简单地演示了用 NtOpenProcess 和 NtTerminateProcess 来打开并结束进程,功能就是查找名为 "EXPLORER.EXE" 的进程
并将其结束。
其实如果没有特殊目的的话,直接调用 ZwTerminateProcess 会更省事,但楼主要求的是用 NtTerminateProcess ...
 
内核中并没有导出 NtTerminateProcess,但它的地址可以在 SSDT 中找到;而内核导出了 ZwTerminateProcess,
于是就可以很方便地用 SYSCALL 宏来获取该地址。

程序代码我尽量把它写得简单易懂,也调试通过。希望对你有些帮助...^_^


