C++强杀进程,可结束IceSword
2009-10-11 03:25
核心代码:
#include <ntddk.h>
/*
 * Device and symbolic-link names. NOTE(review): NT object paths use
 * backslashes; the doubled forward slashes here look like an extraction
 * artefact of the original post -- confirm before relying on them. Either
 * way, a device object with this name is the observable footprint of this
 * driver on a live system.
 */
#define NT_DEVICE_NAME L"//Device//KillProcess"
#define DOS_DEVICE_NAME L"//DosDevices//KillProcess"
/* Initialised in DriverEntry; LinkDeviceNameString is reused by UnloadDriver. */
UNICODE_STRING DeviceNameString;
UNICODE_STRING LinkDeviceNameString;
/*
 * Private IOCTLs. Both are METHOD_BUFFERED with FILE_ANY_ACCESS, so no
 * particular access right is required on the handle: anyone who can open
 * the device can issue them.
 *   IOCTL_GETFUNCTION - caller supplies three raw addresses (see FuncAddrGet)
 *                       that the driver will later call in kernel mode.
 *   IOCTL_STARTRUN    - caller supplies a process id to terminate.
 */
#define IOCTL_GETFUNCTION CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_STARTRUN CTL_CODE(FILE_DEVICE_UNKNOWN,0x905,METHOD_BUFFERED,FILE_ANY_ACCESS)
// Exported-function definitions
/*
 * Local redeclaration of PsLookupProcessByProcessId with a ULONG pid; the
 * public prototype takes a HANDLE. The two are the same size only on
 * 32-bit builds.
 */
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS *pEProcess);
/*
 * Function-pointer types for three unexported process-manager internals.
 * The driver does not resolve these itself: the addresses arrive from user
 * mode via IOCTL_GETFUNCTION and are stored, unvalidated, in the globals
 * below. From a hardening standpoint this turns the device into an
 * arbitrary kernel-mode call primitive for any caller that can open it.
 */
typedef NTSTATUS NTKERNELAPI(*PSPTERMINATETHREADBYPOINTER)(PETHREAD Thread,NTSTATUS ExitStatus);
typedef PETHREAD NTKERNELAPI(*PSGETNEXTPROCESSTHREAD)(PEPROCESS Process,PETHREAD Thread);
typedef NTSTATUS NTKERNELAPI(*PSPTERMINATEPROCESS)(PEPROCESS Process,NTSTATUS ExitStatus);
/* Static storage: all three are NULL until IOCTL_GETFUNCTION has been issued. */
PSPTERMINATEPROCESS PspTerminateProcess;
PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointer;
PSGETNEXTPROCESSTHREAD PsGetNextProcessThread;
// Custom PspTerminateProcess (defined at the end of the file)
NTSTATUS MyPspTerminateProcess(PEPROCESS Process,NTSTATUS ExitStatus);
/*
 * Input layout for IOCTL_GETFUNCTION: three 32-bit addresses, 12 bytes.
 * DispatchDeviceControl casts SystemBuffer to this type without checking
 * InputBufferLength.
 */
typedef struct _tagFuncAddrGet
{
ULONG Func_PspTerminateProcess;
ULONG Func_PspTerminateThreadByPointer;
ULONG Func_PsGetNextProcessThread;
}FuncAddrGet,*PFuncAddrGet;
/*
 * Single dispatch routine registered for IRP_MJ_CREATE, IRP_MJ_CLOSE and
 * IRP_MJ_DEVICE_CONTROL (see DriverEntry). CREATE and CLOSE are no-ops.
 *
 * Irp->IoStatus.Status is set to STATUS_SUCCESS up front and never
 * changed, so every request -- malformed ones included -- completes
 * successfully from the caller's point of view.
 *
 * Review notes on the two IOCTL paths (what a defender assessing a driver
 * like this would look for):
 *  - Neither path checks Parameters.DeviceIoControl.InputBufferLength
 *    before reading SystemBuffer, so a short input buffer is read past
 *    its end.
 *  - IOCTL_GETFUNCTION stores caller-supplied addresses as kernel
 *    function pointers with no validation at all.
 *  - IOCTL_STARTRUN calls through PspTerminateProcess even if
 *    IOCTL_GETFUNCTION was never issued (pointer still NULL), ignores the
 *    result of PsLookupProcessByProcessId (pEprocess stays NULL on
 *    failure) and never releases the reference a successful lookup takes.
 *
 * Returns the value left in Irp->IoStatus.Status (always STATUS_SUCCESS).
 */
NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS nStatus = STATUS_SUCCESS;
ULONG IoControlCode = 0;
PIO_STACK_LOCATION IrpStack = NULL;
PUCHAR inBufByte = NULL;
UCHAR outBuf[20];   /* unused */
FuncAddrGet* pstr_GetFunAddr;
ULONG ulPid;
PEPROCESS pEprocess = NULL;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;   /* no output data is ever returned */
IrpStack = IoGetCurrentIrpStackLocation(Irp);
switch(IrpStack->MajorFunction)
{
case IRP_MJ_CREATE:
break;
case IRP_MJ_CLOSE :
break;
case IRP_MJ_DEVICE_CONTROL:
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
switch(IoControlCode)
{
case IOCTL_GETFUNCTION:
/* METHOD_BUFFERED: SystemBuffer is the kernel copy of the caller's input. */
inBufByte = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
/* Reinterpreted as a 12-byte FuncAddrGet without a length check. */
pstr_GetFunAddr = (FuncAddrGet*)inBufByte;
/* All three addresses are taken verbatim from user mode. */
PspTerminateProcess
= (PSPTERMINATEPROCESS)pstr_GetFunAddr->Func_PspTerminateProcess;
PspTerminateThreadByPointer
= (PSPTERMINATETHREADBYPOINTER)pstr_GetFunAddr->Func_PspTerminateThreadByPointer;
PsGetNextProcessThread
= (PSGETNEXTPROCESSTHREAD)pstr_GetFunAddr->Func_PsGetNextProcessThread;
break;
case IOCTL_STARTRUN:
inBufByte = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
ulPid = *(PULONG)inBufByte;   /* first 4 bytes of the input; length unchecked */
/* The format string contains no conversion specifier, so the pointer argument is never printed. */
DbgPrint("PspTerminateProcess: 0x0.8X ",PspTerminateProcess);
DbgPrint("The Process You Want to Kill is %d",ulPid);
/* Return value ignored: pEprocess stays NULL on failure, and the
 * reference taken on success is never released (no ObDereferenceObject). */
PsLookupProcessByProcessId(ulPid,&pEprocess);
/* Indirect call through the user-supplied address; NULL if GETFUNCTION was never issued. */
PspTerminateProcess(pEprocess,STATUS_SUCCESS);
/* Alternative path using the thread-walking routine at the end of the file; left disabled in the original. */
// MyPspTerminateProcess(pEprocess,STATUS_SUCCESS);
break;
default:
break;
}
break;
/* "unknown request packet" -- not reachable through DriverEntry's
 * registration, which routes only the three majors handled above. */
default: DbgPrint("未知请求包调用");
break;
}
nStatus = Irp->IoStatus.Status;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return nStatus;
}
/*
 * Driver unload: removes the DOS symbolic link and the single device
 * object created in DriverEntry.
 * NOTE: the ASSERT dereferences deviceObject before the NULL check that
 * follows it, so on a checked build the guard comes too late.
 */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
PDEVICE_OBJECT deviceObject;
// Tear down the device
deviceObject= DriverObject->DeviceObject;
IoDeleteSymbolicLink(&LinkDeviceNameString);
ASSERT(!deviceObject->AttachedDevice);
if ( deviceObject != NULL )
{
IoDeleteDevice( deviceObject );
}
}
/*
 * Driver entry point: creates the control device and its DOS symbolic
 * link, then routes CREATE/CLOSE/DEVICE_CONTROL to DispatchDeviceControl.
 *
 * pRegistryString is unused.
 * The device type is FILE_DEVICE_DISK_FILE_SYSTEM although the IOCTLs are
 * defined against FILE_DEVICE_UNKNOWN; the original gives no reason for
 * the mismatch. FILE_DEVICE_SECURE_OPEN only extends the device's own
 * DACL to opens that carry a trailing path; no explicit security
 * descriptor is set here, so the default for this device type decides
 * who may open the device and therefore who may issue the IOCTLs.
 *
 * Returns STATUS_SUCCESS, or the failure status of IoCreateDevice /
 * IoCreateSymbolicLink (the device is deleted again in the latter case).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT theDriverObject, PUNICODE_STRING pRegistryString)
{
NTSTATUS status;
PDEVICE_OBJECT deviceObject;
// Initialise the name strings, then create the device and its link
RtlInitUnicodeString( &DeviceNameString, NT_DEVICE_NAME );
RtlInitUnicodeString( &LinkDeviceNameString,DOS_DEVICE_NAME );
status = IoCreateDevice(
theDriverObject,
0,
&DeviceNameString,
FILE_DEVICE_DISK_FILE_SYSTEM,
FILE_DEVICE_SECURE_OPEN,
FALSE,
& deviceObject );
if (!NT_SUCCESS( status ))
{
/* "/n" in the format looks like a lost backslash in the original post. */
KdPrint(("DriverEntry: Error creating control device object, status=%08x/n", status));
return status;
}
/* The casts are no-ops; both arguments already have type PUNICODE_STRING. */
status = IoCreateSymbolicLink(
(PUNICODE_STRING) &LinkDeviceNameString,
(PUNICODE_STRING) &DeviceNameString
);
if (!NT_SUCCESS(status))
{
IoDeleteDevice(deviceObject);
return status;
}
// Wire up the dispatch routine
theDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchDeviceControl;
theDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchDeviceControl;
theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
theDriverObject->DriverUnload = UnloadDriver; // set the unload routine
return STATUS_SUCCESS;
}
/*
 * Alternative termination routine: walks the process's thread list with
 * the user-supplied PsGetNextProcessThread and terminates each thread
 * through the user-supplied PspTerminateThreadByPointer. Both pointers
 * come unvalidated from IOCTL_GETFUNCTION and are not checked for NULL
 * here. The only call site in this file (in DispatchDeviceControl) is
 * commented out.
 *
 * Per-thread return values are discarded and `st` is written but never
 * read; the function always reports STATUS_SUCCESS.
 */
NTSTATUS
MyPspTerminateProcess(PEPROCESS Process,NTSTATUS ExitStatus)
{
PETHREAD Thread;
NTSTATUS st;
/* Disabled in the original. */
// PS_SET_BITS (&Process->Flags,0x00000008ul);
for (Thread = PsGetNextProcessThread (Process, NULL);
Thread != NULL;
Thread = PsGetNextProcessThread (Process, Thread)) {
st = STATUS_SUCCESS;
PspTerminateThreadByPointer(Thread,ExitStatus);
}
return STATUS_SUCCESS;
}
http://www.3hack.com/thread-8464-1-1.html
http://www.3hack.com/viewthread.php?tid=8463&extra=page%3D1%26amp;filter%3Dtype%26amp;typeid%3D79
#include <ntddk.h>
/*
 * Device and symbolic-link names. NOTE(review): NT object paths use
 * backslashes; the doubled forward slashes here look like an extraction
 * artefact of the original post -- confirm before relying on them. Either
 * way, a device object with this name is the observable footprint of this
 * driver on a live system.
 */
#define NT_DEVICE_NAME L"//Device//KillProcess"
#define DOS_DEVICE_NAME L"//DosDevices//KillProcess"
/* Initialised in DriverEntry; LinkDeviceNameString is reused by UnloadDriver. */
UNICODE_STRING DeviceNameString;
UNICODE_STRING LinkDeviceNameString;
/*
 * Private IOCTLs. Both are METHOD_BUFFERED with FILE_ANY_ACCESS, so no
 * particular access right is required on the handle: anyone who can open
 * the device can issue them.
 *   IOCTL_GETFUNCTION - caller supplies three raw addresses (see FuncAddrGet)
 *                       that the driver will later call in kernel mode.
 *   IOCTL_STARTRUN    - caller supplies a process id to terminate.
 */
#define IOCTL_GETFUNCTION CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define IOCTL_STARTRUN CTL_CODE(FILE_DEVICE_UNKNOWN,0x905,METHOD_BUFFERED,FILE_ANY_ACCESS)
// Exported-function definitions
/*
 * Local redeclaration of PsLookupProcessByProcessId with a ULONG pid; the
 * public prototype takes a HANDLE. The two are the same size only on
 * 32-bit builds.
 */
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS *pEProcess);
/*
 * Function-pointer types for three unexported process-manager internals.
 * The driver does not resolve these itself: the addresses arrive from user
 * mode via IOCTL_GETFUNCTION and are stored, unvalidated, in the globals
 * below. From a hardening standpoint this turns the device into an
 * arbitrary kernel-mode call primitive for any caller that can open it.
 */
typedef NTSTATUS NTKERNELAPI(*PSPTERMINATETHREADBYPOINTER)(PETHREAD Thread,NTSTATUS ExitStatus);
typedef PETHREAD NTKERNELAPI(*PSGETNEXTPROCESSTHREAD)(PEPROCESS Process,PETHREAD Thread);
typedef NTSTATUS NTKERNELAPI(*PSPTERMINATEPROCESS)(PEPROCESS Process,NTSTATUS ExitStatus);
/* Static storage: all three are NULL until IOCTL_GETFUNCTION has been issued. */
PSPTERMINATEPROCESS PspTerminateProcess;
PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointer;
PSGETNEXTPROCESSTHREAD PsGetNextProcessThread;
// Custom PspTerminateProcess (defined at the end of the file)
NTSTATUS MyPspTerminateProcess(PEPROCESS Process,NTSTATUS ExitStatus);
/*
 * Input layout for IOCTL_GETFUNCTION: three 32-bit addresses, 12 bytes.
 * DispatchDeviceControl casts SystemBuffer to this type without checking
 * InputBufferLength.
 */
typedef struct _tagFuncAddrGet
{
ULONG Func_PspTerminateProcess;
ULONG Func_PspTerminateThreadByPointer;
ULONG Func_PsGetNextProcessThread;
}FuncAddrGet,*PFuncAddrGet;
/*
 * Single dispatch routine registered for IRP_MJ_CREATE, IRP_MJ_CLOSE and
 * IRP_MJ_DEVICE_CONTROL (see DriverEntry). CREATE and CLOSE are no-ops.
 *
 * Irp->IoStatus.Status is set to STATUS_SUCCESS up front and never
 * changed, so every request -- malformed ones included -- completes
 * successfully from the caller's point of view.
 *
 * Review notes on the two IOCTL paths (what a defender assessing a driver
 * like this would look for):
 *  - Neither path checks Parameters.DeviceIoControl.InputBufferLength
 *    before reading SystemBuffer, so a short input buffer is read past
 *    its end.
 *  - IOCTL_GETFUNCTION stores caller-supplied addresses as kernel
 *    function pointers with no validation at all.
 *  - IOCTL_STARTRUN calls through PspTerminateProcess even if
 *    IOCTL_GETFUNCTION was never issued (pointer still NULL), ignores the
 *    result of PsLookupProcessByProcessId (pEprocess stays NULL on
 *    failure) and never releases the reference a successful lookup takes.
 *
 * Returns the value left in Irp->IoStatus.Status (always STATUS_SUCCESS).
 */
NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS nStatus = STATUS_SUCCESS;
ULONG IoControlCode = 0;
PIO_STACK_LOCATION IrpStack = NULL;
PUCHAR inBufByte = NULL;
UCHAR outBuf[20];   /* unused */
FuncAddrGet* pstr_GetFunAddr;
ULONG ulPid;
PEPROCESS pEprocess = NULL;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;   /* no output data is ever returned */
IrpStack = IoGetCurrentIrpStackLocation(Irp);
switch(IrpStack->MajorFunction)
{
case IRP_MJ_CREATE:
break;
case IRP_MJ_CLOSE :
break;
case IRP_MJ_DEVICE_CONTROL:
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
switch(IoControlCode)
{
case IOCTL_GETFUNCTION:
/* METHOD_BUFFERED: SystemBuffer is the kernel copy of the caller's input. */
inBufByte = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
/* Reinterpreted as a 12-byte FuncAddrGet without a length check. */
pstr_GetFunAddr = (FuncAddrGet*)inBufByte;
/* All three addresses are taken verbatim from user mode. */
PspTerminateProcess
= (PSPTERMINATEPROCESS)pstr_GetFunAddr->Func_PspTerminateProcess;
PspTerminateThreadByPointer
= (PSPTERMINATETHREADBYPOINTER)pstr_GetFunAddr->Func_PspTerminateThreadByPointer;
PsGetNextProcessThread
= (PSGETNEXTPROCESSTHREAD)pstr_GetFunAddr->Func_PsGetNextProcessThread;
break;
case IOCTL_STARTRUN:
inBufByte = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
ulPid = *(PULONG)inBufByte;   /* first 4 bytes of the input; length unchecked */
/* The format string contains no conversion specifier, so the pointer argument is never printed. */
DbgPrint("PspTerminateProcess: 0x0.8X ",PspTerminateProcess);
DbgPrint("The Process You Want to Kill is %d",ulPid);
/* Return value ignored: pEprocess stays NULL on failure, and the
 * reference taken on success is never released (no ObDereferenceObject). */
PsLookupProcessByProcessId(ulPid,&pEprocess);
/* Indirect call through the user-supplied address; NULL if GETFUNCTION was never issued. */
PspTerminateProcess(pEprocess,STATUS_SUCCESS);
/* Alternative path using the thread-walking routine at the end of the file; left disabled in the original. */
// MyPspTerminateProcess(pEprocess,STATUS_SUCCESS);
break;
default:
break;
}
break;
/* "unknown request packet" -- not reachable through DriverEntry's
 * registration, which routes only the three majors handled above. */
default: DbgPrint("未知请求包调用");
break;
}
nStatus = Irp->IoStatus.Status;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return nStatus;
}
/*
 * Driver unload: removes the DOS symbolic link and the single device
 * object created in DriverEntry.
 * NOTE: the ASSERT dereferences deviceObject before the NULL check that
 * follows it, so on a checked build the guard comes too late.
 */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
PDEVICE_OBJECT deviceObject;
// Tear down the device
deviceObject= DriverObject->DeviceObject;
IoDeleteSymbolicLink(&LinkDeviceNameString);
ASSERT(!deviceObject->AttachedDevice);
if ( deviceObject != NULL )
{
IoDeleteDevice( deviceObject );
}
}
/*
 * Driver entry point: creates the control device and its DOS symbolic
 * link, then routes CREATE/CLOSE/DEVICE_CONTROL to DispatchDeviceControl.
 *
 * pRegistryString is unused.
 * The device type is FILE_DEVICE_DISK_FILE_SYSTEM although the IOCTLs are
 * defined against FILE_DEVICE_UNKNOWN; the original gives no reason for
 * the mismatch. FILE_DEVICE_SECURE_OPEN only extends the device's own
 * DACL to opens that carry a trailing path; no explicit security
 * descriptor is set here, so the default for this device type decides
 * who may open the device and therefore who may issue the IOCTLs.
 *
 * Returns STATUS_SUCCESS, or the failure status of IoCreateDevice /
 * IoCreateSymbolicLink (the device is deleted again in the latter case).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT theDriverObject, PUNICODE_STRING pRegistryString)
{
NTSTATUS status;
PDEVICE_OBJECT deviceObject;
// Initialise the name strings, then create the device and its link
RtlInitUnicodeString( &DeviceNameString, NT_DEVICE_NAME );
RtlInitUnicodeString( &LinkDeviceNameString,DOS_DEVICE_NAME );
status = IoCreateDevice(
theDriverObject,
0,
&DeviceNameString,
FILE_DEVICE_DISK_FILE_SYSTEM,
FILE_DEVICE_SECURE_OPEN,
FALSE,
& deviceObject );
if (!NT_SUCCESS( status ))
{
/* "/n" in the format looks like a lost backslash in the original post. */
KdPrint(("DriverEntry: Error creating control device object, status=%08x/n", status));
return status;
}
/* The casts are no-ops; both arguments already have type PUNICODE_STRING. */
status = IoCreateSymbolicLink(
(PUNICODE_STRING) &LinkDeviceNameString,
(PUNICODE_STRING) &DeviceNameString
);
if (!NT_SUCCESS(status))
{
IoDeleteDevice(deviceObject);
return status;
}
// Wire up the dispatch routine
theDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchDeviceControl;
theDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchDeviceControl;
theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
theDriverObject->DriverUnload = UnloadDriver; // set the unload routine
return STATUS_SUCCESS;
}
/*
 * Alternative termination routine: walks the process's thread list with
 * the user-supplied PsGetNextProcessThread and terminates each thread
 * through the user-supplied PspTerminateThreadByPointer. Both pointers
 * come unvalidated from IOCTL_GETFUNCTION and are not checked for NULL
 * here. The only call site in this file (in DispatchDeviceControl) is
 * commented out.
 *
 * Per-thread return values are discarded and `st` is written but never
 * read; the function always reports STATUS_SUCCESS.
 */
NTSTATUS
MyPspTerminateProcess(PEPROCESS Process,NTSTATUS ExitStatus)
{
PETHREAD Thread;
NTSTATUS st;
/* Disabled in the original. */
// PS_SET_BITS (&Process->Flags,0x00000008ul);
for (Thread = PsGetNextProcessThread (Process, NULL);
Thread != NULL;
Thread = PsGetNextProcessThread (Process, Thread)) {
st = STATUS_SUCCESS;
PspTerminateThreadByPointer(Thread,ExitStatus);
}
return STATUS_SUCCESS;
}
http://www.3hack.com/thread-8464-1-1.html
http://www.3hack.com/viewthread.php?tid=8463&extra=page%3D1%26amp;filter%3Dtype%26amp;typeid%3D79