
[转]应用层结束进程方法

2010-03-09 22:38 218 查看
转自:http://blog.csdn.net/wxdvc/archive/2009/12/08/4965046.aspx

方法一针对有窗口的
消息攻击法
// Method one: ask a window-owning process to close by sending it window messages.
// NOTE(review): as pasted this is a catalogue of alternatives, not a compilable
// function — `hwnd` is declared four times in one scope, the commented-out variants
// mix `hwnd` and an undeclared `hWnd`, and the line reading "等等。。。" ("etc.") is
// prose left inside the braces. No FindWindow result is checked for NULL.
void main(void)
{
   // Locate the target by window title, then request a close via WM_CLOSE.
   HWND hwnd = FindWindow(NULL, "sai");
   SendMessage(hwnd,WM_CLOSE,0,0);
//PostMessage(hwnd,WM_CLOSE,0,0);

//SendMessage(hwnd,WM_SYSCOMMAND,SC_CLOSE,0);
//PostMessage(hwnd,WM_SYSCOMMAND,SC_CLOSE,0);
//PostMessage(hWnd, WM_QUIT, 0, 0);

//SendMessage(hWnd, WM_COMMAND, IDOK, 0);
//SendMessage(hWnd, WM_KEYDOWN, VK_ESCAPE, 0);

   // Same WM_CLOSE, posted without waiting for the target to process it.
   HWND hwnd = FindWindow(NULL, "sai");
   SendNotifyMessage(hwnd,WM_CLOSE,0,0);
//SendNotifyMessage(hwnd,WM_SYSCOMMAND,SC_CLOSE,0);

   // Same WM_CLOSE with a 2000 ms timeout so an unresponsive target cannot block the sender.
   HWND hwnd = FindWindow(NULL, "sai");
   SendMessageTimeout(hwnd,WM_CLOSE,0,0,SMTO_NORMAL,2000,NULL);
//SendMessageTimeout(hwnd,WM_SYSCOMMAND,SC_CLOSE,0,SMTO_NORMAL,2000,NULL);

   // Callback variant; callback pointer and callback data are NULL/0 here.
   HWND hwnd = FindWindow(NULL, "sai");
   SendMessageCallback(hwnd,WM_CLOSE,0,0,NULL,0);
//SendMessageCallback(hwnd,WM_SYSCOMMAND,SC_CLOSE,0,NULL,0);
//PostMessage(hWnd,WM_NCDESTROY, 0, 0);
等等。。。
}

方法二针对有窗口的
模拟键盘和鼠标攻击法
// Method two (a): bring the target window to the foreground and synthesize Esc.
// NOTE(review): only a key-down is generated here — no KEYEVENTF_KEYUP, unlike the
// Alt+F4 variant below; the FindWindow result is not checked.
HWND hwnd = FindWindow(NULL, "sai");
SetForegroundWindow(hwnd);// make it the foreground window
keybd_event(VK_ESCAPE,0,0,0);// simulate the Esc key so the window closes itself
或者
// Method two (b): synthesize Alt+F4 on the foreground window.
// `hWin` is assumed to be declared by the surrounding code (not shown).
hWin = FindWindow(NULL,"test");
SetForegroundWindow(hWin);
keybd_event(VK_MENU,0,0,0); 
keybd_event(VK_F4,0,0,0);
keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0);
keybd_event(VK_F4,0,KEYEVENTF_KEYUP,0);// press and release Alt+F4 to close the program
或者
// Method two (c): synthesize Alt+Space, C (system menu -> Close) on the foreground window.
// 0x20 is the virtual-key code for Space and 0x43 for 'C'; a window must already be foreground.
keybd_event(VK_MENU,0,0,0); 
keybd_event(0x20,0,0,0);
keybd_event(0x43,0,0,0);
keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0); 
keybd_event(0x20,0,KEYEVENTF_KEYUP,0);
keybd_event(0x43,0,KEYEVENTF_KEYUP,0);// press Alt+Space+C to make it close
或者
// Method two (d): click the title-bar close button with a synthesized mouse click.
// `hWin` and `Rect` (a RECT) are assumed declared by the surrounding code (not shown).
// The fixed -7/+7 offsets assume a particular title-bar geometry (not verified here).
hWin = FindWindow(NULL,"test");
GetWindowRect(hWin,&Rect);
SetForegroundWindow(hWin);   // make it the foreground window
Sleep(100);   // brief delay before clicking
SetCursorPos(Rect.right-7,Rect.top+7); // position the cursor over the close ("X") button
mouse_event(MOUSEEVENTF_LEFTDOWN,0,0,0,0);
mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);// press and release the left button to complete the close
等等。。。

方法三
常规API攻击进程,原理都是一样的
1 TerminateProcess
2 ZwTerminateProcess/NtTerminateProcess(ring3&ring0 restore ssdt/inline hook等等)
3 WINSTA.dll WinStationTerminateProcess
如下:
// Method three (3): terminate via WinStationTerminateProcess resolved from WINSTA.dll.
// `hWnd`, `pid`, `hDll`, `pFunc` and the `PWSTP` function-pointer type are assumed
// declared by the surrounding code (not shown).
hWnd = FindWindow(NULL, "test");
GetWindowThreadProcessId(hWnd, &pid);   // resolve the window's owning process id
hDll = LoadLibrary("WINSTA.dll");
pFunc = (PWSTP)GetProcAddress(hDll, "WinStationTerminateProcess");
// NOTE(review): neither hDll nor pFunc is checked for NULL before the call below.
if((pFunc)(NULL, pid, 0))
{
printf("Successful!nProgram Terminated.n");   // "\n" escapes appear to have been lost in extraction
}
FreeLibrary(hDll);

4/* 需要安装最新的Platform SDK */
// Method three (4): terminate via WTSTerminateProcess from Wtsapi32.
// NOTE(review): the `#include` line lost its header name in extraction
// (presumably <wtsapi32.h> — confirm against the original post).
#include
#pragma comment (lib, "Wtsapi32.lib")
hWnd = FindWindow(NULL, "test");
GetWindowThreadProcessId(hWnd, &pid);   // resolve the window's owning process id
if(WTSTerminateProcess(NULL, pid, 0))   // exit code 0; return value is the only result checked
{
printf("Successful!nProgram Terminated.n");   // "\n" escapes appear to have been lost in extraction
}

5一些vbs脚本的wmi对象

方法四
常规API攻击线程
TerminateThread
Nt/ZwTerminateThread
EndTask
......

// Method four: EndTask on the target's top-level window.
// NOTE(review): `bSus` is assigned but not declared in this fragment; `dwThreadId`
// is computed but never used. The ":ost" in the first commented line looks like a
// garbled "Post".
HWND hWnd = FindWindowA(NULL,"test");
DWORD dwThreadId;
dwThreadId = GetWindowThreadProcessId(hWnd,NULL);   // owning thread id; the pid out-pointer is NULL
//bSus = (BOOL):ostThreadMessageA(dwThreadId,WM_DESTROY,NULL,NULL);
//PostThreadMessage( Tid, WM_QUIT, 0 , 0); 
bSus = EndTask(hWnd,FALSE,TRUE);
printf("EndTask :%d   LastError :%d rn",bSus,GetLastError());   // "\r\n" escapes appear to have been lost in extraction
或者
// Method four (alt): open a thread by id and terminate it.
// NOTE(review): the typedef and the GetProcAddress call are each split across a blank
// line by extraction, and the GetModuleHandle(...) call is missing its closing
// parenthesis, so this does not compile as pasted. `GetTid()` is not defined on this page.
typedef HANDLE ( _stdcall *XXXOpenThread)( DWORD Access, BOOL bInherit, DWORD 

dwThreadID);
void KillThread()
{
HANDLE hThread;
XXXOpenThread OpenThread;

// Resolve OpenThread from kernel32 at run time instead of linking it.
OpenThread = (XXXOpenThread)GetProcAddress( GetModuleHandle

("kernel32.dll", "OpenThread");

hThread = OpenThread( THREAD_ALL_ACCESS, FALSE, GetTid() );   // result not checked

TerminateThread( hThread, 0 );   // forcibly end the thread with exit code 0

CloseHandle( hThread );

return;
}

方法五
作业对象攻击法
CreateJobObject/AssignProcessToJobObject/TerminateJobObject

方法六
远程攻击线程
1全局勾子
首先用SetWindowsHookEx(或者SetWinEventHook(EVENT_MIN,EVENT_MAX,hMyModule,(WINEVENTPROC)WinEventProc,0,0,WINEVENT_INCONTEXT | WINEVENT_SKIPOWNPROCESS);)一个钩子
然后广播一个消息 这样所有的窗体就被注入了(也可以用SendMessage(hwnd , WM_PAINT, 0, 0)/PostMessage(hWnd,WM_CHAR,13,0);等触发钩子执行)
在注入的动态库的DLL_PROCESS_ATTACH事件中判断被注入的进程名,调用
ExitProcess(0)/TerminateProcess(GetCurrentProcess(), 0)/ PostQuitMessage(0)
结束自身进程。

或者在钩子过程中:
// Method six (1), hook-procedure variant: once the hook DLL is loaded into another
// process, the procedure checks whether that process owns the "test" window and, if so,
// exits the process from the inside.
// NOTE(review): as pasted the function body is never closed (the brace after the
// signature has no match); `GetWindowThreadProcessId` writes `id` (undeclared here)
// while the comparison reads `Pid`, which is never assigned — an uninitialized read.
VOID CALLBACK WinEventProc(HWINEVENTHOOK hWinEventHook,
   DWORD event,
   HWND hwnd,
   LONG idObject,
   LONG idChild,
   DWORD dwEventThread,
   DWORD dwmsEventTime)
{
HWND hwnd1 = FindWindow(NULL,"test");
DWORD Pid;

if (hwnd1)
{
GetWindowThreadProcessId(hwnd1,&id);   // intended to store the window's owning process id
if (Pid == GetCurrentProcessId())   // are we running inside the target process?
{
ExitProcess(0);
}

}
等等。。。

2直接远程注入一个线程ExitProcess
// Method six (2): create a thread in the target process whose start routine is
// kernel32!ExitProcess, so the target terminates itself. `GetPid()` is not defined
// on this page.
// NOTE(review): the OpenProcess and CreateRemoteThread calls are each split across a
// blank line by extraction; `hProcess` is never closed and `hThread` is not checked
// before CloseHandle.
void RemoteExitProcess()
{
HANDLE hProcess;
HANDLE hThread;
DWORD Pid;
Pid = GetPid();// obtain the target process id
if ( Pid == 0 )
return;

// Only thread-creation and VM-operation rights are requested on the target.
hProcess = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, 

FALSE, Pid);

if ( hProcess == INVALID_HANDLE_VALUE )
return;

// The local GetProcAddress result is used as the remote start address; this assumes
// kernel32.dll is mapped at the same base in both processes (not verified by the code).
hThread = CreateRemoteThread( hProcess, NULL, 0,

       (LPTHREAD_START_ROUTINE) GetProcAddress( GetModuleHandle

("kernel32.dll","ExitProcess" ),0, 0, NULL );

CloseHandle( hThread );
}

3还是远程线程,不过方法霸道一些,强制让其崩溃退出
远程线程后,
mov fs:[0],0(去除SEH)
mov eax,cr0(使进程崩溃)

方法七
ThreadContext patch法
直接修改目标进程ThreadContext的EIP指向目标程序的kernel32.dll的ExitProcess地址
// Method seven: suspend the target thread, redirect its instruction pointer (Eip — a
// 32-bit CONTEXT) to kernel32!ExitProcess, and resume it.
// `hThread`, `bRet`, `Context` and `GetTid()` are assumed declared/defined by the
// surrounding code (not shown).
// NOTE(review): the GetProcAddress call is split across a blank line by extraction;
// the BOOL results stored in bRet are never examined.
hThread = OpenThread( THREAD_ALL_ACCESS, FALSE, GetTid() );
SuspendThread( hThread );
bRet = GetThreadContext( hThread, &Context);
Context.Eip = (DWORD)GetProcAddress( GetModuleHandle("kernel32.dll"), 

"ExitProcess" );
bRet = SetThreadContext( hThread, &Context);
ResumeThread( hThread );
CloseHandle( hThread );

方法八
句柄攻击法
// Method eight: duplicate the target's own process pseudo-handle (-1) into this
// process with PROCESS_ALL_ACCESS, then terminate through the copy.
// NOTE(review): `'test'` is a character constant, not a string; the handle opened as
// `hTargetProcess` is never closed while the undeclared `hProcess` is; `hp_new` is
// likewise undeclared and differs from `TargetProcessHandle`. The DuplicateHandle call
// is split across a blank line by extraction.
hwnd=FindWindow(NULL, 'test');
   GetWindowThreadProcessId(hwnd, &pid);
   hTargetProcess=OpenProcess(PROCESS_DUP_HANDLE, false, pid);
   DuplicateHandle(hTargetProcess,-1, GetCurrentProcess(),&TargetProcessHandle 

, PROCESS_ALL_ACCESS, false, DUPLICATE_SAME_ACCESS);
// copy the target's process handle into our own TargetProcessHandle
   CloseHandle(hProcess);
   TerminateProcess(TargetProcessHandle , 0);// terminate the target
   CloseHandle(hp_new); 
// or, in ring 0, obtain the handle some other way, etc.
另外所有的win32子系统的进程都会有一个句柄在csrss.exe进程里面,也可以在这个里面找到目标进程句柄

方法九
内存攻击法
1Process Virtual Address Space Erasing (进程虚拟地址空间擦除)=配合句柄法得到目标进程句柄,然后暴力写内存(或者NtFreeVirtualMemory 等)
2ring0附加目标进程写内存
3直接写远程进程的内存WriteProcessMemory
4搜出NtUnmapViewOfSection(更底层的MiUnmapViewOfSection)等等,卸掉目标进程的内存空间(或者卸kernel32.dll等关键dll等也可,VirtualProtectEx设kernel32.dll为不可读也让其崩溃。。。。),同样要配合句柄法得到目标进程句柄才行

等等。。。。

方法十
调试器攻击法
1 DebugActiveProcess--》DebugSetProcessKillOnExit(不用这个直接退出也可以)
2 ntsd -c q -p pid 
等等。。。

方法十一
ring0线程进程攻击法
NtQuerySystemInformation(SystemProcessesAndThreadsInformation....
遍历线程后做判断是否目标进程的,然后:
1 Apc攻击结束(ring3/ring0)--->然后PsTerminateSystemThread-->最好用PspExitThread
2 PspTerminateProcess(更底层的PspTerminateThreadByPointer...)
3 修改pid和tid为自身的,再插apc(防止消息死循环进程保护)

方法十二
伪关机法
先提升权限得到19号关机特权,然后hook关机消息(hook NtShutdownSystem),里面过滤掉除了目标进程以外的所有进程的消息。

然后。。。

ring3下
ExitWindows(0,0); // per the author, first argument 0, 1, 2 = log off, shut down, restart respectively — hence three variants
Logs off the interactive user, shuts down the system, or shuts down and restarts the system. It sends the WM_QUERYENDSESSION message to all applications to determine if they can be terminated.

ring0下NtShutdownSystem(0)为关机,NtShutdownSystem(1)为重启。
或者再底层点NtSetSystemPowerState。。。。

这样,目标进程接到关机消息over了,但系统不会处理关机消息。

最后,超级无敌极限结束进程法。。。。
真.关机法:按电源。。。。