如题,最近在学驱动开发,写了一个强制结束进程的驱动,发出来给大家看看,只支持64位系统
下载链接:https://pan.huang1111.cn/s/23RNIN
两个杀进程函数发出来给大家看看,低技术力,见笑了
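/*
 * Open the process identified by pid and terminate it from kernel mode.
 *
 * pid: process id as seen from user mode; it is widened to a HANDLE for
 *      CLIENT_ID.UniqueProcess.
 * Returns TRUE only when the process was opened AND ZwTerminateProcess
 * reported success; FALSE otherwise. Progress is reported via DbgPrint.
 *
 * Changes versus the posted listing: the stray `HalQuerySystemInformation()`
 * token (not a statement, would not compile) is dropped; the handle is
 * opened with PROCESS_TERMINATE instead of PROCESS_ALL_ACCESS, which is all
 * ZwTerminateProcess needs; and the terminate status is propagated instead
 * of being ignored.
 *
 * NOTE(review): nothing here validates pid or the caller's context; that is
 * the responsibility of whatever dispatches into this function.
 */
BOOLEAN KillProcess(LONG pid)
{
    HANDLE ProcessHandle = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID Cid;
    NTSTATUS status;

    /* No name, no root directory, no attributes, no security descriptor. */
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    /* Widen through LONG_PTR so the int -> pointer conversion is explicit on x64. */
    Cid.UniqueProcess = (HANDLE)(LONG_PTR)pid;
    Cid.UniqueThread = NULL;

    /* Least privilege: PROCESS_TERMINATE is sufficient for ZwTerminateProcess. */
    status = ZwOpenProcess(&ProcessHandle, PROCESS_TERMINATE, &ObjectAttributes, &Cid);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Open Process %d Failed!\n", pid);
        return FALSE;
    }
    DbgPrint("Open Process %d Successful!\n", pid);

    /* Do not assume termination worked: report the actual result to the caller. */
    status = ZwTerminateProcess(ProcessHandle, STATUS_SUCCESS);
    ZwClose(ProcessHandle);
    return NT_SUCCESS(status) ? TRUE : FALSE;
}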
/*
 * ZeroKill: look up the EPROCESS for PID, attach to its address space,
 * overwrite the low user-mode pages it finds valid with 0xCC, detach, then
 * open the EPROCESS and call ZwTerminateProcess on it.
 *
 * PID: process id. Returns TRUE once the terminate call has been issued,
 * FALSE when the lookup or ObOpenObjectByPointer fails.
 *
 * NOTE(review): defects in this listing that a maintainer must know about
 * before building it (none are fixed here):
 *  - sizeof(PKAPC_STATE) is the size of a pointer, not of KAPC_STATE, so
 *    KeStackAttachProcess writes past the end of the pool allocation
 *    (kernel pool corruption, likely bugcheck).
 *  - the pool block is never freed, and the reference on Eprocess taken by
 *    PsLookupProcessByProcessId is never released with ObDereferenceObject.
 *  - `i` is a signed int stepped by 0x1000 up to 0x7fffffff; if the loop
 *    ever gets that far the increment overflows, which is undefined behaviour.
 *  - `_try`/`_except` are spelled `__try`/`__except` by the compiler.
 *  - PID is a ULONG but PsLookupProcessByProcessId takes a HANDLE; the
 *    conversion should be explicit.
 *  - ZwTerminateProcess's return value is ignored, so TRUE does not mean the
 *    process is gone.
 */
BOOLEAN ZeroKill(ULONG PID) //X32 X64
{
NTSTATUS ntStatus = STATUS_SUCCESS;
int i = 0;
PVOID handle;
PEPROCESS Eprocess;
/* Takes a reference on Eprocess that this function never releases. */
ntStatus = PsLookupProcessByProcessId(PID, &Eprocess);
if (NT_SUCCESS(ntStatus))
{
/* BUG: sizeof(PKAPC_STATE) == sizeof(void *); KAPC_STATE itself is larger. */
PKAPC_STATE pKs = (PKAPC_STATE)ExAllocatePool(NonPagedPool, sizeof(PKAPC_STATE));
KeStackAttachProcess(Eprocess, pKs);// attach to the target process's virtual address space
/* Walk pages from address 0 upward; signed `i` overflows (UB) if it passes 0x7ffff000. */
for (i = 0; i <= 0x7fffffff; i += 0x1000)
{
if (MmIsAddressValid((PVOID)i))
{
_try
{
/* A page that fails the probe raises into the handler, which skips it. */
ProbeForWrite((PVOID)i,0x1000,sizeof(ULONG));
memset((PVOID)i,0xcc,0x1000);
}_except(1) { continue; }
}
else {
if (i > 0x1000000) // writing this much is enough to corrupt the process's data
break;
}
}
KeUnstackDetachProcess(pKs);
/* pKs is not freed on any path below (pool leak). */
if (ObOpenObjectByPointer((PVOID)Eprocess, 0, NULL, 0, NULL, KernelMode, &handle) != STATUS_SUCCESS)
return FALSE;
/* Result not checked; the caller cannot tell whether termination succeeded. */
ZwTerminateProcess((HANDLE)handle, STATUS_SUCCESS);
ZwClose((HANDLE)handle);
return TRUE;
}
return FALSE;
}