搜索PspTerminateThreadByPointer地址,用得是sysnap的方法,程序有点小瑕疵,使用用了很多硬编码.在winxp sp测试成功.
/*
 MyKiller.C
 Author: <Dayed>
 Last Updated: 2007-07-06

 This framework is generated by EasySYS 0.3.0 Modify
 This template file is copying from QuickSYS 0.3.0 written by Chunhua Liu
 //=============================================
 Modified by PLK_XiaoWei[0GiNr]
 http://www.0GiNr.com
 //=============================================
*/
/*
 Review summary:
 A kernel-mode driver exposing one IOCTL (IOCTL_Killer) that takes a process
 id from the caller's buffer, looks the process up, walks its thread list
 using hard-coded ETHREAD/EPROCESS offsets and calls the unexported
 PspTerminateThreadByPointer on every thread. The routine's address is found
 at load time by scanning the first module returned by
 SystemModuleInformation for a 16-byte signature. Both the offsets and the
 signature are tied to one specific 32-bit kernel build (pointers are held in
 ULONG throughout); on any other build the scan fails or matches elsewhere and
 the list walk reads arbitrary memory. Every step emits a DbgPrint/dprintf
 message, so driver activity is visible to a kernel debugger or debug-output
 viewer.
*/
#include "ntddk.h"
#include <windef.h>
#include <stdlib.h>
#include "MyKiller.h"
#include "dbghelp.h"
#include "dayed.h"
#include "hookiat.h"

// NOTE(review): the '=' is part of the macro body, so these expand to
// "= 0x22C" / "= 0x190" and cannot be used as values. Neither name is
// referenced below; the same offsets are written inline in
// GetNextProcessThread (0x22c, 0x190).
#define ThreadProc = 0x22C
#define ThreadListHead = 0x190

//===========================================
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);

// Assumed calling signature of the unexported routine: (thread, exit status).
// Nothing on this page verifies the signature; it is taken on trust.
typedef NTSTATUS (*PSPTERMINATETHREADBYPOINTER)( PETHREAD, NTSTATUS);
// Local redeclaration of an exported routine. The documented prototype takes
// HANDLE ProcessId; declaring it as ULONG lets the raw pid be passed without a
// cast. Presumably done because the DDK header set used here does not declare
// it in ntddk.h — TODO confirm.
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId (IN ULONG ProcessId,OUT PEPROCESS *Process);
//==========================================

// File-scope state written by DispatchIoctl. No lock is taken anywhere in this
// file, so two concurrent IOCTL requests race on these two variables.
PEPROCESS eProcess;
ULONG processID;
// Set once in DriverEntry from GetUndocumentFunctionAdress(); may be NULL if the
// scan fails (the result is never checked before use in TerminateProcess).
PSPTERMINATETHREADBYPOINTER MyPspTerminateThreadByPointer ;

//==========================================
// Locate the unexported routine by byte signature.
//
// Queries SystemModuleInformation, takes the FIRST module entry (assumed to be
// the kernel image; not verified here), then scans every byte offset of that
// image for the four consecutive ULONGs code1_sp2..code4_sp2.
//
// Returns: the matching address, or 0 on allocation/query failure or no match.
//
// Review notes:
//  - `size` is uninitialized and the first ZwQuerySystemInformation call's
//    status is not checked; if that call does not write ReturnLength, the
//    allocation below uses garbage.
//  - `buf` is leaked on the failed-query path (no ExFreePool before return).
//  - The loop condition `i<=ntosknlEndAddr` plus the reads at i+4..i+15 touch
//    up to 16 bytes past the module end. Reading byte-by-byte across the whole
//    image also touches pages that may not be resident; this function has no
//    __try, so a fault here is not caught.
//  - The "Can't Find" DbgPrint uses %x with no argument (undefined behaviour,
//    prints garbage).
//  - The "_sp2" suffix suggests the signature was taken from one service-pack
//    build; any other build is unsupported by construction.
//  - `index` and `driverAddress` are unused.
PVOID GetUndocumentFunctionAdress()
{
    ULONG size,index;
    PULONG buf;
    ULONG i;
    PSYSTEM_MODULE_INFORMATION module;
    PVOID driverAddress=0;
    ULONG ntosknlBase;
    ULONG ntosknlEndAddr;
    ULONG curAddr;
    NTSTATUS status;
    PVOID retAddr;
    ULONG code1_sp2=0x8b55ff8b,code2_sp2=0x0cec83ec,code3_sp2=0xfff84d83,code4_sp2=0x7d8b5756;

    // First call with a 0-length buffer: expected to fail and report the
    // required size through the last argument (status deliberately ignored).
    ZwQuerySystemInformation(SystemModuleInformation,&size, 0, &size);
    if(NULL==(buf = (PULONG)ExAllocatePool(PagedPool, size)))
    {
        DbgPrint("failed alloc memory failed \n");
        return 0;
    }
    status=ZwQuerySystemInformation(SystemModuleInformation,buf, size , 0);
    if(!NT_SUCCESS( status ))
    {
        // NOTE(review): buf is not freed on this path.
        DbgPrint("failed query\n");
        return 0;
    }
    // Skip the leading ULONG module count; entry [0] is assumed to be the
    // kernel. PSYSTEM_MODULE_INFORMATION comes from one of the local headers.
    module = (PSYSTEM_MODULE_INFORMATION)(( PULONG )buf + 1);
    ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size;
    ntosknlBase=(ULONG)module->Base;
    curAddr=ntosknlBase;
    ExFreePool(buf);
    // Unaligned 4-byte compares at every byte offset; see over-read note above.
    for (i=curAddr;i<=ntosknlEndAddr;i++)
    {
        if ((*((ULONG *)i)==code1_sp2)&&(*((ULONG *)(i+4))==code2_sp2)&&(*((ULONG *)(i+8))==code3_sp2)&&(*((ULONG*)(i+12))==code4_sp2))
        {
            retAddr=(PVOID*)i;
            DbgPrint("MyPspTerminateThreadByPointer adress is:%x\n",retAddr);
            return retAddr;
        }
    }
    // NOTE(review): %x has no matching argument.
    DbgPrint("Can't Find MyPspTerminateThreadByPointer Address:%x\n");
    return 0;
}

// Taken from ReactOS-0.3.4-REL-src (PsGetNextProcessThread), with the
// structure fields replaced by hard-coded offsets:
//   EPROCESS + 0x190 : ThreadListHead (LIST_ENTRY)
//   ETHREAD  + 0x22c : ThreadListEntry (LIST_ENTRY)
// Both offsets are build-specific.
//
// Enumerates the process's threads one call at a time: pass NULL to get the
// first thread, pass the previously returned thread to get the next one. Each
// returned thread carries a reference; the thread passed in is dereferenced
// before returning. Returns NULL when the list is exhausted.
//
// Review notes:
//  - The ReactOS original, to my recollection, walks the list under the
//    process lock and uses ObReferenceObjectSafe, which skips objects being
//    torn down. Here no lock is taken — TODO confirm — and the plain
//    ObReferenceObject is used; if ObfReferenceObject returns the new count
//    (as in the WDK I know), the `if` is always true and the first entry is
//    returned even when it is mid-deletion.
//  - Arithmetic on (ULONG) casts of pointers: 32-bit only.
PETHREAD
NTAPI
GetNextProcessThread(IN PEPROCESS Process,
    IN PETHREAD Thread OPTIONAL)
{
    PETHREAD FoundThread = NULL;
    PLIST_ENTRY ListHead, Entry;
    PAGED_CODE();   // checked builds assert IRQL <= APC_LEVEL

    if (Thread)
    {
        // Entry = Thread->ThreadListEntry.Flink;  // +0x22c ThreadListEntry : _LIST_ENTRY
        Entry = (PLIST_ENTRY)((ULONG)(Thread)+0x22c);
        Entry=Entry->Flink;
    }
    else
    {
        Entry = (PLIST_ENTRY)((ULONG)(Process)+0x190);   // +0x190 ThreadListHead : _LIST_ENTRY
        Entry = Entry->Flink;
    }
    // ListHead = &Process->ThreadListHead;
    ListHead = (PLIST_ENTRY)((ULONG)Process + 0x190);
    while (ListHead != Entry)
    {
        // FoundThread = CONTAINING_RECORD(Entry, ETHREAD, ThreadListEntry);
        FoundThread = (PETHREAD)((ULONG)Entry - 0x22c);
        // if (ObReferenceObjectSafe(FoundThread)) break;
        if (ObReferenceObject(FoundThread)) break;
        FoundThread = NULL;
        Entry = Entry->Flink;
    }
    if (Thread) ObDereferenceObject(Thread);
    return FoundThread;
}

// Terminate every thread of Process by calling the located
// PspTerminateThreadByPointer with exit status 0 on each one.
//
// Returns: the status of the LAST call (earlier failures are overwritten),
// STATUS_SUCCESS if the process has no threads, or the exception code if the
// body faults.
//
// Review notes:
//  - MyPspTerminateThreadByPointer is never checked for NULL here or by the
//    caller; if the load-time scan failed this calls through a null pointer.
//    Whether the __try block catches that in kernel mode is not guaranteed —
//    treat it as a bugcheck risk.
//  - `Status = STATUS_SUCCESS;` inside the loop is dead (immediately
//    overwritten).
//  - Nothing here verifies that Process is still valid; see the reference
//    ordering note in DispatchIoctl.
NTSTATUS TerminateProcess( PEPROCESS Process )
{
    NTSTATUS Status;
    PETHREAD Thread;

    Status = STATUS_SUCCESS;
    __try
    {
        // GetNextProcessThread releases the previous thread's reference and
        // returns the next one referenced, so the loop needs no explicit
        // ObDereferenceObject.
        for (Thread = GetNextProcessThread( Process, NULL );
            Thread != NULL;
            Thread = GetNextProcessThread( Process, Thread ))
        {
            Status = STATUS_SUCCESS;
            Status = (*MyPspTerminateThreadByPointer)( Thread, 0);
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = GetExceptionCode();
    }
    return Status;
}

//==========================================

// Driver entry point: registers the dispatch routines, creates the device
// object and its symbolic link (names come from MyKiller.h), then resolves the
// unexported routine address.
//
// Returns: STATUS_SUCCESS, or the IoCreateDevice/IoCreateSymbolicLink error.
//
// Review notes:
//  - IoCreateDevice is called with no security descriptor, so the default
//    device DACL applies; combined with the absence of any caller check in
//    DispatchIoctl this means whoever can open the device can request
//    termination of any pid. Confirm the effective DACL for
//    FILE_DEVICE_UNKNOWN on the target build.
//  - The result of GetUndocumentFunctionAdress() is stored without being
//    checked; a 0 result still lets the driver load.
//  - %S is used on UNICODE_STRING.Buffer, which is not guaranteed to be
//    NUL-terminated; the bounded form is %wZ with the UNICODE_STRING itself.
//  - dprintf is presumably a DbgPrint wrapper from one of the local headers.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDevObj;

    dprintf("[MyKiller] DriverEntry: %S\n",pRegistryString->Buffer);

    // Create dispatch points for device control, create, close.
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;
    //

    RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);

    // No device characteristics, non-exclusive, default security.
    status = IoCreateDevice(pDriverObj,
        0,
        &ustrDevName,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &pDevObj);

    dprintf("[MyKiller] Device Name %S",ustrDevName.Buffer);

    if(!NT_SUCCESS(status))
    {
        dprintf("[MyKiller] IoCreateDevice = 0x%x\n", status);
        return status;
    }


    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);

    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if(!NT_SUCCESS(status))
    {
        dprintf("[MyKiller] IoCreateSymbolicLink = 0x%x\n", status);
        IoDeleteDevice(pDevObj);
        return status;
    }

    dprintf("[MyKiller] SymbolicLink:%S",ustrLinkName.Buffer);

    // Resolve the PspTerminateThreadByPointer address.
    // NOTE(review): a 0 return is not handled here.
    MyPspTerminateThreadByPointer =GetUndocumentFunctionAdress();

    return STATUS_SUCCESS;
}

// Unload: removes the symbolic link and the single device object created in
// DriverEntry. The IoDeleteSymbolicLink status is ignored.
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING strLink;
    RtlInitUnicodeString(&strLink, LINK_NAME);
    //
    // Delete the symbolic link
    //
    IoDeleteSymbolicLink(&strLink);
    //
    // Delete the device object
    //
    IoDeleteDevice(pDriverObj->DeviceObject);
    dprintf("[MyKiller] Unloaded\n");
}

// IRP_MJ_CREATE handler: accepts every open unconditionally (no caller
// check) and completes the IRP with success.
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    dprintf("[MyKiller] IRP_MJ_CREATE\n");
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

// IRP_MJ_CLOSE handler: completes the IRP with success; nothing to release.
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    dprintf("[MyKiller] IRP_MJ_CLOSE\n");
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

// IRP_MJ_DEVICE_CONTROL handler. Only IOCTL_Killer is handled: the first
// sizeof(ULONG) bytes of the input buffer are taken as a process id, the
// process is looked up and TerminateProcess() is called on it. Any other
// control code is completed with STATUS_INVALID_DEVICE_REQUEST (there is no
// `default:` case; the initial value of `status` serves that purpose).
//
// Review notes:
//  - NOTE(review): "arameters" reads as extraction damage of the
//    IO_STACK_LOCATION member "Parameters" (the post drops the letter after
//    "->" and "&" in several places); left as posted.
//  - The memcpy reads sizeof(processID) bytes without checking uInSize or that
//    pIoBuffer is non-NULL. SystemBuffer is only meaningful for METHOD_BUFFERED
//    / METHOD_IN_DIRECT codes — the transfer type of IOCTL_Killer is defined in
//    MyKiller.h, not visible here.
//  - Reference ordering: the process reference obtained by
//    PsLookupProcessByProcessId is released BEFORE TerminateProcess() uses
//    eProcess, so the object may be freed underneath the thread walk.
//  - If the lookup fails, TerminateProcess() is still called with whatever
//    eProcess held from an earlier request (NULL on the first call).
//  - The __except swallows the fault and leaves `status` at its last assigned
//    value, so a faulting request can still complete as success.
//  - On success, Information is set to uOutSize although nothing was written
//    to the output buffer; for METHOD_BUFFERED that copies uOutSize bytes of
//    SystemBuffer back to the caller — confirm against the IOCTL definition.
//  - No privilege or access check on the caller; the pid is taken verbatim.
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack;
    ULONG uIoControlCode;
    PVOID pIoBuffer;
    ULONG uInSize;
    ULONG uOutSize;

    pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    uIoControlCode = pIrpStack->arameters.DeviceIoControl.IoControlCode;
    pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    uInSize = pIrpStack->arameters.DeviceIoControl.InputBufferLength;
    uOutSize = pIrpStack->arameters.DeviceIoControl.OutputBufferLength;

    switch(uIoControlCode)
    {
    case IOCTL_Killer:
    {
        dprintf("Call IOCTL_Killer");

        __try
        {
            // NOTE(review): no length check against uInSize.
            memcpy(&processID,pIoBuffer,sizeof(processID));
            status=PsLookupProcessByProcessId(processID,&eProcess);
            if(NT_SUCCESS(status))
            {
                // NOTE(review): reference dropped before eProcess is used below.
                ObDereferenceObject(eProcess);
            }
            // NOTE(review): reached even when the lookup failed.
            status=TerminateProcess(eProcess);
            if(NT_SUCCESS(status))
            {
                dprintf("TerminateProcess Ok!\n");
            }
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            ;   // fault swallowed; status keeps its last value
        }

        // status = STATUS_SUCCESS;
        break;
    }
    }

    if(status == STATUS_SUCCESS)
        pIrp->IoStatus.Information = uOutSize;
    else
        pIrp->IoStatus.Information = 0;

    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return status;
}