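#pragma once

// Belt and braces: #pragma once plus a classic macro guard. The guard macro is
// renamed from __PROCESSFUN_H__ because identifiers starting with a double
// underscore are reserved for the implementation.
#ifndef PROCESSFUN_H
#define PROCESSFUN_H

#include <iostream>
#include <string>
#include <windows.h>
using namespace std;   // NOTE(review): a using-directive in a header leaks into every includer; kept only for source compatibility
#include "Ntdll.h"     // native API prototypes (Nt*/Rtl*), NT_SUCCESS, SYSTEM_HANDLE_INFORMATION, OB_TYPE_* -- not visible here, presumably also SE_DEBUG_PRIVILEGE

// Narrow-string privilege names for the Win32 (LookupPrivilegeValueA) path of
// EnablePrivilege. winnt.h already has SE_DEBUG_NAME etc., but those are
// TEXT() literals and EnablePrivilege takes an LPCSTR.
#define SeBackupPrivilege "SeBackupPrivilege"
#define SeRestorePrivilege "SeRestorePrivilege"
#define SeShutdownPrivilege "SeShutdownPrivilege"
#define SeDebugPrivilege "SeDebugPrivilege"

/*
 * Enable (Enable == TRUE) or disable a privilege on the current process token.
 *
 * lpPrivilegeName  privilege name for the Win32 AdjustTokenPrivileges path,
 *                  or NULL to skip that path.
 * Privilege        numeric SE_*_PRIVILEGE value for the native
 *                  RtlAdjustPrivilege path, or 0 to skip that path.
 * Enable           TRUE to enable, FALSE to disable.
 * returns          TRUE if at least one of the two paths succeeded. Both paths
 *                  address the same privilege only if the caller keeps the two
 *                  arguments consistent; the defaults do.
 */
BOOL EnablePrivilege(LPCSTR lpPrivilegeName = SeDebugPrivilege, ULONG Privilege = SE_DEBUG_PRIVILEGE,
    BOOL Enable = TRUE);

/*
 * Overload (by arity) of the ntdll NtOpenProcess prototype from Ntdll.h: opens
 * dwPid with PROCESS_ALL_ACCESS. Overloading is why this header is C++ only.
 * Returns the handle or NULL. Does NOT verify that the handle really refers to
 * dwPid -- PowerOpenProcess does that.
 */
HANDLE NtOpenProcess(DWORD dwPid);

/*
 * Fallback open: walks the system handle table and duplicates an existing
 * process handle to dwPid out of whichever process holds one. Returns a
 * PROCESS_ALL_ACCESS handle or NULL. Slow; one process open per table entry.
 */
HANDLE DoOpenProcess(DWORD dwPid);

/*
 * NtOpenProcess(dwPid) first, DoOpenProcess(dwPid) second; every handle is
 * checked with GetProcessId() before it is returned. Returns NULL if neither
 * yields a handle to dwPid. The caller owns the returned handle.
 */
HANDLE PowerOpenProcess(DWORD dwPid);

/*
 * Overload (by arity) of the ntdll NtTerminateProcess prototype: terminates
 * the process behind hProcess. Returns TRUE on NT success.
 */
BOOL NtTerminateProcess(HANDLE hProcess);

#endif // PROCESSFUN_H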
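#include "ProcessFun.h"

/*
 * Enable (or disable) a privilege on the current process token.
 *
 * Two independent mechanisms are tried and the function reports success when
 * at least one of them worked:
 *   1. Win32:  LookupPrivilegeValueA(lpPrivilegeName) + AdjustTokenPrivileges
 *   2. Native: RtlAdjustPrivilege(Privilege)
 * A caller that passes a name and a *different* numeric privilege therefore
 * still gets TRUE if one of them succeeded; keep the two arguments consistent.
 *
 * lpPrivilegeName  privilege name for path 1, NULL skips it
 * Privilege        SE_*_PRIVILEGE value for path 2, 0 skips it
 * Enable           TRUE to enable, FALSE to disable
 * returns          TRUE if at least one path succeeded
 *
 * Fixes relative to the earlier version:
 *  - path 1 looked up the literal "SeDebugPrivilege" and ignored
 *    lpPrivilegeName, so EnablePrivilege(SeBackupPrivilege, ...) silently
 *    touched SeDebugPrivilege instead;
 *  - AdjustTokenPrivileges returns TRUE even when the privilege is not held by
 *    the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED); that was reported
 *    as success;
 *  - OpenProcessToken / LookupPrivilegeValueA results were not checked;
 *  - Enable == FALSE used SE_PRIVILEGE_REMOVED, which strips the privilege
 *    from the token for good rather than disabling it. Path 2 (and the
 *    parameter name) mean "disable", so path 1 now does the same;
 *  - the token is opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, which is
 *    all AdjustTokenPrivileges needs, instead of TOKEN_ALL_ACCESS.
 */
BOOL EnablePrivilege(LPCSTR lpPrivilegeName, ULONG Privilege, BOOL Enable)
{
    BOOL status = FALSE;

    if (lpPrivilegeName != NULL)
    {
        HANDLE hToken = NULL;
        if (OpenProcessToken(GetCurrentProcess(),
                             TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            LUID luid = {};
            if (LookupPrivilegeValueA(NULL, lpPrivilegeName, &luid))
            {
                TOKEN_PRIVILEGES tp = {};
                tp.PrivilegeCount = 1;
                tp.Privileges[0].Luid = luid;
                tp.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0;

                // A TRUE return only means the call was well-formed; the
                // privilege is actually in the token only if the last error is
                // ERROR_SUCCESS rather than ERROR_NOT_ALL_ASSIGNED.
                if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL) &&
                    GetLastError() == ERROR_SUCCESS)
                    status = TRUE;
            }
            CloseHandle(hToken);
        }
    }

    if (Privilege != 0)
    {
        BOOLEAN wasEnabled = FALSE;   // previous state, not needed by callers
        if (NT_SUCCESS(RtlAdjustPrivilege(Privilege, Enable, FALSE, &wasEnabled)))
            status = TRUE;
    }

    return status;
}

/*
 * Open dwPid with PROCESS_ALL_ACCESS through the native NtOpenProcess
 * (overload resolution picks the four-argument ntdll prototype inside).
 *
 * The CLIENT_ID is filled with dwPid + 3 whenever dwPid is a multiple of 4
 * (real PIDs always are). NOTE(review): this looks like it relies on the
 * kernel's PID lookup ignoring the low two bits of the id, so that the target
 * still opens while anything filtering on the exact PID value does not match
 * -- undocumented behaviour; confirm on every OS this has to run on. Because
 * of that, this function alone does not guarantee the handle refers to dwPid;
 * PowerOpenProcess re-checks with GetProcessId().
 *
 * returns the handle, or NULL when NtOpenProcess failed
 */
HANDLE NtOpenProcess(DWORD dwPid)
{
    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES oa = {};
    oa.Length = sizeof(oa);
    CLIENT_ID cid = {};
    cid.UniqueProcess = (HANDLE)(ULONG_PTR)(dwPid % 4 ? dwPid : dwPid + 3);

    // The earlier version ignored the status; the handle is only meaningful on
    // success, so a failure now yields NULL regardless of what was written.
    if (!NT_SUCCESS(NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid)))
        return NULL;
    return hProcess;
}

/*
 * Release a region obtained from NtAllocateVirtualMemory.
 *
 * MEM_RELEASE wants a zero RegionSize (the whole reservation goes). The earlier
 * code passed the handle-table byte count here, which is not the region size
 * and, once it exceeded the committed region, turned the free into a no-op.
 */
static void ReleaseRegion(PVOID lpRegion)
{
    SIZE_T cbZero = 0;
    NtFreeVirtualMemory(NtCurrentProcess(), &lpRegion, &cbZero, MEM_RELEASE);
}

/*
 * Take a SystemHandleInformation snapshot into a freshly committed region.
 *
 * On success returns the buffer and stores its committed size in *pcbRegion;
 * the caller releases it with ReleaseRegion(). Returns NULL on failure.
 *
 * The handle table keeps changing underneath us, so the length reported by one
 * query can already be too small for the next; retry with slack, a bounded
 * number of times. Sizes are kept in their native types: SIZE_T for the
 * allocation (NtAllocateVirtualMemory writes a SIZE_T back, which overran a
 * DWORD on 64-bit builds) and ULONG for the query length.
 */
static PCHAR SnapshotHandleTable(SIZE_T *pcbRegion)
{
    const ULONG cbSlack = 64 * 1024;
    ULONG cbNeeded = cbSlack;   // first guess; the query reports the real size

    for (int attempt = 0; attempt < 8; attempt++)
    {
        PCHAR lpBuf = NULL;
        SIZE_T cbRegion = cbNeeded;   // rounded up to page size by the call
        if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, 0,
                                                &cbRegion, MEM_COMMIT, PAGE_READWRITE)) ||
            lpBuf == NULL)
            return NULL;

        ULONG cbReturned = 0;
        NTSTATUS st = NtQuerySystemInformation(SystemHandleInformation, lpBuf,
                                               (ULONG)cbRegion, &cbReturned);
        if (NT_SUCCESS(st))
        {
            *pcbRegion = cbRegion;
            return lpBuf;
        }

        ReleaseRegion(lpBuf);

        // Only "buffer too small" (required length larger than what we
        // offered) is worth a retry; anything else is a real failure.
        if (cbReturned <= cbRegion)
            return NULL;
        cbNeeded = cbReturned + cbSlack;
    }
    return NULL;
}

/*
 * Obtain a PROCESS_ALL_ACCESS handle to dwPid indirectly: enumerate every
 * handle in the system, and for each process/job handle some process holds,
 * open that owner and duplicate the handle into ourselves; the first duplicate
 * whose GetProcessId() is dwPid wins.
 *
 * This is the fallback for targets that refuse a direct open but to which some
 * other process already holds a handle. It is expensive: one NtOpenProcess per
 * handle table entry.
 *
 * Layout assumptions inherited from Ntdll.h (not visible here -- confirm):
 *  - the buffer is a 32-bit handle count immediately followed by the entry
 *    array. The native SYSTEM_HANDLE_INFORMATION pads that count to 8 bytes on
 *    64-bit Windows, so the +4 offset below is only right for the definition
 *    Ntdll.h uses on the builds this targets;
 *  - OB_TYPE_PROCESS / OB_TYPE_JOB are object type *indices*, which differ
 *    between Windows versions; a wrong value silently skips every entry.
 *
 * returns a handle to dwPid, or NULL if none could be duplicated; the caller
 * owns the handle and must close it.
 */
HANDLE DoOpenProcess(DWORD dwPid)
{
    SIZE_T cbRegion = 0;
    PCHAR lpBuf = SnapshotHandleTable(&cbRegion);
    if (lpBuf == NULL)
        return NULL;

    DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
    PSYSTEM_HANDLE_INFORMATION lpSHI =
        (PSYSTEM_HANDLE_INFORMATION)(lpBuf + sizeof(dwNumberOfHandle));

    // Bound the walk by the bytes actually in the buffer as well as by the
    // count, so an inconsistent snapshot cannot run off the end of the region.
    SIZE_T maxEntries = (cbRegion - sizeof(dwNumberOfHandle)) / sizeof(*lpSHI);
    if (dwNumberOfHandle > maxEntries)
        dwNumberOfHandle = (DWORD)maxEntries;

    HANDLE hTgtProc = NULL;
    for (DWORD i = 0; i < dwNumberOfHandle && hTgtProc == NULL; i++, lpSHI++)
    {
        if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
            continue;

        HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
        if (hSrcProc == NULL)
            continue;

        HANDLE hTmpProc = NULL;
        if (NT_SUCCESS(NtDuplicateObject(hSrcProc,
                                         (HANDLE)(ULONG_PTR)lpSHI->Handle,
                                         NtCurrentProcess(),
                                         &hTmpProc,
                                         PROCESS_ALL_ACCESS,
                                         0,
                                         0)) &&
            hTmpProc != NULL)
        {
            if (GetProcessId(hTmpProc) == dwPid)
                hTgtProc = hTmpProc;   // ownership passes to the caller
            else
                NtClose(hTmpProc);
        }

        NtClose(hSrcProc);
    }

    ReleaseRegion(lpBuf);
    return hTgtProc;
}

/*
 * Best-effort open of dwPid with PROCESS_ALL_ACCESS: direct NtOpenProcess
 * first, handle duplication (DoOpenProcess) second.
 *
 * Every candidate handle is checked with GetProcessId() because
 * NtOpenProcess(DWORD) may open a process other than dwPid (see its comment).
 * A mismatching handle is closed instead of leaked, which the earlier version
 * did not do.
 *
 * returns a verified handle to dwPid, or NULL; the caller owns it
 */
HANDLE PowerOpenProcess(DWORD dwPid)
{
    HANDLE hProcess = NtOpenProcess(dwPid);
    if (hProcess != NULL)
    {
        if (GetProcessId(hProcess) == dwPid)
            return hProcess;
        NtClose(hProcess);
    }

    hProcess = DoOpenProcess(dwPid);
    if (hProcess != NULL)
    {
        if (GetProcessId(hProcess) == dwPid)
            return hProcess;
        NtClose(hProcess);
    }

    return NULL;
}

/*
 * Terminate the process behind hProcess with exit status 0.
 *
 * A NULL handle is refused: the native NtTerminateProcess treats a NULL
 * process handle as the calling process, so feeding it the result of a failed
 * PowerOpenProcess() would tear down the caller rather than fail.
 *
 * returns TRUE on NT success, FALSE otherwise
 */
BOOL NtTerminateProcess(HANDLE hProcess)
{
    if (hProcess == NULL)
        return FALSE;
    // Overload resolution picks the two-argument ntdll prototype inside.
    return NT_SUCCESS(NtTerminateProcess(hProcess, 0));
}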
原文地址:http://www.cnblogs.com/gwsbhqt/p/5096810.html