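// Header: struct.h
//
// Hand-written NT type definitions and native-API prototypes used by the
// KILLPRC driver.  The structures below reproduce undocumented, OS-version
// specific layouts; nothing here validates them against the running kernel,
// and most of them are not referenced by the driver code in this listing.
// This header relies on NTDDK.h having been included first: LIST_ENTRY,
// UNICODE_STRING, HANDLE, LARGE_INTEGER, KPRIORITY, CLIENT_ID, VM_COUNTERS,
// IO_COUNTERS, PEPROCESS, GENERIC_MAPPING, POOL_TYPE, ERESOURCE, KWAIT_REASON,
// MaximumMode and RESTRICTED_POINTER all come from there.
//
// NOTE(review): in the original listing every backslash had been rendered as
// a forward slash (paths such as L"//Device//...", "/n" in log strings, and
// stray "/" tokens between preprocessor lines).  They are restored to
// backslashes here and the stray tokens dropped; confirm against the source
// this was transcribed from.
#pragma once

typedef long LONG;
typedef unsigned char BOOL, *PBOOL;
typedef unsigned char BYTE, *PBYTE;
typedef unsigned long DWORD, *PDWORD;
typedef unsigned short WORD, *PWORD;
typedef void *HMODULE;
typedef long NTSTATUS, *PNTSTATUS;
typedef unsigned long ULONG;
typedef unsigned long ULONG_PTR;   // correct only for 32-bit targets; must be pointer sized
typedef ULONG *PULONG;
typedef unsigned char UCHAR;
typedef unsigned short USHORT;
typedef void *PVOID;
typedef BYTE BOOLEAN;

#define SEC_IMAGE 0x01000000

//----------------------------------------------------
// PEB
#pragma pack(4)
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
#pragma pack()

typedef struct _PEB_ORIG {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[229];
    PVOID Reserved3[59];
    ULONG SessionId;
} PEB_ORIG, *PPEB_ORIG;

typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);

struct _PEB_FREE_BLOCK {
    struct _PEB_FREE_BLOCK *Next;
    ULONG Size;
};

// NOTE(review): this duplicates the DDK's own KAPC_STATE.  With a DDK whose
// NTDDK.h already declares it this becomes a redefinition; the manual
// KeStackAttachProcess prototype below suggests an older DDK where it did not.
typedef struct _KAPC_STATE {
    LIST_ENTRY ApcListHead[MaximumMode];   // one list per mode (kernel, user); each is a doubly linked list of APC objects
    struct _KPROCESS *Process;             // process that owns the thread this APC state belongs to
    BOOLEAN KernelApcInProgress;           // flag: a kernel APC is currently being delivered
    BOOLEAN KernelApcPending;
    BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE, *RESTRICTED_POINTER PRKAPC_STATE;

typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;

typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    PVOID ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StdInputHandle;
    HANDLE StdOutputHandle;
    HANDLE StdErrorHandle;
    UNICODE_STRING CurrentDirectoryPath;
    HANDLE CurrentDirectoryHandle;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PVOID Environment;
    ULONG StartingPositionLeft;
    ULONG StartingPositionTop;
    ULONG Width;
    ULONG Height;
    ULONG CharWidth;
    ULONG CharHeight;
    ULONG ConsoleTextAttributes;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopName;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN Spare;
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA LoaderData;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PPEBLOCKROUTINE FastPebLockRoutine;
    PPEBLOCKROUTINE FastPebUnlockRoutine;
    ULONG EnvironmentUpdateCount;
    PVOID *KernelCallbackTable;
    PVOID EventLogSection;
    PVOID EventLog;
    PPEB_FREE_BLOCK FreeList;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[0x2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID ReadOnlySharedMemoryHeap;
    PVOID *ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    BYTE Spare2[0x4];
    LARGE_INTEGER CriticalSectionTimeout;
    ULONG HeapSegmentReserve;
    ULONG HeapSegmentCommit;
    ULONG HeapDeCommitTotalFreeThreshold;
    ULONG HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID **ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    PVOID GdiDCAttributeList;
    PVOID LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    ULONG OSBuildNumber;
    ULONG OSPlatformId;
    ULONG ImageSubSystem;
    ULONG ImageSubSystemMajorVersion;
    ULONG ImageSubSystemMinorVersion;
    ULONG GdiHandleBuffer[0x22];
    ULONG PostProcessInitRoutine;
    ULONG TlsExpansionBitmap;
    BYTE TlsExpansionBitmapBits[0x80];
    ULONG SessionId;
} PEB, *PPEB;

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SpareUl2;
    ULONG SpareUl3;
    ULONG PeakVirtualSize;
    ULONG VirtualSize;
    ULONG PageFaultCount;
    ULONG PeakWorkingSetSize;
    ULONG WorkingSetSize;
    ULONG QuotaPeakPagedPoolUsage;
    ULONG QuotaPagedPoolUsage;
    ULONG QuotaPeakNonPagedPoolUsage;
    ULONG QuotaNonPagedPoolUsage;
    ULONG PagefileUsage;
    ULONG PeakPagefileUsage;
    ULONG PrivatePageCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitches;
    ULONG ThreadState;
    ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};

struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;   // Windows 2000 only
    struct _SYSTEM_THREADS Threads[1];
};

typedef struct _HANDLE_TABLE_ENTRY_INFO {
    ULONG AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;

typedef struct _HANDLE_TABLE_ENTRY {
    union {
        PVOID Object;
        ULONG_PTR ObAttributes;
        PHANDLE_TABLE_ENTRY_INFO InfoTable;
        ULONG_PTR Value;
    };
    union {
        ULONG GrantedAccess;
        struct {
            USHORT GrantedAccessIndex;
            USHORT CreatorBackTraceIndex;
        };
        LONG NextFreeTableEntry;
    };
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _HANDLE_TABLE {
    ULONG TableCode;
    PEPROCESS QuotaProcess;
    PVOID UniqueProcessId;
    ULONG HandleTableLock[4];
    LIST_ENTRY HandleTableList;
    ULONG HandleContentionEvent;
    PVOID DebugInfo;
    LONG ExtraInfoPages;
    ULONG FirstFree;
    ULONG LastFree;
    ULONG NextHandleNeedingPool;
    LONG HandleCount;
    union {
        ULONG Flags;
        UCHAR StrictFIFO:1;
    };
} HANDLE_TABLE, *PHANDLE_TABLE;

typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;   // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
    ULONG Key;
    ERESOURCE ObjectLocks[4];
} OBJECT_TYPE, *POBJECT_TYPE;

typedef struct _OBJECT_DIRECTORY {
    struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[37];
    ULONG Lock;
    PVOID DeviceMap;
    ULONG SessionId;
    USHORT Reserved;
    USHORT SymbolicLinkUsageCount;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

// The DDK's own definition of this enum carries a fourth member,
// InsertApcEnvironment, after CurrentApcEnvironment; this copy omits it.
typedef enum {
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment
} KAPC_ENVIRONMENT;

//----------------------------------------------------
// Native-API prototypes not exposed by the DDK headers used for this build.
// The Zw*/Nt* routines here are undocumented exports; signatures are as the
// original author declared them and are not verified here.
extern "C" {
    NTSYSAPI NTSTATUS _stdcall NTAPI ZwQuerySystemInformation(
        IN ULONG SystemInformationClass,
        IN PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength);

    NTSTATUS _stdcall NtOpenFile(
        OUT PHANDLE FileHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        OUT PIO_STATUS_BLOCK IoStatusBlock,
        IN ULONG ShareAccess,
        IN ULONG OpenOptions);

    NTSTATUS _stdcall ZwOpenProcess(
        OUT PHANDLE ProcessHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        IN PCLIENT_ID ClientId);

    NTKERNELAPI NTSTATUS _stdcall ObOpenObjectByPointer(
        IN PVOID Object,
        IN ULONG HandleAttributes,
        IN PACCESS_STATE PassedAccessState,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_TYPE ObjectType,
        IN KPROCESSOR_MODE AccessMode,
        OUT PHANDLE Handle);

    NTSTATUS _stdcall PsLookupProcessByProcessId(
        IN HANDLE ProcessId,
        OUT PEPROCESS *Process);

    HANDLE _stdcall PsGetProcessId(IN PEPROCESS Process);

    NTSTATUS _stdcall RtlFormatCurrentUserKeyPath(OUT PUNICODE_STRING CurrentUserKeyPath);

    VOID _stdcall KeStackAttachProcess(IN PEPROCESS Process, OUT PRKAPC_STATE ApcState);
    VOID _stdcall KeUnstackDetachProcess(IN PRKAPC_STATE ApcState);
    VOID KeAttachProcess(PEPROCESS proc);
    VOID KeDetachProcess();

    // Declared with a ULONG first parameter rather than HANDLE; unused in this listing.
    __declspec(dllimport) NTSTATUS ZwTerminateProcess(ULONG pProcessHandle, int ExitStatus);

    NTSTATUS ZwCreateJobObject(
        OUT PHANDLE JobHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes);
    NTSTATUS ZwAssignProcessToJobObject(HANDLE JobHandle, HANDLE ProcessHandle);
    NTSTATUS ZwTerminateJobObject(HANDLE JobHandle, NTSTATUS ExitStatus);
}

// Header: KILLPRC.H
//
// Device names, IOCTL definition, section pragmas and dispatch prototypes for
// the KILLPRC driver.
#pragma once
#include <excpt.h>
#ifdef __cplusplus
extern "C" {
#endif
#include <NTDDK.h>
#include <devioctl.h>
#ifdef __cplusplus
}
#endif

typedef struct _tagSSDT {
    PVOID ServiceTableBase;
    PULONG ServiceCounterTableBase;
    ULONG NumberOfService;
    ULONG ParamTableBase;
} SSDT, *PSSDT;

#ifndef _WGPH_H
#define _WGPH_H 1

// Debug-only trace.  Written as a conditional expression rather than
// "if (DBG) DbgPrint" so that a dprintf() used as the body of an if without
// braces cannot capture a following else.  DBG comes from the build environment.
#define dprintf (!DBG) ? (void)0 : (void)DbgPrint
#define nprintf DbgPrint

#define DEVICE_NAME L"\\Device\\devKILLPRC"   // Driver Name
#define LINK_NAME   L"\\DosDevices\\KILLPRC"  // Link Name

//
// The device driver IOCTLs
//
// METHOD_NEITHER: the I/O manager passes the caller's raw buffer pointers
// through, so DispatchIoctl must probe and copy them itself.
#define FILE_DEVICE_MYUNKNOWN 0x0000420
#define IOCTL_CODE(index) (ULONG)CTL_CODE(FILE_DEVICE_MYUNKNOWN, index, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)

// Not used by the code in this listing.  NOTE(review): the kernel exports the
// table itself, not a pointer to it, so this declaration's type looks wrong
// for any future use — confirm before relying on it.
extern "C" PSSDT KeServiceDescriptorTable;

#endif

#define MYCODE     code_seg("MYCODE")
#define PAGEDCODE  code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE   code_seg("INIT")
#define PAGEDDATA  data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA   data_seg("INIT")

extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);

// Source: KILLPRC.cpp
#include "KILLPRC.H"
#include "struct.h"

#pragma PAGEDCODE
/**
 * Opens a handle to the process identified by PID.
 *
 * The process object is located by id and a handle to it is opened with
 * AccessMode == UserMode, so the open is subject to the access check for the
 * requesting thread's token.  The handle is created without OBJ_KERNEL_HANDLE,
 * i.e. it lands in the current process's handle table; MyTerminateProcess
 * closes it with ZwClose in that same context.
 * NOTE(review): OBJ_KERNEL_HANDLE would keep the handle out of user mode's
 * reach — confirm the callers before changing it.
 *
 * @param PID            Process id to open.
 * @param pHandle        Receives the new handle on success; left untouched on failure.
 * @param DesiredAccess  Access rights requested on the process object.
 * @return STATUS_SUCCESS, the failing status of PsLookupProcessByProcessId or
 *         ObOpenObjectByPointer, or STATUS_UNSUCCESSFUL when PsProcessType
 *         cannot be resolved (the original returned success without setting
 *         *pHandle in that case).
 */
NTSTATUS MyOpenProcess(HANDLE PID, PHANDLE pHandle, ACCESS_MASK DesiredAccess)
{
    PEPROCESS eprocess = NULL;
    UNICODE_STRING routineName;
    NTSTATUS status;

    PAGED_CODE();

    status = PsLookupProcessByProcessId(PID, &eprocess);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    // PsProcessType is an exported POBJECT_TYPE variable; resolve it by name
    // rather than linking to it, as the original did.
    RtlInitUnicodeString(&routineName, L"PsProcessType");
    POBJECT_TYPE *ppsProcessType = (POBJECT_TYPE *)MmGetSystemRoutineAddress(&routineName);

    if (ppsProcessType == NULL) {
        status = STATUS_UNSUCCESSFUL;
    } else {
        HANDLE handle = NULL;
        status = ObOpenObjectByPointer(eprocess, 0, NULL, DesiredAccess,
                                       *ppsProcessType, UserMode, &handle);
        if (NT_SUCCESS(status)) {
            *pHandle = handle;
        }
    }

    ObfDereferenceObject(eprocess);   // balances the reference taken by PsLookupProcessByProcessId
    return status;
}

/**
 * Terminates the process behind hProcess by placing it in a throw-away job
 * object and terminating the job.
 *
 * Takes ownership of hProcess: the handle is closed before returning on every
 * path (the original only closed it when the job had been created, leaking it
 * otherwise).  The job object is anonymous and created as a kernel handle so
 * that user mode cannot touch it while it is in use.
 * NOTE(review): the job is requested with DesiredAccess 0, as in the original;
 * confirm that the subsequent assign/terminate calls are accepted with that
 * access on the target OS.
 *
 * @param hProcess  Process handle obtained from MyOpenProcess; closed here.
 * @return Status of the first failing Zw call, or STATUS_SUCCESS.
 */
NTSTATUS MyTerminateProcess(HANDLE hProcess)
{
    OBJECT_ATTRIBUTES objOa;
    HANDLE hJob = NULL;
    NTSTATUS st;

    PAGED_CODE();

    // The original passed objOa uninitialized (its RtlZeroMemory was commented out).
    InitializeObjectAttributes(&objOa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    st = ZwCreateJobObject(&hJob, 0, &objOa);
    if (NT_SUCCESS(st)) {
        st = ZwAssignProcessToJobObject(hJob, hProcess);
        if (NT_SUCCESS(st)) {
            st = ZwTerminateJobObject(hJob, 0);
        }
        ZwClose(hJob);
    }

    ZwClose(hProcess);
    return st;
}

/**
 * Opens the process with id Pid for termination and terminates it.
 *
 * @param Pid  Process id to terminate.
 * @return Status of MyOpenProcess when it fails (the original went on to call
 *         MyTerminateProcess with an uninitialized handle in that case),
 *         otherwise the status of MyTerminateProcess.
 */
NTSTATUS MyKillProcess(HANDLE Pid)
{
    HANDLE hProcess = NULL;

    PAGED_CODE();

    NTSTATUS ret = MyOpenProcess(Pid, &hProcess, PROCESS_TERMINATE);
    if (!NT_SUCCESS(ret)) {
        return ret;
    }
    return MyTerminateProcess(hProcess);   // takes ownership of hProcess
}

#pragma INITCODE
/**
 * Driver entry point: registers the dispatch routines, creates the control
 * device and its DosDevices symbolic link.
 *
 * NOTE(review): the device is created with IoCreateDevice and no security
 * descriptor, so access to the terminate IOCTL is governed only by the default
 * device DACL plus the per-process access check in MyOpenProcess.
 * IoCreateDeviceSecure with an SDDL string would restrict who can open it.
 *
 * @param pDriverObj     Driver object supplied by the I/O manager.
 * @param pRegistryPath  Service registry path; unused.
 * @return STATUS_SUCCESS, or the failing status of IoCreateDevice /
 *         IoCreateSymbolicLink (the device is deleted again in the latter case).
 */
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryPath)
{
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDevObj = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegistryPath);

    dprintf("[KILLPRC] DriverEntry\n");

    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
    status = IoCreateDevice(pDriverObj, 0, &ustrDevName, FILE_DEVICE_MYUNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &pDevObj);
    if (!NT_SUCCESS(status)) {
        dprintf("[KILLPRC] IoCreateDevice = 0x%x\n", status);
        return status;
    }

    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if (!NT_SUCCESS(status)) {
        dprintf("[KILLPRC] IoCreateSymbolicLink = 0x%x\n", status);
        IoDeleteDevice(pDevObj);   // undo the device creation above
        return status;
    }

    return STATUS_SUCCESS;
}

#pragma PAGEDCODE
/**
 * Unload routine: removes the symbolic link and the control device.
 *
 * @param pDriverObj  Driver object whose single device is deleted.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING strLink;

    PAGED_CODE();

    RtlInitUnicodeString(&strLink, LINK_NAME);
    IoDeleteSymbolicLink(&strLink);
    IoDeleteDevice(pDriverObj->DeviceObject);
    dprintf("[KILLPRC] Unloaded\n");
}

#pragma PAGEDCODE
/**
 * IRP_MJ_CREATE handler: every open succeeds.
 *
 * @param pDevObj  Device object; unused.
 * @param pIrp     Request to complete.
 * @return STATUS_SUCCESS.
 */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevObj);
    PAGED_CODE();

    dprintf("[KILLPRC] IRP_MJ_CREATE\n");
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

#pragma PAGEDCODE
/**
 * IRP_MJ_CLOSE handler: every close succeeds.
 *
 * @param pDevObj  Device object; unused.
 * @param pIrp     Request to complete.
 * @return STATUS_SUCCESS.
 */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevObj);
    PAGED_CODE();

    dprintf("[KILLPRC] IRP_MJ_CLOSE\n");
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

#pragma PAGEDCODE
/**
 * IRP_MJ_DEVICE_CONTROL handler.
 *
 * IOCTL_CODE(0x1): the input buffer holds one HANDLE-sized process id to
 * terminate.  Because the IOCTL is METHOD_NEITHER, Type3InputBuffer is the
 * caller's raw pointer: the original dereferenced it unchecked, letting any
 * caller crash the system or have the kernel read from an arbitrary address.
 * The length is now checked, the buffer is probed for user-mode requestors and
 * copied under __try/__except, and the result of MyKillProcess is returned to
 * the caller instead of being discarded.  Unknown control codes are rejected
 * with STATUS_INVALID_DEVICE_REQUEST (the original completed them with success).
 *
 * @param pDevObj  Device object; unused.
 * @param pIrp     Request to complete.
 * @return Status stored in pIrp->IoStatus.Status.
 */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(pIrp);
    PVOID inputBuffer = irpStack->Parameters.DeviceIoControl.Type3InputBuffer;
    ULONG inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
    NTSTATUS ntstatus;

    UNREFERENCED_PARAMETER(pDevObj);
    PAGED_CODE();

    switch (ioControlCode) {
    case IOCTL_CODE(0x1): {
        HANDLE pid = NULL;

        if (inputBuffer == NULL || inputBufferLength < sizeof(HANDLE)) {
            ntstatus = STATUS_BUFFER_TOO_SMALL;
            break;
        }

        ntstatus = STATUS_SUCCESS;
        __try {
            // Alignment 1 keeps the original's tolerance of unaligned input;
            // the copy goes through RtlCopyMemory for the same reason.
            if (pIrp->RequestorMode != KernelMode) {
                ProbeForRead(inputBuffer, sizeof(HANDLE), 1);
            }
            RtlCopyMemory(&pid, inputBuffer, sizeof(pid));
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            ntstatus = GetExceptionCode();
        }

        if (NT_SUCCESS(ntstatus)) {
            ntstatus = MyKillProcess(pid);
        }
        break;
    }
    default:
        ntstatus = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Information = 0;   // no output is ever produced
    pIrp->IoStatus.Status = ntstatus;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return ntstatus;
}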