[代码原创]开启内核线程调用Nt系列函数
既然有人问到了,我就把代码贴出来:#include <ntddk.h>
#include "ssdt.h"
NTKERNELAPI NTSTATUS NtOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL);
KEVENT kEvent;
ULONG MyTFpid;
ULONG pNtTerminateProcess;
// 线程函数
VOID MyThreadFunc(IN PVOID context)
{
HANDLE ProcessHandle=0;
CLIENT_ID objCid;
OBJECT_ATTRIBUTES objOa;
RtlZeroMemory(&objOa,sizeof(OBJECT_ATTRIBUTES));
RtlZeroMemory(&objCid,sizeof(CLIENT_ID));
objOa.Length = sizeof(objOa);
objCid.UniqueProcess = (HANDLE)MyTFpid;//进程pid
NtOpenProcess (&ProcessHandle, PROCESS_ALL_ACCESS, &objOa, &objCid);//打开进程
DbgPrint("hProcess=%ld",ProcessHandle);
if (pNtTerminateProcess!=0)
{
__asm
{
push 0
push ProcessHandle
call pNtTerminateProcess
}
}
ZwClose(ProcessHandle);
KeSetEvent(&kEvent, 0, TRUE);
PsTerminateSystemThread(STATUS_SUCCESS);
}
VOID CreateThreadTest(ULONG PidToOpen)
{
HANDLE hThread;
NTSTATUS status;
UNICODE_STRING ustrTest;
KeInitializeEvent(&kEvent, SynchronizationEvent, TRUE);
RtlInitUnicodeString(&ustrTest, L"kernel thread test!");
pNtTerminateProcess=GetSSDTRealAddr(GetSysCallIndex("NtTerminateProcess"));
MyTFpid=PidToOpen;
status = PsCreateSystemThread(&hThread, 0, NULL, NULL, NULL, MyThreadFunc, (PVOID)&ustrTest);
if (!NT_SUCCESS(status))
{
DbgPrint("CreateThread Test Failed!");
}
ZwClose(hThread);
KeWaitForSingleObject(&kEvent, Executive, KernelMode, FALSE, 0);
}
ssdt.h我发过了,你们自己找找吧,我忘记在哪个帖子里了。。。 回复 3# naylon
具体问题具体分析,关于SetContextThread,可以参考我的帖子:VB无驱杀冰刃、狙剑、天琊 - TaKillThread 谢谢分享,正在学习内核编程中
页:
[1]