Suspending a process by unconventional means

This post was last edited by Tesla.Angela on 2010-7-31 11:43.

Everyone knows how to suspend a process with ZwSuspendProcess; in fact, a few of the Dbg functions exported by ntdll.dll can also be used to suspend a process indirectly. Without further ado, here's the code:
' Win32 process handle APIs
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' Undocumented ntdll exports used by the Win32 debugging API.
' DbgUiConnectToDbg creates a debug object for the calling thread;
' DbgUiDebugActiveProcess attaches that debug object to a target process;
' DbgUiStopDebugging detaches it again.
Private Declare Function DbgUiConnectToDbg Lib "ntdll" () As Long
Private Declare Function DbgUiDebugActiveProcess Lib "ntdll" (ByVal ProcessHandle As Long) As Long
Private Declare Function DbgUiStopDebugging Lib "ntdll" (ByVal ProcessHandle As Long) As Long

' 2035711 = &H1F0FFF = PROCESS_ALL_ACCESS (pre-Vista value)
Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

' "Suspend": attach as a debugger. Because this program never waits for or
' continues any debug event, the target stays frozen after the attach.
Private Function SuspendProcess(ByVal hProcess As Long) As Long
    SuspendProcess = DbgUiDebugActiveProcess(hProcess)
End Function

' "Resume": detach; the target runs again once no debugger is attached.
Private Function ResumeProcess(ByVal hProcess As Long) As Long
    ResumeProcess = DbgUiStopDebugging(hProcess)
End Function

Private Sub Command1_Click()
    Dim hProcess As Long
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, CLng(Text1.Text))
    If hProcess = 0 Then Exit Sub
    SuspendProcess hProcess
    CloseHandle hProcess
End Sub

Private Sub Command2_Click()
    Dim hProcess As Long
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, CLng(Text1.Text))
    If hProcess = 0 Then Exit Sub
    ResumeProcess hProcess
    CloseHandle hProcess
End Sub

Private Sub Form_Load()
    ' EnablePrivilege / SE_DEBUG are the poster's own helper for enabling
    ' SeDebugPrivilege; its implementation is not included in the post.
    Call EnablePrivilege(SE_DEBUG)
    ' Create the debug object for this (UI) thread. The object is tied to the
    ' thread that called DbgUiConnectToDbg, so attach and detach must happen
    ' on this same thread.
    DbgUiConnectToDbg
End Sub
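A process frozen this way is not suspended in the ZwSuspendProcess sense; it is a debuggee whose initial debug events are never continued, so from the outside it reports as "being debugged". The following PowerShell script is an added example for the defender's side and is not code from the original post: it enumerates running processes and reports those that currently have a debugger attached, using the documented CheckRemoteDebuggerPresent API. The class name DbgCheck and the function names are assumptions of this example; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not from the original post. P/Invoke signatures for the
# documented kernel32 APIs; the class name DbgCheck is an assumption.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class DbgCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, out bool pbDebuggerPresent);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $signature

# PROCESS_QUERY_INFORMATION is enough for CheckRemoteDebuggerPresent.
$PROCESS_QUERY_INFORMATION = 0x0400

# Returns $true / $false, or $null when the process could not be opened
# (access denied, protected process, or it exited meanwhile).
function Test-DebuggerAttached {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    $h = [DbgCheck]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        $present = $false
        if (-not [DbgCheck]::CheckRemoteDebuggerPresent($h, [ref]$present)) { return $null }
        return $present
    } finally {
        [void][DbgCheck]::CloseHandle($h)
    }
}

# Walk every process and emit the ones that have a debugger attached.
# A process frozen with DbgUiDebugActiveProcess shows up here even though
# nothing like a debugger window is visible anywhere.
function Find-DebuggedProcess {
    foreach ($p in Get-Process) {
        $r = Test-DebuggerAttached -ProcessId $p.Id
        if ($r -eq $true) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; DebuggerPresent = $true }
        }
    }
}

Find-DebuggedProcess | Format-Table -AutoSize
```

Run it from an elevated prompt so that most processes can be opened; entries that return $null were simply not openable, not necessarily clean. A process listed here while no debugger is expected is worth correlating with which other process holds a handle to a debug object, since that holder is the one that froze it.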
This idea wasn't originally mine; I only did the concrete implementation.

Manipulating a process from user mode obviously requires a handle!

Tested it against Rising and found that this function uses ZwProtectVirtualMemory, and does not use ZwSuspendProcess or ZwDebugActiveProcess. As long as the AV hasn't hooked ZwDuplicateObject and ZwProtectVirtualMemory, the process can be suspended successfully.

Can it suspend 360?! Heh...

Haven't been here in a long time; bookmarking this.

Truly unconventional! Learned something.

Thanks, OP.

Let's all hook ntdll!DbgBreakPoint in our own process.

........ Is that to prevent a debug breakpoint from being set?

There's another way: starting at ntdll!DbgBreakPoint in the current process and ending at ntdll!DbgBreakPoint+0x10 (ntdll!DbgBreakPoint to ntdll!RtlpBreakWithStatusInstruction), search for the byte 0xCC (int 3). On inspection, the only instruction in that range containing a 0xCC byte is int 3, so every 0xCC (int 3) in the range can be changed to 0x90 (nop). NOP-ing out all the int 3s that trigger the debug break should work in theory too. (Based on the ntdll of XP SP1-SP3.)

The poster above is XX enough!......