既然有人问到了，我就把代码贴出来：
#include <ntddk.h>
#include "ssdt.h"
// Hand-written prototype for the kernel's NtOpenProcess export; presumably
// declared here because the DDK headers only expose the Zw variant — confirm
// against the target WDK before relying on it.
NTKERNELAPI NTSTATUS NtOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL);
// Signaled by MyThreadFunc when it is done; CreateThreadTest waits on it.
KEVENT kEvent;
// PID of the target process: written by CreateThreadTest, read by MyThreadFunc.
ULONG MyTFpid;
// Address of NtTerminateProcess looked up from the SSDT in CreateThreadTest and
// called through the inline-asm block in MyThreadFunc. A ULONG is only
// pointer-sized on 32-bit x86, which matches the x86-only __asm; it would
// truncate a code address on x64.
ULONG pNtTerminateProcess;
// Thread routine
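/*
 * System-thread body: opens the process whose PID is in the global MyTFpid,
 * invokes NtTerminateProcess on it through the address stored in the global
 * pNtTerminateProcess, closes the handle, signals kEvent and exits.
 *
 * context: unused (CreateThreadTest passes a UNICODE_STRING that is never read).
 * Never returns; the thread ends in PsTerminateSystemThread.
 */
VOID MyThreadFunc(IN PVOID context)
{
    HANDLE ProcessHandle = NULL;
    CLIENT_ID objCid;
    OBJECT_ATTRIBUTES objOa;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(context);

    RtlZeroMemory(&objOa, sizeof(OBJECT_ATTRIBUTES));
    RtlZeroMemory(&objCid, sizeof(CLIENT_ID));
    objOa.Length = sizeof(objOa);
    // Widen through ULONG_PTR so the ULONG PID becomes a handle without
    // a sign-extension surprise on wider pointers.
    objCid.UniqueProcess = (HANDLE)(ULONG_PTR)MyTFpid;

    // The original ignored this status: on failure ProcessHandle stayed 0 and
    // both the terminate call and ZwClose were issued on an invalid handle.
    status = NtOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS, &objOa, &objCid);
    // %p is the correct specifier for a HANDLE; %ld was a format/type mismatch.
    DbgPrint("NtOpenProcess status=0x%08X hProcess=%p", status, ProcessHandle);

    if (NT_SUCCESS(status) && ProcessHandle != NULL)
    {
        if (pNtTerminateProcess != 0)
        {
            // MSVC 32-bit inline asm only (the x64 compiler rejects __asm).
            // Arguments are pushed right-to-left for the stdcall
            // NtTerminateProcess(ProcessHandle, ExitStatus); the callee pops
            // them. The variable name is a memory operand, so this is an
            // indirect call through pNtTerminateProcess.
            __asm
            {
                push 0
                push ProcessHandle
                call pNtTerminateProcess
            }
        }
        ZwClose(ProcessHandle);
    }

    // Wait must be FALSE: TRUE promises an immediate KeWaitXxx call, and the
    // next statement terminates the thread instead.
    KeSetEvent(&kEvent, 0, FALSE);
    PsTerminateSystemThread(STATUS_SUCCESS);
}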
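/*
 * Resolves NtTerminateProcess from the SSDT, stores the target PID in the
 * globals read by MyThreadFunc, starts MyThreadFunc as a system thread and
 * blocks on kEvent until that thread signals completion.
 *
 * PidToOpen: PID of the process MyThreadFunc will open.
 * Failures are reported via DbgPrint only; the function returns VOID.
 */
VOID CreateThreadTest(ULONG PidToOpen)
{
    HANDLE hThread = NULL;
    NTSTATUS status;
    UNICODE_STRING ustrTest;

    // Initial state must be non-signaled. The original passed TRUE, so the
    // KeWaitForSingleObject below returned immediately and this function
    // came back before MyThreadFunc had run.
    KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
    RtlInitUnicodeString(&ustrTest, L"kernel thread test!");

    pNtTerminateProcess = GetSSDTRealAddr(GetSysCallIndex("NtTerminateProcess"));
    if (pNtTerminateProcess == 0)
    {
        // MyThreadFunc skips the call when this is 0; log so the silent
        // no-op is visible in the debugger.
        DbgPrint("NtTerminateProcess lookup failed!");
    }
    MyTFpid = PidToOpen;

    // ustrTest lives on this stack frame; it stays valid only because this
    // function waits for the thread before returning (the thread never reads it).
    status = PsCreateSystemThread(&hThread, 0, NULL, NULL, NULL, MyThreadFunc, (PVOID)&ustrTest);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("CreateThread Test Failed!");
        // No thread exists: hThread is not valid to close and kEvent would
        // never be signaled, so the original's fall-through waited forever.
        return;
    }
    ZwClose(hThread);
    // Timeout is a PLARGE_INTEGER; NULL means wait indefinitely.
    KeWaitForSingleObject(&kEvent, Executive, KernelMode, FALSE, NULL);
}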