发表于 2010-8-4 12:42:34
能不能把下面的代码简要的注释一下?
还有,怎样用VB来调用?
谢谢TA~
#include "ntddk.h"
#include <windef.h>
#include <stdlib.h>
#include "MyKiller.h"
#include "dbghelp.h"
//===========================================
// Hand-copied layout of the kernel's KAPC_STATE. KeStackAttachProcess /
// KeUnstackDetachProcess (declared below) write into a caller-supplied
// instance of this struct, so the size and field order must match the
// running kernel's definition exactly; a mismatch corrupts the caller's stack.
typedef struct _KAPC_STATE
{
LIST_ENTRY ApcListHead[2];
PVOID Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
}KAPC_STATE, *PKAPC_STATE;
// APC environment selector passed to KeInitializeApc. Only
// OriginalApcEnvironment is used in this file (ForceTerminateThread).
typedef enum _KAPC_ENVIRONMENT
{
OriginalApcEnvironment,
AttachedApcEnvironment,
CurrentApcEnvironment,
InsertApcEnvironment
}KAPC_ENVIRONMENT;
// Driver entry points defined later in this file.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
// Kernel exports declared by hand instead of taken from ntifs.h / the WDK.
// Several pointer-sized parameters are declared as ULONG (ProcessId, ThreadId,
// BaseAddress), which only works on 32-bit builds.
NTKERNELAPI VOID KeAttachProcess (PEPROCESS Process);
NTKERNELAPI VOID KeDetachProcess (VOID);
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId (IN ULONG ProcessId,OUT PEPROCESS *Process); // takes a reference on *Process that the caller must drop
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId (IN ULONG ThreadId,OUT PETHREAD *Thread); // takes a reference on *Thread that the caller must drop
NTKERNELAPI PEPROCESS IoThreadToProcess(IN PETHREAD Thread);
NTKERNELAPI BOOLEAN MmIsAddressValid(IN PVOID VirtualAddress); // residency check only; says nothing about what the address points at
NTKERNELAPI NTSTATUS MmUnmapViewOfSection(IN PEPROCESS Process,IN ULONG BaseAddress);
// NOTE(review): the last parameter is declared as HANDLE, but every caller in
// this file passes &hprocess (a PHANDLE). The documented export takes a
// PHANDLE; the declaration here is wrong and only works by accident of size.
NTKERNELAPI NTSTATUS ObOpenObjectByPointer( IN PVOID Object,IN ULONG HandleAttributes,IN PACCESS_STATE PassedAccessState,IN ACCESS_MASK DesiredAccess,IN POBJECT_TYPE ObjectType,IN KPROCESSOR_MODE AccessMode,OUT HANDLE Handle );
NTKERNELAPI VOID KeStackAttachProcess(PEPROCESS PROCESS,PKAPC_STATE ApcState);
NTKERNELAPI VOID KeUnstackDetachProcess(PKAPC_STATE ApcState);
NTKERNELAPI NTSTATUS PsTerminateSystemThread(IN NTSTATUS ExitStatus);
// Undocumented APC exports used by ForceTerminateThread/ApcCallBack.
NTKERNELAPI VOID KeInitializeApc(PKAPC Apc,PETHREAD Thread,KAPC_ENVIRONMENT Environment,PKKERNEL_ROUTINE KernelRoutine,PKRUNDOWN_ROUTINE RundownRoutine,PKNORMAL_ROUTINE NormalRoutine,KPROCESSOR_MODE ProcessorMode,PVOID NormalContext);
NTKERNELAPI BOOLEAN KeInsertQueueApc(PKAPC Apc,PVOID SystemArgument1,PVOID SystemArgument2,KPRIORITY Increment);
// Zw* system-service stubs. Called from kernel mode these run with a kernel
// previous mode, so the usual user-mode access checks are not applied.
__declspec(dllimport) NTSTATUS ZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);
__declspec(dllimport) NTSTATUS ZwClose(HANDLE ObjectHandle);
__declspec(dllimport) NTSTATUS ZwAssignProcessToJobObject(HANDLE JobHandle,HANDLE ProcessHandle);
__declspec(dllimport) NTSTATUS ZwCreateJobObject(OUT PHANDLE JobHandle,IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);
__declspec(dllimport) NTSTATUS ZwTerminateJobObject(HANDLE JobHandle,NTSTATUS ExitStatus);
__declspec(dllimport) NTSTATUS ZwOpenProcess(HANDLE* pProcessHandle, ULONG AccessMask, OBJECT_ATTRIBUTES* pObjectAttributes, CLIENT_ID* pClientId);
//====================
// File-scope state shared by every IRP_MJ_DEVICE_CONTROL request.
// NOTE(review): nothing serializes access to these; two concurrent IOCTLs
// on the same device overwrite each other's values.
PEPROCESS eProcess; // last process resolved by PsLookupProcessByProcessId in DispatchIoctl; no ObDereferenceObject appears in this file
PETHREAD eThread; // last thread resolved by IOCTL_ApcKtd; same reference-leak remark
ULONG processID; // PID copied verbatim from the IOCTL input buffer
ULONG threadID; // TID copied verbatim from the IOCTL input buffer
ULONG EToffSET=0x248; //default is XP. Offset of the thread-type field inside ETHREAD that ForceTerminateThread overwrites; IOCTL_OffSet lets user mode replace it without any validation
HANDLE hprocess; // scratch handle used by TerminateProcess and ZwKP
long myHproc; // handle returned by Ring0OpenProcess, kept as long and cast back to HANDLE by the caller
HANDLE myPID; // processID re-cast as HANDLE for Ring0OpenProcess
ULONG NtdllBase; // ntdll base address supplied by user mode via IOCTL_NtBase, consumed by IOCTL_MdKill
//====================
// Kernel routine of the APC queued by ForceTerminateThread. It executes in
// the target thread: it frees the KAPC block allocated in
// ForceTerminateThread and then ends the thread with PsTerminateSystemThread.
// That call only succeeds for threads flagged as system threads, which is why
// ForceTerminateThread patches the thread type before queuing the APC.
// NormalRoutine/NormalContext/SystemArgument1/SystemArgument2 are unused.
VOID ApcCallBack(PKAPC Apc,PKNORMAL_ROUTINE *NormalRoutine,PVOID *NormalContext,PVOID *SystemArgument1,PVOID *SystemArgument2)
{
ExFreePool(Apc); // Apc is the NonPagedPool block from ForceTerminateThread
PsTerminateSystemThread(STATUS_SUCCESS); // does not return on success
}
// Ends Thread by rewriting its ETHREAD type field and queuing a kernel APC
// (ApcCallBack) that calls PsTerminateSystemThread from inside the thread.
// Returns STATUS_SUCCESS whenever MmIsAddressValid accepts Thread - even
// if the pool allocation failed and no APC was queued - otherwise
// STATUS_UNSUCCESSFUL.
// Risk notes:
//  - The write at Thread+EToffSET targets an undocumented, OS-version-specific
//    offset. EToffSET is a global that IOCTL_OffSet lets user mode set without
//    validation, so a wrong value corrupts arbitrary kernel memory (bugcheck
//    at best) rather than failing cleanly.
//  - MmIsAddressValid only proves the page is resident, not that Thread is an
//    ETHREAD.
//  - The return value of KeInsertQueueApc is ignored; if the insert fails the
//    KAPC block is leaked.
NTSTATUS ForceTerminateThread(PETHREAD Thread)
{
ULONG SYS_THREAD = 0x10; // value stored into the ETHREAD type field
NTSTATUS st = STATUS_UNSUCCESSFUL;
ULONG Size = 0; // unused
ULONG i = 0; // unused
PKAPC pApc = 0;
if ( MmIsAddressValid((PVOID)Thread) == TRUE)
{
pApc = ExAllocatePool(NonPagedPool, sizeof(KAPC)); // freed by ApcCallBack when the APC runs
//Fix Thread Type To SYSTEM THREAD (done before the pApc check, so it happens even when allocation failed)
*(PULONG)((ULONG)Thread+EToffSET)=SYS_THREAD; //XP=0x248, 2K3=0x240, VISTA+2k8=0x260, Win7=0x280
//If APC is OK
if (pApc)
{
KeInitializeApc(pApc, Thread, OriginalApcEnvironment, ApcCallBack, 0, 0, KernelMode, 0); // kernel routine only; no rundown or normal routine
KeInsertQueueApc(pApc, pApc, 0, 2); // SystemArgument1 = pApc so the callback can free it; result unchecked
}
st = STATUS_SUCCESS; // reported regardless of whether an APC was queued
}
return st;
}
// Brute-forces thread IDs 8..65536 in steps of 4 and hands every thread whose
// owning process equals Process to ForceTerminateThread. Always returns
// STATUS_SUCCESS, whether or not any thread matched. Threads with IDs above
// 65536 are never visited.
// NOTE(review): each successful PsLookupThreadByThreadId takes a reference
// on the ETHREAD and nothing here releases it, so a single call leaks one
// reference on every thread in the system.
NTSTATUS ForceTerminateProcess(PEPROCESS Process)
{
ULONG i;
PETHREAD txtd;
PEPROCESS txps;
NTSTATUS st = STATUS_UNSUCCESSFUL;
for (i=8;i<=65536;i=i+4)
{
st = PsLookupThreadByThreadId(i,&txtd);
if ( NT_SUCCESS(st) )
{
txps=IoThreadToProcess(txtd);
if ( txps == Process )
{
ForceTerminateThread(txtd); // result ignored
}
}
}
return STATUS_SUCCESS;
}
// Attaches to Process and overwrites every resident user-mode page below
// MmUserProbeAddress with 0xCC (x86 int 3), so whatever the process executes
// next traps. Each page is probed and written inside its own __try, and any
// fault is silently swallowed. Returns STATUS_UNSUCCESSFUL only when
// MmIsAddressValid rejects Process, otherwise STATUS_SUCCESS.
// Notes:
//  - Process is passed as a ULONG and EndAddress is initialised from a
//    ULONG* cast of MmUserProbeAddress: 32-bit only.
//  - ProbeForWrite(addr, 0x1000, 0x1000) demands page alignment, which the
//    0x1000 loop step guarantees.
//  - MmIsAddressValid on Process checks residency only; it does not prove
//    this is an EPROCESS, and the caller's lookup reference is never released.
NTSTATUS BreakProcessMemory(ULONG Process)
{
NTSTATUS st = STATUS_UNSUCCESSFUL;
KAPC_STATE ks;
ULONG EndAddress = (ULONG*)MmUserProbeAddress;
ULONG i = 0;
if (!MmIsAddressValid((PEPROCESS)Process)) return st;
KeStackAttachProcess((PEPROCESS)Process, &ks); // switch address space to the target
for (i = 0; i < EndAddress; i += 0x1000)
{
__try
{
if (MmIsAddressValid((PVOID)i))
{
ProbeForWrite((CONST PVOID)i, 0x1000, 0x1000);
memset((PVOID)i, 0xcc, 0x1000);//int 3
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
// per-page failure ignored; continue with the next page
}
}
KeUnstackDetachProcess(&ks);
return STATUS_SUCCESS;
}
// Attaches to Process and calls ZwTerminateProcess with a NULL handle, then
// detaches. Returns whatever ZwTerminateProcess returned.
// NOTE(review): a NULL ProcessHandle means "the current process"; this relies
// on the stack attach making Process the current process for the duration of
// the call - confirm. If that assumption does not hold, the call lands on the
// caller's own process instead.
NTSTATUS NormalTerminateProcess(PEPROCESS Process)
{
NTSTATUS st = STATUS_UNSUCCESSFUL;
KAPC_STATE ks;
KeStackAttachProcess(Process, &ks);
st = ZwTerminateProcess(0,0);
KeUnstackDetachProcess(&ks);
return st;
}
// Kills Process by opening a handle to it, creating a fresh job object,
// assigning the process to that job and terminating the job
// (ZwTerminateJobObject ends every process in the job).
// Error handling as written:
//  - the ObOpenObjectByPointer status is ignored, so hprocess (a global) may
//    be stale when the open failed;
//  - hJob is closed only on the ZwAssignProcessToJobObject success path and
//    leaks otherwise;
//  - st is never propagated and the __except sets Status = 0, i.e.
//    STATUS_SUCCESS, so the function reports success even when every step
//    failed;
//  - objCid is unused.
NTSTATUS TerminateProcess( PEPROCESS Process )
{
NTSTATUS Status;
OBJECT_ATTRIBUTES objOa;
NTSTATUS st;
HANDLE hJob;
CLIENT_ID objCid;
Status = STATUS_SUCCESS;
__try
{
ObOpenObjectByPointer(Process,0,0,0,0,0,&hprocess) ; // DesiredAccess 0, ObjectType NULL, result unchecked
RtlZeroMemory(&objOa,sizeof(OBJECT_ATTRIBUTES));
objOa.Length = sizeof (OBJECT_ATTRIBUTES);
st = ZwCreateJobObject(&hJob, 0, &objOa);
if (NT_SUCCESS (st))
{
st=ZwAssignProcessToJobObject(hJob, hprocess);
if NT_SUCCESS(st)
{ZwTerminateJobObject(hJob,0);
ZwClose (hJob);}
ZwClose (hprocess);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
Status = 0; // == STATUS_SUCCESS: faults are reported as success
}
return Status;
}
// Opens a handle to Process with ObOpenObjectByPointer (DesiredAccess 0,
// ObjectType NULL) and, if that succeeded, calls ZwTerminateProcess on it and
// closes the handle. The ZwTerminateProcess status is discarded, and both the
// normal path and the __except path return STATUS_SUCCESS (Status = 0), so
// the caller cannot tell whether the process was actually terminated.
// The handle is stored in the global hprocess, shared with TerminateProcess.
NTSTATUS ZwKP( PEPROCESS Process )
{
NTSTATUS Status;
NTSTATUS st;
Status = STATUS_SUCCESS;
__try
{
st=ObOpenObjectByPointer(Process,0,0,0,0,0,&hprocess) ;
if NT_SUCCESS(st)
{ZwTerminateProcess (hprocess,0); // result ignored
ZwClose(hprocess);}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
Status = 0; // == STATUS_SUCCESS
}
return Status;
}
// Opens the process identified by Pid from kernel mode with access mask
// 0x1F0FFF (the pre-Vista PROCESS_ALL_ACCESS value) and returns the handle
// as a long. The ZwOpenProcess status is not checked, so on failure the
// function returns 0 and the caller has no way to distinguish that from a
// (theoretical) zero handle.
// NOTE(review): `&(HANDLE)ProcessHandle` takes the address of a cast
// expression; that is an MSVC extension, not standard C.
long Ring0OpenProcess(HANDLE Pid)
{
ULONG ProcessHandle=0;
CLIENT_ID objCid;
OBJECT_ATTRIBUTES objOa;
RtlZeroMemory(&objOa,sizeof(OBJECT_ATTRIBUTES));
RtlZeroMemory(&objCid,sizeof(CLIENT_ID));
objOa.Length = sizeof(objOa);
objCid.UniqueProcess = (HANDLE)Pid;// target process id
ZwOpenProcess (&(HANDLE)ProcessHandle, 0x1F0FFF, &objOa, &objCid);// open the process; status ignored
return ProcessHandle;
}
/*
 * DriverEntry: installs the dispatch routines, creates the control device
 * (DEVICE_NAME) and the user-visible symbolic link (LINK_NAME).
 * On failure the objects created so far are torn down and the NTSTATUS of
 * the failing call is returned; otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the device is created with plain IoCreateDevice and no SDDL
 * (IoCreateDeviceSecure is not used), so which callers may open the device -
 * and thereby reach the kill IOCTLs in DispatchIoctl - is left entirely to
 * the default device DACL. Confirm that is the intended exposure.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    UNICODE_STRING devName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT device = NULL;
    NTSTATUS rc;

    dprintf("[MyKiller] DriverEntry: %S\n",pRegistryString->Buffer);

    /* Dispatch table: create/close merely complete the IRP; all work is in DispatchIoctl. */
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;

    /* Control device object (no device extension, not exclusive). */
    RtlInitUnicodeString(&devName, DEVICE_NAME);
    rc = IoCreateDevice(pDriverObj, 0, &devName, FILE_DEVICE_UNKNOWN, 0, FALSE, &device);
    dprintf("[MyKiller] Device Name %S",devName.Buffer);
    if (!NT_SUCCESS(rc)) {
        dprintf("[MyKiller] IoCreateDevice = 0x%x\n", rc);
        return rc;
    }

    /* Symbolic link so user mode can open the device by LINK_NAME. */
    RtlInitUnicodeString(&linkName, LINK_NAME);
    rc = IoCreateSymbolicLink(&linkName, &devName);
    if (!NT_SUCCESS(rc)) {
        dprintf("[MyKiller] IoCreateSymbolicLink = 0x%x\n", rc);
        IoDeleteDevice(device);
        return rc;
    }

    dprintf("[MyKiller] SymbolicLink:%S",linkName.Buffer);
    return STATUS_SUCCESS;
}
/*
 * DriverUnload: removes the LINK_NAME symbolic link and the single device
 * object created in DriverEntry, then logs. No other cleanup happens here.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING link;

    RtlInitUnicodeString(&link, LINK_NAME);
    IoDeleteSymbolicLink(&link);                 /* drop the user-visible name first */
    IoDeleteDevice(pDriverObj->DeviceObject);    /* then the device itself */
    dprintf("[MyKiller] Unloaded\n");
}
/*
 * IRP_MJ_CREATE handler: every open of the device succeeds unconditionally.
 * Completes the IRP with STATUS_SUCCESS and zero bytes of information.
 */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PIO_STATUS_BLOCK ios = &pIrp->IoStatus;

    dprintf("[MyKiller] IRP_MJ_CREATE\n");
    ios->Status = STATUS_SUCCESS;
    ios->Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/*
 * IRP_MJ_CLOSE handler: mirror of DispatchCreate; nothing is released per
 * handle. Completes the IRP with STATUS_SUCCESS and zero bytes of information.
 */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PIO_STATUS_BLOCK ios = &pIrp->IoStatus;

    dprintf("[MyKiller] IRP_MJ_CLOSE\n");
    ios->Status = STATUS_SUCCESS;
    ios->Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack;
ULONG uIoControlCode;
PVOID pIoBuffer;
ULONG uInSize;
ULONG uOutSize;
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch(uIoControlCode)
{
case IOCTL_NtBase:
{
__try
{
memcpy(&NtdllBase,pIoBuffer,sizeof(NtdllBase));
DbgPrint("NTDLL BASE: 0x%x",NtdllBase); //Get Base Of NTDLL From Ring 3
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_Killer:
{
__try
{
memcpy(&processID,pIoBuffer,sizeof(processID));
status=PsLookupProcessByProcessId(processID,&eProcess);
if(NT_SUCCESS(status))
{
status=TerminateProcess(eProcess);
if(NT_SUCCESS(status))
{
dprintf("TerminateProcess Ok!\n");
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_ZwKill:
{
__try
{
memcpy(&processID,pIoBuffer,sizeof(processID));
status=PsLookupProcessByProcessId(processID,&eProcess);
if(NT_SUCCESS(status))
{
status=ZwKP(eProcess);
if(NT_SUCCESS(status))
{
dprintf("TerminateProcess Ok!\n");
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_NmKill:
{
__try
{
memcpy(&processID,pIoBuffer,sizeof(processID));
myPID = (PHANDLE)(PULONG)processID; //类型转换: ULONG->HANDLE
myHproc=Ring0OpenProcess(myPID);
ZwTerminateProcess ((HANDLE)myHproc,0); //Ring0OpenProcess返回的值是long型的,ZwTerminateProcess传入的值是HANDLE型的
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_AtKill:
{
__try
{
memcpy(&processID,pIoBuffer,sizeof(processID));
PsLookupProcessByProcessId(processID,&eProcess);
NormalTerminateProcess(eProcess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_MmKill:
{
__try
{
memcpy(&processID,pIoBuffer,sizeof(processID));
PsLookupProcessByProcessId(processID,&eProcess);
BreakProcessMemory((ULONG)eProcess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_MdKill:
{
__try
{
memcpy(&processID,pIoBuffer,sizeof(processID));
PsLookupProcessByProcessId(processID,&eProcess);
MmUnmapViewOfSection(eProcess,NtdllBase); //ntdll base address of xp:0x7c920000
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_ApcKtd:
{
__try
{
memcpy(&threadID,pIoBuffer,sizeof(threadID));
if NT_SUCCESS( PsLookupThreadByThreadId(threadID,&eThread) )
{ForceTerminateThread(eThread);}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_ApcKps:
{
__try
{
memcpy(&processID,pIoBuffer,sizeof(processID));
PsLookupProcessByProcessId(processID,&eProcess);
ForceTerminateProcess(eProcess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_OffSet:
{
__try
{
memcpy(&EToffSET,pIoBuffer,sizeof(EToffSET));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
//OVER
}
if(status == STATUS_SUCCESS)
pIrp->IoStatus.Information = uOutSize;
else
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status; |