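This article comes from a blog; please credit the source when reposting: http://blog.csdn.net/whf727/archive/2011/01/30/6170124.aspx*/
/*
 * Acquire a per-process lock appropriate for the running kernel version.
 *
 * pEPROCESS: target process object, or NULL to resolve it from hPID.
 * hPID:      process id, consulted only when pEPROCESS is NULL.
 *
 * Returns FALSE when the PID lookup fails, TRUE otherwise. The original
 * fell off the end of the function without a return statement, which is
 * undefined behaviour for a BOOLEAN function whose result is tested.
 *
 * Reference counting: PsLookupProcessByProcessId hands back a referenced
 * object, so the reference is released here only when this function took
 * it. A caller-supplied pEPROCESS is left untouched; the original called
 * ObDereferenceObject unconditionally and so dropped a reference the
 * caller still owned.
 *
 * The version-specific branches below are empty on this page, so no lock
 * is actually acquired yet; they are kept as the dispatch skeleton.
 */
BOOLEAN AcquireProcessLock(PEPROCESS pEPROCESS, HANDLE hPID)
{
    NTSTATUS status;
    BOOLEAN lookedUp = FALSE;

    if (NULL == pEPROCESS) {
        status = PsLookupProcessByProcessId(hPID, &pEPROCESS);
        if (!NT_SUCCESS(status)) {
            return FALSE;
        }
        lookedUp = TRUE;
    }

    /* The original comment says "2000 needs special handling", but the
     * test matches version 4.0 (NT 4), not 5.0 (Windows 2000) -- confirm
     * which version was intended. Nothing is done on that path. */
    if (!(g_MajorVersion == 4 && g_MinorVersion == 0)) {
        /* Return value is discarded, so the resolved address is presumably
         * cached in a global by GetSystemFunctionAddr -- confirm. */
        GetSystemFunctionAddr(L"ExAcquireRundownProtection");

        switch (g_MajorVersion) {
        case 5:
            if (1 == g_MinorVersion) {
                /* 5.1: not implemented on this page */
            } else if (2 == g_MinorVersion) {
                /* 5.2: not implemented on this page */
            }
            break;
        case 6:
            if (1 == g_MinorVersion) {
                /* 6.1: not implemented on this page */
            } else if (2 == g_MinorVersion) {
                /* 6.2: not implemented on this page */
            }
            break;
        default:
            break;
        }
    }

    /* Release only the reference this function took. */
    if (lookedUp) {
        ObDereferenceObject(pEPROCESS);
    }
    /* Original trailing note, kept verbatim: pEPR xp 80 2003 90 98 b0 */
    return TRUE;
}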
// Used on Windows 2000: NtTerminateThread -> PspTerminateThreadByPointer
// Source blog post (credit when reposting): http://blog.csdn.net/galihoo/archive/2008/04/16/2298731.aspx
// Generic pointer-to-system-service type for entries of the service table.
typedef NTSTATUS (NTAPI * NTPROC) ();
typedef NTPROC * PNTPROC;
//#define NTPROC_ sizeof (NTPROC)
// NOTE(review): the table structures used below survive only as fragments on
// this page; their full member lists and the KeServiceDescriptorTable
// declaration must come from elsewhere in the project:
//typedef struct _SYSTEM_SERVICE_TABLE { PNTPROC ServiceTable; ...
//typedef struct _SERVICE_DESCRIPTOR_TABLE { SYSTEM_SERVICE_TABLE ntoskrnl; ...
//extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
// Selects the ntoskrnl service-table entry whose index is the 32-bit value
// stored at byte offset 1 of _function's code (presumably the imm32 of a
// "mov eax, <index>" stub -- the macro does not verify this). 32-bit layout
// only, and there is no range check against the table size.
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable->ntoskrnl.ServiceTable[*(PULONG)((PUCHAR)_function+1)]
/*
 * Locate the unexported PsLockProcess / PsUnLockProcess routines on
 * Windows 2000 by byte-pattern scanning the code of one system service.
 *
 * Returns TRUE and sets the globals PsLockProcess and PsUnLockProcess when
 * both patterns match; FALSE otherwise. On FALSE the globals may be
 * partially written: PsLockProcess is assigned before the second scan
 * begins.
 *
 * Review notes (code left as found):
 *  - Entirely build-specific. The service-table index 0x12 and every byte
 *    pattern below belong to one kernel build; on any other build the scan
 *    either fails or resolves a wrong address, which callers presumably use
 *    as a function pointer (not shown on this page). Failing closed is the
 *    best case.
 *  - *(pAddr-6) on the first iterations reads bytes before the service's
 *    entry point, i.e. outside the routine being scanned; the forward
 *    reads are bounded only by the iteration counts, not by any knowledge
 *    of the mapped region.
 *  - The three nested loops share the counter iLen. Because each inner
 *    loop is followed by an unconditional `return FALSE;`, the outer loop
 *    never resumes, so only the first candidate match is ever examined.
 *    The `break;` after each `return FALSE;` is unreachable.
 *  - DWORD-based pointer arithmetic truncates pointers on 64-bit; this is
 *    32-bit-only code.
 *  - PsTerminateSystemThreadAddr and NtTerminateThreadAddr are unused (the
 *    latter appears only in the disabled first attempt).
 */
BOOLEAN GetLockProcessAddr()
{
    char * PsTerminateSystemThreadAddr;
    int iLen;
    DWORD dwAddr;
    //pAddr;
    PNTPROC ServiceTable;
    DWORD NtTerminateThreadAddr;
    char * pAddr;
    ULONG NtAssignProcessToJobObjectAddr;

    ServiceTable = KeServiceDescriptorTable->ntoskrnl.ServiceTable;

    /**//* First attempt (disabled): scan NtTerminateThread instead.
    NtTerminateThreadAddr = *((PULONG)ServiceTable + NTTERMINATETHREAD_OFFSET_2K);
    pAddr = (char *)NtTerminateThreadAddr;
    for (iLen = 0;iLen<0xff;iLen++)
    {
        // didn't expect Windows to use hard-coded addressing here..
        if (*pAddr == (char)0x2c
            &&*(pAddr+1) == (char)0x02
            &&*(pAddr+2) == (char)0x00
            &&*(pAddr+3) == (char)0x00
            )
        {
            pAddr += 5;
            dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
            DbgPrint("PsLockProcess :: 0x%x ",dwAddr);
            PsLockProcess = dwAddr;
            for (iLen = 0;iLen<0xff;iLen++)
            {
                if (*pAddr == (char)0x2c
                    &&*(pAddr+1) == (char)0x02
                    &&*(pAddr+2) == (char)0x00
                    &&*(pAddr+3) == (char)0x00
                    )
                {
                    pAddr += 5;
                    dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
                    DbgPrint("PsUnLockProcess :: 0x%x ",dwAddr);
                    PsUnLockProcess = dwAddr;
                    return TRUE;
                    //return dwAddr;
                    //break;
                }
                pAddr++;
            }
            //return dwAddr;
            //break;
        }
        pAddr++;
    }
    */

    //DbgPrint("searching in NtAssignProcessToJobObject");
    // Not found in NtTerminateThread; search in NtAssignProcessToJobObject.
    // 0x12 is a hard-coded service index for one specific build.
    NtAssignProcessToJobObjectAddr = *((PULONG)ServiceTable + 0x12);
    pAddr = (char *)NtAssignProcessToJobObjectAddr;
    for (iLen = 0;iLen<0xff;iLen++)
    {
        // Locator marker. Note the *(pAddr-6) read: on the first six
        // iterations it reads bytes before the service entry point.
        if (*pAddr == (char)0xcc
            &&*(pAddr+1) == (char)0x00
            &&*(pAddr+2) == (char)0x00
            &&*(pAddr+3) == (char)0x00
            &&*(pAddr-6) == (char)0xe4
            )
        {
            // Locator marker found. This loop reuses iLen, clobbering the
            // outer counter; the outer loop never resumes anyway because of
            // the unconditional return FALSE below.
            for (iLen = 0;iLen<0x30;iLen++)
            {
                // Emits two 0x90 (x86 NOP) bytes into this function's own
                // code per iteration; no effect on the scan -- presumably a
                // landmark for the author's debugging, confirm.
                __asm { __emit 0x90; __emit 0x90; }
                //
                if (*pAddr == (char)0xff
                    &&*(pAddr+1) == (char)0x75
                    &&*(pAddr+2) == (char)0xf4
                    //&&*(pAddr+3) == (char)0x00
                    )
                {
                    // Skips 5 bytes (3 matched, 2 never checked) and treats
                    // the next DWORD as a 32-bit relative displacement:
                    // target = disp32 + address of the byte after the disp32.
                    pAddr += 5;
                    dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
                    //DbgPrint("PsLockProcess :: 0x%x ",dwAddr);
                    // Global written before the second pattern is confirmed.
                    // Its declaration is not on this page; if it is a
                    // function pointer this assignment needs a cast.
                    PsLockProcess = dwAddr;
                    for (iLen = 0;iLen<0xff;iLen++)
                    {
                        if (*pAddr == (char)0xff
                            &&*(pAddr+1) == (char)0x75
                            &&*(pAddr+2) == (char)0xfc
                            //&&*(pAddr+3) == (char)0x00
                            )
                        {
                            // Skips 4 bytes here (3 matched, 1 unchecked);
                            // same displacement resolution as above.
                            pAddr += 4;
                            dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
                            //DbgPrint("PsUnLockProcess :: 0x%x ",dwAddr);
                            PsUnLockProcess = dwAddr;
                            return TRUE;
                            //return dwAddr;
                            //break;
                        }
                        pAddr++;
                    }
                    // Second pattern not found within 0xff bytes; give up
                    // rather than continue the enclosing scans.
                    return FALSE;
                    break; // unreachable
                }
                pAddr++;
            }
            // First pattern not found within 0x30 bytes of the marker.
            return FALSE;
            break; // unreachable
        }
        pAddr++;
    }
    // Locator marker not found within 0xff bytes of the service entry.
    return FALSE;
}