【转】利用NtProtectVirtualMemory结束进程
标题:【原创】利用NtProtectVirtualMemory结束进程 作者:KiDebug 时间:2011-07-13, 09:37:08 链接:http://bbs.pediy.com/showthread.php?t=137067 原理很简单,用PROCESS_VM_OPERATION打开目标进程(没必要PROCESS_ALL_ACCESS),把目标进程的ntdll.dll设为不能访问。
/** 【作者:KiDebug】* 【空间:http://hi.baidu.com/KiDebug/】* VC 6.0编译出错请百度:“vc 6.0 unicode”*/#include <stdio.h>#include <Windows.h>#include <Psapi.h>#include <Tlhelp32.h> #pragma comment(lib,"Psapi.lib") typedef NTSTATUS(__stdcall *RtlAdjustPrivilege_)(ULONG Privilege,BOOLEAN Enable,BOOLEAN CurrentThread,PBOOLEAN Enabled);RtlAdjustPrivilege_ RtlAdjustPrivilege = NULL; typedef NTSTATUS(__stdcall *NtProtectVirtualMemory_)( __in HANDLE ProcessHandle, __inout PVOID *BaseAddress, __inout PSIZE_T RegionSize, __in ULONG NewProtectWin32, __out PULONG OldProtect );NtProtectVirtualMemory_ NtProtectVirtualMemory = NULL; ULONG GetPID(WCHAR* proc){ BOOL working = 0; PROCESSENTRY32 lppe = { 0 }; ULONG targetPid = 0; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapshot) { lppe.dwSize = sizeof(lppe); working = Process32First(hSnapshot, &lppe); while (working) { if (_wcsicmp(lppe.szExeFile, proc) == 0) { targetPid = lppe.th32ProcessID; break; } working = Process32Next(hSnapshot, &lppe); } } CloseHandle(hSnapshot); return targetPid;} void main(){ HMODULE ntdll; MODULEINFO ModuleInfo; ntdll = GetModuleHandle(L"ntdll.dll"); if (!GetModuleInformation((HANDLE)-1, ntdll, &ModuleInfo, sizeof(MODULEINFO))) { return; } BOOLEAN Enabled; RtlAdjustPrivilege = (RtlAdjustPrivilege_)GetProcAddress(ntdll, "RtlAdjustPrivilege"); if (RtlAdjustPrivilege == NULL) { return; } RtlAdjustPrivilege(20, TRUE, FALSE, &Enabled); HANDLE hProc = OpenProcess(PROCESS_VM_OPERATION, FALSE, GetPID(L"services.exe")); if (hProc == NULL) { return; } NtProtectVirtualMemory = (NtProtectVirtualMemory_)GetProcAddress(ntdll, "NtProtectVirtualMemory"); if (NtProtectVirtualMemory == NULL) { return; } ULONG OldProtect; NtProtectVirtualMemory(hProc, &ModuleInfo.lpBaseOfDll, &ModuleInfo.SizeOfImage, PAGE_NOACCESS, &OldProtect);}