传说中的会话管理服务器进程,它是windows操作系统启动时引导的最重要的系统进程,它负责启动csrss.exe和winlogon.exe进程,并对它们进行监控,如果发现其中一个挂掉,它马上叫你当机,所以要想结束csrss.exe/winlogon.exe,先结束Smss.exe,源码前一目了然(摘自windows nt 4.0代码)
// 1. Module info: variable definitions; raise the current process's base priority (to 11).
//
// Overview of this fragment (the enclosing function's signature and closing brace are
// not part of the listing): it raises the session manager's own base priority, runs
// SmpInit and the initial command inside an SEH try block, blocks until either of the
// two child processes it holds handles for exits, and then raises a system-wide hard
// error with OptionShutdownSystem before terminating itself. Every path through the
// fragment ends at that hard error, so the exit of either watched process is escalated
// to a system shutdown by design - this is the behaviour the note above describes.
NTSTATUS Status;
KPRIORITY SetBasePriority;
UNICODE_STRING InitialCommand, DebugInitialCommand, UnicodeParameter;
HANDLE ProcessHandles[ 2 ];              // [0] filled by SmpInit, [1] by SmpExecuteInitialCommand
ULONG Parameters[ 4 ];                   // only [0] (message string) and [1] (status) are used below
ULONG Response;
PROCESS_BASIC_INFORMATION ProcessInfo;
BOOLEAN WasEnabled;

SetBasePriority = FOREGROUND_BASE_PRIORITY+2;   // #define FOREGROUND_BASE_PRIORITY 9, so the result is 11
Status = NtSetInformationProcess( NtCurrentProcess(),
                                  ProcessBasePriority,
                                  (PVOID) &SetBasePriority,
                                  sizeof( SetBasePriority )
                                );
ASSERT(NT_SUCCESS(Status));

// DebugParameter is presumably an argument of the enclosing function (not shown here);
// when present it becomes the global debug setting.
if (ARGUMENT_PRESENT( DebugParameter )) {
    SmpDebug = DebugParameter;
}

// 2. Module info: obtain handles to the csrss.exe and winlogon.exe processes and watch them.
try {
    Status = SmpInit( &InitialCommand, &ProcessHandles[ 0 ] );   // returns the csrss.exe process handle (per the original note)
    if (!NT_SUCCESS( Status )) {
        // Initialization failed: record the failing status; the hard error at the end reports it.
        KdPrint(( "SMSS: SmpInit return failure - Status == %x/n" ));
        RtlInitUnicodeString( &UnicodeParameter, L"Session Manager Initialization" );
        Parameters[ 1 ] = (ULONG)Status;
    } else {
        SYSTEM_FLAGS_INFORMATION FlagInfo;

        // The global flags decide whether the initial command is started under ntsd.
        NtQuerySystemInformation( SystemFlagsInformation, &FlagInfo, sizeof( FlagInfo ), NULL );
        if (FlagInfo.Flags & (FLG_DEBUG_INITIAL_COMMAND | FLG_DEBUG_INITIAL_COMMAND_EX) ) {
            // Build "ntsd [-p -1] -d [-g -x ] <InitialCommand>" in a fresh heap buffer;
            // the extra 64 bytes are room for the debugger prefix.
            DebugInitialCommand.MaximumLength = InitialCommand.Length + 64;
            DebugInitialCommand.Length = 0;
            DebugInitialCommand.Buffer = RtlAllocateHeap( RtlProcessHeap(),
                                                          MAKE_TAG( INIT_TAG ),
                                                          DebugInitialCommand.MaximumLength
                                                        );
            // NOTE(review): the RtlAllocateHeap result is not checked for NULL before the
            // appends below; an allocation failure would presumably fault inside the
            // append and land in the except filter of this block rather than be reported.
            if (FlagInfo.Flags & FLG_ENABLE_CSRDEBUG) {
                RtlAppendUnicodeToString( &DebugInitialCommand, L"ntsd -p -1 -d " );
            } else {
                RtlAppendUnicodeToString( &DebugInitialCommand, L"ntsd -d " );
            }
            if (FlagInfo.Flags & FLG_DEBUG_INITIAL_COMMAND_EX ) {
                RtlAppendUnicodeToString( &DebugInitialCommand, L"-g -x " );
            }
            RtlAppendUnicodeStringToString( &DebugInitialCommand, &InitialCommand );
            InitialCommand = DebugInitialCommand;
        }

        Status = SmpExecuteInitialCommand( &InitialCommand, &ProcessHandles[ 1 ] );   // returns the winlogon process handle (per the original note)
        if (NT_SUCCESS( Status )) {
            // Block until EITHER watched process exits (WaitAny, no timeout).
            Status = NtWaitForMultipleObjects( 2, ProcessHandles, WaitAny, FALSE, NULL );
        }

        // STATUS_WAIT_0 / STATUS_WAIT_1 give the index of the handle that became signalled,
        // i.e. which of the two processes died.
        if (Status == STATUS_WAIT_0) {
            RtlInitUnicodeString( &UnicodeParameter, L"Windows SubSystem" );
            Status = NtQueryInformationProcess( ProcessHandles[ 0 ],
                                                ProcessBasicInformation,
                                                &ProcessInfo,
                                                sizeof( ProcessInfo ),
                                                NULL
                                              );
            KdPrint(( "SMSS: Windows subsystem terminated when it wasn't supposed to./n" ));
        } else {
            RtlInitUnicodeString( &UnicodeParameter, L"Windows Logon Process" );
            if (Status == STATUS_WAIT_1) {
                Status = NtQueryInformationProcess( ProcessHandles[ 1 ],
                                                    ProcessBasicInformation,
                                                    &ProcessInfo,
                                                    sizeof( ProcessInfo ),
                                                    NULL
                                                  );
            } else {
                // Neither handle was signalled (the execute or the wait itself failed):
                // report that status as the "exit status" instead.
                ProcessInfo.ExitStatus = Status;
                Status = STATUS_SUCCESS;
            }
            KdPrint(( "SMSS: Initial command '%wZ' terminated when it wasn't supposed to./n", &InitialCommand ));
        }

        if (NT_SUCCESS( Status )) {
            Parameters[ 1 ] = (ULONG)ProcessInfo.ExitStatus;
        } else {
            Parameters[ 1 ] = (ULONG)STATUS_UNSUCCESSFUL;
        }
    }
} except( SmpUnhandledExceptionFilter( GetExceptionInformation() ) ) {
    // Any exception escaping the block above is also turned into the hard error below.
    RtlInitUnicodeString( &UnicodeParameter, L"Unhandled Exception in Session Manager" );
    Parameters[ 1 ] = (ULONG)GetExceptionCode();
}

// 3. Module info: the "crash" code. What it actually does is raise a system hard error
//    with the shutdown option; nothing after this point is meant to be reached.
Status = RtlAdjustPrivilege( SE_SHUTDOWN_PRIVILEGE, (BOOLEAN)TRUE, TRUE, &WasEnabled );   // enable the shutdown privilege (thread token first) so the hard error may shut the system down
if (Status == STATUS_NO_TOKEN) {
    // No thread token, use the process token
    Status = RtlAdjustPrivilege( SE_SHUTDOWN_PRIVILEGE, (BOOLEAN)TRUE, FALSE, &WasEnabled );
}

// Parameter 0 is the message string (the mask value 1 marks it as a UNICODE_STRING),
// parameter 1 is the status gathered above; OptionShutdownSystem asks the kernel to
// shut the system down. The pointer is stored in a ULONG, which is fine for the
// 32-bit NT 4.0 build this listing comes from.
Parameters[ 0 ] = (ULONG)&UnicodeParameter;
Status = NtRaiseHardError( STATUS_SYSTEM_PROCESS_TERMINATED,
                           2,
                           1,
                           Parameters,
                           OptionShutdownSystem,
                           &Response
                         );   // the name says it all: raise a hard error
// If this returns, giveup
NtTerminateProcess( NtCurrentProcess(), Status );
Smss.exe进程分析