本文来自优快云博客,转载请标明出处:http://blog.youkuaiyun.com/whf727/archive/2011/01/30/6170124.aspx
*/
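/*
 * AcquireProcessLock - reference the target process and run the
 * OS-version dispatch that is meant to pick the process-lock routine.
 *
 * pEPROCESS: process object supplied by the caller, or NULL to resolve it
 *            from hPID via PsLookupProcessByProcessId.
 * hPID:      process id; only consulted when pEPROCESS is NULL.
 *
 * Returns FALSE when the PID lookup fails, TRUE otherwise.
 *
 * Review notes:
 *  - No lock is actually taken here: every per-version branch of the
 *    original dispatch (major 5/6, minor 1/2) was empty, and the value
 *    returned by GetSystemFunctionAddr() is discarded.  The call is kept
 *    in case it caches the address somewhere not visible in this file --
 *    confirm against its definition.
 *  - The original comment said Windows 2000 needs special handling, but
 *    the condition below tests major 4 / minor 0 (NT 4.0); Windows 2000
 *    reports 5.0.  Confirm which version was intended.
 *  - A caller-supplied pEPROCESS is no longer dereferenced.  The original
 *    called ObDereferenceObject unconditionally, which dropped a reference
 *    this routine never took whenever pEPROCESS was non-NULL and could
 *    destroy the object under the caller.  Callers that passed their own
 *    referenced object keep ownership of that reference.
 */
BOOLEAN AcquireProcessLock(PEPROCESS pEPROCESS, HANDLE hPID)
{
    BOOLEAN referencedHere = FALSE;

    if (NULL == pEPROCESS) {
        NTSTATUS status = PsLookupProcessByProcessId(hPID, &pEPROCESS);
        if (!NT_SUCCESS(status)) {
            return FALSE;
        }
        /* PsLookupProcessByProcessId hands back a referenced object; this
         * routine now owns that reference and must release it on exit. */
        referencedHere = TRUE;
    }

    /* NT 4.0 is skipped entirely (the original left this branch empty). */
    if (!(g_MajorVersion == 4 && g_MinorVersion == 0)) {
        GetSystemFunctionAddr(L"ExAcquireRundownProtection");
        /* The per-version switch that followed had only empty bodies, so
         * there is nothing version-specific to do here (yet). */
    }

    /* Release only the reference taken in this routine. */
    if (referencedHere) {
        ObDereferenceObject(pEPROCESS);
    }
    /* Author's note, meaning unverified: "pEPR xp 80 2003 90 98 b0"
     * (presumably per-version EPROCESS field offsets). */

    return TRUE;
}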
//2K 下使用 ,NtTerminateThread -> PspTerminateThreadByPointer
//本文来自优快云博客,转载请标明出处:http://blog.youkuaiyun.com/galihoo/archive/2008/04/16/2298731.aspx
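/* Generic native-API entry point: an unprototyped NTAPI function returning NTSTATUS. */
typedef NTSTATUS (NTAPI * NTPROC) ();
/* Pointer to an array of NTPROC entries, i.e. a service table. */
typedef NTPROC * PNTPROC;
/*
 * Layout that SYSTEMSERVICE() relies on (the author's sketch, kept as
 * documentation -- none of it is declared in this file, so it must come
 * from a header that is not visible here):
 *   struct _SYSTEM_SERVICE_TABLE     { PNTPROC ServiceTable; ... };
 *   struct _SERVICE_DESCRIPTOR_TABLE { SYSTEM_SERVICE_TABLE ntoskrnl; ... };
 *   extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
 */
/*
 * SYSTEMSERVICE(_function): the ntoskrnl service-table entry for a native
 * stub, found by reading the 32-bit value one byte past the stub's entry
 * (on the x86 stubs the author targeted that byte run is the service index
 * immediate).  The result is only meaningful when _function really is such
 * a stub; any other function pointer yields an arbitrary, unchecked index.
 * The argument is parenthesised so an expression argument binds correctly.
 */
#define SYSTEMSERVICE(_function) (KeServiceDescriptorTable->ntoskrnl.ServiceTable[*(PULONG)((PUCHAR)(_function) + 1)])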
/*
 * GetLockProcessAddr - locate the unexported PsLockProcess and
 * PsUnLockProcess routines by scanning the body of the service-table entry
 * at index 0x12 (NtAssignProcessToJobObject on the build the author used)
 * for fixed byte patterns, and store the resolved addresses in the globals
 * PsLockProcess and PsUnLockProcess.
 *
 * Returns TRUE when both addresses were found, FALSE otherwise.  On FALSE,
 * PsLockProcess may already have been overwritten (it is assigned before
 * the second pattern is searched for).
 *
 * Review notes:
 *  - Everything here is tied to one exact x86 kernel build: the service
 *    index 0x12, the byte signatures and the +5/+4 displacement arithmetic.
 *    On any other build the scan either fails or, worse, matches an
 *    unrelated byte run and stores a bogus address that is later called.
 *    Callers must check the return value and should validate the stored
 *    addresses (e.g. that they lie inside the kernel image) before use.
 *  - Addresses are held in DWORD/ULONG, so this is 32-bit only.
 *  - `*(pAddr-6)` is read while pAddr may still be within the first six
 *    bytes of the function, i.e. before the object being scanned begins.
 *  - The loop bounds (0xff / 0x30 bytes) are not checked against the real
 *    function length; the scan can run into whatever follows.
 *  - PsTerminateSystemThreadAddr, NtTerminateThreadAddr and the disabled
 *    first scan below are unused.
 *  - iLen is shared by all three nested loops; this is harmless only
 *    because every inner loop returns before the outer loop resumes.
 */
BOOLEAN GetLockProcessAddr()
{
    char * PsTerminateSystemThreadAddr;   /* unused */
    int iLen;                             /* loop counter, reused by every nested loop */
    DWORD dwAddr;                         /* absolute target resolved from a rel32 displacement */
    //pAddr;
    PNTPROC ServiceTable;                 /* ntoskrnl service table base */
    DWORD NtTerminateThreadAddr;          /* unused (see disabled scan below) */
    char * pAddr;                         /* scan cursor */
    ULONG NtAssignProcessToJobObjectAddr; /* service-table entry 0x12 on the targeted build */
    ServiceTable = KeServiceDescriptorTable->ntoskrnl.ServiceTable;
    /**//*
    First attempt, disabled: scan NtTerminateThread for the same two calls.
    NtTerminateThreadAddr = *((PULONG)ServiceTable + NTTERMINATETHREAD_OFFSET_2K);
    pAddr = (char *)NtTerminateThreadAddr;
    for (iLen = 0;iLen<0xff;iLen++)
    {
    // surprising that Windows addresses this with hard-coded bytes..
    if (*pAddr == (char)0x2c
    &&*(pAddr+1) == (char)0x02
    &&*(pAddr+2) == (char)0x00
    &&*(pAddr+3) == (char)0x00
    )
    {
    pAddr += 5;
    dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
    DbgPrint("PsLockProcess :: 0x%x ",dwAddr);
    PsLockProcess = dwAddr;
    for (iLen = 0;iLen<0xff;iLen++)
    {
    if (*pAddr == (char)0x2c
    &&*(pAddr+1) == (char)0x02
    &&*(pAddr+2) == (char)0x00
    &&*(pAddr+3) == (char)0x00
    )
    {
    pAddr += 5;
    dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
    DbgPrint("PsUnLockProcess :: 0x%x ",dwAddr);
    PsUnLockProcess = dwAddr;
    return TRUE;
    //return dwAddr;
    //break;
    }
    pAddr++;
    }
    //return dwAddr;
    //break;
    }
    pAddr++;
    }
    */
    //DbgPrint("searching in NtAssignProcessToJobObject");
    // Not found in NtTerminateThread,
    // so search NtAssignProcessToJobObject instead.
    NtAssignProcessToJobObjectAddr = *((PULONG)ServiceTable + 0x12);
    pAddr = (char *)NtAssignProcessToJobObjectAddr;
    /* Pass 1: walk up to 0xff bytes looking for the author's "locator
     * marker": cc 00 00 00 at the cursor with e4 six bytes earlier.
     * NOTE(review): for iLen < 6 the pAddr-6 read lands before the
     * function entry. */
    for (iLen = 0;iLen<0xff;iLen++)
    {
    // locator marker
    if (*pAddr == (char)0xcc
    &&*(pAddr+1) == (char)0x00
    &&*(pAddr+2) == (char)0x00
    &&*(pAddr+3) == (char)0x00
    &&*(pAddr-6) == (char)0xe4
    )
    {
    // marker found
    /* Pass 2: within the next 0x30 bytes find ff 75 f4 (the instruction
     * preceding the first call of interest on this build). */
    for (iLen = 0;iLen<0x30;iLen++)
    {
    /* Two NOP bytes emitted inline (MSVC-only syntax); no effect on the
     * scan -- presumably left as a landmark for a debugger. */
    __asm
    {
    __emit 0x90;
    __emit 0x90;
    }
    //
    if (*pAddr == (char)0xff
    &&*(pAddr+1) == (char)0x75
    &&*(pAddr+2) == (char)0xf4
    //&&*(pAddr+3) == (char)0x00
    )
    {
    /* Skip to the rel32 displacement; target = disp + address of the
     * byte after the displacement. */
    pAddr += 5;
    dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
    //DbgPrint("PsLockProcess :: 0x%x ",dwAddr);
    PsLockProcess = dwAddr;
    /* Pass 3: from here, within 0xff bytes, find ff 75 fc, which on this
     * build precedes the matching unlock call. */
    for (iLen = 0;iLen<0xff;iLen++)
    {
    if (*pAddr == (char)0xff
    &&*(pAddr+1) == (char)0x75
    &&*(pAddr+2) == (char)0xfc
    //&&*(pAddr+3) == (char)0x00
    )
    {
    /* Note the different skip (+4, not +5) for this pattern. */
    pAddr += 4;
    dwAddr = *(DWORD *)pAddr + (DWORD)pAddr +4;
    //DbgPrint("PsUnLockProcess :: 0x%x ",dwAddr);
    PsUnLockProcess = dwAddr;
    return TRUE;
    //return dwAddr;
    //break;
    }
    pAddr++;
    }
    /* Unlock pattern not found; PsLockProcess has already been written. */
    return FALSE;
    break; /* unreachable */
    }
    pAddr++;
    }
    /* Lock pattern not found within 0x30 bytes of the marker. */
    return FALSE;
    break; /* unreachable */
    }
    pAddr++;
    }
    /* Marker never seen: wrong build, or the scanned entry is not what was expected. */
    return FALSE;
}