驱动级结束进程

sna1 · 发表于 2018-1-26 19:49:45

本帖最后由 sna1 于 2018-1-26 19:52 编辑

emmmm,开始打算发到别的区,发现Python/VC/VB/汇编区只有求助贴,就发到了这里

可以结束一些任务管理器无法结束的进程比如火绒的 HipsDaemon.exe

可以看到这里已经结束掉了

.sys文件已签名,是一个吊销签名,如不可以吧把计算机时间改到2013-05-20到2014-05-20之间即可

驱动是x64的

下面是demo的代码

#include <stdio.h>
#include <Windows.h>
#include "ScmDrvCtrl.h"
#pragma comment(lib,"user32.lib")
void GetAppPath(char *szCurFile) //最后带斜杠
{
GetModuleFileNameA(0,szCurFile,MAX_PATH);
for(SIZE_T i=strlen(szCurFile)-1;i>=0;i--)
{
if(szCurFile[i]=='\\')
{
szCurFile[i+1]='\0';
break;
}
}
}
int main()
{
BOOL b;
cDrvCtrl dc;
char szSysFile[MAX_PATH]={0};
char szSvcLnkName[]="KillPid";;
GetAppPath(szSysFile);
strcat(szSysFile,"KillPid.sys");
//安装并启动驱动
printf("加载驱动\n");
b=dc.Install(szSysFile,szSvcLnkName,szSvcLnkName);
b=dc.Start();
if (b == 1)
printf("加载驱动成功\n");
else
printf("加载驱动失败\n");
//“打开”驱动的符号链接
dc.Open("\\\\.\\KillPid");
DWORD x,y;
printf("输入进程pid:");
scanf_s("%lu",&x);
dc.IoControl(0x802, &x, sizeof(x), &y, sizeof(y),0);
printf("Pid:%d已结束\n",y);
//关闭符号链接句柄
printf("完成,关闭符号链接句柄\n");
CloseHandle(dc.m_hDriver);
//停止并卸载驱动
printf("卸载驱动\n");
b=dc.Stop();
b=dc.Remove();
if (b == 1)
printf("卸载驱动成功\n");
else
printf("卸载驱动失败\n");
system("pause");
return 0;
}

复制代码

以及类

/*============================
Drvier Control Class (SCM way)
============================*/
#pragma comment(lib,"advapi32.lib")
class cDrvCtrl
{
public:
cDrvCtrl()
{
m_pSysPath = NULL;
m_pServiceName = NULL;
m_pDisplayName = NULL;
m_hSCManager = NULL;
m_hService = NULL;
m_hDriver = INVALID_HANDLE_VALUE;
}
~cDrvCtrl()
{
CloseServiceHandle(m_hService);
CloseServiceHandle(m_hSCManager);
CloseHandle(m_hDriver);
}
public:
DWORD m_dwLastError;
PCHAR m_pSysPath;
PCHAR m_pServiceName;
PCHAR m_pDisplayName;
HANDLE m_hDriver;
SC_HANDLE m_hSCManager;
SC_HANDLE m_hService;
public:
BOOL Install(PCHAR pSysPath,PCHAR pServiceName,PCHAR pDisplayName);
BOOL Start();
BOOL Stop();
BOOL Remove();
BOOL Open(PCHAR pLinkName);
BOOL IoControl(DWORD dwIoCode, PVOID InBuff, DWORD InBuffLen, PVOID OutBuff, DWORD OutBuffLen, DWORD *RealRetBytes);
private:
BOOL GetSvcHandle(PCHAR pServiceName);
DWORD CTL_CODE_GEN(DWORD lngFunction);
protected:
//null
};
BOOL cDrvCtrl::GetSvcHandle(PCHAR pServiceName)
{
m_pServiceName = pServiceName;
m_hSCManager = OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (NULL == m_hSCManager)
{
m_dwLastError = GetLastError();
return FALSE;
}
m_hService = OpenServiceA(m_hSCManager,m_pServiceName,SERVICE_ALL_ACCESS);
if (NULL == m_hService)
{
CloseServiceHandle(m_hSCManager);
return FALSE;
}
else
{
return TRUE;
}
}
BOOL cDrvCtrl::Install(PCHAR pSysPath,PCHAR pServiceName,PCHAR pDisplayName)
{
m_pSysPath = pSysPath;
m_pServiceName = pServiceName;
m_pDisplayName = pDisplayName;
m_hSCManager = OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (NULL == m_hSCManager)
{
m_dwLastError = GetLastError();
return FALSE;
}
m_hService = CreateServiceA(m_hSCManager,m_pServiceName,m_pDisplayName,
SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,
m_pSysPath,NULL,NULL,NULL,NULL,NULL);
if (NULL == m_hService)
{
m_dwLastError = GetLastError();
if (ERROR_SERVICE_EXISTS == m_dwLastError)
{
m_hService = OpenServiceA(m_hSCManager,m_pServiceName,SERVICE_ALL_ACCESS);
if (NULL == m_hService)
{
CloseServiceHandle(m_hSCManager);
return FALSE;
}
}
else
{
CloseServiceHandle(m_hSCManager);
return FALSE;
}
}
return TRUE;
}
BOOL cDrvCtrl::Start()
{
if (!StartServiceA(m_hService,NULL,NULL))
{
m_dwLastError = GetLastError();
return FALSE;
}
return TRUE;
}
BOOL cDrvCtrl::Stop()
{
SERVICE_STATUS ss;
GetSvcHandle(m_pServiceName);
if (!ControlService(m_hService,SERVICE_CONTROL_STOP,&ss))
{
m_dwLastError = GetLastError();
return FALSE;
}
return TRUE;
}
BOOL cDrvCtrl::Remove()
{
GetSvcHandle(m_pServiceName);
if (!DeleteService(m_hService))
{
m_dwLastError = GetLastError();
return FALSE;
}
return TRUE;
}
BOOL cDrvCtrl::Open(PCHAR pLinkName)//example: \\\\.\\xxoo
{
if (m_hDriver != INVALID_HANDLE_VALUE)
return TRUE;
m_hDriver = CreateFileA(pLinkName, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if(m_hDriver != INVALID_HANDLE_VALUE)
return TRUE;
else
return FALSE;
}
BOOL cDrvCtrl::IoControl(DWORD dwIoCode, PVOID InBuff, DWORD InBuffLen, PVOID OutBuff, DWORD OutBuffLen, DWORD *RealRetBytes)
{
DWORD dw;
BOOL b=DeviceIoControl(m_hDriver,CTL_CODE_GEN(dwIoCode),InBuff,InBuffLen,OutBuff,OutBuffLen,&dw,NULL);
if(RealRetBytes)
*RealRetBytes=dw;
return b;
}
DWORD cDrvCtrl::CTL_CODE_GEN(DWORD lngFunction)
{
return (FILE_DEVICE_UNKNOWN * 65536) | (FILE_ANY_ACCESS * 16384) | (lngFunction * 4) | METHOD_BUFFERED;
}

复制代码

驱动部分的核心代码(结束进程)

void ZwKillProcess(int pid)
{
HANDLE hProcess = NULL;
CLIENT_ID ClientId;
OBJECT_ATTRIBUTES oa;
//填充 CID
ClientId.UniqueProcess = (HANDLE)pid;
ClientId.UniqueThread = 0;
//填充 OA
oa.Length = sizeof(oa);
oa.RootDirectory = 0;
oa.ObjectName = 0;
oa.Attributes = 0;
oa.SecurityDescriptor = 0;
oa.SecurityQualityOfService = 0;
//打开进程，如果句柄有效，则结束进程
ZwOpenProcess(&hProcess, 1, &oa, &ClientId);
if (hProcess)
{
ZwTerminateProcess(hProcess, 0);
ZwClose(hProcess);
};
}

复制代码

可能写的有些乱,不喜勿喷,可以x掉;

下面是源代码以及成品

Demo.zip (87.27 KB, 下载次数: 192)

exe 源码

Demo.zip (87.27 KB, 下载次数: 146)

驱动源码

Driver.zip (2.14 KB, 下载次数: 137)

yangjz · 发表于 2023-11-25 00:37:06

的娃啊娃娃法国

glr9107 · 发表于 2023-10-26 18:06:01

感谢分享

淑女不说艹 · 发表于 2022-12-4 02:54:05

支持啊好东西

2027 · 发表于 2022-4-23 00:29:34

支持一下

Dream丿夏天 · 发表于 2022-3-26 23:41:05

感谢分享，很给力

Suky · 发表于 2021-12-7 06:42:51

所以说这到底是不是安全可用的？好像是就发这么一个帖人就没了?

我是床奇 · 发表于 2021-12-7 06:08:56

蓝屏666666

撒加 · 发表于 2021-5-22 15:02:10

我擦电脑冒烟了

w8610128 · 发表于 2021-5-22 14:58:16

66666666666666666666666666666666666666

liuduan123 · 发表于 2019-7-5 11:54:49

66666666666666666666666666666666666666

		自动登录	找回密码
密码			注册

[易源码分享] 驱动级结束进程

点评