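第十节 查杀进程

我们在编写木马和后门程序时,列出和查杀进程是非常重要的. 列出进程我们使用pslist函数:

/*
 * pslist - print the executable name and PID of every running process.
 *
 * Uses the Toolhelp32 snapshot API (needs <windows.h> and <tlhelp32.h>).
 * Output goes to stdout; failures are reported on stdout as well and the
 * function just returns, so callers get no status back.
 *
 * Assumes a non-UNICODE build: szExeFile is then a char[] and can be
 * printed with %s. The original used the char-based itoa()/printf(), so
 * this matches it -- confirm the project's character-set setting.
 */
void pslist(void)
{
    PROCESSENTRY32 pe32 = {0};
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    /* The documented failure value is INVALID_HANDLE_VALUE, i.e. (HANDLE)-1. */
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot() failed: %lu\n", GetLastError());
        return;
    }

    /* dwSize must be filled in before the first Process32First() call. */
    pe32.dwSize = sizeof pe32;

    printf("ProcessName         ProcessID\n");
    if (Process32First(hProcessSnap, &pe32)) {
        do {
            /*
             * Print the PID directly. The original converted it with
             * itoa() into a 5-byte buffer, which overflows for any PID of
             * five or more digits (a DWORD needs up to 11 bytes); the
             * converted string was never used, so the conversion is gone.
             */
            printf("%-20s%lu\n", pe32.szExeFile, pe32.th32ProcessID);
        } while (Process32Next(hProcessSnap, &pe32));
    } else {
        printf("Process32First() failed: %lu\n", GetLastError());
    }

    CloseHandle(hProcessSnap);
}

上边的代码列出了进程的PID,有了PID我们就可以使用PSKILL杀进程:

/* Defined below; killps() needs the prototype, since C99 has no implicit declarations. */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);

/*
 * killps - terminate the process whose process ID is `id`.
 *
 * Enables SeDebugPrivilege on the calling process's token so that processes
 * owned by other accounts can be opened, then calls TerminateProcess() with
 * exit code 1.
 *
 * Returns TRUE if TerminateProcess() succeeded, FALSE otherwise. Failures
 * are reported on stdout together with the Win32 error code.
 *
 * Notes:
 *  - Enabling SeDebugPrivilege only works if the privilege is present in
 *    the token, i.e. the caller runs as an (elevated) administrator or
 *    LocalSystem.
 *  - Protected processes cannot be opened with PROCESS_TERMINATE even when
 *    SeDebugPrivilege is held; OpenProcess() then fails with
 *    ERROR_ACCESS_DENIED.
 *  - Token-privilege changes and cross-process termination are high-signal
 *    events for endpoint monitoring.
 *  - As in the original, the privilege is left enabled in the token after
 *    the call. If a caller needs it disabled again, call
 *    SetPrivilege(hProcessToken, SE_DEBUG_NAME, FALSE) before the token is
 *    closed.
 *
 * The original used the MSVC-only SEH keywords try/leave/finally (presumably
 * through the excpt.h aliases for __try/__leave/__finally); this version uses
 * a plain goto cleanup so it builds with any C compiler that has the Windows
 * headers.
 */
BOOL killps(DWORD id)
{
    HANDLE hProcess = NULL;
    HANDLE hProcessToken = NULL;
    BOOL IsKilled = FALSE;

    /*
     * AdjustTokenPrivileges() only needs TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY;
     * TOKEN_ALL_ACCESS asked for far more than is used.
     */
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hProcessToken)) {
        printf("Open Current Process Token failed: %lu\n", GetLastError());
        goto cleanup;
    }

    if (!SetPrivilege(hProcessToken, SE_DEBUG_NAME, TRUE)) {
        goto cleanup;   /* SetPrivilege() has already printed the error */
    }
    printf("SetPrivilege ok!\n");

    /* PROCESS_TERMINATE is the only access right TerminateProcess() requires. */
    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, id);
    if (hProcess == NULL) {
        printf("Open Process %lu failed: %lu\n", id, GetLastError());
        goto cleanup;
    }

    if (!TerminateProcess(hProcess, 1)) {
        printf("TerminateProcess failed: %lu\n", GetLastError());
        goto cleanup;
    }
    IsKilled = TRUE;

cleanup:
    /* CloseHandle(NULL) fails and clobbers the last error, so keep the guards. */
    if (hProcessToken != NULL) {
        CloseHandle(hProcessToken);
    }
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    return IsKilled;
}

/*
 * SetPrivilege - enable or disable one privilege on an access token
 * (the original's comment: "raise privileges").
 *
 * hToken           token opened with at least TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
 * lpszPrivilege    privilege name, e.g. SE_DEBUG_NAME
 * bEnablePrivilege TRUE to enable the privilege, FALSE to disable it
 *
 * Returns TRUE only if the privilege was actually adjusted. Note that
 * AdjustTokenPrivileges() can return success even when it could not assign
 * the privilege (the token simply does not hold it); that case is reported
 * through GetLastError() == ERROR_NOT_ALL_ASSIGNED and is treated as a
 * failure here. Failures are reported on stdout.
 */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp = {0};
    LUID luid;

    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
        printf("LookupPrivilegeValue error: %lu\n", GetLastError());
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    /*
     * The original ignored the return value and looked only at GetLastError().
     * The documented contract is to check both: a FALSE return is a hard
     * failure; on TRUE, GetLastError() tells whether every privilege was
     * assigned (ERROR_SUCCESS) or not (ERROR_NOT_ALL_ASSIGNED).
     */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp,
                               (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) {
        printf("AdjustTokenPrivileges failed: %lu\n", GetLastError());
        return FALSE;
    }
    if (GetLastError() != ERROR_SUCCESS) {
        printf("AdjustTokenPrivileges failed: %lu\n", GetLastError());
        return FALSE;
    }
    return TRUE;
}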