这段代码真神了,
当我还在考虑,进程创建回调里面怎么结束进程更方便的时候,
当我还在找oep、写ret的时候,
当我还在阻止进程创建的时候,
这份神代码给了一个极其简单的方法,
直接OpenProcess,然后Terminate就好了,
根本不用什么ret oep的,没有,
什么逢冲以合为应期,什么相合以冲定应期,根本没有,不需要,
直接应期就出来了
(别看它没有释放那个句柄,导致进程泄露,但是这不是重点,重点是这个结束进程的方法)
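#include <ntddk.h>

/*
 * Process-creation notify routine, registered with PsSetCreateProcessNotifyRoutine.
 *
 * For every creation notification (bCreate == TRUE) the new process is opened by
 * PID and terminated with exit code 1. Exit notifications (bCreate == FALSE) are
 * ignored. Results are only reported through DbgPrint; nothing is returned.
 *
 * hParentId  - PID of the creating process (not used here).
 * hProcessId - PID of the process being created or destroyed.
 * bCreate    - TRUE for a creation notification, FALSE for an exit notification.
 *
 * NOTE(review): because no policy is applied, this terminates every process the
 * system starts after the driver loads, services and system components included,
 * so the machine rapidly becomes unusable. A real monitor decides per process
 * before calling ZwTerminateProcess.
 */
VOID ProcessMonitorCallback(
    IN HANDLE hParentId,
    IN HANDLE hProcessId,
    IN BOOLEAN bCreate)
{
    NTSTATUS status;
    HANDLE procHandle = NULL;
    CLIENT_ID ClientId;
    OBJECT_ATTRIBUTES Obja;
    /* HANDLE is pointer-sized; narrow it explicitly so the format specifier matches. */
    ULONG pid = (ULONG)(ULONG_PTR)hProcessId;

    UNREFERENCED_PARAMETER(hParentId);

    /* Only creations are acted on; there is nothing to do when a process exits. */
    if (!bCreate) {
        return;
    }

    /* OBJ_KERNEL_HANDLE keeps the handle in the kernel handle table, so it cannot be
     * reached, or leaked into, user-mode code running in the current process. */
    InitializeObjectAttributes(&Obja, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    ClientId.UniqueProcess = hProcessId;
    ClientId.UniqueThread = 0;

    /* Least privilege: PROCESS_TERMINATE is all ZwTerminateProcess requires. */
    status = ZwOpenProcess(&procHandle, PROCESS_TERMINATE, &Obja, &ClientId);
    if (status == STATUS_INVALID_PARAMETER_MIX) {
        DbgPrint("STATUS_INVALID_PARAMETER_MIX ");
    } else if (status == STATUS_INVALID_CID) {
        DbgPrint("STATUS_INVALID_CID ");
    } else if (status == STATUS_INVALID_PARAMETER) {
        DbgPrint("STATUS_INVALID_PARAMETER ");
    } else if (status == STATUS_ACCESS_DENIED) {
        DbgPrint("STATUS_ACCESS_DENIED ");
    } else if (NT_SUCCESS(status)) {
        DbgPrint("STATUS_SUCCESS ");
    } else {
        /* Any other failure used to be reported as success; print the raw code instead. */
        DbgPrint("ZwOpenProcess failed with status 0x%08lX ", (unsigned long)status);
    }

    if (!NT_SUCCESS(status) || procHandle == NULL) {
        DbgPrint("failed to ZwOpenProcess... ");
        return;
    }

    status = ZwTerminateProcess(procHandle, 1);

    /* The handle is no longer needed once termination has been requested; not
     * closing it leaked one process handle per created process. */
    ZwClose(procHandle);
    procHandle = NULL;

    /* Report whether the termination request was accepted. */
    switch (status) {
    case STATUS_SUCCESS:
        DbgPrint("process %lu has beed killed ... ", pid);
        break;
    case STATUS_OBJECT_TYPE_MISMATCH:
        DbgPrint("failed to kill %lu process,The specified handle is not a process handle. ", pid);
        break;
    case STATUS_INVALID_HANDLE:
        DbgPrint("failed to kill %lu process,The specified handle is not valid. ", pid);
        break;
    case STATUS_ACCESS_DENIED:
        DbgPrint("failed to kill %lu process,The driver cannot access the specified process object. ", pid);
        break;
    case STATUS_PROCESS_IS_TERMINATING:
        DbgPrint("failed to kill %lu process,The specified process is already terminating. ", pid);
        break;
    default:
        break;
    }
}

/*
 * Driver unload routine: removes the process-creation callback so the kernel
 * stops calling into this image before it is unmapped.
 *
 * pDriveObj - the driver object being unloaded (not used here).
 */
void DriverUnload(PDRIVER_OBJECT pDriveObj)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pDriveObj);

    /* TRUE == remove the previously registered routine. */
    status = PsSetCreateProcessNotifyRoutine(ProcessMonitorCallback, TRUE);
    if (!NT_SUCCESS(status)) {
        /* The callback would remain registered after unload; surface it in the log. */
        DbgPrint("failed to remove process notify routine, status 0x%08lX ", (unsigned long)status);
    }
    DbgPrint("driver unloaded ... ");
}

/*
 * Driver entry point: installs the unload handler and registers the
 * process-creation callback.
 *
 * pDriverObj      - this driver's object.
 * pRegisterString - registry path for the driver's service key (not used here).
 *
 * Returns the status of PsSetCreateProcessNotifyRoutine; a failure status makes
 * the driver load fail.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegisterString)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pRegisterString);

    /* Must be set before registering the callback so unload can always undo it. */
    pDriverObj->DriverUnload = DriverUnload;

    /* FALSE == add the routine. */
    status = PsSetCreateProcessNotifyRoutine(ProcessMonitorCallback, FALSE);
    return status;
}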