//==================================== Kill a process by overwriting its memory =====================================
// Kernel-mode (Windows driver) routine: attaches to a target process, overwrites its
// writable user-mode pages, then terminates it through a handle opened on the EPROCESS.
// Defensive note: this only works from kernel mode (Ring 0); it is the pattern of a
// forced process termination that the target cannot intercept, which is why a driver
// doing this should be treated as hostile to the process it targets.

// 4 function declarations (kernel exports; normally provided by the WDK headers)
void KeAttachProcess(PEPROCESS Process);   // NOTE(review): Microsoft documents KeStackAttachProcess as the preferred replacement — confirm against the WDK in use
void KeDetachProcess();                    // NOTE(review): K&R-style empty parameter list; `(void)` would be the prototype form

NTSTATUS ObOpenObjectByPointer(
    IN PVOID Object,
    IN ULONG HandleAttributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    OUT PHANDLE Handle
);

NTSTATUS ZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
);

// Overwrite the target process's user-mode virtual address space, then terminate it.
//
// @param eprocess  Address of the target EPROCESS, passed as a ULONG and cast to PEPROCESS.
//                  NOTE(review): ULONG is 32 bits, so this truncates the pointer on 64-bit
//                  builds — the code as written assumes a 32-bit kernel.
// @return void. On failure of ObOpenObjectByPointer the routine returns silently, leaving
//               the process attached-to earlier already detached but not terminated; the
//               return value of ZwTerminateProcess is not checked.
//
// Behaviour visible below: each writable page in [0, 0x7fffffff] is filled with 0xcc
// (despite the "zero" in the function name and the commented-out RtlZeroMemory call);
// the scan stops early at the first invalid page above 0x1000000.
void DestoryProcessWithZero(ULONG eprocess)
{
    ULONG virtualAddr;
    PVOID handle;

    KeAttachProcess((PEPROCESS)eprocess);   // attach to the process's virtual address space

    // Walk the user-mode range one page (0x1000) at a time.
    for(virtualAddr=0;virtualAddr<=0x7fffffff;virtualAddr+=0x1000)
    {
        // BSOD cause: whether user memory is writable must be verified; use ProbeForWrite.
        // NOTE(review): MmIsAddressValid is only a hint — the page can change state
        // afterwards — so the __try/__except around the write is what actually prevents a crash.
        if(MmIsAddressValid((PVOID)virtualAddr))
        {
            _try
            {
                // ProbeForWrite raises an exception if the page is not writable at this alignment.
                ProbeForWrite((PVOID)virtualAddr,0x1000,sizeof(ULONG));
                //RtlZeroMemory((PVOID)virtualAddr, 0x1000);
                memset((PVOID)virtualAddr,0xcc,0x1000);   // 0xcc rather than zero
            }
            _except(1)   // 1 == EXCEPTION_EXECUTE_HANDLER: swallow the fault and skip the page
            {
                continue;
            }
        }
        else
        {
            if(virtualAddr>0x1000000)   // filling this much is enough to corrupt the process's data
                break;
        }
    }

    KeDetachProcess();   // must pair with the KeAttachProcess above before any handle work

    // Open a handle on the EPROCESS from kernel mode. DesiredAccess is 0 and no object
    // type is supplied; the result is checked only for STATUS_SUCCESS.
    if(ObOpenObjectByPointer((PVOID)eprocess, 0, NULL, 0, NULL, KernelMode, &handle)!=STATUS_SUCCESS)
        return;

    ZwTerminateProcess((HANDLE)handle, STATUS_SUCCESS);   // NOTE(review): NTSTATUS result is discarded
    ZwClose((HANDLE)handle );
}