网上有很多关于ring3下清零结束进程的c代码,不完整,所以用Delphi重写,提供给喜欢Delphi的朋友。
unit Clear0;
interface
uses
windows,SysUtils,TLHelp32;
const
STATUS_SUCCESS = $00000000;
STATUS_ACCESS_VIOLATION = $C0000005;
STATUS_UNSUCCESSFUL = $C0000001;
SystemSessionProcessesInformation = 53;
type
NTSTATUS = DWORD;
PVOID = Pointer;
PPVOID = PPointer;
SYSTEM_INFORMATION_CLASS = ULONG;
ULONG_PTR = PULONG;
PLARGE_INTEGER = ^_LARGE_INTEGER;
_LARGE_INTEGER = record
LowPart: ULONG;
HighPart: ULONG;
end;
PUnicodeString = ^TUnicodeString;
TUnicodeString = packed record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end;
PIoStatusBlock=^TIoStatusBlock;
TIoStatusBlock=packed record
Status:NTSTATUS;
Information:Cardinal; //ULONG_PTR
end;
IO_STATUS_BLOCK=TIoStatusBlock;
PIO_STATUS_BLOCK=^IO_STATUS_BLOCK;
PObjectAttributes=^TObjectAttributes;
TObjectAttributes=packed record
Length:Cardinal;
RootDirectory:THandle;
ObjectName:PUnicodeString;
Attributes:Cardinal;
SecurityDescriptor:Pointer;
SecurityQualityOfService:Pointer;
end;
OBJECT_ATTRIBUTES=^TObjectAttributes;
POBJECT_ATTRIBUTES=^OBJECT_ATTRIBUTES;
PClientId=^TClientId;
TClientId=packed record
UniqueProcess:Cardinal;
UniqueThread:Cardinal;
end;
CLIENT_ID=TClientId;
PCLIENT_ID=^CLIENT_ID;
PROCESS_BASIC_INFORMATION=^TPROCESS_BASIC_INFORMATION;
TPROCESS_BASIC_INFORMATION =packed record
ExitStatus:NTSTATUS;
PebBaseAddress:ULONG;
AffinityMask:ULONG;
BasePriority:ULONG;
UniqueProcessId:ULONG;
InheritedFromUniqueProcessId:ULONG;
end;
PSYSTEM_HANDLE_INFORMATION=^TSYSTEM_HANDLE_INFORMATION;
TSYSTEM_HANDLE_INFORMATION=packed record
ProcessID:ULONG; //进程的标识ID
ObjectTypeNumber:UCHAR; //对象类型
Flags:UCHAR; //0x01 = PROTECT_FROM_CLOSE,0x02 = INHERIT
Handle:WORD; //对象句柄的数值
PObject:PVOID ; //对象句柄所指的内核对象地址
GrantedAccess:ACCESS_MASK; //创建句柄时所准许的对象的访问权
end;
function ZwQuerySystemInformation(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: PVOID; SystemInformationLength: ULONG; lpReturnLength: PULONG): NTSTATUS;stdcall; external 'ntdll.dll';
function ZwOpenProcess(ProcessHandle:PHandle;DesiredAccess:ACCESS_MASK;ObjectAttributes:PObjectAttributes;ClientId:PClientId):NTSTATUS; stdcall; external 'ntdll.dll';
function ZwDuplicateObject(SourceProcessHandle:THANDLE; SourceHandle:THANDLE; TargetProcessHandle:THANDLE; TargetHandle: PHANDLE; DesiredAccess: ACCESS_MASK; Attributes: ULONG; Options: ULONG): NTSTATUS; stdcall;external 'ntdll.dll';
function ZwQueryInformationProcess(ProcessHandle:THANDLE; ProcessInformationClass: ULONG; ProcessInformation: PVOID; ProcessInformationLength: ULONG; ReturnLength: PULONG): NTSTATUS; stdcall;external 'ntdll.dll';
function ZwAllocateVirtualMemory(ProcessHandle:THANDLE; BaseAddress: PPVOID; ZeroBits: ULONG; RegionSize: PULONG; AllocationType: ULONG; Protect: ULONG): NTSTATUS; stdcall;external 'ntdll.dll';
function ZwProtectVirtualMemory(ProcessHandle:THANDLE; BaseAddress: PPVOID; ProtectSize: PULONG; NewProtect: ULONG; OldProtect: PULONG): NTSTATUS; stdcall;external 'ntdll.dll';
function ZwWriteVirtualMemory(ProcessHandle:THANDLE;BaseAddress:PVOID;Buffer:PVOID;BufferLength:ULONG;ReturnLength: PULONG):NTSTATUS;stdcall;external 'ntdll.dll';
function ZwFreeVirtualMemory(rocessHandle:THANDLE;BaseAddress:PPVOID;FreeSize:PULONG;FreeType:ULONG):NTSTATUS;stdcall;external 'ntdll.dll';
function ZwClose(Handle: THandle): NTSTATUS; stdcall;external 'ntdll.dll';
//要用到函数
function EnablePrivilege(hToken: Cardinal; PrivName: string; bEnable: Boolean): Boolean;
function GetPidByName (szName:pchar):DWORD;
function KillProcess (dwProcessId:ULONG):BOOL;
implementation
function EnablePrivilege(hToken: Cardinal; PrivName: string; bEnable: Boolean): Boolean;
var
tp: TOKEN_PRIVILEGES;
Dummy: Cardinal;
begin
result:=false;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
begin
tp.PrivilegeCount := 1;
LookupPrivilegeValue(nil, PAnsichar(PrivName), tp.Privileges[0].Luid);
if bEnable then
tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
tp.Privileges[0].Attributes := 0;
Dummy:=0;
AdjustTokenPrivileges(hToken, False, TP, SizeOf(TP), nil, Dummy);
Result := GetLastError = ERROR_SUCCESS;
CloseHandle(hToken);
end;
end;
function GetPidByName (szName:pchar):DWORD;
var
hProcessSnap:THANDLE;
pe32:TProcessEntry32;
dwRet:DWORD;
begin
hProcessSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcessSnap = INVALID_HANDLE_VALUE) then
begin
Result:=0;
Exit;
end;
pe32.dwSize:=sizeof(pe32);
dwRet:=0;
if Process32First(hProcessSnap,pe32) then
begin
repeat
if UpperCase(strpas(szName))=UpperCase(pe32.szExeFile) then
begin
dwRet:=pe32.th32ProcessID;
break;
end;
until (Process32Next(hProcessSnap,pe32)=FALSE);
end;
CloseHandle(hProcessSnap);
Result:=dwRet;
end;
function KillProcess (dwProcessId:ULONG):BOOL;
label send;
var
ph, h_dup:THANDLE;
client_id:TClientId;
csrss_id:THANDLE;
h_info:PSYSTEM_HANDLE_INFORMATION ;
pbi:TPROCESS_BASIC_INFORMATION ;
attr:TObjectAttributes;
buf:PVOID;
bytesIO,NumOfHandle:ULONG;
i:integer;
pAddress0,pAddress1 :pvoid;
sz,oldp:ULONG;
begin
csrss_id:=THANDLE(GetPidByName ('csrss.exe'));
client_id.UniqueProcess:= csrss_id;
client_id.UniqueThread:=0;
attr.Length:=24;
attr.RootDirectory:=0;
attr.ObjectName:= nil;
attr.Attributes:= 0;
attr.SecurityDescriptor:= nil;
attr.SecurityQualityOfService:= nil;
//打开CSRSS.EXE,获得其句柄
ZwOpenProcess(@ph,PROCESS_ALL_ACCESS,@attr,@client_id);
bytesIO:=$400000;
buf:=0;
ZwAllocateVirtualMemory(GetCurrentProcess(), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE);
ZwQuerySystemInformation(16,buf,$400000,@bytesIO);
NumOfHandle:=ULONG(buf);
h_info:=PSYSTEM_HANDLE_INFORMATION(DWORD(buf)+4);
i:=0;
while (i< NumOfHandle) do
begin
if( (h_info.ProcessID=ULONG(csrss_id)) and (h_info.ObjectTypeNumber=5) ) then
begin
if (ZwDuplicateObject(ph,THANDLE(h_info.Handle),THANDLE(-1),@h_dup,0,0,DUPLICATE_SAME_ACCESS)=STATUS_SUCCESS) then
ZwQueryInformationProcess(h_dup, 0, @pbi, sizeof(pbi), @bytesIO);
//找到该进程的内存位置 ,开始清0
if ( pbi.UniqueProcessId = dwProcessId ) then
begin
MessageBox(0, '要结束的进程目标已确定!', '提示', MB_OK);
i:=$1000;
while(i<$80000000) do
begin
pAddress0 := PVOID(i);
pAddress1:=pAddress0;
sz:=$1000;
if (ZwProtectVirtualMemory (h_dup, @pAddress1, @sz, PAGE_EXECUTE_READWRITE, @oldp) = STATUS_SUCCESS)then
ZwWriteVirtualMemory(h_dup, pAddress0, buf, $1000, @oldp);
i:=i+$1000;
end;
MessageBox(0, '任务已完成!','提示', 0);
ZwClose(h_dup);
goto send;
end;
end;
inc(i);
h_info:=PSYSTEM_HANDLE_INFORMATION(DWORD(h_info)+sizeof(TSYSTEM_HANDLE_INFORMATION));
end;
send:
bytesIO:= 0;
ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE);
end;
end.
- 标 题:用Delphi写的ring3下清零结束进程
- 作 者:liukeblue
- 时 间:2010-05-12 14:55:05
- 链 接:http://bbs.pediy.com/showthread.php?t=112838