
一段杀线程的代码

2008-04-17


大家仔细看看吧!

/*
TerminateThread.c

*/

#include "ntddk.h"
#include "LDasm.h" //网上很多的,自己找一个好了。

/*
 * APC environment selector passed as the Environment argument of the
 * locally-declared KeInitializeApc(). ntddk.h does not expose this enum, so
 * the file carries its own copy; the explicit values below reproduce the
 * implicit 0..3 numbering of the original declaration.
 * Only originalApcEnvironment is used in this file (see TerminateThread()).
 * NOTE(review): the leading lowercase 'o' is this file's own spelling; the
 * kernel's documented name is OriginalApcEnvironment. Harmless here because
 * the value, not the name, is what the kernel sees.
 */
typedef enum _KAPC_ENVIRONMENT {
    originalApcEnvironment = 0,
    AttachedApcEnvironment = 1,
    CurrentApcEnvironment  = 2,
    InsertApcEnvironment   = 3
} KAPC_ENVIRONMENT;

/*
 * Prototype of an ntoskrnl export that ntddk.h does not declare; the file
 * declares it itself. The signature is the author's transcription and is
 * not a public WDK contract — confirm against the target kernel before
 * relying on the parameter order.
 *
 * Apc            - caller-allocated KAPC (this file uses NonPagedPool)
 * Thread         - ETHREAD the APC is queued to
 * Environment    - KAPC_ENVIRONMENT selector declared above
 * KernelRoutine  - runs when the APC is delivered (KernelTerminateThreadRoutine here)
 * RundownRoutine - NULL in this file
 * NormalRoutine  - NULL in this file (the author calls this a "special apc")
 * ProcessorMode  - KernelMode in this file
 * NormalContext  - NULL in this file
 */
NTKERNELAPI
VOID
KeInitializeApc (
    PKAPC Apc,
    PETHREAD Thread,
    KAPC_ENVIRONMENT Environment,
    PKKERNEL_ROUTINE KernelRoutine,
    PKRUNDOWN_ROUTINE RundownRoutine,
    PKNORMAL_ROUTINE NormalRoutine,
    KPROCESSOR_MODE ProcessorMode,
    PVOID NormalContext
    );

/*
 * Prototype of an ntoskrnl export that ntddk.h does not declare; declared
 * locally by this file. Returns TRUE when the APC was queued. This file
 * passes NULL/NULL/0 for the arguments and only uses the BOOLEAN result.
 * NOTE(review): on FALSE the APC object was not taken by the kernel, so the
 * caller still owns (and must free) it.
 */
NTKERNELAPI
BOOLEAN
KeInsertQueueApc (
    PKAPC Apc,
    PVOID SystemArgument1,
    PVOID SystemArgument2,
    KPRIORITY Increment
    );

/* Bit OR'd into the ETHREAD thread-flags word (ETHREAD + GetThreadFlagsOffset())
 * by KernelTerminateThreadRoutine(). The value matches the imm8 0x10 of the
 * "test byte ptr [eax+248h],10h" instruction the offset scan looks for. */
#define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL

/*
 * Locate the byte offset of the thread-flags word inside ETHREAD by
 * pattern-scanning the beginning of PsTerminateSystemThread.
 *
 * Walks at most 0x100 bytes of PsTerminateSystemThread one instruction at a
 * time with SizeOfCode() from LDasm.h (assumed to return the instruction
 * length and set pOpcode to the opcode byte — confirm against the LDasm
 * version in use). The first instruction whose first two bytes are F6 80
 * (little-endian USHORT 0x80F6, "test byte ptr [eax+disp32], imm8" per the
 * author's note) is taken to be the kernel's own test of the thread-flags
 * word, and its displacement is returned.
 *
 * Returns the displacement, or 0 when SizeOfCode() reports a zero length or
 * no match is found within 0x100 bytes.
 *
 * Review notes:
 *  - Only two bytes of the four-byte displacement are read (Offset is a
 *    USHORT); correct only while the upper two bytes are zero, as in the
 *    author's example (48 02 00 00 -> 0x248).
 *  - The pattern is tied to the kernel build it was taken from. On another
 *    build the scan can match a different "test byte ptr" and return a wrong
 *    offset; nothing here detects that, and the caller writes through it.
 *  - (ULONG)pOpcode truncates the pointer on 64-bit builds; 32-bit only.
 */
ULONG GetThreadFlagsOffset()
{
    UCHAR *cPtr, *pOpcode;
    ULONG Length;
    USHORT Offset;

    for (cPtr = (PUCHAR)PsTerminateSystemThread;
         cPtr < (PUCHAR)PsTerminateSystemThread + 0x100;
         cPtr += Length)
    {
        Length = SizeOfCode(cPtr, &pOpcode);

        if (!Length) break; /* decoder failed: stop instead of advancing by 0 forever */
        if (*(USHORT *)pOpcode == 0x80F6) //f6804802000010 test byte ptr [eax+248h],10h
        {
            /* displacement follows the opcode and ModRM bytes */
            Offset=*(USHORT *)((ULONG)pOpcode+2);
            return Offset;
        }
    }
    return 0;
}

/*
 * KernelRoutine of the APC queued by TerminateThread(). It relies on running
 * in the context of the thread the APC was queued to: it reaches the target
 * ETHREAD through PsGetCurrentThread(), not through a parameter.
 *
 * Order matters: the KAPC (allocated in TerminateThread) is freed first,
 * because PsTerminateSystemThread() does not return on success (see the
 * author's "never be here"). Then PS_CROSS_THREAD_FLAGS_SYSTEM is OR'd into
 * the thread-flags word at the offset found by GetThreadFlagsOffset() —
 * presumably the word the scanned "test byte ptr [eax+248h],10h" checks, so
 * that a thread which is not a system thread is accepted (inferred from the
 * scan pattern; not verifiable here).
 *
 * If no offset was found the routine does nothing and the thread keeps
 * running. That failure is silent (no DbgPrint), and the caller of
 * TerminateThread() was already told the APC was queued successfully.
 *
 * NormalRoutine, NormalContext, SystemArgument1/2 are unused.
 */
VOID KernelTerminateThreadRoutine(
    IN PKAPC Apc,
    IN OUT PKNORMAL_ROUTINE *NormalRoutine,
    IN OUT PVOID *NormalContext,
    IN OUT PVOID *SystemArgument1,
    IN OUT PVOID *SystemArgument2
    )
{
    ULONG ThreadFlagsOffset=GetThreadFlagsOffset();
    PULONG ThreadFlags;
    DbgPrint("[TerminateThread] KernelTerminateThreadRoutine. ");
    ExFreePool(Apc); /* allocated with ExAllocatePool in TerminateThread() */
    if (ThreadFlagsOffset)
    {
        /* ETHREAD + offset; a wrong offset corrupts the thread object */
        ThreadFlags=(ULONG *)((ULONG)(PsGetCurrentThread())+ThreadFlagsOffset);
        *ThreadFlags=(*ThreadFlags)|PS_CROSS_THREAD_FLAGS_SYSTEM;
        PsTerminateSystemThread(STATUS_SUCCESS); /* does not return on success */
    }
    else
    {
        //failed: offset not found, thread left running, no diagnostic
    }
    return; //never be here
}

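/*
 * Queue a kernel-mode APC to Thread whose kernel routine
 * (KernelTerminateThreadRoutine) terminates the thread from inside its own
 * context.
 *
 * Returns TRUE when KeInsertQueueApc accepted the APC. TRUE only means the
 * APC was queued; whether the thread actually terminates is decided later in
 * KernelTerminateThreadRoutine and is not reported back.
 *
 * Fixes over the original:
 *  - ExAllocatePool can return NULL; the original passed that NULL straight
 *    into KeInitializeApc. Now FALSE is returned instead.
 *  - If KeInsertQueueApc returns FALSE the kernel routine (which is the only
 *    place the KAPC is freed) never runs, so the original leaked the pool
 *    block. It is freed here on that path.
 *
 * NOTE(review): MmIsAddressValid only tells that the page is currently
 * resident; it does not prove Thread is a live ETHREAD. Kept as the author's
 * guard because a stronger check needs an object reference the caller would
 * have to supply.
 */
BOOLEAN TerminateThread(PETHREAD Thread)
{
    PKAPC Apc = NULL;
    BOOLEAN blnSucceed = FALSE;

    if (!MmIsAddressValid(Thread)) return FALSE; //error.

    Apc = ExAllocatePool(NonPagedPool, sizeof *Apc);
    if (Apc == NULL) return FALSE; /* pool exhausted; nothing to clean up */

    KeInitializeApc(Apc,
                    Thread,
                    originalApcEnvironment,
                    KernelTerminateThreadRoutine,
                    NULL,
                    NULL,
                    KernelMode,
                    NULL); //special apc - whether alertable or not makes no difference..
    blnSucceed = KeInsertQueueApc(Apc,
                                  NULL,
                                  NULL,
                                  0);
    if (!blnSucceed)
    {
        /* Not queued, so KernelTerminateThreadRoutine will never free it. */
        ExFreePool(Apc);
        Apc = NULL;
    }
    //add some code works like KeForceResumeThread here.
    return blnSucceed;
}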

/* Unload callback registered in DriverEntry; it only logs. The driver
 * object is not needed, so it is explicitly marked unused. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    (void)pDriverObj;
    DbgPrint("[TerminateThread] Unloaded ");
}

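/*
 * Driver entry point. Registers the unload routine and runs the author's
 * one-off test call.
 *
 * Changes over the original:
 *  - DriverUnload is registered before any work is done, so the driver can
 *    always be unloaded regardless of what the test call does.
 *  - The BOOLEAN returned by TerminateThread() was discarded; a failure to
 *    queue the APC is now logged. The return status is still STATUS_SUCCESS
 *    either way, for the reason in the author's trailing comment.
 *
 * NOTE(review): 0xff6f3c70 is a raw ETHREAD address from the author's test
 * machine; it is meaningful only for that boot of that system. Passing a
 * stale address here is exactly the case MmIsAddressValid does not protect
 * against.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    BOOLEAN queued;

    (void)pRegistryString; /* unused */
    DbgPrint("[TerminateThread] DriverEntry. ");
    pDriverObj->DriverUnload = DriverUnload;

    queued = TerminateThread((PETHREAD)0xff6f3c70); // for test
    if (!queued)
    {
        DbgPrint("[TerminateThread] TerminateThread: APC not queued. ");
    }
    return STATUS_SUCCESS; //do NOT return an unsuccessful value here, or you need to wait for apc routine return.
}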
