一、刚学驱动不久,利用PspTerminateProcess函数杀掉360Tray.exe,但会弹出360保护阻止,允许就能杀掉了。
二、你会这样问:360都拦截掉了,要你这有啥用,我刚学不久,用来练习获取未导出函数
//#include "ntddk.h"
#include "ntifs.h"
typedef struct _LDR_DATA_TABLE_ENTRY{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
ULONG32 DllBase;
ULONG32 EntryPoint;
ULONG32 SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
UINT32 Unknow[17];
}LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
NTSTATUS UnLoad(PDRIVER_OBJECT pdriver) {
DbgPrint("UnLoad!\r");
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING ppath) {
pdriver->DriverUnload = UnLoad;
PVOID PspTerminateProcess = 0;
UNICODE_STRING us = {0};
//10-10-12分页是ntoskrnl.exe这个内核模块
//2-9-9-12分页是ntkrnlpa.exe这个内核模块
RtlInitUnicodeString(&us,L"ntoskrnl.exe");
LDR_DATA_TABLE_ENTRY* Section = (LDR_DATA_TABLE_ENTRY*)pdriver->DriverSection;
do {
//DbgPrint("DllBase: %x SizeOfImage: %x DriverName:%wZ\n", Section->DllBase,Section->SizeOfImage, &Section->BaseDllName);
if (!RtlCompareUnicodeString(&us, &Section->BaseDllName, TRUE)) {
//计算出相对dll偏移后的地址
//0x805c9da4 - 0x804d8000通过windbg u PspTerminateProcess获取函数地址后减去当前模块基址
//后面这两个值,在10-10-12分页是这个,2-9-9-12分页还没弄
PspTerminateProcess = Section->DllBase + 0x805c9da4 - 0x804d8000;
break;
}
Section = Section->InLoadOrderLinks.Blink;
} while(Section->DllBase);
PEPROCESS hProcess;
//下面的需要自己获取PID
PsLookupProcessByProcessId((HANDLE)2248, &hProcess);
_asm {
push 0;
push hProcess;
call PspTerminateProcess;
}
return STATUS_SUCCESS;
}
| 
发表于 2021-8-23 19:33
|
发表于 2021-8-23 21:16
