一段杀线程的代码

灬无名灬 · 发表于 2008-4-17 14:26:33

大家仔细看看吧！

/*
      TerminateThread.c

*/

#include "ntddk.h"
#include "LDasm.h" //网上很多的，自己找一个好了。

typedef enum _KAPC_ENVIRONMENT {
  originalApcEnvironment,
  AttachedApcEnvironment,
  CurrentApcEnvironment,
  InsertApcEnvironment
} KAPC_ENVIRONMENT;

NTKERNELAPI
VOID
KeInitializeApc (
      PKAPC Apc,
      PETHREAD Thread,
      KAPC_ENVIRONMENT Environment,
      PKKERNEL_ROUTINE KernelRoutine,
      PKRUNDOWN_ROUTINE RundownRoutine,
      PKNORMAL_ROUTINE NormalRoutine,
      KPROCESSOR_MODE ProcessorMode,
      PVOID NormalContext
      );

NTKERNELAPI
BOOLEAN
KeInsertQueueApc (
      PKAPC Apc,
      PVOID SystemArgument1,
      PVOID SystemArgument2,
      KPRIORITY Increment
      );

#define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL

ULONG GetThreadFlagsOffset()
{
  UCHAR *cPtr, *pOpcode;
  ULONG Length;
  USHORT Offset;

  for (cPtr = (PUCHAR)PsTerminateSystemThread;
cPtr < (PUCHAR)PsTerminateSystemThread + 0x100;
cPtr += Length)
  {
Length = SizeOfCode(cPtr, &pOpcode);

if (!Length) break;
if (*(USHORT *)pOpcode == 0x80F6) //f6804802000010 test byte ptr [eax+248h],10h
{
   Offset=*(USHORT *)((ULONG)pOpcode+2);
   return Offset;
   //break;
}
  }
  return 0;
}

VOID KernelTerminateThreadRoutine(
               IN PKAPC Apc,
               IN OUT PKNORMAL_ROUTINE *NormalRoutine,
               IN OUT PVOID *NormalContext,
               IN OUT PVOID *SystemArgument1,
               IN OUT PVOID *SystemArgument2
               )
{
  ULONG ThreadFlagsOffset=GetThreadFlagsOffset();
  PULONG ThreadFlags;
  DbgPrint("[TerminateThread] KernelTerminateThreadRoutine.\n");
  ExFreePool(Apc);
  if (ThreadFlagsOffset)
  {
ThreadFlags=(ULONG *)((ULONG)(PsGetCurrentThread())+ThreadFlagsOffset);
*ThreadFlags=(*ThreadFlags)|PS_CROSS_THREAD_FLAGS_SYSTEM;
PsTerminateSystemThread(STATUS_SUCCESS); //o(∩_∩)o
  }
  else
  {
//failed
  }
  return; //never be here
}

BOOLEAN TerminateThread(PETHREAD Thread)
{
  PKAPC Apc=NULL;
  BOOLEAN blnSucceed=FALSE;
  if (!MmIsAddressValid(Thread)) return FALSE; //error.
  Apc=ExAllocatePool(NonPagedPool,sizeof(KAPC));
  KeInitializeApc(Apc,
Thread,
originalApcEnvironment,
KernelTerminateThreadRoutine,
NULL,
NULL,
KernelMode,
NULL); //special apc - whether alertable or not makes no difference..
  blnSucceed=KeInsertQueueApc(Apc,
NULL,
NULL,
0);
  //add some code works like KeForceResumeThread here.
  return blnSucceed;
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
  DbgPrint("[TerminateThread] Unloaded\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
  DbgPrint("[TerminateThread] DriverEntry.\n");
  TerminateThread((PETHREAD)0xff6f3c70); // for test
  pDriverObj->DriverUnload = DriverUnload;
  return STATUS_SUCCESS; //do NOT return an unsuccessful value here, or you need to wait for apc routine return.
}

dai5200 · 发表于 2009-4-14 20:38:00

不懂··

stephen · 发表于 2009-4-18 20:35:50

写的不错，辛苦了~ :hug:

whylyh · 发表于 2009-4-19 16:01:31

饿....怎么用么。。。。好想知道我学过C语言。。。但是看不太懂

ahkugua · 发表于 2009-4-19 16:03:31

不懂,,来学习下

logosxiang · 发表于 2009-5-7 08:48:04

好东西，感谢楼主分享。。。学习啦~:)

whitemanwu · 发表于 2010-3-14 00:47:55

这个太高难度了吧

273455446 · 发表于 2010-3-14 11:25:30

这个全看不懂囧

aaa1616 · 发表于 2010-3-14 12:41:54

写的非常好
但是杂用- -！

602112759 · 发表于 2010-3-18 12:20:31

写的非常好
. u2 w! l+ ]* l5 i, c3 R) s4 k但是杂用- -！

Kaija · 发表于 2010-5-11 00:03:15

谢谢老大了，完全看不懂……:D;:
楼上的别复制9楼的发言！:P;:

nada · 发表于 2010-6-16 13:38:11

谢谢分享````

账号		自动登录	找回密码
密码			注册[Register]