VERSION 5.00
Begin VB.Form Form1
Caption = "Form1"
ClientHeight = 3120
ClientLeft = 60
ClientTop = 420
ClientWidth = 4680
LinkTopic = "Form1"
ScaleHeight = 3120
ScaleWidth = 4680
StartUpPosition = 3 '窗口缺省
Begin VB.TextBox Text1
Height = 270
Left = 480
TabIndex = 1
Text = "Text1"
Top = 960
Width = 2295
End
Begin VB.CommandButton Command1
Caption = "Command1"
Height = 375
Left = 480
TabIndex = 0
Top = 360
Width = 1575
End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit
Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByRef Destination As Any, ByRef Source As Any, ByVal Length As Long)
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32.dll" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
' Module state shared by the event handlers below.
Dim bytknl() As Byte ' bytes of the kernel image file as read by MapFile in Form_Load; restoreinlinehook copies from it
Dim retv() As SYSTEM_MODULE_INFORMATION ' module list returned by mEnumKernelModule.EnumKernelModule; element 0 is used as the kernel
Dim kernelbase As Long ' retv(0).Base, used to convert a kernel address into an index into bytknl
Private Sub restoreinlinehook(ByVal funcname As String)
' Writes the first 10 bytes of the kernel service named by funcname back from the
' copy of the kernel image held in bytknl, i.e. it undoes a patch placed on the
' function's prologue.
' funcname: Nt* service name, resolved via GetSSDTFuncOrdinal / GetSSDTFuncRealAddr
'           (both defined in another module).
' NOTE(review): neither lookup result is validated.  If the ordinal or address
' lookup fails, or addr falls outside the range covered by bytknl
' (0 .. UBound(bytknl) after subtracting kernelbase), the array index is out of
' range and VB raises a subscript error before anything is written.
' NOTE(review): the copy assumes the byte layout of bytknl matches the in-memory
' RVA (addr - kernelbase); whether MapFile guarantees that cannot be seen from
' this file -- confirm before relying on it.
Dim addr As Long, tmpbyt(1 To 10) As Byte
addr = GetSSDTFuncRealAddr(GetSSDTFuncOrdinal(funcname))
' tmpbyt is declared 1-based (1 To 10) while bytknl uses the default lower bound.
CopyMemory tmpbyt(1), bytknl(0 + addr - kernelbase), 10
' Writes the 10 bytes to live kernel memory; ModifyKernelMemory is defined elsewhere.
ModifyKernelMemory addr, 10, tmpbyt
End Sub
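Private Sub Command1_Click()
    ' Restores the prologue bytes of the four Nt* services involved in opening
    ' and terminating a process/thread, then terminates the process whose PID
    ' is typed in Text1.  The restore step runs first so the two API calls
    ' below reach the unpatched services.
    Call restoreinlinehook("NtOpenProcess")
    Call restoreinlinehook("NtOpenThread")
    Call restoreinlinehook("NtTerminateProcess")
    Call restoreinlinehook("NtTerminateThread")

    Dim hProcess As Long
    ' 1 = PROCESS_TERMINATE, bInheritHandle = 0.  Val() returns 0 for
    ' non-numeric text, which OpenProcess rejects, so hProcess is 0 on bad input.
    hProcess = OpenProcess(1, 0, Val(Text1))
    ' Only act on a valid handle; the original code passed a 0 handle straight
    ' to TerminateProcess and never released a successful one.
    If hProcess <> 0 Then
        Call TerminateProcess(hProcess, 0)
        Call CloseHandle(hProcess)
    End If
End Sub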
Private Sub Form_Load()
' One-time setup: opens the physical-memory access used for the kernel writes,
' initialises the SSDT lookup helpers, enumerates loaded kernel modules and
' reads the kernel image file into bytknl as the reference copy.
' OpenPhysicalMemory, InitSSDTModule, mEnumKernelModule.EnumKernelModule and
' MapFile are all defined in other modules; none of their results is checked here.
OpenPhysicalMemory
InitSSDTModule
' NOTE(review): retv(0) is taken to be the kernel image (base, size, file name).
' That depends on the enumeration returning the kernel first -- confirm in
' mEnumKernelModule.
retv = mEnumKernelModule.EnumKernelModule
' Upper bound Size with the default lower bound, so the buffer holds Size + 1 bytes.
ReDim bytknl(retv(0).Size)
' Builds "%SystemRoot%\system32\<file name>": ImageName is converted from an
' ANSI byte string with StrConv, ModuleNameOffset skips any leading path part,
' and Replace collapses a doubled backslash.  MapFile's return value is discarded.
Call MapFile(Replace(Environ("SystemRoot") & "\system32\" & Right(StrConv(retv(0).ImageName, vbUnicode), Len(StrConv(retv(0).ImageName, vbUnicode)) - retv(0).ModuleNameOffset), "\\", "\"), bytknl)
' Load address of the module read above; restoreinlinehook subtracts it from a
' kernel address to index bytknl.
kernelbase = retv(0).Base
End Sub
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    ' Undoes OpenPhysicalMemory (called in Form_Load) when the form closes.
    ' Cancel is left untouched, so the unload always proceeds.
    Call ClosePhysicalMemory
End Sub