📄 findpspterminateprocess.cpp
extern "C"
{
#include "ntddk.h"
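/*
 * Signature of NtQuerySystemInformation.  The routine is not linked
 * against; DoFind() resolves it at run time through GetFunctionAddr()
 * (MmGetSystemRoutineAddress) and stores it in the global below.  The
 * first parameter is declared ULONG rather than SYSTEM_INFORMATION_CLASS
 * only because that enum is defined further down in this file.
 *
 * NTAPI (__stdcall on x86) belongs in the pointer type: the exported
 * routine is stdcall, and a pointer declared without it is called with
 * the compiler's default convention.  That only balances the stack when
 * the build happens to default to __stdcall (as the DDK build
 * environment does with -Gz); spelling it out removes the dependency on
 * that build setting.
 */
typedef NTSTATUS (NTAPI *NTQUERYSYSTEMINFORMATION)(
    IN ULONG SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/*
 * Resolved by DoFind(); NULL until the lookup has run.
 * NOTE(review): if the WDK headers in use already declare a function of
 * this name, this global collides with it and should be renamed.
 */
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation;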
/*
 * Information classes accepted by NtQuerySystemInformation.  This file
 * only uses SystemModuleInformation (11); the others are listed so the
 * numbering of that class is unambiguous.  Each enumerator carries its
 * ordinal explicitly, so adding or deleting a line can no longer
 * silently renumber everything after it.  The Q/S marks from the
 * original table (class may be Queried / may be Set) are kept.
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation               =  0, /* Q:Y S:N   */
    SystemProcessorInformation           =  1, /* Q:Y S:N   */
    SystemPerformanceInformation         =  2, /* Q:Y S:N   */
    SystemTimeOfDayInformation           =  3, /* Q:Y S:N   */
    SystemNotImplemented1                =  4, /* Q:Y S:N   */
    SystemProcessesAndThreadsInformation =  5, /* Q:Y S:N   */
    SystemCallCounts                     =  6, /* Q:Y S:N   */
    SystemConfigurationInformation       =  7, /* Q:Y S:N   */
    SystemProcessorTimes                 =  8, /* Q:Y S:N   */
    SystemGlobalFlag                     =  9, /* Q:Y S:Y   */
    SystemNotImplemented2                = 10, /* Q:Y S:N   */
    SystemModuleInformation              = 11, /* Q:Y S:N   -- used by DoFind() */
    SystemLockInformation                = 12, /* Q:Y S:N   */
    SystemNotImplemented3                = 13, /* Q:Y S:N   */
    SystemNotImplemented4                = 14, /* Q:Y S:N   */
    SystemNotImplemented5                = 15, /* Q:Y S:N   */
    SystemHandleInformation              = 16, /* Q:Y S:N   */
    SystemObjectInformation              = 17, /* Q:Y S:N   */
    SystemPagefileInformation            = 18, /* Q:Y S:N   */
    SystemInstructionEmulationCounts     = 19, /* Q:Y S:N   */
    SystemInvalidInfoClass1              = 20, /* invalid   */
    SystemCacheInformation               = 21, /* Q:Y S:Y   */
    SystemPoolTagInformation             = 22, /* Q:Y S:N   */
    SystemProcessorStatistics            = 23, /* Q:Y S:N   */
    SystemDpcInformation                 = 24, /* Q:Y S:Y   */
    SystemNotImplemented6                = 25, /* Q:Y S:N   */
    SystemLoadImage                      = 26, /* Q:N S:Y   */
    SystemUnloadImage                    = 27, /* Q:N S:Y   */
    SystemTimeAdjustment                 = 28, /* Q:Y S:Y   */
    SystemNotImplemented7                = 29, /* Q:Y S:N   */
    SystemNotImplemented8                = 30, /* Q:Y S:N   */
    SystemNotImplemented9                = 31, /* Q:Y S:N   */
    SystemCrashDumpInformation           = 32, /* Q:Y S:N   */
    SystemExceptionInformation           = 33, /* Q:Y S:N   */
    SystemCrashDumpStateInformation      = 34, /* Q:Y S:Y/N */
    SystemKernelDebuggerInformation      = 35, /* Q:Y S:N   */
    SystemContextSwitchInformation       = 36, /* Q:Y S:N   */
    SystemRegistryQuotaInformation       = 37, /* Q:Y S:Y   */
    SystemLoadAndCallImage               = 38, /* Q:N S:Y   */
    SystemPrioritySeparation             = 39, /* Q:N S:Y   */
    SystemNotImplemented10               = 40, /* Q:Y S:N   */
    SystemNotImplemented11               = 41, /* Q:Y S:N   */
    SystemInvalidInfoClass2              = 42, /* invalid   */
    SystemInvalidInfoClass3              = 43, /* invalid   */
    SystemTimeZoneInformation            = 44, /* Q:Y S:N   */
    SystemLookasideInformation           = 45, /* Q:Y S:N   */
    SystemSetTimeSlipEvent               = 46, /* Q:N S:Y   */
    SystemCreateSession                  = 47, /* Q:N S:Y   */
    SystemDeleteSession                  = 48, /* Q:N S:Y   */
    SystemInvalidInfoClass4              = 49, /* invalid   */
    SystemRangeStartInformation          = 50, /* Q:Y S:N   */
    SystemVerifierInformation            = 51, /* Q:Y S:Y   */
    SystemAddVerifier                    = 52, /* Q:N S:Y   */
    SystemSessionProcessesInformation    = 53  /* Q:Y S:N   */
} SYSTEM_INFORMATION_CLASS;
/*
 * One entry of the SystemModuleInformation (class 11) result buffer.
 * DoFind() treats that buffer as a ULONG module count followed by this
 * structure once per loaded module (it skips the count with
 * (PULONG)buf + 1) and reads only entry 0, which it assumes is ntoskrnl;
 * the structure itself does not guarantee that ordering.  Field layout
 * is fixed by the kernel and must not be changed.
 */
typedef struct _SYSTEM_MODULE_INFORMATION // Information Class 11
{
ULONG Reserved[2];
PVOID Base;               /* DoFind() uses this as the start of the image */
ULONG Size;               /* ... and Base + Size as the end of the scan range */
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;  /* presumably an offset into ImageName; not used here */
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* Resolve an exported kernel routine by name; 0 when it is not exported. */
ULONG GetFunctionAddr( IN PCWSTR FunctionName);
/* Public entry point: returns the address located by DoFind(), or 0. */
ULONG FindPspTerminateProcessAddr(ULONG sysmajorVer,ULONG sysminorVer,ULONG sysSPVer);
/* System-thread routine that performs the actual scan. */
VOID DoFind(IN PVOID pContext);
/*
 * State shared between FindPspTerminateProcessAddr (writes the version
 * fields, reads retAddr1) and the DoFind thread (reads the version
 * fields, writes retAddr1).  The only ordering is the creator waiting
 * for the thread to exit; there is no lock, so two concurrent callers
 * would clobber each other's input and result.
 */
ULONG retAddr1=0;
ULONG sysmajorVer;ULONG sysminorVer;ULONG sysSPVer;
/*
 * Look up an exported kernel routine by name.
 *
 * FunctionName: NUL-terminated wide name of the export.
 * Returns the routine's address as a ULONG, or 0 when
 * MmGetSystemRoutineAddress does not find it.  The ULONG pointer width
 * assumes 32-bit x86, like the rest of this file.
 */
ULONG GetFunctionAddr( IN PCWSTR FunctionName)
{
    UNICODE_STRING routineName;
    PVOID routine;

    RtlInitUnicodeString(&routineName, FunctionName);
    routine = MmGetSystemRoutineAddress(&routineName);
    return (ULONG)routine;
}
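/*
 * Start a system thread running DoFind(), block until it exits, and
 * return the address it stored in retAddr1 (0 when nothing was found or
 * when setup failed).
 *
 * sysmajorV/sysminorV/sysSPV: OS version already obtained by the caller;
 * they are copied into the globals that DoFind() reads.
 *
 * Must be called at PASSIVE_LEVEL: PsCreateSystemThread and an infinite
 * KeWaitForSingleObject both require it, and the level cannot be
 * *lowered* with KfRaiseIrql as the original code attempted.  Not
 * reentrant: the version globals and retAddr1 are shared.
 *
 * Fixes relative to the original: the PsCreateSystemThread status was
 * ignored (an uninitialised handle then reached
 * ObReferenceObjectByHandle); the ObReferenceObjectByHandle status was
 * ignored (a NULL object reached KeWaitForSingleObject); the thread
 * object reference and the thread handle were never released.
 */
ULONG FindPspTerminateProcessAddr(ULONG sysmajorV, ULONG sysminorV, ULONG sysSPV)
{
    HANDLE hThread = NULL;
    PVOID threadObject = NULL;
    NTSTATUS status;

    retAddr1 = 0;

    /* Refuse rather than bugcheck: nothing below is legal above PASSIVE_LEVEL. */
    if (KeGetCurrentIrql() != PASSIVE_LEVEL) {
        return 0;
    }

    sysmajorVer = sysmajorV;
    sysminorVer = sysminorV;
    sysSPVer = sysSPV;

    /* NULL process handle = create the thread in the System process. */
    status = PsCreateSystemThread(&hThread, 0, NULL, NULL, NULL, DoFind, NULL);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsCreateSystemThread failed: 0x%X\n", status);
        return 0;
    }

    /*
     * Turn the handle into an object pointer we can wait on.  The thread
     * object becomes signalled when DoFind() calls PsTerminateSystemThread.
     */
    status = ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, *PsThreadType,
                                       KernelMode, &threadObject, NULL);
    if (NT_SUCCESS(status)) {
        status = KeWaitForSingleObject(threadObject, Executive, KernelMode,
                                       FALSE, NULL); /* NULL timeout = wait forever */
        ObDereferenceObject(threadObject);
    } else {
        DbgPrint("ObReferenceObjectByHandle failed: 0x%X\n", status);
    }
    ZwClose(hThread);

    /*
     * If we could not wait, DoFind() may still be running and retAddr1 is
     * not yet meaningful; report "not found" instead of a partial value.
     */
    return NT_SUCCESS(status) ? retAddr1 : 0;
}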
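/*
 * Scan [start, end) for `count` consecutive ULONGs equal to `pattern`
 * and return the address of the first match, or 0.
 *
 * Memory is read page by page and only through pages that
 * MmIsAddressValid reports as present: parts of the kernel image
 * (discardable sections, paged-out pages) cannot be dereferenced from a
 * system thread without faulting, so the original unguarded
 * *(ULONG *)i reads could bugcheck.  A candidate whose tail crosses into
 * the following page is checked against that page as well.  No
 * candidate starts closer than count*4 bytes to `end`, which also removes
 * the original over-read past the end of the image.
 */
static ULONG ScanForPattern(ULONG start, ULONG end, const ULONG *pattern, ULONG count)
{
    ULONG patLen = count * sizeof(ULONG);
    ULONG page;

    if (count == 0 || end <= start || end - start < patLen) {
        return 0;
    }

    page = start & ~(ULONG)(PAGE_SIZE - 1);
    while (page < end) {
        ULONG i;
        ULONG lo = page < start ? start : page;
        /* Exclusive end of this page, clamped to `end`; no overflow since page < end. */
        ULONG hi = (end - page > PAGE_SIZE) ? page + PAGE_SIZE : end;

        if (MmIsAddressValid((PVOID)lo)) {
            for (i = lo; i < hi && end - i >= patLen; i++) {
                ULONG k;

                /*
                 * The tail of this candidate lies on the next page.  If that
                 * page is absent, every later candidate on this page has its
                 * tail there too, so stop with this page.
                 */
                if (patLen > hi - i && !MmIsAddressValid((PVOID)(i + patLen - 1))) {
                    break;
                }
                for (k = 0; k < count; k++) {
                    if (*(const ULONG *)(i + k * sizeof(ULONG)) != pattern[k]) {
                        break;
                    }
                }
                if (k == count) {
                    return i;
                }
            }
        }

        if (hi == end) {
            break;
        }
        page = hi;
    }
    return 0;
}

/*
 * Thread routine started by FindPspTerminateProcessAddr().  Locates the
 * ntoskrnl image in memory, scans it for the dword signature of
 * PspTerminateProcess and stores the match (or 0) in retAddr1 before
 * terminating the thread.  Only Windows XP (5.1) SP0..SP2 is handled:
 * SP0 and SP1 share one signature, SP2 has another.  The constants are
 * the little-endian dwords expected at the start of the routine on those
 * builds and must be re-verified against any other build.
 *
 * pContext: unused (the creator passes NULL).
 *
 * Fixes relative to the original: `if (sysSPVer=2)` assigned instead of
 * comparing, so every service pack took the SP2 path; the module buffer
 * leaked when the second NtQuerySystemInformation call failed; the scan
 * read up to 15 bytes past the end of the image and touched pages that
 * may not be present (see ScanForPattern).
 */
VOID DoFind(IN PVOID pContext)
{
    static const ULONG sigSp0[] = { 0x24A16456, 0x8B000001, 0x3B082474 };
    static const ULONG sigSp2[] = { 0x8B55FF8B, 0xA16456EC, 0x00000124, 0x3B08758B };
    NTSTATUS status;
    PVOID buf = NULL;
    ULONG needed = 0;
    PSYSTEM_MODULE_INFORMATION module;
    ULONG ntosBase;
    ULONG ntosEnd;

    UNREFERENCED_PARAMETER(pContext);

    if (sysmajorVer != 5 || sysminorVer != 1 || sysSPVer > 2) {
        goto Done;
    }

    NtQuerySystemInformation =
        (NTQUERYSYSTEMINFORMATION)GetFunctionAddr(L"NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        DbgPrint("Find NtQuerySystemInformation faild!");
        goto Done;
    }

    /*
     * The sizing call is expected to fail (length mismatch) and report the
     * required size in `needed`; a zero size means the query itself failed.
     */
    status = NtQuerySystemInformation(SystemModuleInformation, &needed, 0, &needed);
    if (needed < sizeof(ULONG) + sizeof(SYSTEM_MODULE_INFORMATION)) {
        DbgPrint("NtQuerySystemInformation gave no module list (0x%X)\n", status);
        goto Done;
    }

    buf = ExAllocatePool(NonPagedPool, needed);
    if (buf == NULL) {
        DbgPrint("ExAllocatePool() failed\n" );
        goto Done;
    }

    status = NtQuerySystemInformation(SystemModuleInformation, buf, needed, NULL);
    if (!NT_SUCCESS(status)) {
        DbgPrint("NtQuerySystemInformation faild!");
        goto Done; /* buf is released at Done */
    }

    if (*(PULONG)buf == 0) {
        DbgPrint("NtQuerySystemInformation reported no modules\n");
        goto Done;
    }

    /* Entry 0 follows the ULONG count; on XP it is ntoskrnl itself. */
    module = (PSYSTEM_MODULE_INFORMATION)((PULONG)buf + 1);
    ntosBase = (ULONG)module->Base;
    ntosEnd = ntosBase + module->Size;

    /* The module list is not needed once the scan range is known. */
    ExFreePool(buf);
    buf = NULL;

    if (sysSPVer == 2) {
        retAddr1 = ScanForPattern(ntosBase, ntosEnd, sigSp2,
                                  (ULONG)(sizeof sigSp2 / sizeof sigSp2[0]));
    } else {
        retAddr1 = ScanForPattern(ntosBase, ntosEnd, sigSp0,
                                  (ULONG)(sizeof sigSp0 / sizeof sigSp0[0]));
    }

Done:
    /* ExFreePool(NULL) is not allowed, so the guard is required. */
    if (buf != NULL) {
        ExFreePool(buf);
    }
    PsTerminateSystemThread(STATUS_SUCCESS);
}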
}