}
if (!NT_SUCCESS(status))
{
prs->ErrorCode = LsaNtStatusToWinError(status);
goto End;
}
EnablePrivilege(SE_DEBUG_NAME, TRUE);
EnablePrivilege(SE_SECURITY_NAME, TRUE);
EnablePrivilege(SE_BACKUP_NAME, TRUE);
for (pptInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;;)
{
pi.BasePriority = pptInfo->BasePriority;
pi.ProcessId = pptInfo->ProcessId;
pi.ParentProcessId = pptInfo->InheritedFromProcessId;
pi.ProcessCreateTime = pptInfo->CreateTime;
pi.ProcessCpuTime.QuadPart = pptInfo->UserTime.QuadPart + pptInfo->KernelTime.QuadPart;
pi.TotalPrivateBytes = pptInfo->TotalPrivateBytes;
pi.TotalVirtualSizeBytes = pptInfo->VmCounters.VirtualSize;
szProcessName[0] = '\0';
szUserName[0] = '\0';
szImagePath[0] = '\0';
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pi.ProcessId);
if (hProcess != NULL)
{
//获取进程所属用户
if (OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
{
for (nRetSize = 0x1000;;)
{
pTokenUser = LocalAlloc(LPTR, nRetSize);
if (pTokenUser == NULL)
break;
if (!GetTokenInformation(hToken, TokenUser, pTokenUser, nRetSize, &nRetSize) &&
GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
LocalFree(pTokenUser);
continue;
}
cbUserName = sizeof(szUserName);
cbDomainName = sizeof(szDomainName);
LookupAccountSid(NULL, (DWORD *)(*(DWORD *)pTokenUser), szUserName, &cbUserName, szDomainName, &cbDomainName, &use);
LocalFree(pTokenUser);
break;
}
CloseHandle(hToken);
}
nRetSize = GetLastError();
//获取进程模块路径
if (GetModuleFileNameEx != NULL && EnumProcessModules != NULL)
{
if (EnumProcessModules(hProcess, &hModule, sizeof(hModule), &nRetSize))
{
GetModuleFileNameEx(hProcess, hModule, szImagePath, sizeof(szImagePath));
}
}
CloseHandle(hProcess);
}
WideCharToMultiByte(CP_OEMCP, 0, pptInfo->ProcessName.Buffer, -1, szProcessName, sizeof(szProcessName), NULL, FALSE);
pi.OffsetOfProcessName = sizeof(pi);
pi.OffsetOfUserName = pi.OffsetOfProcessName + strlen(szProcessName) + 1;
pi.OffsetOfImagePath = pi.OffsetOfUserName + strlen(szUserName) + 1;
pi.OffsetOfNextEntry = pi.OffsetOfImagePath + strlen(szImagePath) + 1;
prs->NumberOfResults++;
ObOutputBinary(pob, &pi, sizeof(pi));
ObOutputString(pob, szProcessName);
ObOutputString(pob, szUserName);
ObOutputString(pob, szImagePath);
if (pptInfo->NextEntryDelta == 0)
break;
(PBYTE)pptInfo += pptInfo->NextEntryDelta;
}
EnablePrivilege(SE_DEBUG_NAME, FALSE);
End:
if (pBuffer != NULL)
LocalFree(pBuffer);
FreeLibrary(hPsapiLib);
return TRUE;
}
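/*
 * Terminate the process identified by ppKill->ProcessId with TerminateProcess.
 *
 * prs is filled with the result header: ResultClass PROCMGR_KILLPROCESS,
 * MessageCode MSG_NONE, NumberOfResults 0, and ErrorCode set to the Win32
 * error only when OpenProcess or TerminateProcess fails (previously it was
 * overwritten with GetLastError() on success as well, reporting a stale code).
 * Returns the TerminateProcess result, or FALSE when the handle cannot be opened.
 */
BOOL ProcMgrKillProcess(PPROCMGR_PROCESSKILL ppKill, PNTSHELL_RESULTSET prs)
{
    HANDLE hProcess;
    BOOL bResult;

    prs->ResultClass = PROCMGR_KILLPROCESS;
    prs->MessageCode = MSG_NONE;
    prs->ErrorCode = ERROR_SUCCESS;
    prs->NumberOfResults = 0;

    /* SeDebugPrivilege is held only for the duration of OpenProcess. */
    EnablePrivilege(SE_DEBUG_NAME, TRUE);
    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, ppKill->ProcessId);
    if (hProcess == NULL)
    {
        /* Capture the error before EnablePrivilege can clobber it. */
        prs->ErrorCode = GetLastError();
    }
    EnablePrivilege(SE_DEBUG_NAME, FALSE);
    if (hProcess == NULL)
        return FALSE;

    bResult = TerminateProcess(hProcess, 0);
    if (!bResult)
    {
        /* Capture before CloseHandle, which may reset the last-error value. */
        prs->ErrorCode = GetLastError();
    }
    CloseHandle(hProcess);
    return bResult;
}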
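/*
 * Start the executable named by pRun->ImagePath on the interactive desktop.
 *
 * prs receives ResultClass PROCMGR_RUN, MessageCode MSG_NONE, NumberOfResults 0
 * and, only when CreateProcess fails, ErrorCode = GetLastError() (the previous
 * version stored GetLastError() even on success, yielding a stale code).
 * Returns the CreateProcess result; on success the returned process and thread
 * handles are closed immediately, so the child is not tracked further.
 *
 * NOTE(review): pRun->ImagePath arrives in the remote request and is handed to
 * CreateProcess unmodified; bInheritHandles is TRUE, so every inheritable
 * handle of this process is passed on to the child — confirm both are intended.
 */
BOOL ProcMgrRun(PPROCMGR_PROCESSRUN pRun, PNTSHELL_RESULTSET prs)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    BOOL bResult;

    prs->ResultClass = PROCMGR_RUN;
    prs->MessageCode = MSG_NONE;
    prs->ErrorCode = ERROR_SUCCESS;
    prs->NumberOfResults = 0;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    /* Copied from the request; si.dwFlags is left at 0 by the ZeroMemory above. */
    si.wShowWindow = pRun->ShowWindow;
    si.lpDesktop = "winsta0\\default";

    bResult = CreateProcess(pRun->ImagePath, NULL, NULL, NULL, 1, 0, NULL, NULL, &si, &pi);
    if (!bResult)
    {
        prs->ErrorCode = GetLastError();
        return FALSE;
    }
    /* The caller does not wait on the child; release both handles now. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}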
/*
 * Terminate the process ppKill->ProcessId by having the ring-0 helper
 * (Ring0Call / Ring0KillThread) kill each of its threads.
 *
 * prs: ResultClass PROCMGR_FORCEKILLPROCESS, MessageCode MSG_RING0_DISABLED
 * when ConfigFlags lacks FLAG_ALLOW_RING0, ErrorCode = Win32 error on
 * allocation failure or on a failing NTSTATUS (via LsaNtStatusToWinError).
 * Returns TRUE only when Ring0Call reports NT_SUCCESS.
 * NOTE(review): when the target is not present in the snapshot the function
 * returns FALSE with ErrorCode still ERROR_SUCCESS, so the caller cannot
 * distinguish "not found" from a reported failure.
 */
BOOL ProcMgrForceKillProcess(PPROCMGR_PROCESSKILL ppKill, PNTSHELL_RESULTSET prs)
{
    NTSTATUS status;
    PVOID pBuffer;
    ULONG i, nRetSize;
    PSYSTEM_PROCESS_INFORMATION pptInfo;
    PRING0_KILLTHREAD pThreadId = NULL; /* thread-ID list for ring 0; NULL until the target is found */
    prs->ResultClass = PROCMGR_FORCEKILLPROCESS;
    prs->MessageCode = MSG_NONE;
    prs->ErrorCode = ERROR_SUCCESS;
    prs->NumberOfResults = 0;
    /* Ring-0 use is gated by configuration. */
    if (!(ConfigFlags & FLAG_ALLOW_RING0))
    {
        prs->MessageCode = MSG_RING0_DISABLED;
        return FALSE;
    }
    /* Grow the snapshot buffer until the query stops reporting a length mismatch. */
    for (nRetSize = 0x1000;;)
    {
        pBuffer = LocalAlloc(LPTR, nRetSize);
        if (pBuffer == NULL)
        {
            prs->ErrorCode = GetLastError();
            return FALSE;
        }
        // Enumerate all processes visible to the system.
        status = ZwQuerySystemInformation(5, pBuffer, nRetSize, &nRetSize); //SystemProcessesAndThreadsInformation
        if (status != 0xC0000004) //STATUS_INFO_LENGTH_MISMATCH
            break;
        LocalFree(pBuffer);
    }
    if (!NT_SUCCESS(status))
    {
        LocalFree(pBuffer);
        prs->ErrorCode = LsaNtStatusToWinError(status);
        return FALSE;
    }
    /* Walk the variable-length entry chain; NextEntryDelta == 0 marks the last entry. */
    for (pptInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;;)
    {
        if (pptInfo->ProcessId == ppKill->ProcessId) // locate the process to terminate
        {
            if (pptInfo->ThreadCount == 0) // the query may have been filtered, leaving no thread list
            {
                // Fixed-size list: assumes the thread count will not exceed 1023.
                // NOTE(review): the bound is not passed to EnumAllThreads — confirm it cannot write past it.
                pThreadId = LocalAlloc(LPTR, 1024 * sizeof(ULONG));
                if (pThreadId == NULL)
                {
                    prs->ErrorCode = GetLastError();
                    LocalFree(pBuffer);
                    return FALSE;
                }
                // Try kernel-level thread enumeration instead.
                if (EnumAllThreads(ppKill->ProcessId, pThreadId))
                    break;
                else
                {
                    /* NOTE(review): prs->ErrorCode is left ERROR_SUCCESS on this failure path. */
                    LocalFree(pThreadId);
                    LocalFree(pBuffer);
                    return FALSE;
                }
            }
            else
            {
                /* One ULONG for the count plus one per thread (layout of RING0_KILLTHREAD assumed). */
                pThreadId = LocalAlloc(LPTR, (pptInfo->ThreadCount + 1) * sizeof(ULONG));
                if (pThreadId == NULL)
                {
                    prs->ErrorCode = GetLastError();
                    LocalFree(pBuffer);
                    return FALSE;
                }
                pThreadId->ThreadCount = pptInfo->ThreadCount;
                for (i = 0; i < pptInfo->ThreadCount; i++) // record the ID of every thread of the process
                {
                    DbgPrint(("%d tid=%d\n", i, (ULONG)pptInfo->Threads[i].ClientId.UniqueThread));
                    pThreadId->ThreadArray[i] = (ULONG)pptInfo->Threads[i].ClientId.UniqueThread;
                }
                break;
            }
        }
        if (pptInfo->NextEntryDelta == 0)
            break;
        (PBYTE)pptInfo += pptInfo->NextEntryDelta;
    }
    LocalFree(pBuffer);
    if (pThreadId == NULL)
        return FALSE;
    /* NOTE(review): pBuffer was released by the LocalFree above, so these
     * LocalLock/LocalUnlock calls operate on a freed handle (use-after-free);
     * the object actually passed to ring 0 is pThreadId, not pBuffer. */
    LocalLock(pBuffer);
    status = Ring0Call(Ring0KillThread, pThreadId); // kill all of the process's threads from ring 0; the process then exits on its own
    LocalUnlock(pBuffer);
    LocalFree(pThreadId);
    if (!NT_SUCCESS(status))
    {
        prs->ErrorCode = LsaNtStatusToWinError(status);
        return FALSE;
    }
    return TRUE;
}
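/*
 * Worker thread serving process-manager requests over master_sock.
 *
 * lpParam is the SOCKET connected to the master. Each loop iteration reads one
 * request with RecvFromMaster, dispatches it by RequestClass, writes the
 * NTSHELL_RESULTSET header at the front of the output buffer and sends either
 * the header plus accumulated payload (success) or the header alone (failure).
 * The loop ends on a receive/send error or an unsupported ClientVersion.
 * Always returns 0; the socket and output buffer are released on exit.
 *
 * The result set is zeroed before each dispatch so that fields a handler does
 * not assign (e.g. MessageCode in the default branch) never carry stack bytes
 * onto the wire.
 *
 * NOTE(review): the (PPROCMGR_*)(req->Request) casts are not checked against
 * the received length — confirm RecvFromMaster only returns complete requests
 * of at least the payload size for the given RequestClass.
 */
DWORD WINAPI ProcessManagerThread(LPVOID lpParam)
{
    SOCKET master_sock = (SOCKET)lpParam;
    int ret;
    OUTPUT_BUFFER ob;
    NTSHELL_RESULTSET rs;
    BOOL bResult;
    PNTSHELL_REQUEST req;

    if (!ObInitOutput(&ob, 0x80000))
    {
        closesocket(master_sock);
        return 0;
    }

    for (;;)
    {
        /* Leave room at the front of the buffer for the result header. */
        ob.Pointer = sizeof(NTSHELL_RESULTSET);

        ret = RecvFromMaster(master_sock, (char **)&req, -1);
        if (ret == -1)
            break;
        if (req->ClientVersion != 1) // unsupported client
        {
            HeapFree(GetProcessHeap(), 0, req);
            break;
        }

        memset(&rs, 0, sizeof(rs));
        bResult = FALSE;
        switch (req->RequestClass)
        {
        case PROCMGR_LISTPROCESS:
            bResult = ProcMgrListProcess(&ob, &rs);
            break;
        case PROCMGR_KILLPROCESS:
            bResult = ProcMgrKillProcess((PPROCMGR_PROCESSKILL)(req->Request), &rs);
            break;
        case PROCMGR_RUN:
            bResult = ProcMgrRun((PPROCMGR_PROCESSRUN)(req->Request), &rs);
            break;
        case PROCMGR_FORCEKILLPROCESS:
            bResult = ProcMgrForceKillProcess((PPROCMGR_PROCESSKILL)(req->Request), &rs);
            break;
        default:
            /* Unknown request class: report a generic failure. */
            bResult = FALSE;
            rs.ErrorCode = -1;
            rs.NumberOfResults = 0;
            break;
        }

        rs.ServerVersion = NTSHELL_VERSION;
        rs.Reserved = 0;
        rs.ResultClass = req->RequestClass;
        HeapFree(GetProcessHeap(), 0, req);

        /* Header first, then the payload accumulated by the handler (if any). */
        memcpy(ob.Buffer, &rs, sizeof(NTSHELL_RESULTSET));
        if (bResult)
            ret = SendToMaster(master_sock, ob.Buffer, ob.Pointer);
        else
            ret = SendToMaster(master_sock, ob.Buffer, sizeof(NTSHELL_RESULTSET));
        if (ret == -1)
            break;
    }

    ObFreeOutput(&ob);
    closesocket(master_sock);
    return 0;
}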
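/*
 * Directory-walk callback: delete the entry Wfd found under FilePath.
 *
 * FilePath is the directory prefix (expected to already end in a separator,
 * since it is concatenated with Wfd->cFileName as-is) and CallbackArgument
 * points to a ULONG that receives the Win32 error code on failure.
 * Directories are removed with RemoveDirectory, everything else with
 * DeleteFile. Returns TRUE on success, FALSE on failure.
 *
 * The combined path is length-checked before it is built; the previous
 * strcpy/strcat pair could overrun the MAX_PATH buffer for long names.
 * On overflow the error is reported as ERROR_INSUFFICIENT_BUFFER.
 */
BOOLEAN RemoveSubDirectoryAndFile(LPTSTR FilePath, PWIN32_FIND_DATA Wfd, PVOID CallbackArgument)
{
    TCHAR szFilePath[MAX_PATH];
    ULONG *pError = (ULONG *)CallbackArgument;
    /* Byte lengths; TCHAR is treated as char here, as the original strcpy usage implies. */
    size_t cbDir = strlen(FilePath);
    size_t cbName = strlen(Wfd->cFileName);

    if (cbDir + cbName + 1 > sizeof(szFilePath))
    {
        *pError = ERROR_INSUFFICIENT_BUFFER;
        return FALSE;
    }
    memcpy(szFilePath, FilePath, cbDir);
    memcpy(szFilePath + cbDir, Wfd->cFileName, cbName + 1); /* includes the terminator */

    if (Wfd->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
    {
        if (!RemoveDirectory(szFilePath))
        {
            *pError = GetLastError();
            return FALSE;
        }
    }
    else
    {
        if (!DeleteFile(szFilePath))
        {
            *pError = GetLastError();
            return FALSE;
        }
    }
    return TRUE;
}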
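/*
 * Enumerate drives C: through Z: and append one FILEMGR_DRIVEINFO per
 * removable, fixed or CD-ROM drive to pob.
 *
 * prs gets ResultClass FILEMGR_LISTDRIVE, MessageCode MSG_NONE,
 * ErrorCode ERROR_SUCCESS and NumberOfResults = number of records written.
 * Always returns TRUE.
 *
 * Fixes relative to the previous version: the root path is an explicit
 * "X:\" string instead of a multi-character constant reinterpreted through
 * (char *)&int; the record is zeroed before use (the old memset calls had
 * their size and value arguments swapped, so removable-drive totals were
 * never cleared); and a failing GetDiskFreeSpaceEx leaves the totals at 0
 * rather than whatever the previous iteration left in them.
 */
BOOL FileMgrListDrive(POUTPUT_BUFFER pob, PNTSHELL_RESULTSET prs)
{
    char szRoot[4] = "C:\\"; /* root path; the drive letter is advanced each iteration */
    int i, driveType;
    FILEMGR_DRIVEINFO dInfo;

    prs->ResultClass = FILEMGR_LISTDRIVE;
    prs->MessageCode = MSG_NONE;
    prs->NumberOfResults = 0;
    prs->ErrorCode = ERROR_SUCCESS;

    /* i == 2 is C:; A: and B: are skipped as before. */
    for (i = 2; i < 26; i++, szRoot[0]++)
    {
        driveType = (int)GetDriveType(szRoot);
        if (driveType != DRIVE_REMOVABLE && driveType != DRIVE_FIXED && driveType != DRIVE_CDROM)
            continue;

        /* Zero the whole record so padding and unset fields never carry stack bytes. */
        memset(&dInfo, 0, sizeof(dInfo));
        memcpy(dInfo.RootPathName, szRoot, sizeof(szRoot));

        /* Removable media are not queried for size (may be absent); totals stay 0. */
        if (driveType != DRIVE_REMOVABLE)
        {
            if (!GetDiskFreeSpaceEx(dInfo.RootPathName, NULL, &dInfo.TotalNumberOfBytes, &dInfo.TotalNumberOfFreeBytes))
            {
                memset(&dInfo.TotalNumberOfBytes, 0, sizeof(dInfo.TotalNumberOfBytes));
                memset(&dInfo.TotalNumberOfFreeBytes, 0, sizeof(dInfo.TotalNumberOfFreeBytes));
            }
        }

        if (!GetVolumeInformation(dInfo.RootPathName,
                                  dInfo.VolumeName,
                                  sizeof(dInfo.VolumeName),
                                  &dInfo.VolumeSerialNumber,
                                  NULL,
                                  NULL,
                                  dInfo.FileSystemName,
                                  sizeof(dInfo.FileSystemName)))
        {
            dInfo.VolumeName[0] = '\0';
            dInfo.VolumeSerialNumber = 0;
            dInfo.FileSystemName[0] = '\0';
        }

        prs->NumberOfResults++;
        ObOutputBinary(pob, &dInfo, sizeof(dInfo));
    }
    return TRUE;
}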
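/*
 * List the directory entries matching the FindFirstFile pattern in
 * pfn->PathName, appending a FILEMGR_FILEINFO record followed by the entry
 * name to pob for each one. The "." and ".." pseudo-entries are skipped.
 *
 * prs: ResultClass FILEMGR_LISTFILE, MessageCode MSG_NONE, NumberOfResults =
 * records written, ErrorCode = GetLastError() when FindFirstFile fails (the
 * function then returns FALSE). Returns TRUE otherwise.
 *
 * The dot-entry check compares bytes individually; the previous version read
 * cFileName+1 through a short, a misaligned type-punned access.
 * NOTE(review): pfn->PathName comes from the remote request and is passed to
 * FindFirstFile unmodified; an error from FindNextFile other than "no more
 * files" silently ends the listing.
 */
BOOL FileMgrListFile(POUTPUT_BUFFER pob, PFILEMGR_FILENAME pfn, PNTSHELL_RESULTSET prs)
{
    WIN32_FIND_DATA wfd;
    HANDLE hFind;
    FILEMGR_FILEINFO fInfo;

    prs->ResultClass = FILEMGR_LISTFILE;
    prs->MessageCode = MSG_NONE;
    prs->NumberOfResults = 0;
    prs->ErrorCode = ERROR_SUCCESS;

    hFind = FindFirstFile(pfn->PathName, &wfd);
    if (hFind == INVALID_HANDLE_VALUE)
    {
        prs->ErrorCode = GetLastError();
        return FALSE;
    }

    /* Zero once so padding/unset fields never carry stack bytes into the output. */
    memset(&fInfo, 0, sizeof(fInfo));
    do
    {
        if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            const char *name = wfd.cFileName;
            /* Skip "." and ".." (continue re-evaluates the while condition). */
            if (name[0] == '.' && (name[1] == '\0' || (name[1] == '.' && name[2] == '\0')))
                continue;
        }
        fInfo.FileAttributes = wfd.dwFileAttributes;
        fInfo.CreationTime = wfd.ftCreationTime;
        fInfo.LastWriteTime = wfd.ftLastWriteTime;
        fInfo.FileSizeLow = wfd.nFileSizeLow;
        fInfo.FileSizeHigh = wfd.nFileSizeHigh;
        prs->NumberOfResults++;
        ObOutputBinary(pob, &fInfo, sizeof(fInfo));
        ObOutputString(pob, wfd.cFileName);
    } while (FindNextFile(hFind, &wfd));

    FindClose(hFind);
    return TRUE;
}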
BOOL FileMgrGetFileIcon(POUTPUT_BUFFER pob, PFILEMGR_FILENAME pfn, PNTSHELL_RESULTSET prs)
{
/**/ICONINFO info;
HDC hDC;
int ret;
BITMAPINFOHEADER bih;
BITMAP bmpInfo;
SHFILEINFO sfi;
PFILEMGR_FILEICON pfi;
prs->ResultClass = FILEMGR_GETFILEICON;
prs->MessageCode = MSG_NONE;
prs->NumberOfResults = 0;
prs->ErrorCode = ERROR_SUCCESS;
ret = SHGetFileInfo(pfn->PathName, 0, &sfi, sizeof(SHFILEINFO), SHGFI_USEFILEATTRIBUTES | SHGFI_ICON | SHGFI_SMALLICON);
//icon = ExtractIcon(GetModuleHandle(NULL), path, 0);
if (ret)
{
GetIconInfo(sfi.hIcon, &info);
GetObject(info.hbmColor, sizeof(BITMAP), &bmpInfo);
pfi = HeapAlloc(GetProcessHeap(), 0, sizeof(PFILEMGR_FILEICON) + bmpInfo.bmWidth * bmpInfo.bmHeight * bmpInfo.bmBitsPixel / 8);
if (pfi == NULL)
{
prs->ErrorCode = GetLastError();
return FALSE;
}
bih.biSize = sizeof(BITMAPINFOHEADER);
bih.biWidth = bmpInfo.bmWidth;
bih.biHeight = bmpInfo.bmHeight;
bih.biPlanes = 1;
bih.biBitCount = bmpInfo.bmBitsPixel;
bih.biCompression = BI_RGB;
bih.biSizeImage = 0;
bih.biXPelsPerMeter = 0;
bih.biYPelsPerMeter = 0;
bih.biClrUsed = 0;
bih.biClrImportant = 0;
pfi->Width = (WORD)bmpInfo.bmWidth;
pfi->Height = (WORD)bmpInfo.bmHeight;
pfi->BitCount = b