使用Undocumented Native API 结束进程

微软有很多没有对外公布(undocumented)的 Windows Native API,比如 ntdll.dll 导出的 NtTerminateProcess。这类 API 没有公开头文件声明,也不保证在不同 Windows 版本之间原型和行为保持不变,所以只能在运行时从 ntdll.dll 动态取得地址再调用。那么具体该怎么做呢?

跟我来吧!

OK!假设我们得到一个进程的PID,想结束它,怎么办呢?

多数的人会调用 TerminateProcess 这个 Win32 API,这个是微软对外公布的。其实 kernel32 里的 TerminateProcess 只是一层很薄的封装,最终真正发起系统调用去中止进程的是 ntdll 里的 NtTerminateProcess,

因此,很多人会发现用 TerminateProcess 不是所有的进程都能中止。需要说明的是:这并不是 API 层的问题——内核对两条路径做的是同一套访问检查,直接调用 NtTerminateProcess 本身并不能绕过任何权限限制。下面的代码之所以能结束更多进程,关键在于它先在自己的令牌上启用了 SeDebugPrivilege,再用这个权限去 OpenProcess;即便如此,受保护进程(PPL)等仍然无法被结束。

首先,要使用这个 Native API,需要先为它声明一个函数指针类型,并在运行时从 ntdll.dll 取得地址:

typedef DWORD (CALLBACK* NTTERMINATEPROCESS)(HANDLE,UINT);
NTTERMINATEPROCESS NtTerminateProcess;
HMODULE hNtdll = NULL;
    hNtdll = LoadLibrary( "ntdll.dll" );
    
    //从ntdll.dll里获取函数
    if ( !hNtdll )
    {
        printf( "LoadLibrary( NTDLL.DLL ) Error:%d\n", GetLastError() );
        return false;
    }
  NtTerminateProcess = (NTTERMINATEPROCESS)
        GetProcAddress( hNtdll, "NtTerminateProcess");



这样好了以后,就可以直接使用 NtTerminateProcess(hProcess, nExitCode) 了。注意第一个参数是 OpenProcess 得到的进程句柄(至少需要 PROCESS_TERMINATE 权限),不是 PID;返回值是 NTSTATUS,0 表示成功,负值表示失败,不要按 BOOL 的习惯去判断。

代码我贴出来,也可以找Friddy,QQ568623要。。。

代码:



#include <windows.h>
#include <tlhelp32.h>   /* must come after windows.h */
#include <stdio.h>
#include <string.h>     /* strcmp */
#include <iostream.h>
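/* Function-pointer type for the undocumented ntdll export
 *   NTSTATUS NTAPI NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);
 * The return value is an NTSTATUS (signed): 0 is success, negative is failure.
 * The original typedef declared it as DWORD, which invited BOOL-style tests of
 * the result. NTAPI and CALLBACK are both __stdcall. */
typedef LONG (NTAPI *NTTERMINATEPROCESS)(HANDLE ProcessHandle, LONG ExitStatus);
/* Resolved at runtime in main(); NULL until then. */
NTTERMINATEPROCESS NtTerminateProcess = NULL;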
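/* Enable or disable one named privilege (e.g. SE_DEBUG_NAME) on hToken.
 *
 * hToken must have been opened with at least TOKEN_ADJUST_PRIVILEGES and
 * TOKEN_QUERY. Returns TRUE only if the privilege was actually adjusted;
 * FALSE if the name is unknown, the call fails, or the token does not hold
 * the privilege at all (e.g. a non-administrator asking for SeDebugPrivilege). */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    LUID luid;
    TOKEN_PRIVILEGES tp;

    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
        return FALSE;

    tp.PrivilegeCount = 1;
    /* The original never copied the looked-up LUID into the structure, so
     * AdjustTokenPrivileges was handed an uninitialized LUID. */
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
        return FALSE;

    /* AdjustTokenPrivileges returns TRUE even when nothing was adjusted
     * because the token does not hold the privilege; that case is reported
     * only through GetLastError() == ERROR_NOT_ALL_ASSIGNED. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        return FALSE;

    return TRUE;
}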
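/* Terminate the process with the given PID through NtTerminateProcess.
 *
 * SeDebugPrivilege is enabled on the current token first, because that is
 * what allows OpenProcess to succeed on processes owned by other users or
 * SYSTEM; calling the native API directly bypasses no access check by itself.
 * Returns TRUE if the process was terminated, FALSE otherwise. Requires the
 * global NtTerminateProcess pointer to have been resolved (see main). */
BOOL KillProcess(DWORD PID)
{
    HANDLE hToken = NULL;
    HANDLE hProcess = NULL;
    BOOL bKilled = FALSE;
    LONG status;

    /* Never call through an unresolved undocumented-API pointer. */
    if (!NtTerminateProcess)
        return FALSE;

    /* Only the rights actually needed, not TOKEN_ALL_ACCESS. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    /* Best effort: if the caller is not an administrator the privilege cannot
     * be enabled, but terminating the caller's own processes may still work. */
    SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);

    /* PROCESS_TERMINATE is all NtTerminateProcess needs; requesting
     * PROCESS_ALL_ACCESS only makes OpenProcess fail on more targets. */
    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, PID);
    if (!hProcess)
        goto cleanup;

    /* NtTerminateProcess returns an NTSTATUS: 0 is success, negative values
     * are failures. The original tested it like a BOOL, so success was
     * reported as FALSE and failure as TRUE. The cast keeps the sign test
     * correct even if the typedef declares an unsigned return type. */
    status = (LONG)NtTerminateProcess(hProcess, 1);
    bKilled = (status >= 0);

cleanup:
    /* The original leaked both handles on every early-return path. */
    if (hProcess)
        CloseHandle(hProcess);
    CloseHandle(hToken);
    return bKilled;
}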
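/* Terminate every running process whose image name equals ProcessName.
 *
 * The comparison is an exact, case-sensitive strcmp against the Toolhelp
 * szExeFile field, as in the original; note that Windows image names are
 * case-insensitive, so "Calc.exe" would not match "calc.exe". Each match is
 * handed to KillProcess; failures are not reported to the caller. */
void killman(const char *ProcessName)
{
    HANDLE hSnapshot;
    PROCESSENTRY32 pinfo;
    BOOL more;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* Toolhelp signals failure with INVALID_HANDLE_VALUE, not NULL. */
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return;

    pinfo.dwSize = sizeof(PROCESSENTRY32);
    for (more = Process32First(hSnapshot, &pinfo);
         more;
         more = Process32Next(hSnapshot, &pinfo)) {
        if (strcmp(pinfo.szExeFile, ProcessName) == 0) {
            /* KillProcess opens its own handle. The original also called
             * OpenProcess here and stored the result in the same variable
             * that held the snapshot, so Process32Next was then called on a
             * process handle and enumeration broke after the first match. */
            KillProcess(pinfo.th32ProcessID);
        }
    }

    /* The original also took a TH32CS_SNAPMODULE snapshot per process (never
     * closed, MODULEENTRY32.dwSize never set) to compute a short path that
     * was never used; that has been dropped. */
    CloseHandle(hSnapshot);
}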
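/* Entry point: resolve NtTerminateProcess from ntdll.dll, then terminate
 * every process whose image name matches argv[1] ("calc.exe" when no
 * argument is given, as in the original). Returns 0 on success and 1 if the
 * native API could not be resolved. */
int main(int argc, char **argv)
{
    const char *target = (argc > 1) ? argv[1] : "calc.exe";
    HMODULE hNtdll;

    /* ntdll.dll is mapped into every process; LoadLibrary only adds a
     * reference that is released at the end. */
    hNtdll = LoadLibrary("ntdll.dll");
    if (!hNtdll) {
        /* GetLastError() is a DWORD, hence %lu. The original returned false
         * (0) here, i.e. reported success on failure. */
        printf("LoadLibrary( NTDLL.DLL ) Error:%lu\n", GetLastError());
        return 1;
    }

    /* Undocumented export: check the lookup before anything calls it. */
    NtTerminateProcess = (NTTERMINATEPROCESS)GetProcAddress(hNtdll, "NtTerminateProcess");
    if (!NtTerminateProcess) {
        printf("GetProcAddress( NtTerminateProcess ) Error:%lu\n", GetLastError());
        FreeLibrary(hNtdll);
        return 1;
    }

    killman(target);

    NtTerminateProcess = NULL;
    FreeLibrary(hNtdll);
    return 0;
}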


