Mr. Sheng Jiang you can help me please RRS feed


  • hi  sheng

    I am trying really hard to finish a college project,
    and I am having problems with an NT process terminate,
     and all the sites I tried to consult about it are on the Asian side of the world.
    What I really need to do I am not able to do. 
    I found a software called IceSword http://www.antirootkit.com/software/IceSword.htm  and this software
    accesses the PSP terminate process instead of the NT terminate process,
     so I was able to find a *.cpp that is based on the same logic as that software.
    But I am having big trouble with the header files and packages.
     I am sending you the sample attached;
    could you please help me with this,
     as soon as you can?
       

     

    include <ntddk.h>

    // Kernel-side device name and the \DosDevices alias that user mode opens.
    #define NT_DEVICE_NAME                    L"\\Device\\KillProcess"
    #define DOS_DEVICE_NAME          L"\\DosDevices\\KillProcess"

    // Initialised in DriverEntry, used again by UnloadDriver.
    UNICODE_STRING                                         DeviceNameString;
    UNICODE_STRING                                         LinkDeviceNameString;

    // Both IOCTLs are METHOD_BUFFERED on FILE_DEVICE_UNKNOWN with FILE_ANY_ACCESS,
    // i.e. no particular access right is needed on the handle to issue them.
    #define        IOCTL_GETFUNCTION        CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)
    #define IOCTL_STARTRUN                CTL_CODE(FILE_DEVICE_UNKNOWN,0x905,METHOD_BUFFERED,FILE_ANY_ACCESS)

    // Hand-written prototype rather than one taken from a header.
    // NOTE(review): the exported routine takes a HANDLE ProcessId, not ULONG;
    // this declaration only lines up where the two have the same width --
    // confirm against the target's ntifs.h.
    NTKERNELAPI
    NTSTATUS
    PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS         *pEProcess);

    // Pointer types for the three routines whose addresses the caller of
    // IOCTL_GETFUNCTION supplies (see DispatchDeviceControl).
    typedef NTSTATUS NTKERNELAPI(*PSPTERMINATETHREADBYPOINTER)(PETHREAD Thread,NTSTATUS ExitStatus);
    typedef PETHREAD NTKERNELAPI(*PSGETNEXTPROCESSTHREAD)(PEPROCESS Process,PETHREAD Thread);
    typedef NTSTATUS NTKERNELAPI(*PSPTERMINATEPROCESS)(PEPROCESS Process,NTSTATUS ExitStatus);

    // File-scope pointers: zero-initialised (NULL) until IOCTL_GETFUNCTION stores
    // values into them, and called through without a NULL check afterwards.
    PSPTERMINATEPROCESS                 PspTerminateProcess;
    PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointer;
    PSGETNEXTPROCESSTHREAD                 PsGetNextProcessThread;

    // Local reimplementation; defined below. Its only call site is commented out.
    NTSTATUS MyPspTerminateProcess(PEPROCESS Process,NTSTATUS ExitStatus);

    // Input layout for IOCTL_GETFUNCTION: three code addresses carried as ULONG.
    // ULONG is 32 bits wide, so this layout cannot hold a 64-bit kernel address;
    // the driver is effectively 32-bit only.
    typedef struct _tagFuncAddrGet
    {
            ULONG Func_PspTerminateProcess;
            ULONG Func_PspTerminateThreadByPointer;
            ULONG Func_PsGetNextProcessThread;
    }FuncAddrGet,*PFuncAddrGet;

    // Single dispatch routine registered (in DriverEntry) for IRP_MJ_CREATE,
    // IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL. Create/close complete with
    // STATUS_SUCCESS and do no work. Device control handles two METHOD_BUFFERED
    // IOCTLs:
    //   IOCTL_GETFUNCTION - copies three addresses out of the caller's input
    //                       buffer into the file-scope function pointers.
    //   IOCTL_STARTRUN    - reads a PID from the input buffer, looks the process
    //                       up and calls through the stored PspTerminateProcess.
    // Returns Irp->IoStatus.Status, which this routine only ever leaves at
    // STATUS_SUCCESS; IoStatus.Information is always 0 (no output is produced).
    //
    // NOTE(review): the input buffer is caller-controlled and
    // IrpStack->Parameters.DeviceIoControl.InputBufferLength is never compared
    // with sizeof(FuncAddrGet) / sizeof(ULONG) before the buffer is read, and the
    // addresses taken from it are later called in kernel mode. Whoever can open
    // the device therefore decides where the kernel jumps. A reviewer would
    // require, per IOCTL: check InputBufferLength, reject a NULL SystemBuffer,
    // and not accept code addresses from the caller at all.
    NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
    {
                      NTSTATUS                        nStatus                 = STATUS_SUCCESS;
                             ULONG                        IoControlCode         = 0;
    PIO_STACK_LOCATION                        IrpStack                 = NULL;               
                            PUCHAR                        inBufByte                = NULL;
                            UCHAR                        outBuf[20];   // unused
                           
                            FuncAddrGet*         pstr_GetFunAddr;
                            ULONG                        ulPid;
                            PEPROCESS                 pEprocess = NULL;
                           
            // Every path below completes the IRP with these values.
            Irp->IoStatus.Status                =         STATUS_SUCCESS;
            Irp->IoStatus.Information        =         0;
            IrpStack                                        =        IoGetCurrentIrpStackLocation(Irp);

            switch(IrpStack->MajorFunction)
            {
                    case IRP_MJ_CREATE:
                            break;
                    case IRP_MJ_CLOSE :
                            break;
                    case IRP_MJ_DEVICE_CONTROL:

                    IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
                           
                    switch(IoControlCode)
                    {
                            case IOCTL_GETFUNCTION:
                            // Caller-supplied struct read without a length check
                            // (see note above); SystemBuffer may be NULL if the
                            // caller passed no input -- presumably, confirm.
                            inBufByte = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
                            pstr_GetFunAddr = (FuncAddrGet*)inBufByte;
                            // ULONG -> pointer: truncates on 64-bit builds.
                            PspTerminateProcess
                            = (PSPTERMINATEPROCESS)pstr_GetFunAddr->Func_PspTerminateProcess;
                           
                            PspTerminateThreadByPointer
                            = (PSPTERMINATETHREADBYPOINTER)pstr_GetFunAddr->Func_PspTerminateThreadByPointer;
                           
                            PsGetNextProcessThread
                            = (PSGETNEXTPROCESSTHREAD)pstr_GetFunAddr->Func_PsGetNextProcessThread;
                            break;
                           
                            case IOCTL_STARTRUN:
                            // Same missing length/NULL check as above.
                            inBufByte = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
                            ulPid = *(PULONG)inBufByte;
                            // BUG: "0x0.8X" contains no '%' conversion, so the
                            // pointer argument is never formatted (intended "%0.8X"
                            // or, better, "%p").
                            DbgPrint("PspTerminateProcess: 0x0.8X ",PspTerminateProcess);
                            // %d with a ULONG argument; %lu would match the type.
                            DbgPrint("The Process You Want to Kill is %d",ulPid);
                            // Return value ignored: on failure pEprocess stays NULL
                            // and is passed straight to the callee below. On success
                            // the returned EPROCESS is referenced and is never
                            // released with ObDereferenceObject (reference leak).
                            PsLookupProcessByProcessId(ulPid,&pEprocess);
                            // NULL call if IOCTL_GETFUNCTION was never issued;
                            // otherwise the target is whatever the caller stored.
                            PspTerminateProcess(pEprocess,STATUS_SUCCESS);
                    //        MyPspTerminateProcess(pEprocess,STATUS_SUCCESS);
                            break;
                                   
                            default:
                            // Unknown IOCTL: still completed with STATUS_SUCCESS
                            // rather than STATUS_INVALID_DEVICE_REQUEST.
                            break;
                    }
                            break;
                            // Not reachable for the three major functions registered
                            // in DriverEntry. The literal is mis-encoded in the
                            // original and is left as-is (it is runtime text).
                            default:        DbgPrint("???????");
                                                    break;
            }               
            nStatus = Irp->IoStatus.Status;
            IoCompleteRequest(Irp,IO_NO_INCREMENT);
            return nStatus;
    }

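    // DriverUnload callback registered in DriverEntry. Removes the \DosDevices
    // symbolic link and deletes the control device object created there.
    //
    // DriverObject->DeviceObject is the device IoCreateDevice produced in
    // DriverEntry. The original asserted deviceObject->AttachedDevice before
    // testing deviceObject for NULL, which dereferences NULL if there is no
    // device; the assertion now sits inside the NULL check.
    VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
    {
        PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;

        // Drop the user-visible name first so no new opens reach the device
        // while it is being torn down.
        IoDeleteSymbolicLink(&LinkDeviceNameString);

        if (deviceObject != NULL)
        {
            // Nothing is expected to be layered on top of this control device.
            ASSERT(!deviceObject->AttachedDevice);
            IoDeleteDevice(deviceObject);
        }
    }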

    // Driver entry point. Creates the control device NT_DEVICE_NAME, exposes it to
    // user mode under DOS_DEVICE_NAME through a symbolic link, and routes
    // create/close/device-control IRPs to DispatchDeviceControl.
    // Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink
    // status (the device is deleted again if the link cannot be created).
    // pRegistryString is unused.
    //
    // NOTE(review): no security descriptor is applied to the device, so who may
    // open it is whatever the default for this device type grants -- presumably
    // any local user; confirm, and consider IoCreateDeviceSecure with a
    // restrictive SDDL, since DispatchDeviceControl calls through addresses
    // taken from the caller's buffer. The device type FILE_DEVICE_DISK_FILE_SYSTEM
    // also does not match the FILE_DEVICE_UNKNOWN used in the IOCTL_* CTL_CODEs.
    NTSTATUS DriverEntry(PDRIVER_OBJECT theDriverObject, PUNICODE_STRING pRegistryString)
    {
            NTSTATUS                         status;
            PDEVICE_OBJECT           deviceObject;
           
            // Build the two names; both globals are reused by UnloadDriver.
        RtlInitUnicodeString( &DeviceNameString,    NT_DEVICE_NAME );
        RtlInitUnicodeString( &LinkDeviceNameString,DOS_DEVICE_NAME );
       
        status = IoCreateDevice(
                                    theDriverObject,
                                    0,                     // no device extension
                                    &DeviceNameString,
                                    FILE_DEVICE_DISK_FILE_SYSTEM,
                                    FILE_DEVICE_SECURE_OPEN,   // characteristics flag
                                    FALSE,
                                    & deviceObject );
                                   
            if (!NT_SUCCESS( status ))
        {
            KdPrint(("DriverEntry: Error creating control device object, status=%08x\n", status));
            return status;
        }
        // Make the device reachable from user mode under \DosDevices.
        status = IoCreateSymbolicLink(
                                    (PUNICODE_STRING) &LinkDeviceNameString,
                    (PUNICODE_STRING) &DeviceNameString
                                                                     );
            if (!NT_SUCCESS(status))
            {
                    IoDeleteDevice(deviceObject);
                    return status;
            }
           
            // One routine serves all three major functions it switches on.
        theDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchDeviceControl;
            theDriverObject->MajorFunction[IRP_MJ_CLOSE]  = DispatchDeviceControl;
            theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;        
            theDriverObject->DriverUnload = UnloadDriver;        // makes the driver unloadable
            return STATUS_SUCCESS;
    }

    // Walks Process's thread list with the stored PsGetNextProcessThread pointer
    // and calls the stored PspTerminateThreadByPointer on each thread with
    // ExitStatus. Not reached from the IOCTL path: its only call site in
    // DispatchDeviceControl is commented out.
    // Always returns STATUS_SUCCESS; the per-thread return value is discarded and
    // `st` is assigned but never read.
    // NOTE(review): both function pointers are whatever IOCTL_GETFUNCTION stored
    // and are NULL before that, so calling this first dereferences NULL.
    NTSTATUS
    MyPspTerminateProcess(PEPROCESS Process,NTSTATUS ExitStatus)
    {
        PETHREAD Thread;
        NTSTATUS st;
    //        PS_SET_BITS (&Process->Flags,0x00000008ul);
                // Iteration ends when the enumerator returns NULL.
                for (Thread = PsGetNextProcessThread (Process, NULL);
            Thread != NULL;
            Thread = PsGetNextProcessThread (Process, Thread)) {
            st = STATUS_SUCCESS;
            PspTerminateThreadByPointer(Thread,ExitStatus);
        }
        return STATUS_SUCCESS;
    }

    quinta-feira, 12 de maio de 2011 01:36