
Amazing code: an amazing way to kill a process

2016-09-06 11:31, 423 views
This piece of code is truly amazing.

While I was still working out how to end a process more conveniently from inside the process-creation callback,

while I was still hunting for the OEP and writing a ret,

while I was still blocking process creation,

this amazing code offered an extremely simple method:

just OpenProcess, then Terminate, and that's it.

No ret, no OEP, none of that at all.

None of that "a clash met by a combination sets the timing" or "a combination met by a clash fixes the timing" business, none of it, not needed:

the answer just comes straight out.

(Never mind that the code as posted never closes the handle it opens, so it leaks one per callback; that isn't the point. The point is the method used to end the process.)

#include <ntddk.h>

// Process-creation notify callback: called once when a process is created
// (bCreate == TRUE) and once when it exits (bCreate == FALSE).
VOID ProcessMonitorCallback(
    IN HANDLE hParentId,
    IN HANDLE hProcessId,
    IN BOOLEAN bCreate)
{
    NTSTATUS status;
    HANDLE procHandle = NULL;
    CLIENT_ID ClientId;
    OBJECT_ATTRIBUTES Obja;

    UNREFERENCED_PARAMETER(hParentId);

    // Empty object attributes: the process is identified by CLIENT_ID, not by name.
    InitializeObjectAttributes(&Obja, NULL, 0, NULL, NULL);

    ClientId.UniqueProcess = hProcessId;
    ClientId.UniqueThread = NULL;

    // Terminate every process that gets created, whatever it is.
    if (bCreate)   // bCreate == TRUE means a process is being created
    {
        // ZwOpenProcess: obtain a process handle from the process id.
        status = ZwOpenProcess(&procHandle, PROCESS_ALL_ACCESS, &Obja, &ClientId);
        if (status == STATUS_INVALID_PARAMETER_MIX)
            DbgPrint("STATUS_INVALID_PARAMETER_MIX\n");
        else if (status == STATUS_INVALID_CID)
            DbgPrint("STATUS_INVALID_CID\n");
        else if (status == STATUS_INVALID_PARAMETER)
            DbgPrint("STATUS_INVALID_PARAMETER\n");
        else if (status == STATUS_ACCESS_DENIED)
            DbgPrint("STATUS_ACCESS_DENIED\n");
        else if (NT_SUCCESS(status))
            DbgPrint("STATUS_SUCCESS\n");
        else
            DbgPrint("ZwOpenProcess failed: 0x%08X\n", status);

        if (procHandle == NULL)
        {
            DbgPrint("failed to ZwOpenProcess...\n");
            return;
        }

        status = ZwTerminateProcess(procHandle, 1);

        // Release the handle; the code as originally posted left it open (handle leak).
        ZwClose(procHandle);

        // Report whether the process was actually terminated.
        // HANDLE is pointer-sized, so it is printed with %p rather than %u.
        switch (status)
        {
        case STATUS_SUCCESS:
            DbgPrint("process %p has been killed ...\n", hProcessId);
            break;
        case STATUS_OBJECT_TYPE_MISMATCH:
            DbgPrint("failed to kill process %p: the specified handle is not a process handle.\n", hProcessId);
            break;
        case STATUS_INVALID_HANDLE:
            DbgPrint("failed to kill process %p: the specified handle is not valid.\n", hProcessId);
            break;
        case STATUS_ACCESS_DENIED:
            DbgPrint("failed to kill process %p: the driver cannot access the specified process object.\n", hProcessId);
            break;
        case STATUS_PROCESS_IS_TERMINATING:
            DbgPrint("failed to kill process %p: the specified process is already terminating.\n", hProcessId);
            break;
        default:
            break;
        }
    }
}

// Driver unload routine
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);

    // Unregister the callback (Remove == TRUE)
    PsSetCreateProcessNotifyRoutine(ProcessMonitorCallback, TRUE);
    DbgPrint("driver unloaded ...\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pRegistryPath);

    // Install the unload handler, then register the process-creation callback
    pDriverObj->DriverUnload = DriverUnload;
    status = PsSetCreateProcessNotifyRoutine(ProcessMonitorCallback, FALSE);
    return status;
}
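As an added example that is not part of the original post or the code it quotes: the supported way to stop a process from starting is not to open and terminate it from inside the callback, but to register the Ex variant, PsSetCreateProcessNotifyRoutineEx, and set CreateInfo->CreationStatus to an error status; Windows then fails the creation before the new process ever executes, and no handle has to be opened or closed. The function below is that callback's decision logic, which allows everything except a small deny list of image names. The kernel types (NTSTATUS, UNICODE_STRING, PS_CREATE_NOTIFY_INFO) are minimal stand-ins so the logic compiles and runs in user mode with an ordinary C compiler; a real driver takes them from ntddk.h, and the deny list, decide_process_creation, image_name_matches and make_ascii_unicode_string are this example's own names with constructed sample values.

```c
/* Added example, not from the original post: decision logic for a
 * PsSetCreateProcessNotifyRoutineEx callback that fails process creation
 * through CreateInfo->CreationStatus instead of terminating the process.
 * The kernel types below are minimal stand-ins so this compiles in user
 * mode; in a real driver they come from <ntddk.h> and are not redefined. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS;
typedef void *HANDLE;
typedef unsigned short WCHAR;                 /* UTF-16 code unit */
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef struct {
    unsigned short Length;                    /* in bytes, not characters */
    unsigned short MaximumLength;
    WCHAR *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Stand-in for PS_CREATE_NOTIFY_INFO, reduced to the fields used here. */
typedef struct {
    PUNICODE_STRING ImageFileName;            /* NT path of the image; may be NULL */
    NTSTATUS CreationStatus;                  /* set to an error to fail creation */
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

/* Constructed deny list: image file names (last path component) to refuse. */
static const char *const kDeniedImages[] = { "blocked_tool.exe", "noexec.exe" };

/* Case-insensitive match of an ASCII name against the last path component
 * of a UTF-16 UNICODE_STRING (Length is in bytes). */
static int image_name_matches(const UNICODE_STRING *path, const char *name)
{
    size_t n = path->Length / sizeof(WCHAR), start = 0, len, i;
    for (i = 0; i < n; i++)
        if (path->Buffer[i] == '\\')
            start = i + 1;
    len = n - start;
    if (len != strlen(name))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned a = path->Buffer[start + i];
        unsigned b = (unsigned char)name[i];
        if (a > 127 || tolower((int)a) != tolower((int)b))
            return 0;
    }
    return 1;
}

/* Callback body. The Ex routine is called with CreateInfo set on creation and
 * with CreateInfo == NULL on exit, so the NULL case must be handled. Returns
 * the status written to CreationStatus (STATUS_SUCCESS when allowed). */
NTSTATUS decide_process_creation(HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    size_t i;
    (void)ProcessId;
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL)
        return STATUS_SUCCESS;                /* exit notification or no image name */
    for (i = 0; i < sizeof kDeniedImages / sizeof kDeniedImages[0]; i++) {
        if (image_name_matches(CreateInfo->ImageFileName, kDeniedImages[i])) {
            CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
            return CreateInfo->CreationStatus;
        }
    }
    return STATUS_SUCCESS;
}

/* In the driver the registered routine is a thin wrapper (kept as a comment
 * because PEPROCESS and the registration call need <ntddk.h>; the driver must
 * also be linked with /INTEGRITYCHECK or the Ex registration fails):
 *   VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
 *                              PPS_CREATE_NOTIFY_INFO CreateInfo)
 *   { decide_process_creation(ProcessId, CreateInfo); }
 *   PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE); // DriverEntry
 *   PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);  // DriverUnload */

/* Demo/test helper: build a UNICODE_STRING from an ASCII path. */
void make_ascii_unicode_string(WCHAR *buf, size_t cap, const char *ascii, UNICODE_STRING *out)
{
    size_t n = strlen(ascii), i;
    if (n > cap)
        n = cap;
    for (i = 0; i < n; i++)
        buf[i] = (WCHAR)(unsigned char)ascii[i];
    out->Buffer = buf;
    out->Length = (unsigned short)(n * sizeof(WCHAR));
    out->MaximumLength = (unsigned short)(cap * sizeof(WCHAR));
}

int main(void)
{
    /* Constructed sample paths in the NT device form the kernel passes. */
    const char *samples[] = { "\\Device\\HarddiskVolume2\\Tools\\BLOCKED_TOOL.EXE",
                              "\\Device\\HarddiskVolume2\\Windows\\notepad.exe" };
    WCHAR buf[128];
    size_t i;
    for (i = 0; i < 2; i++) {
        UNICODE_STRING u;
        PS_CREATE_NOTIFY_INFO info = { &u, STATUS_SUCCESS };
        make_ascii_unicode_string(buf, 128, samples[i], &u);
        decide_process_creation((HANDLE)(size_t)0x1234, &info);
        printf("%s -> %s\n", samples[i], info.CreationStatus == STATUS_SUCCESS ? "allowed" : "denied");
    }
    return 0;
}
```

Compared with the posted driver, this approach leaves no window in which the new process runs before it is killed, needs no PROCESS_ALL_ACCESS handle, and gives the creating process a clean error from CreateProcess instead of an unexplained exit.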

