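/**
 * Termination test that rewrites the instruction pointer of every thread in
 * the target process to the address returned by GetExitProcessFunction().
 *
 * The thread list comes from a system process snapshot, so it reflects the
 * moment PhEnumProcesses() ran; threads created afterwards are not visited.
 * Threads are not suspended before their context is rewritten.
 *
 * Review/defence note: the only access requested on each thread is
 * THREAD_GET_CONTEXT | THREAD_SET_CONTEXT. A process requesting
 * THREAD_SET_CONTEXT on threads it does not own is the observable signal
 * for this behaviour, and restricting that access on protected processes
 * is what stops it.
 *
 * \param ProcessId ID of the process whose threads are modified.
 *
 * \return The failure status of PhEnumProcesses(), STATUS_INVALID_CID when
 * the process is not present in the snapshot, otherwise STATUS_SUCCESS.
 * Per-thread failures are not reported, so STATUS_SUCCESS does not mean
 * that any thread was actually modified.
 */
static NTSTATUS NTAPI TerminatorTT2(
    _In_ HANDLE ProcessId
    )
{
    NTSTATUS status;
    PVOID processes;
    PSYSTEM_PROCESS_INFORMATION process;
    ULONG i;
    CONTEXT context;
    PVOID exitProcess;

    // Presumably an address that is also valid inside the target process;
    // confirm against GetExitProcessFunction().
    exitProcess = GetExitProcessFunction();

    if (!NT_SUCCESS(status = PhEnumProcesses(&processes)))
        return status;

    process = PhFindProcessInformation(processes, ProcessId);

    if (!process)
    {
        PhFree(processes);
        return STATUS_INVALID_CID;
    }

    for (i = 0; i < process->NumberOfThreads; i++)
    {
        HANDLE threadHandle;

        // Best effort: a thread that cannot be opened is skipped.
        if (!NT_SUCCESS(PhOpenThread(
            &threadHandle,
            THREAD_GET_CONTEXT | THREAD_SET_CONTEXT,
            process->Threads[i].ClientId.UniqueThread
            )))
        {
            continue;
        }

        context.ContextFlags = CONTEXT_CONTROL;

        // Only write the context back when the read succeeded. Otherwise
        // `context` holds uninitialized stack data (or the previous thread's
        // registers) and that would be pushed into the target thread.
        if (NT_SUCCESS(PhGetThreadContext(threadHandle, &context)))
        {
#ifdef _M_IX86
            context.Eip = (ULONG)exitProcess;
#else
            context.Rip = (ULONG64)exitProcess;
#endif
            // Result deliberately ignored; see the return-value note above.
            PhSetThreadContext(threadHandle, &context);
        }

        NtClose(threadHandle);
    }

    PhFree(processes);

    return STATUS_SUCCESS;
}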
/**
 * ICLRDataTarget::GetThreadContext implementation: reads the register
 * context of a thread and copies it into the caller's buffer.
 *
 * \param This Interface pointer (not used by this function).
 * \param threadID ID of the thread to query.
 * \param contextFlags Value stored in CONTEXT.ContextFlags before the query.
 * \param contextSize Size of the buffer at \a context, in bytes.
 * \param context Receives exactly sizeof(CONTEXT) bytes on success.
 *
 * \return E_INVALIDARG when the buffer is smaller than a CONTEXT, S_OK on
 * success, otherwise the NTSTATUS failure converted to an HRESULT.
 */
HRESULT STDMETHODCALLTYPE DnCLRDataTarget_GetThreadContext(
    __in ICLRDataTarget *This,
    __in ULONG32 threadID,
    __in ULONG32 contextFlags,
    __in ULONG32 contextSize,
    __out BYTE *context
    )
{
    NTSTATUS status;
    HANDLE threadHandle;
    CONTEXT localContext;

    // Reject undersized buffers up front; the copy below always writes a
    // full CONTEXT and must not run past the caller's allocation.
    if (contextSize < sizeof(CONTEXT))
        return E_INVALIDARG;

    // Stage the result in a zeroed local so that fields the query does not
    // fill in are handed back as zeroes rather than leftover stack contents.
    memset(&localContext, 0, sizeof(CONTEXT));
    localContext.ContextFlags = contextFlags;

    // Read-only access: THREAD_GET_CONTEXT is the only right requested.
    status = PhOpenThread(&threadHandle, THREAD_GET_CONTEXT, ULongToHandle(threadID));

    if (NT_SUCCESS(status))
    {
        status = PhGetThreadContext(threadHandle, &localContext);
        NtClose(threadHandle);
    }

    // Failure from either the open or the query: the caller's buffer is
    // left untouched.
    if (!NT_SUCCESS(status))
        return HRESULT_FROM_WIN32(RtlNtStatusToDosError(status));

    memcpy(context, &localContext, sizeof(CONTEXT));

    return S_OK;
}