void CController::RestoreResource() { BOOL bFlag; HANDLE hSnapShot ; PROCESSENTRY32 pe32 ; HMODULE hKernel32 = LoadLibrary("Kernel32"); hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0 ) ; if( hSnapShot == INVALID_HANDLE_VALUE ) { return; } pe32.dwSize = sizeof(PROCESSENTRY32); typedef BOOL (WINAPI* PROCESS32FIRST)( HANDLE hSnapshot, LPPROCESSENTRY32 lppe); PROCESS32FIRST _Process32First; typedef BOOL (WINAPI* PROCESS32NEXT)( HANDLE hSnapshot, LPPROCESSENTRY32 lppe); PROCESS32NEXT _Process32Next; _Process32First = (PROCESS32FIRST)GetProcAddress(hKernel32, "Process32First"); _Process32Next = (PROCESS32NEXT)GetProcAddress(hKernel32, "Process32Next"); bFlag = _Process32First( hSnapShot, &pe32 ) ; while( bFlag ) { if(stricmp(pe32.szExeFile, "RunBlock.exe") == 0 || stricmp(pe32.szExeFile, "BlockWindows.exe") == 0){ TerminateProcess(OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID), 0); } pe32.dwSize = sizeof(PROCESSENTRY32) ; bFlag = _Process32Next( hSnapShot, &pe32 ); } CloseHandle(hSnapShot); HKEY hKey; RegOpenKeyA(HKEY_LOCAL_MACHINE, LPCSTR("Software\\Microsoft\\Windows\\CurrentVersion\\Run"), &hKey); RegDeleteValue(hKey, "BlockWindows"); RegCloseKey(hKey); }
//--------------------------------------------------------------------------- // KillProcessTreeWinHelper // // This is a recursive helper function that terminates all the processes // started by the specified process and them terminates the process itself // // Parameters: // dwProcessId - identifier of the process to terminate // // Returns: // Win32 error code. // static BOOL WINAPI KillProcessTreeWinHelper ( IN DWORD dwProcessId ) { HINSTANCE hKernel; HANDLE (WINAPI * _CreateToolhelp32Snapshot)(DWORD, DWORD); BOOL (WINAPI * _Process32First)(HANDLE, PROCESSENTRY32 *); BOOL (WINAPI * _Process32Next)(HANDLE, PROCESSENTRY32 *); // get handle to KERNEL32.DLL hKernel = GetModuleHandle(_T("kernel32.dll")); // _ASSERTE(hKernel != NULL); // locate necessary functions in KERNEL32.DLL *(FARPROC *)&_CreateToolhelp32Snapshot = GetProcAddress(hKernel, "CreateToolhelp32Snapshot"); *(FARPROC *)&_Process32First = GetProcAddress(hKernel, "Process32First"); *(FARPROC *)&_Process32Next = GetProcAddress(hKernel, "Process32Next"); if (_CreateToolhelp32Snapshot == NULL || _Process32First == NULL || _Process32Next == NULL) return ERROR_PROC_NOT_FOUND; HANDLE hSnapshot; PROCESSENTRY32 Entry; // create a snapshot hSnapshot = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hSnapshot == INVALID_HANDLE_VALUE) return GetLastError(); Entry.dwSize = sizeof(Entry); if (!_Process32First(hSnapshot, &Entry)) { DWORD dwError = GetLastError(); CloseHandle(hSnapshot); return dwError; } // kill all children first do { if (Entry.th32ParentProcessID == dwProcessId) KillProcessTreeWinHelper(Entry.th32ProcessID); Entry.dwSize = sizeof(Entry); } while (_Process32Next(hSnapshot, &Entry)); CloseHandle(hSnapshot); // kill the process itself if (!KillProcess(dwProcessId)) return GetLastError(); return ERROR_SUCCESS; }
// returns... // 0 - error DWORD GetProcessEntryPoint(DWORD PID) { HANDLE hSnap; MODULEENTRY32 ModuleInfo; PROCESSENTRY32 ProcInfo; sProcessPEInfo ProcPEInfo; CHAR ProcPath[256]; DWORD dwMemSize,dwPEHeaderAddr; VOID* pHeader; HANDLE hProc; // get ToolHelp32 addresses if (!GetTh32()) return FALSE; // I - get the process filename hSnap = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if (hSnap == INVALID_HANDLE_VALUE) return 0; // init the ProcInfo struct ZeroMemory(&ProcInfo,sizeof(ProcInfo)); ProcInfo.dwSize = sizeof(ProcInfo); // find the to the PID corresponding file path _Process32First(hSnap,&ProcInfo); ProcPath[0] = 0; while (_Process32Next(hSnap,&ProcInfo)) if (ProcInfo.th32ProcessID == PID) strcpy((LPTSTR)&ProcPath,ProcInfo.szExeFile); CloseHandle(hSnap); if (ProcPath[0] == 0) return 0; // II - find the ImageBase/SizeOfImage hSnap = _CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PID); if (hSnap == INVALID_HANDLE_VALUE) return 0; // init the ModuleInfo and the ProcPEInfo struct ZeroMemory(&ModuleInfo,sizeof(ModuleInfo)); ModuleInfo.dwSize = sizeof(ModuleInfo); ZeroMemory(&ProcPEInfo,sizeof(ProcPEInfo)); _Module32First(hSnap,&ModuleInfo); if (stricmp((LPCTSTR)&ModuleInfo.szExePath,(LPCTSTR)&ProcPath) == 0) { ProcPEInfo.dwImageBase = (DWORD)ModuleInfo.modBaseAddr; ProcPEInfo.dwSizeOfImage = ModuleInfo.modBaseSize; } while (_Module32Next(hSnap,&ModuleInfo)) { if (stricmp((LPCTSTR)&ModuleInfo.szExePath,(LPCTSTR)&ProcPath) == 0) { ProcPEInfo.dwImageBase = (DWORD)ModuleInfo.modBaseAddr; ProcPEInfo.dwSizeOfImage = ModuleInfo.modBaseSize; } } CloseHandle(hSnap); if (ProcPEInfo.dwImageBase == 0) return 0; // get the EntryPoint if (ProcPEInfo.dwSizeOfImage < HEADER_SIZE) dwMemSize = ProcPEInfo.dwSizeOfImage; else dwMemSize = HEADER_SIZE; if (!(hProc = OpenProcess(PROCESS_VM_READ,FALSE,PID))) return 0; if (!(pHeader = GlobalAlloc(GMEM_FIXED,dwMemSize))) return 0; if (!ReadProcessMemory( hProc, (PVOID)ProcPEInfo.dwImageBase, pHeader, dwMemSize, &dwBytesRead)) { GlobalFree(pHeader); return 0; } if (((PIMAGE_DOS_HEADER)pHeader)->e_magic != IMAGE_DOS_SIGNATURE) { GlobalFree(pHeader); return 0; } dwPEHeaderAddr = ((PIMAGE_DOS_HEADER)pHeader)->e_lfanew; if (((PIMAGE_NT_HEADERS)(dwPEHeaderAddr + (DWORD)pHeader))->Signature != IMAGE_NT_SIGNATURE) { GlobalFree(pHeader); return 0; } ProcPEInfo.dwEntryPointVA = ((PIMAGE_NT_HEADERS)(dwPEHeaderAddr + (DWORD)pHeader))->OptionalHeader \ .AddressOfEntryPoint + ProcPEInfo.dwImageBase; GlobalFree(pHeader); return ProcPEInfo.dwEntryPointVA; }