• 结束进程的12种方法


    方法一针对有窗口的
    消息攻击法

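    /*
     * Ask the top-level window titled "Title" to close by delivering WM_CLOSE.
     *
     * The original listing declared `hwnd` four times in one scope (a compile
     * error) and never checked FindWindow's result.  The four Send* calls are
     * alternative deliveries of the same message; the first one normally
     * destroys the window, so the later variants are only attempted while the
     * handle is still valid.
     *
     * Returns 0 when the window was found, 1 when no window has that title.
     */
    int main(int argc, char **argv)
    {
    	(void)argc;
    	(void)argv;
    	HWND hwnd = FindWindow(NULL, "Title");
    	if (hwnd == NULL) {
    		/* FindWindow returns NULL when no matching window exists. */
    		return 1;
    	}
    	/* Synchronous: returns once the window procedure has handled WM_CLOSE. */
    	SendMessage(hwnd, WM_CLOSE, 0, 0);
    	if (!IsWindow(hwnd)) return 0;
    	/* Asynchronous variant: does not wait for the target to process it. */
    	SendNotifyMessage(hwnd, WM_CLOSE, 0, 0);
    	if (!IsWindow(hwnd)) return 0;
    	/* Bounded wait: gives up after 2000 ms if the target is not responding. */
    	SendMessageTimeout(hwnd, WM_CLOSE, 0, 0, SMTO_NORMAL, 2000, NULL);
    	if (!IsWindow(hwnd)) return 0;
    	/* Callback variant; no callback is supplied, so the result is discarded. */
    	SendMessageCallback(hwnd, WM_CLOSE, 0, 0, NULL, 0);
    	return 0;
    }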

    上面也可以采用PostMessage,具体实现参考MSDN

    方法二针对有窗口的
    模拟键盘和鼠标攻击法,主要采用keybd_event()函数。

    /* Four alternative fragments, separated by "// or".  Only the first
     * declares its window handle; hWin and Rect are assumed to be declared
     * elsewhere.  Each drives the target window's own close path through
     * synthesized input (keybd_event / mouse_event), so it only works while
     * that window is in the foreground.  keybd_event and mouse_event are the
     * legacy input APIs; SendInput is their documented successor. */
    HWND hwnd = FindWindow(NULL, "Title");
    SetForegroundWindow(hwnd);// make it the foreground window
    keybd_event(VK_ESCAPE,0,0,0);// press ESC to make it close (only the key-down is sent here)
    // or
    hWin = FindWindow(NULL,"test");
    SetForegroundWindow(hWin);
    keybd_event(VK_MENU,0,0,0); 
    keybd_event(VK_F4,0,0,0);
    keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0);
    keybd_event(VK_F4,0,KEYEVENTF_KEYUP,0);// Alt+F4 closes the program
    // or
    keybd_event(VK_MENU,0,0,0); 
    keybd_event(0x20,0,0,0); /* 0x20 = VK_SPACE */
    keybd_event(0x43,0,0,0); /* 0x43 = 'C' */
    keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0); 
    keybd_event(0x20,0,KEYEVENTF_KEYUP,0);
    keybd_event(0x43,0,KEYEVENTF_KEYUP,0);// Alt+Space, then C (system menu -> Close)
    // or
    hWin = FindWindow(NULL,"test");
    GetWindowRect(hWin,&Rect);
    SetForegroundWindow(hWin);   // make it the foreground window
    Sleep(100);   // short delay so the window is in front before the click
    SetCursorPos(Rect.right-7,Rect.top+7); // coordinates of the close (X) button -- assumes a standard title bar
    mouse_event(MOUSEEVENTF_LEFTDOWN,0,0,0,0);
    mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);// press and release the left button to complete the close

    方法三
    常规API攻击进程,原理都是一样的
    1 TerminateProcess
    2 ZwTerminateProcess/NtTerminateProcess(ring3&ring0 restore ssdt/inline hook等等)
    3 WINSTA.dll WinStationTerminateProcess
    如下:

    /* Fragment: hWnd, pid, hDll, pFunc and the PWSTP function-pointer type
     * are declared elsewhere.  WinStationTerminateProcess is not in the
     * public SDK headers, hence the LoadLibrary/GetProcAddress lookup (the
     * text below notes it ends up in NtTerminateProcess anyway).  Neither
     * LoadLibrary nor GetProcAddress is checked before pFunc is called;
     * "/n" in the message was presumably meant to be "\n". */
    hWnd = FindWindow(NULL, "test");
    GetWindowThreadProcessId(hWnd, &pid);
    hDll = LoadLibrary("WINSTA.dll");
    pFunc = (PWSTP)GetProcAddress(hDll, "WinStationTerminateProcess");
    if((pFunc)(NULL, pid, 0)) printf("Successful!/nProgram Terminated./n");
    FreeLibrary(hDll);

    4

    /* Requires the latest Platform SDK (Wtsapi32.h / Wtsapi32.lib).
     * Fragment: hWnd and pid are declared elsewhere.  A NULL server handle
     * is WTS_CURRENT_SERVER_HANDLE, i.e. the local machine.  The result of
     * WTSTerminateProcess is only printed, not returned; "/n" was presumably
     * meant to be "\n". */
    #include <Wtsapi32.h>
    #pragma comment (lib, "Wtsapi32.lib")
    hWnd = FindWindow(NULL, "test");
    GetWindowThreadProcessId(hWnd, &pid);
    if (WTSTerminateProcess(NULL, pid, 0)) printf("Successful!/nProgram Terminated./n");

    注意:本人亲测下来,WinStationTerminateProcess和WTSTerminateProcess还都是调用NTAPI的NtTerminateProcess来结束进程的

    所以,已经HOOK掉(Nt)TerminateProcess的进程,这两种操作也都无效了。

    5一些vbs脚本的wmi对象
    方法四
    常规API攻击线程

    TerminateThread
    Nt/ZwTerminateThread
    EndTask

    在这里,本人要说明一下:

    不要以为带Zw的比Nt的底层一些,在应用层调用两个函数,效果一模一样。

    /* Fragment: bSus is declared elsewhere.  EndTask(hWnd, FALSE, TRUE)
     * asks the window to close and, with fForce set, forces it closed if it
     * does not respond.  dwThreadId is assigned but never used here.
     * GetLastError() returns a DWORD, so "%d" is a mismatched specifier
     * ("%lu" would be exact); "/r/n" was presumably meant to be "\r\n". */
    HWND hWnd = FindWindowA(NULL,"test");
    DWORD dwThreadId;
    dwThreadId = GetWindowThreadProcessId(hWnd,NULL);
    bSus = EndTask(hWnd,FALSE,TRUE);
    printf("EndTask :%d   LastError :%d /r/n",bSus,GetLastError()); 
    //或者
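    typedef HANDLE ( _stdcall *XXXOpenThread)( DWORD Access, BOOL bInherit, DWORD dwThreadID);
    /*
     * Terminate the thread whose id GetTid() (defined elsewhere) returns.
     *
     * OpenThread is resolved from kernel32 at run time.  The original passed
     * both arguments to GetModuleHandle instead of GetProcAddress, never
     * checked the lookup or OpenThread for failure, and named the local
     * pointer `OpenThread`, shadowing the Win32 API of the same name.
     *
     * TerminateThread stops the thread without unwinding it: any lock or
     * heap state the thread was using is left as-is, which is why MSDN
     * describes it as a last resort.  Failures are silent because the
     * original contract is void.
     */
    void KillThread()
    {
    	XXXOpenThread pfnOpenThread =
    		(XXXOpenThread)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");
    	if (pfnOpenThread == NULL) {
    		return;
    	}
    	/* OpenThread returns NULL (not INVALID_HANDLE_VALUE) on failure. */
    	HANDLE hThread = pfnOpenThread(THREAD_ALL_ACCESS, FALSE, GetTid());
    	if (hThread == NULL) {
    		return;
    	}
    	TerminateThread(hThread, 0);
    	CloseHandle(hThread);
    }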

    方法五
    作业对象攻击法
    CreateJobObject

    然后AssignProcessToJobObject,

    最后TerminateJobObject。

    下面给出本人的参考代码:

    #include <windows.h>
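    /*
     * Terminate process `pid` by assigning it to a fresh job object and
     * terminating the job.
     *
     * The original never checked CreateJobObject / OpenProcess /
     * AssignProcessToJobObject, leaked both handles, and reported success as
     * `GetLastError() == 0`, which none of these calls guarantees.  Success
     * is now the return value of TerminateJobObject, both handles are closed
     * on every path, and the last-error code of the failing step is
     * preserved across the CloseHandle calls.
     *
     * AssignProcessToJobObject documents PROCESS_SET_QUOTA | PROCESS_TERMINATE
     * as the required access; the original requested PROCESS_ALL_ACCESS and
     * that request is kept.  Per MSDN the assignment can fail when the
     * process already belongs to a job (older Windows versions); that case
     * surfaces as FALSE here.
     *
     * Returns TRUE if TerminateJobObject succeeded, FALSE otherwise
     * (GetLastError() identifies the failing step).
     */
    BOOL KillProcessByJob(DWORD pid)
    {
    	BOOL ok = FALSE;
    	DWORD err = 0;
    	HANDLE hjob = CreateJobObject(NULL, NULL);
    	if (hjob == NULL) {
    		return FALSE;
    	}
    	/* OpenProcess returns NULL (not INVALID_HANDLE_VALUE) on failure. */
    	HANDLE hpro = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    	if (hpro == NULL) {
    		err = GetLastError();
    		CloseHandle(hjob);
    		SetLastError(err);
    		return FALSE;
    	}
    	if (AssignProcessToJobObject(hjob, hpro)) {
    		ok = TerminateJobObject(hjob, 0);
    	}
    	err = GetLastError();
    	CloseHandle(hpro);
    	CloseHandle(hjob);
    	SetLastError(err);
    	return ok;
    }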

    本人亲测通过:win10

    方法六
    远程攻击线程
    1全局勾子
    首先用SetWindowsHookEx(或者SetWinEventHook(EVENT_MIN,EVENT_MAX,hMyModule,
    (WINEVENTPROC)WinEventProc,0,0,WINEVENT_INCONTEXT | WINEVENT_SKIPOWNPROCESS);
    )一个钩子
    然后广播一个消息 这样所有的窗体就被注入了(也可以用SendMessage(hwnd , WM_PAINT, 0, 0)或者PostMessage(hWnd,WM_CHAR,13,0);等触发钩子执行)
    在注入的动态库的DLL_PROCESS_ATTACH事件中判断被注入的进程名,调用ExitProcess(0)/TerminateProcess(GetCurrentProcess(),0)/PostQuitMessage(0)

    或者在钩子过程中:

    /*
     * WinEvent hook procedure (WINEVENTPROC signature for SetWinEventHook).
     *
     * On every event it looks up a window titled "test"; if that window
     * belongs to the process the procedure is currently executing in, that
     * process calls ExitProcess(0) on itself.  The comparison can therefore
     * only succeed when the hook runs inside the target's address space --
     * presumably the WINEVENT_INCONTEXT case described above; verify against
     * the installing code.  Pid is assigned only when hwnd1 is non-NULL.
     * All hook parameters are unused.
     *
     * Defender's note: an in-context hook loads the hook module into every
     * process that generates a matching event, which is why unexpected
     * DLLs appearing in many GUI processes at once is a standard thing to
     * look for.
     */
    VOID CALLBACK WinEventProc(HWINEVENTHOOK hWinEventHook,
       DWORD event,
       HWND hwnd,
       LONG idObject,
       LONG idChild,
       DWORD dwEventThread,
       DWORD dwmsEventTime)
    {
    	HWND hwnd1 = FindWindow(NULL,"test");
    	DWORD Pid;
    	
    	if (hwnd1)
    	{
    		GetWindowThreadProcessId(hwnd1,&Pid);
    		if (Pid == GetCurrentProcessId()) ExitProcess(0);
    	} 
    }

    2直接远程注入一个线程ExitProcess

    /*
     * Make the process identified by GetPid() (defined elsewhere) exit by
     * starting a thread in it at the address of ExitProcess.
     *
     * Reviewer notes on this listing as printed:
     *  - OpenProcess returns NULL on failure, so the INVALID_HANDLE_VALUE
     *    test never fires and a NULL hProcess reaches CreateRemoteThread.
     *  - hProcess is never closed (only hThread is), and hThread is not
     *    checked before CloseHandle.
     *  - GetModuleHandle is given two arguments and the parentheses leave
     *    GetProcAddress with four and CreateRemoteThread with four; the line
     *    does not compile as shown.
     *  - The address comes from this process's own kernel32 mapping.
     *
     * Defender's note: a cross-process CreateRemoteThread whose start
     * address is a kernel32 export is one of the classic events that EDR
     * and Sysmon (event 8) are configured to report.
     */
    void RemoteExitProcess()
    {
    	HANDLE hProcess;
    	HANDLE hThread;
    	DWORD Pid;
    	Pid = GetPid();// obtain the target process id
    	if ( Pid == 0 ) return;
    	hProcess = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, Pid);
    	if ( hProcess == INVALID_HANDLE_VALUE ) return;
    	hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) GetProcAddress( GetModuleHandle("kernel32.dll","ExitProcess" ), 0, 0, NULL );
    	CloseHandle( hThread );
    }

    3还是远程线程,不过方法霸道一些,强制让其崩溃退出
    远程线程后,

    mov fs:[0],0(去除SEH)
    mov eax,cr0(使进程崩溃)

    方法七
    ThreadContext patch法
    直接修改目标进程ThreadContext的EIP指向目标程序的kernel32.dll的ExitProcess地址

    /* Fragment: hThread, bRet and Context are declared elsewhere and
     * GetTid() supplies the target thread id.  The sequence suspends the
     * thread, reads its register context, overwrites Eip (a 32-bit CONTEXT
     * field) with the address ExitProcess has in this process, writes the
     * context back and resumes the thread.  Neither bRet result is checked
     * before the context is written or the thread resumed, and the
     * OpenThread result is not checked either. */
    hThread = OpenThread( THREAD_ALL_ACCESS, FALSE, GetTid() );
    SuspendThread( hThread );
    bRet = GetThreadContext( hThread, &Context);
    Context.Eip = (DWORD)GetProcAddress( GetModuleHandle("kernel32.dll"), "ExitProcess" );
    bRet = SetThreadContext( hThread, &Context);
    ResumeThread( hThread );
    CloseHandle( hThread );

    方法八
    句柄攻击法

    /* Fragment: hwnd, pid, hTargetProcess and TargetProcessHandle are
     * declared elsewhere.  Inconsistencies as printed: 'test' is a character
     * literal where FindWindow expects a string; `false` is the C++ keyword
     * (C code would use FALSE); and the two CloseHandle calls name hProcess
     * and hp_new, which nothing in this fragment declares (presumably
     * hTargetProcess and TargetProcessHandle were meant).  The -1 passed to
     * DuplicateHandle is the pseudo-handle value GetCurrentProcess() yields,
     * interpreted in the source process. */
    hwnd=FindWindow(NULL, 'test');
    GetWindowThreadProcessId(hwnd, &pid);
    hTargetProcess=OpenProcess(PROCESS_DUP_HANDLE, false, pid);
    DuplicateHandle(hTargetProcess,-1, GetCurrentProcess(),&TargetProcessHandle, PROCESS_ALL_ACCESS, false, DUPLICATE_SAME_ACCESS);
    // duplicate the target's own process handle into TargetProcessHandle in this process
    CloseHandle(hProcess);
    TerminateProcess(TargetProcessHandle , 0);// terminate it
    CloseHandle(hp_new); 

    或者ring0下想办法得到句柄等等。。。。
    另外所有的win32子系统的进程都会有一个句柄在csrss.exe进程里面,也可以在这个里面
    找到目标进程句柄


    方法九
    内存攻击法
    1Process Virtual Address Space Erasing (进程虚拟地址空间擦除)=配合句柄法得到目
    标进程句柄,然后暴力写内存(或者NtFreeVirtualMemory 等)
    2ring0附加目标进程写内存
    3直接写远程进程的内存WriteProcessMemory
    4搜出NtUnmapViewOfSection(更底层的MiUnmapViewOfSection)等等,卸掉目标进程的内存
    空间(或者卸kernel32.dll等关键dll等也可,VirtualProtectEx设kernel32.dll为不可
    读也让其崩溃),同样要配合句柄法得到目标进程句柄才行


    方法十
    调试器攻击法
    1 DebugActiveProcess-->DebugSetProcessKillOnExit
    2 ntsd -c q -p pid  借助windows WDK调试器 ntsd.exe

    代码实现:

    #define _WIN32_WINNT 0x0502
    #include <windows.h>
    #include <stdlib.h>
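    /*
     * Attach to process PID as a debugger so that the debuggee is terminated
     * when this debugger thread exits.
     *
     * The original passed 0 to DebugSetProcessKillOnExit, which per MSDN
     * makes the debugger thread *detach* from its debuggees on exit instead
     * of killing them (TRUE, the default, kills them) -- the opposite of
     * this function's purpose -- and it returned NULL from a BOOL function.
     *
     * Returns TRUE if the attach succeeded and the kill-on-exit flag was set,
     * FALSE otherwise (GetLastError() describes the failure, e.g. missing
     * rights or a process that already has a debugger).
     */
    BOOL KillProcessUseDebug_Routine(DWORD PID)
    {
    	if (!DebugActiveProcess(PID)) {
    		return FALSE;
    	}
    	/* TRUE = terminate all attached processes when this thread exits. */
    	return DebugSetProcessKillOnExit(TRUE);
    }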
    
    /* Spawn ntsd from the Debugging Tools; "-c q" runs the 'q' command on
     * attach, which quits the debugger and, by default, terminates the
     * debuggee.  The argument string is a placeholder: ntsd takes either
     * "-p <pid>" or "-pn <name>", not "-pn/pid".  system() resolves "ntsd"
     * through cmd.exe and PATH and the result is never checked, so whichever
     * ntsd.exe is found first is what runs. */
    void Use_ntsd()
    {
           system("ntsd -c q -pn/pid");
    }
    


    方法十一
    ring0线程进程攻击法
    NtQuerySystemInformation(SystemProcessesAndThreadsInformation)
    遍历线程后做判断是否目标进程的,然后:
    1 Apc攻击结束(ring3/ring0)--->然后PsTerminateSystemThread-->最好用
    PspExitThread
    2 PspTerminateProcess(更底层的PspTerminateThreadByPointer)
    3 修改pid和tid为自身的,再插apc(防止消息死循环进程保护)

    方法十二
    伪关机法
    先提升权限得到19号关机特权,然后hook关机消息(hook NtShutdownSystem),里面过滤掉除了目标进程以外的所有进程的消息。
    ring3下
    ExitWindows(0,0); //第一个参数分别为0,1,2时 分别是注销,关机,重启.所以是3种
    Logs off the interactive user, shuts down the system, or shuts down and 
    restarts the system. It sends the WM_QUERYENDSESSION message to all 
    applications to determine if they can be terminated.
    ring0下NtShutdownSystem(0)为关机,NtShutdownSystem(1)为重启。
    或者再底层点NtSetSystemPowerState
    这样,目标进程接到关机消息over了,但系统不会处理关机消息

    以上所有函数原型均可在MSDN上查找到。

    如或有其他更好方法,欢迎评论!

  • 原文地址:https://www.cnblogs.com/Leoleepz/p/6259413.html