• 结束进程的12种方法


    方法一针对有窗口的
    消息攻击法

    void main(int argc, char **argv)
    {
    	HWND hwnd = FindWindow(NULL, "Title");
    	SendMessage(hwnd,WM_CLOSE,0,0);
    	HWND hwnd = FindWindow(NULL, "Title");
    	SendNotifyMessage(hwnd,WM_CLOSE,0,0);
    	HWND hwnd = FindWindow(NULL, "Title");
    	SendMessageTimeout(hwnd,WM_CLOSE,0,0,SMTO_NORMAL,2000,NULL);
    	HWND hwnd = FindWindow(NULL, "Title");
    	SendMessageCallback(hwnd,WM_CLOSE,0,0,NULL,0);
    }

    上面也可以采用PostMessage,具体实现参考MSDN

    方法二针对有窗口的
    模拟键盘和鼠标攻击法,主要采用keybd_event()函数。

    HWND hwnd = FindWindow(NULL, "Title");
    SetForegroundWindow(hwnd);//设置为当前窗口
    keybd_event(VK_ESCAPE,0,0,0);//模拟键盘ESC键使其关闭
    //或者
    hWin = FindWindow(NULL,"test");
    SetForegroundWindow(hWin);
    keybd_event(VK_MENU,0,0,0); 
    keybd_event(VK_F4,0,0,0);
    keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0);
    keybd_event(VK_F4,0,KEYEVENTF_KEYUP,0);//按下alt+f4关闭程序
    //或者
    keybd_event(VK_MENU,0,0,0); 
    keybd_event(0x20,0,0,0);
    keybd_event(0x43,0,0,0);
    keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0); 
    keybd_event(0x20,0,KEYEVENTF_KEYUP,0);
    keybd_event(0x43,0,KEYEVENTF_KEYUP,0);//按下alt+空格+C使其关闭
    //或者
    hWin = FindWindow(NULL,"test");
    GetWindowRect(hWin,&Rect);
    SetForegroundWindow(hWin);   //设为当前窗口
    Sleep(100);   //这里延迟一会 
    SetCursorPos(Rect.right-7,Rect.top+7); //设置叉号的坐标
    mouse_event(MOUSEEVENTF_LEFTDOWN,0,0,0,0);
    mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);//按下左键并松开使完成关闭

    方法三
    常规API攻击进程,原理都是一样的
    1 TerminateProcess
    2 ZwTerminateProcess/NtTerminateProcess(ring3&ring0 restore ssdt/inline hook等等)
    3 WINSTA.dll WinStationTerminateProcess
    如下:

    hWnd = FindWindow(NULL, "test");
    GetWindowThreadProcessId(hWnd, &pid);
    hDll = LoadLibrary("WINSTA.dll");
    pFunc = (PWSTP)GetProcAddress(hDll, "WinStationTerminateProcess");
    if((pFunc)(NULL, pid, 0)) printf("Successful!/nProgram Terminated./n");
    FreeLibrary(hDll);

    4

    /* 需要安装最新的Platform SDK */
    #include <Wtsapi32.h>
    #pragma comment (lib, "Wtsapi32.lib")
    hWnd = FindWindow(NULL, "test");
    GetWindowThreadProcessId(hWnd, &pid);
    if (WTSTerminateProcess(NULL, pid, 0)) printf("Successful!/nProgram Terminated./n");

    注意:本人亲测下来,WinStationTerminateProcess和WTSTerminateProcess还都是调用NTAPI的NtTerminateProcess来结束进程的

    所以,已经HOOK掉(Nt)TerminateProcess的进程,这两种操作也都无效了。

    5一些vbs脚本的wmi对象
    方法四
    常规API攻击线程

    TerminateThread
    Nt/ZwTerminateThread
    EndTask

    在这里,本人要说明一下:

    不要以为带Zw的比Nt的底层一些,在应用层调用两个函数,效果一模一样。

    HWND hWnd = FindWindowA(NULL,"test");
    DWORD dwThreadId;
    dwThreadId = GetWindowThreadProcessId(hWnd,NULL);
    bSus = EndTask(hWnd,FALSE,TRUE);
    printf("EndTask :%d   LastError :%d /r/n",bSus,GetLastError()); 
    //或者
    typedef HANDLE ( _stdcall *XXXOpenThread)( DWORD Access, BOOL bInherit, DWORD dwThreadID);
    void KillThread()
    {
    	HANDLE hThread;
    	XXXOpenThread OpenThread;
    	OpenThread = (XXXOpenThread)GetProcAddress( GetModuleHandle("kernel32.dll", "OpenThread"));
    	hThread = OpenThread( THREAD_ALL_ACCESS, FALSE, GetTid() );
    	TerminateThread( hThread, 0 );
    	CloseHandle( hThread );
    	return;
    }

    方法五
    作业对象攻击法
    CreateJobObject

    然后AssignProcessToJobObject,

    最后TerminateJobObject。

    下面给出本人的参考代码:

    #include <windows.h>
    BOOL KillProcessByJob(DWORD pid)
    {
    	HANDLE hjob = CreateJobObject(0,0);
    	HANDLE hpro = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    	AssignProcessToJobObject(hjob,hpro);
    	TerminateJobObject(hjob,0);
    	return GetLastError() == 0;
    }

    本人亲测通过:win10

    方法六
    远程攻击线程
    1全局勾子
    首先用SetWindowsHookEx(或者SetWinEventHook(EVENT_MIN,EVENT_MAX,hMyModule,
    (WINEVENTPROC)WinEventProc,0,0,WINEVENT_INCONTEXT | WINEVENT_SKIPOWNPROCESS);
    )一个钩子
    然后广播一个消息 这样所有的窗体就被注入了(也可以用SendMessage(hwnd , WM_PAINT, 0, 0)或者PostMessage(hWnd,WM_CHAR,13,0);等触发钩子执行)
    在注入的动态库的DLL_PROCESS_ATTACH事件中判断被注入的进程名,调用ExitProcess(0)/TerminateProcess(GetCurrentProcess(),0)/PostQuitMessage(0)

    或者在钩子过程中:

    VOID CALLBACK WinEventProc(HWINEVENTHOOK hWinEventHook,
       DWORD event,
       HWND hwnd,
       LONG idObject,
       LONG idChild,
       DWORD dwEventThread,
       DWORD dwmsEventTime)
    {
    	HWND hwnd1 = FindWindow(NULL,"test");
    	DWORD Pid;
    	
    	if (hwnd1)
    	{
    		GetWindowThreadProcessId(hwnd1,&Pid);
    		if (Pid == GetCurrentProcessId()) ExitProcess(0);
    	} 
    }

    2直接远程注入一个线程ExitProcess

    void RemoteExitProcess()
    {
    	HANDLE hProcess;
    	HANDLE hThread;
    	DWORD Pid;
    	Pid = GetPid();//得到目标进程Pid
    	if ( Pid == 0 ) return;
    	hProcess = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, Pid);
    	if ( hProcess == INVALID_HANDLE_VALUE ) return;
    	hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) GetProcAddress( GetModuleHandle("kernel32.dll","ExitProcess" ), 0, 0, NULL );
    	CloseHandle( hThread );
    }

    3还是远程线程,不过方法霸道一些,强制让其崩溃退出
    远程线程后,

    mov fs:[0],0(去除SEH)
    mov eax,cr0(使进程崩溃)

    方法七
    ThreadContext patch法
    直接修改目标进程ThreadContext的EIP指向目标程序的kernel32.dll的ExitProcess地址

    hThread = OpenThread( THREAD_ALL_ACCESS, FALSE, GetTid() );
    SuspendThread( hThread );
    bRet = GetThreadContext( hThread, &Context);
    Context.Eip = (DWORD)GetProcAddress( GetModuleHandle("kernel32.dll"), "ExitProcess" );
    bRet = SetThreadContext( hThread, &Context);
    ResumeThread( hThread );
    CloseHandle( hThread );

    方法八
    句柄攻击法

    hwnd=FindWindow(NULL, 'test');
    GetWindowThreadProcessId(hwnd, &pid);
    hTargetProcess=OpenProcess(PROCESS_DUP_HANDLE, false, pid);
    DuplicateHandle(hTargetProcess,-1, GetCurrentProcess(),&TargetProcessHandle, PROCESS_ALL_ACCESS, false, DUPLICATE_SAME_ACCESS);
    //将目标进程句柄复制到自身的TargetProcessHandle中
    CloseHandle(hProcess);
    TerminateProcess(TargetProcessHandle , 0);//日掉
    CloseHandle(hp_new); 

    或者ring0下想办法得到句柄等等。。。。
    另外所有的win32子系统的进程都会有一个句柄在csrss.exe进程里面,也可以在这个里面
    找到目标进程句柄


    方法九
    内存攻击法
    1Process Virtual Address Space Erasing (进程虚拟地址空间擦除)=配合句柄法得到目
    标进程句柄,然后暴力写内存(或者NtFreeVirtualMemory 等)
    2ring0附加目标进程写内存
    3直接写远程进程的内存WriteProcessMemory
    4搜出NtUnmapViewOfSection(更底层的MiUnmapViewOfSection)等等,卸掉目标进程的内存
    空间(或者卸kernel32.dll等关键dll等也可,VirtualProtectEx设kernel32.dll为不可
    读也让其崩溃),同样要配合句柄法得到目标进程句柄才行


    方法十
    调试器攻击法
    1 DebugActiveProcess-->DebugSetProcessKillOnExit
    2 ntsd -c q -p pid  借助windows WDK调试器 ntsd.exe

    代码实现:

    #define _WIN32_WINNT 0x0502
    #include <windows.h>
    #include <stdlib.h>
    BOOL KillProcessUseDebug_Routine(DWORD PID)
    {
    	DebugActiveProcess(PID);
    	DebugSetProcessKillOnExit(0);    //Exit Status
    	return NULL;
    }
    
    void Use_ntsd()
    {
           system("ntsd -c q -pn/pid");
    }
    


    方法十一
    ring0线程进程攻击法
    NtQuerySystemInformation(SystemProcessesAndThreadsInformation)
    遍历线程后做判断是否目标进程的,然后:
    1 Apc攻击结束(ring3/ring0)--->然后PsTerminateSystemThread-->最好用
    PspExitThread
    2 PspTerminateProcess(更底层的PspTerminateThreadByPointer)
    3 修改pid和tid为自身的,再插apc(防止消息死循环进程保护)

    方法十二
    伪关机法
    先提升权限得到19号关机特权,然后hook关机消息(hook NtShutdownSystem),里面过滤
    掉除了目标进程意外的所有进程的消息。
    ring3下
    ExitWindows(0,0); //第一个参数分别为0,1,2时 分别是注销,关机,重起.所以是3种
    Logs off the interactive user, shuts down the system, or shuts down and 
    restarts the system. It sends the WM_QUERYENDSESSION message to all 
    applications to determine if they can be terminated.
    ring0下NtShutdownSystem(0)为关机,NtShutdownSystem(1)为重启。
    或者再底层点NtSetSystemPowerState
    这样,目标进程接到关机消息over了,但系统不会处理关机消息

    以上所有函数原型均可在MSDN上查找到。

    如或有其他更好方法,欢迎评论!

  • 相关阅读:
    Python学习资料
    异常
    I/O
    Python3+迭代器与生成器
    python标准数据类型
    人工智能、机器学习和深度学习
    原地排序和复制排序
    序列化和Json
    登陆加密小程序
    hashlib模块加密用法
  • 原文地址:https://www.cnblogs.com/Leoleepz/p/6259413.html
Copyright © 2020-2023  润新知