• 进程保护--CrossThreadFlags标志位


    原理:

    1. 将进程的所有线程的线程CrossThreadFlags标志位设置成Terminated或者System.

    效果:任务管理器、WSYSCheck、ICESWORD无法结束进程。

    但PCHunter可以结束受保护的进程。不过PCHunter无法用普通方法结束受保护的线程,必须使用强制结束线程才能结束线程。

     

    代码:

    /*
     * Sets the PS_CROSS_THREAD_FLAGS_TERMINATED bit in the CrossThreadFlags
     * field of the ETHREAD identified by dwThreadID.  The field is found by
     * adding the offset returned by GetCrossThreadFlagOffset() (defined
     * elsewhere, not shown in this listing) to the ETHREAD base address.
     *
     * Parameters:
     *   dwThreadID - thread id; cast directly to a HANDLE for
     *                PsLookupThreadByThreadId.
     *
     * Returns:
     *   Declared VOID, yet both error paths execute `return status;`.
     *   Callers therefore get no success/failure indication; the
     *   declaration and the return statements disagree.
     *
     * Review notes (defects visible in this listing):
     *   - PsLookupThreadByThreadId hands back a referenced PETHREAD; no
     *     path calls ObDereferenceObject, so every successful call leaks
     *     one reference on the thread object.
     *   - The write targets an undocumented, version-specific ETHREAD
     *     field through a runtime-computed offset.  A wrong offset
     *     silently corrupts adjacent kernel memory; the __except block
     *     only catches access violations, not a bad-but-mapped address.
     *   - The "\n" inside the dprintf format strings appears to have been
     *     split into literal line breaks by the page extraction; as shown
     *     the string literals do not compile.
     */
    VOID SetThreadFlagToTerminatedByThreadID(ULONG dwThreadID)
    {
    	ULONG ulFlagOffset;
    	NTSTATUS status = STATUS_UNSUCCESSFUL;
    	PULONG pFlag;
    	PETHREAD eThead;
    	HANDLE threadHandle;
    
    
    	__try{
    		// PsLookupThreadByThreadId takes the id as a HANDLE-sized value.
    		threadHandle = (HANDLE)dwThreadID;
    		// Offset of CrossThreadFlags within ETHREAD; how it is derived is
    		// not shown here.  No sanity check is done on the returned value.
    		ulFlagOffset = GetCrossThreadFlagOffset();
    		//dprintf("[ProtectProcess]GetCrossThreadFlagOffset: 0X%08X
    ", ulFlagOffset);
    
    		// On success eThead carries an object reference that is never
    		// released in this function.
    		status = PsLookupThreadByThreadId(threadHandle, &eThead);
    		if(!NT_SUCCESS(status))
    		{
    
    			dprintf("PsLookupThreadByThreadId ERRORid:0X%08X, TID: 0X%08X
    ", status, dwThreadID);
    			// Returns a value from a VOID function (see header comment).
    			return status;
    		}
    		//dprintf("ETHREAD:0X%08X
    ", eThead);
    
    		// Raw pointer into the opaque ETHREAD at the computed offset.
    		pFlag = (ULONG*)((PUCHAR)eThead + ulFlagOffset);
    		//dprintf("ulFlag address:0X%08X value:0x%08X
    ", pFlag, *pFlag);
    
    		// Plain read-modify-write of the flag word, not an interlocked
    		// update.  NOTE(review): the kernel's own updates of this field
    		// are believed to be interlocked; a concurrent update from another
    		// CPU could be lost here -- confirm against the target build.
    		*pFlag |= PS_CROSS_THREAD_FLAGS_TERMINATED;
    		// %08X with a pointer argument truncates on 64-bit targets; the
    		// dprintf wrapper itself is not shown in this listing.
    		dprintf("new ulFlag address:0X%08X value:0x%08X
    ", pFlag, *pFlag);
    	}__except(EXCEPTION_EXECUTE_HANDLER)
    	{
    		dprintf("EXCEPTION ON set thread cross flags!");
    		// status still holds the lookup result (or STATUS_UNSUCCESSFUL);
    		// returned from a VOID function, so the caller never sees it.
    		return status;
    	}
    }

    ring3程序与ring0程序下载地址:

    http://download.csdn.net/detail/xiaocaiju/8192897

    jpg改rar 

  • 原文地址:https://www.cnblogs.com/kuangke/p/7590790.html