用vc编写任务管理器杀不掉的进程

来源：互联网发布：二维数组先定义再赋值编辑：程序博客网时间：2024/05/01 01:18

记得自己上高中的时候，我们上微机课，那时候每个机子都有个监控程序，很麻烦，老师上课了机子就被锁住了，什么也做不了，很不爽，那时候大家都知道用任务管理器结束进程，但是偏偏这个进程结束不了，后来我找到了个方法，在cmd下运行ntsd -c q -p 进程ID，这样这个监控程序就会结束了。那时候只知道这个方法，但不知道为什么任务管理器无法结束那个进程。现在我们也来写一个任务管理器杀不掉的进程吧。

#include "stdafx.h"#include<iostream>#include "tlhelp32.h"using namespace std;#pragma data_seg("YCIShared")DWORD id=0;HHOOK h=0;#pragma data_seg()HMODULE hh;typedef int (WINAPI *msg)(HWND,LPCSTR,LPCSTR,UINT);typedef FARPROC (WINAPI *gpa)(HMODULE,LPCSTR);PROC gmsg=(PROC)MessageBoxA;PROC ggpa=(PROC)GetProcAddress;int WINAPI a(HWND h,LPCSTR l1,LPCSTR l2,UINT i){return ((msg)gmsg)(0,"win","win",0);}PROC op=(PROC)GetProcAddress(GetModuleHandle("Kernel32.dll"),"OpenProcess");typedef HANDLE (WINAPI *myopenprocess)(DWORD,BOOL,DWORD);HANDLE WINAPI mop(DWORD dw,BOOL flag,DWORD pid){if(pid==id){return 0;}else{return ((myopenprocess)op)(dw,flag,pid);}}FARPROC WINAPI a1(HMODULE h,LPCSTR l){if(stricmp(l,"openprocess")==0){return (PROC)mop;}else{return ((gpa)ggpa)(h,l);}}LRESULT CALLBACK hook(int code,WPARAM w,LPARAM l){returnCallNextHookEx(h,code,w,l);} static HMODULE ModuleFromAddress(PVOID pv) { MEMORY_BASIC_INFORMATION mbi; return((VirtualQuery(pv, &mbi, sizeof(mbi)) != 0) ? (HMODULE) mbi.AllocationBase : NULL);}class hookapi{public:hookapi(char* _module,char* _oldfunstr,PROC _oldfun,PROC _newfun);staticvoid init(char* _module,char* _oldfunstr,PROC _oldfun,PROC _newfun,bool flag=true);staticvoid _hookapi(HMODULE hm,char* _module,char* _oldfunstr,PROC _oldfun,PROC _newfun,bool flag);~hookapi();private:char* module;char* oldfunstr;PROC oldfun;PROC newfun;};hookapi::hookapi(char* _module,char* _oldfunstr,PROC _oldfun,PROC _newfun){module=new char[strlen(_module)+1];strcpy(module,_module);oldfunstr=new char[strlen(_oldfunstr)+1];strcpy(oldfunstr,_oldfunstr);oldfun=_oldfun;newfun=_newfun;init(module,oldfunstr,oldfun,newfun,true);}void hookapi::init(char* _module,char* _oldfunstr,PROC _oldfun,PROC _newfun,bool flag){HMODULEhthis=ModuleFromAddress(init);HANDLE hs=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,GetCurrentProcessId());MODULEENTRY32 me={sizeof(MODULEENTRY32)};bool ok=Module32First(hs,&me);while(ok){if(me.hModule!=hthis){_hookapi(me.hModule, _module, _oldfunstr, _oldfun, _newfun,flag);}ok=Module32Next(hs,&me);}CloseHandle(hs);}void hookapi::_hookapi(HMODULE hm,char* module,char* oldfunstr,PROC oldfun,PROC newfun,bool flag){IMAGE_DOS_HEADER* pdos=(IMAGE_DOS_HEADER*)hm;IMAGE_OPTIONAL_HEADER* po=(IMAGE_OPTIONAL_HEADER*)((BYTE*)hm+pdos->e_lfanew+24);IMAGE_IMPORT_DESCRIPTOR* pimg=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hm+po->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);if(pimg==0){return;}while(pimg->Name){char* dllname=(char*)((BYTE*)hm+pimg->Name);if(lstrcmpiA(dllname,module)==0){break;}pimg++;}if(pimg->Name==0){return;}IMAGE_THUNK_DATA* pt=(IMAGE_THUNK_DATA*)((BYTE*)hm+pimg->OriginalFirstThunk);int n=0;while(pt->u1.Function){if ((pt->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG){char *pfn=(char*)((BYTE*)hm+(DWORD)pt->u1.AddressOfData+2);PDWORD lpaddr=(DWORD*)((BYTE*)hm+pimg->FirstThunk)+n;try{if(stricmp(pfn,oldfunstr)==0){//MessageBox(0,oldfunstr,oldfunstr,0);DWORD dw;MEMORY_BASIC_INFORMATION mbi;VirtualQuery(lpaddr,&mbi,sizeof(mbi));VirtualProtect(lpaddr,sizeof(DWORD),PAGE_EXECUTE_READWRITE,&dw);if(flag){WriteProcessMemory(GetCurrentProcess(),lpaddr,&newfun,sizeof(DWORD),0);//*lpaddr=(DWORD)(DWORD*)newfun;}else{WriteProcessMemory(GetCurrentProcess(),lpaddr,&oldfun,sizeof(DWORD),0);//*lpaddr=(DWORD)oldfun;}VirtualProtect(lpaddr,sizeof(DWORD),dw,0);break;}}catch(...){}}n++;pt++;}}hookapi::~hookapi(){init(module,oldfunstr,oldfun,newfun,false);delete[] module;delete[] oldfunstr;}hookapi *aa,*aaa;BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ){switch(ul_reason_for_call){case DLL_PROCESS_ATTACH://MessageBox(0,"a","a",0);//init("user32.dll","messageboxw",(PROC)MessageBoxW,(PROC)a,true);hh=(HMODULE)hModule;aa=new hookapi("Kernel32.dll","openprocess",(PROC)OpenProcess,(PROC)mop);//aaa=new hookapi(hh);//aaa->init("Kernel32.dll","getprocaddress",ggpa,(PROC)a1);break;case DLL_PROCESS_DETACH://init("user32.dll","messageboxa",gmsg,(PROC)a,false);//init("user32.dll","messageboxw",(PROC)MessageBoxW,(PROC)a,false);delete aa;//delete aaa;break;} return TRUE;}void sethook(bool f,DWORD pid){if(f){h=SetWindowsHookEx(WH_SHELL,hook,hh,0);id=pid;}else{UnhookWindowsHookEx(h);}}

上面的代码是在我前一篇的基础上，做了些修改，让它更容易使用，并且修正了一些错误。大家可以写个exe调用上面的dll，看看效果啊。

当然，ring0级的工具结束上面的程序还是很easy的。其实上面的程序只是给大家做了个演示，告诉那些杀不掉的进程是怎么样实现的，不论是ring0还是ring3，都离不开api的hook。

实验中也发现ring3下的IAT hook不是很稳定，容易使程序崩溃，而且如果对方程序事先获得了调用函数的真实地址，你修改了IAT是没用的，（即便你hook了getprocaddress，当然inline hook除外）。有可能是我代码的问题吧，这只是我个人的一些观点。（感觉那些成熟的安全软件都是写驱动的，估计是自己认识太少吧）

文章有哪些不足之处，还望大家多多指正。