16,551
社区成员
发帖
与我相关
我的任务
分享高手帮帮忙,谢谢
找了段进程保护代码,调试时候发现不能实现保护功能,任务管理器照样结束掉进程,为什么会这样?我的系统为xp pack2.
BOOL CKillMeDlg::WriteMemory()
{
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
NTSYSTEMDEBUGCONTROL NtSystemDebugControl = NULL;
HANDLE hThread = NULL;
DWORD dwPID = GetCurrentProcessId();
DWORD dwTID = GetCurrentThreadId();
PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
ULONG uObjCnt = 0;
NTSTATUS status;
DWORD dwBufLen = 1024*800;
DWORD dwRetLen = 1024*800;
DWORD dwETHREAD = 0;
BOOL bRet = FALSE;
EnableDebugPrivilege(TRUE);
ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwQuerySystemInformation");
NtSystemDebugControl = (NTSYSTEMDEBUGCONTROL)GetProcAddress(LoadLibrary("ntdll.dll"),"NtSystemDebugControl");
//先创建一个线程对象
GetProcAddress(LoadLibrary("kernel32.dll"),"OpenThread");
__asm
{
push dwTID
push 0
push THREAD_ALL_ACCESS
call eax
mov hThread,eax
}
//获得进程对象的地址
BYTE * pBuf = new BYTE[dwBufLen];
ZeroMemory(pBuf,dwBufLen);
status = ZwQuerySystemInformation(SystemHandleInformation,pBuf,dwBufLen,&dwRetLen);
uObjCnt = (ULONG)*(ULONG*)pBuf;
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)(pBuf+sizeof(ULONG));
if(NT_SUCCESS(status))
{
for(int i=0;i<uObjCnt;i++)
{
if(pHandleInfo->ProcessId==dwPID
&&pHandleInfo->Handle==(USHORT)hThread)
{
dwETHREAD = (DWORD)pHandleInfo->Object;
break;
}
pHandleInfo++;
}
//patch 内核
MEMORY_CHUNKS datas;
datas.Address = dwETHREAD+0x248;
datas.Data = &m_dwFixData;
datas.Length = 4;
status = NtSystemDebugControl(0x9,&datas,sizeof(MEMORY_CHUNKS),NULL,0,&dwRetLen);
// status = NtSystemDebugControl(0x8,&datas,sizeof(MEMORY_CHUNKS),NULL,0,&dwRetLen);
if(NT_SUCCESS(status))
bRet = TRUE;
}
delete [] pBuf;
CloseHandle(hThread);
return TRUE;
}
BOOL CKillMeDlg::WriteMemory()
{
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
NTSYSTEMDEBUGCONTROL NtSystemDebugControl = NULL;
HANDLE hThread = NULL;
DWORD dwPID = GetCurrentProcessId();
DWORD dwTID = GetCurrentThreadId();
PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
ULONG uObjCnt = 0;
NTSTATUS status;
DWORD dwBufLen = 1024*800;
DWORD dwRetLen = 1024*800;
DWORD dwETHREAD = 0;
BOOL bRet = FALSE;
EnableDebugPrivilege(TRUE);
ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwQuerySystemInformation");
NtSystemDebugControl = (NTSYSTEMDEBUGCONTROL)GetProcAddress(LoadLibrary("ntdll.dll"),"NtSystemDebugControl");
//先创建一个线程对象
GetProcAddress(LoadLibrary("kernel32.dll"),"OpenThread");
__asm
{
push dwTID
push 0
push THREAD_ALL_ACCESS
call eax
mov hThread,eax
}
//获得进程对象的地址
BYTE * pBuf = new BYTE[dwBufLen];
ZeroMemory(pBuf,dwBufLen);
status = ZwQuerySystemInformation(SystemHandleInformation,pBuf,dwBufLen,&dwRetLen);
uObjCnt = (ULONG)*(ULONG*)pBuf;
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)(pBuf+sizeof(ULONG));
if(NT_SUCCESS(status))
{
for(int i=0;i<uObjCnt;i++)
{
if(pHandleInfo->ProcessId==dwPID
&&pHandleInfo->Handle==(USHORT)hThread)
{
dwETHREAD = (DWORD)pHandleInfo->Object;
break;
}
pHandleInfo++;
}
//patch 内核
MEMORY_CHUNKS datas;
datas.Address = dwETHREAD+0x248;
datas.Data = &m_dwFixData;
datas.Length = 4;
status = NtSystemDebugControl(0x9,&datas,sizeof(MEMORY_CHUNKS),NULL,0,&dwRetLen);
// status = NtSystemDebugControl(0x8,&datas,sizeof(MEMORY_CHUNKS),NULL,0,&dwRetLen);
if(NT_SUCCESS(status))
bRet = TRUE;
}
delete [] pBuf;
CloseHandle(hThread);
return TRUE;
}
...全文
请发表友善的回复…
发表回复
XX0boy 2009-06-06
- 打赏
- 举报
没有人知道这个问题吗?高人何来啊?是什么原因导致了这段代码不起作用?太穷没分,见谅啊~~~~~~
对了,管理员老大,我回帖子为什么不给加分呢?而且每发一次总是显示发了两次的内容,好长时间了就是这个样子,也不知道什么原因.
对了,管理员老大,我回帖子为什么不给加分呢?而且每发一次总是显示发了两次的内容,好长时间了就是这个样子,也不知道什么原因.
XX0boy 2009-06-05
- 打赏
- 举报
还有个函数如下:
BOOL CKillMeDlg::EnableDebugPrivilege(BOOL bEnable)
{
BOOL bOk = FALSE;
HANDLE hToken;
if(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
LUID uID;
::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID);
//
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = uID;
tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
bOk = (::GetLastError() == ERROR_SUCCESS);
//
::CloseHandle(hToken);
}
return bOk;
}
BOOL CKillMeDlg::EnableDebugPrivilege(BOOL bEnable)
{
BOOL bOk = FALSE;
HANDLE hToken;
if(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
LUID uID;
::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID);
//
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = uID;
tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
bOk = (::GetLastError() == ERROR_SUCCESS);
//
::CloseHandle(hToken);
}
return bOk;
}
