- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
原理:1. 将进程的所有线程的线程CrossThreadFlags标志位设置成Terminated或者System.效果:任务管理器,WSYSCheck,ICESWORD无法结束进程。。但PCHunter 可以结束受保护的进程。但PCHunter无法用普通方法结束受保护的线程,必须使用强制结束线程才可结束线程。。代码:VOID SetThreadFlagToTerminatedByThreadID(ULONG dwThreadID)
{
ULONG ulFlagOffset;
NTSTATUS status = STATUS_UNSUCCESSFUL;
PULONG pFlag;
PETHREAD eThead;
HANDLE threadHandle;
__try{
threadHandle = (HANDLE)dwThreadID;
ulFlagOffset = GetCrossThreadFlagOffset();
//dprintf("[ProtectProcess]GetCrossThreadFlagOffset: 0X%08X\r\n", ulFlagOffset);
status = PsLookupThreadByThreadId(threadHandle, &eThead);
if(!NT_SUCCESS(status))
{
dprintf("PsLookupThreadByThreadId ERRORid:0X%08X, TID: 0X%08X\r\n", status, dwThreadID);
return status;
}
//dprintf("ETHREAD:0X%08X\n", eThead);
pFlag = (ULONG*)((PUCHAR)eThead + ulFlagOffset);
//dprintf("ulFlag address:0X%08X value:0x%08X\n", pFlag, *pFlag);
*pFlag |= PS_CROSS_THREAD_FLAGS_TERMINATED;
dprintf("new ulFlag address:0X%08X value:0x%08X\n", pFlag, *pFlag);
}__except(EXCEPTION_EXECUTE_HANDLER)
{
dprintf("EXCEPTION ON set thread cross flags!");
return status;
}
}ring3程序与ring0程序下载地址:http://download.csdn.net/detail/xiaocaiju/8192897 |
|
发表于 2017-6-2 13:31:15