PspTerminateProcess 结束冰刃进程

#include <ntddk.h>

typedef  NTSTATUS  (*PSPTERPROC) ( PEPROCESS Process, NTSTATUS ExitStatus );
PSPTERPROC MyPspTerminateProcess ;
NTSTATUS
PsLookupProcessByProcessId(
                        IN HANDLE ProcessId,
                        OUT PEPROCESS *Process
                        );

void Unload(PDRIVER_OBJECT pDriverObj)
{
        DbgPrint("Driver Stop/n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
        PEPROCESS hProcess;
        MyPspTerminateProcess =(PSPTERPROC)0x805c8642;

        //比如冰刃的进程ID为1732
        if(PsLookupProcessByProcessId(1732,&hProcess)==STATUS_SUCCESS)
        {
                     MyPspTerminateProcess(hProcess,0);
        }
        pDriverObj->DriverUnload = Unload;
        return STATUS_SUCCESS;
}

#include <ntddk.h>

typedef NTSTATUS (*PSPTERPROC) ( PEPROCESS Process, NTSTATUS ExitStatus );

PSPTERPROC MyPspTerminateProcess ;

NTSTATUS

PsLookupProcessByProcessId(

IN HANDLE ProcessId,

OUT PEPROCESS *Process

);

void Unload(PDRIVER_OBJECT pDriverObj)

{

DbgPrint("Driver Stop/n");

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)

{

PEPROCESS hProcess;

MyPspTerminateProcess =(PSPTERPROC)0x805c8642;

//比如冰刃的进程ID为1732

if(PsLookupProcessByProcessId(1732,&hProcess)==STATUS_SUCCESS)

{

MyPspTerminateProcess(hProcess,0);

}

pDriverObj->DriverUnload = Unload;

return STATUS_SUCCESS;

}

以上代码使用了系统未导出函数 PspTerminateProcess 结束了冰刃，
函数的地址是我用WinDbg看到的，所以可能在不同的系统里地址不同。

转载请注明：exchen's blog » PspTerminateProcess 结束冰刃进程

PspTerminateProcess 结束冰刃进程

与本文相关的文章

Hi，您需要填写昵称和邮箱！