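/* Tail of the preceding terminator; its opening lines are outside this excerpt. */
    NtClose(processHandle);
    }

    return status;
}

/**
 * Terminates every thread of a process one at a time.
 *
 * Each thread is opened with THREAD_TERMINATE only. The kernel-driver (KPH)
 * paths are taken only when requested, and refused when the driver is not
 * connected.
 *
 * @param ProcessId        Target process ID.
 * @param UseKph           Terminate through KphTerminateThread.
 * @param UseKphDangerous  Terminate through KphTerminateThreadUnsafe (takes
 *                         precedence over UseKph).
 * @return STATUS_NOT_SUPPORTED when a KPH path is requested without a driver
 *         connection, the PhEnumProcesses status when enumeration fails,
 *         STATUS_INVALID_CID when the process is not in the snapshot, else
 *         STATUS_SUCCESS. Per-thread open/terminate failures are ignored
 *         (best effort).
 */
static NTSTATUS NTAPI TerminatorTTGeneric(
    __in HANDLE ProcessId,
    __in BOOLEAN UseKph,
    __in BOOLEAN UseKphDangerous
    )
{
    NTSTATUS status;
    PVOID processes;
    PSYSTEM_PROCESS_INFORMATION process;
    ULONG i;

    if ((UseKph || UseKphDangerous) && !KphIsConnected())
        return STATUS_NOT_SUPPORTED;

    if (!NT_SUCCESS(status = PhEnumProcesses(&processes)))
        return status;

    process = PhFindProcessInformation(processes, ProcessId);

    if (!process)
    {
        PhFree(processes);
        return STATUS_INVALID_CID;
    }

    for (i = 0; i < process->NumberOfThreads; i++)
    {
        HANDLE threadHandle;

        if (NT_SUCCESS(PhOpenThread(
            &threadHandle,
            THREAD_TERMINATE,
            process->Threads[i].ClientId.UniqueThread
            )))
        {
            if (UseKphDangerous)
                KphTerminateThreadUnsafe(threadHandle, STATUS_SUCCESS);
            else if (UseKph)
                KphTerminateThread(threadHandle, STATUS_SUCCESS);
            else
                NtTerminateThread(threadHandle, STATUS_SUCCESS);

            NtClose(threadHandle);
        }
    }

    PhFree(processes);

    return STATUS_SUCCESS;
}

/** NtTerminateThread on every thread (no driver). */
static NTSTATUS NTAPI TerminatorTT1(
    __in HANDLE ProcessId
    )
{
    return TerminatorTTGeneric(ProcessId, FALSE, FALSE);
}

/**
 * Points the instruction pointer of every thread (Eip on x86, Rip
 * otherwise) at the process-exit routine returned by
 * GetExitProcessFunction().
 *
 * A thread whose context cannot be read is left untouched: setting a
 * CONTEXT that was never filled in would install unrelated register
 * values. NOTE(review): exitProcess is not checked for NULL here; the
 * caller's contract for GetExitProcessFunction() is outside this excerpt.
 *
 * @return The PhEnumProcesses status on failure, STATUS_INVALID_CID when
 *         the process is not found, else STATUS_SUCCESS.
 */
static NTSTATUS NTAPI TerminatorTT2(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    PVOID processes;
    PSYSTEM_PROCESS_INFORMATION process;
    ULONG i;
    CONTEXT context;
    PVOID exitProcess;

    exitProcess = GetExitProcessFunction();

    if (!NT_SUCCESS(status = PhEnumProcesses(&processes)))
        return status;

    process = PhFindProcessInformation(processes, ProcessId);

    if (!process)
    {
        PhFree(processes);
        return STATUS_INVALID_CID;
    }

    for (i = 0; i < process->NumberOfThreads; i++)
    {
        HANDLE threadHandle;

        if (NT_SUCCESS(PhOpenThread(
            &threadHandle,
            THREAD_GET_CONTEXT | THREAD_SET_CONTEXT,
            process->Threads[i].ClientId.UniqueThread
            )))
        {
            // Only the control registers are read and written back.
            context.ContextFlags = CONTEXT_CONTROL;

            if (NT_SUCCESS(PhGetThreadContext(threadHandle, &context)))
            {
#ifdef _M_IX86
                context.Eip = (ULONG)exitProcess;
#else
                context.Rip = (ULONG64)exitProcess;
#endif
                PhSetThreadContext(threadHandle, &context);
            }

            NtClose(threadHandle);
        }
    }

    PhFree(processes);

    return STATUS_SUCCESS;
}

/**
 * Walks the process list with NtGetNextProcess instead of opening the
 * target by ID, and terminates the handle whose basic information reports
 * the requested process ID.
 *
 * The walk is capped at 1000 steps. The handle currently held is closed on
 * every way out of the loop (match, enumeration end, cap reached).
 *
 * @return STATUS_NOT_SUPPORTED when NtGetNextProcess is unavailable,
 *         otherwise the status of the last NtGetNextProcess call.
 */
static NTSTATUS NTAPI TerminatorTP1a(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;
    ULONG i;

    if (!NtGetNextProcess)
        return STATUS_NOT_SUPPORTED;

    if (!NT_SUCCESS(status = NtGetNextProcess(
        NtCurrentProcess(),
        ProcessQueryAccess | PROCESS_TERMINATE,
        0,
        0,
        &processHandle
        )))
        return status;

    for (i = 0; i < 1000; i++) // make sure we don't go into an infinite loop or something
    {
        HANDLE newProcessHandle;
        PROCESS_BASIC_INFORMATION basicInfo;

        if (NT_SUCCESS(PhGetProcessBasicInformation(processHandle, &basicInfo)))
        {
            if (basicInfo.UniqueProcessId == ProcessId)
            {
                PhTerminateProcess(processHandle, STATUS_SUCCESS);
                break;
            }
        }

        if (!NT_SUCCESS(status = NtGetNextProcess(
            processHandle,
            ProcessQueryAccess | PROCESS_TERMINATE,
            0,
            0,
            &newProcessHandle
            )))
            break;

        NtClose(processHandle);
        processHandle = newProcessHandle;
    }

    // Whichever way the loop ended, one process handle is still open.
    NtClose(processHandle);

    return status;
}

/**
 * Walks the target's threads with NtGetNextThread and terminates each one.
 *
 * The walk is capped at 1000 steps; the thread handle currently held is
 * closed whether the walk ends by enumeration failure or by the cap.
 *
 * @return STATUS_NOT_SUPPORTED when NtGetNextThread is unavailable, the
 *         PhOpenProcess status on open failure, the first NtGetNextThread
 *         status when no thread could be obtained, else the PhOpenProcess
 *         status (success).
 */
static NTSTATUS NTAPI TerminatorTT1a(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;
    HANDLE threadHandle;
    ULONG i;

    if (!NtGetNextThread)
        return STATUS_NOT_SUPPORTED;

    if (NT_SUCCESS(status = PhOpenProcess(
        &processHandle,
        PROCESS_QUERY_INFORMATION, // NtGetNextThread actually requires this access for some reason
        ProcessId
        )))
    {
        if (!NT_SUCCESS(status = NtGetNextThread(
            processHandle,
            NULL,
            THREAD_TERMINATE,
            0,
            0,
            &threadHandle
            )))
        {
            NtClose(processHandle);
            return status;
        }

        for (i = 0; i < 1000; i++)
        {
            HANDLE newThreadHandle;

            PhTerminateThread(threadHandle, STATUS_SUCCESS);

            if (!NT_SUCCESS(NtGetNextThread(
                processHandle,
                threadHandle,
                THREAD_TERMINATE,
                0,
                0,
                &newThreadHandle
                )))
                break;

            NtClose(threadHandle);
            threadHandle = newThreadHandle;
        }

        NtClose(threadHandle);
        NtClose(processHandle);
    }

    return status;
}

/**
 * Closes handles 0x4, 0x8, ... 0xFFC inside the target by duplicating each
 * with DUPLICATE_CLOSE_SOURCE and discarding the result. Handle values that
 * are not in use simply fail to duplicate; the return values are ignored.
 *
 * @return The PhOpenProcess status.
 */
static NTSTATUS NTAPI TerminatorCH1(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;

    if (NT_SUCCESS(status = PhOpenProcess(
        &processHandle,
        PROCESS_DUP_HANDLE,
        ProcessId
        )))
    {
        ULONG i;

        for (i = 0; i < 0x1000; i += 4)
        {
            PhDuplicateObject(
                processHandle,
                (HANDLE)i,
                NULL,
                NULL,
                0,
                0,
                DUPLICATE_CLOSE_SOURCE
                );
        }

        NtClose(processHandle);
    }

    return status;
}

/* EnumWindows callback: posts WM_DESTROY to windows owned by the process in lParam. */
static BOOL CALLBACK DestroyProcessWindowsProc(
    __in HWND hwnd,
    __in LPARAM lParam
    )
{
    ULONG processId;

    GetWindowThreadProcessId(hwnd, &processId);

    if (processId == (ULONG)lParam)
    {
        PostMessage(hwnd, WM_DESTROY, 0, 0);
    }

    return TRUE;
}

/** Posts WM_DESTROY to every top-level window of the process. */
static NTSTATUS NTAPI TerminatorW1(
    __in HANDLE ProcessId
    )
{
    EnumWindows(DestroyProcessWindowsProc, (LPARAM)ProcessId);
    return STATUS_SUCCESS;
}

/* EnumWindows callback: posts WM_QUIT to windows owned by the process in lParam. */
static BOOL CALLBACK QuitProcessWindowsProc(
    __in HWND hwnd,
    __in LPARAM lParam
    )
{
    ULONG processId;

    GetWindowThreadProcessId(hwnd, &processId);

    if (processId == (ULONG)lParam)
    {
        PostMessage(hwnd, WM_QUIT, 0, 0);
    }

    return TRUE;
}

/** Posts WM_QUIT to every top-level window of the process. */
static NTSTATUS NTAPI TerminatorW2(
    __in HANDLE ProcessId
    )
{
    EnumWindows(QuitProcessWindowsProc, (LPARAM)ProcessId);
    return STATUS_SUCCESS;
}

/* EnumWindows callback: posts WM_CLOSE to windows owned by the process in lParam. */
static BOOL CALLBACK CloseProcessWindowsProc(
    __in HWND hwnd,
    __in LPARAM lParam
    )
{
    ULONG processId;

    GetWindowThreadProcessId(hwnd, &processId);

    if (processId == (ULONG)lParam)
    {
        PostMessage(hwnd, WM_CLOSE, 0, 0);
    }

    return TRUE;
}

/** Posts WM_CLOSE to every top-level window of the process. */
static NTSTATUS NTAPI TerminatorW3(
    __in HANDLE ProcessId
    )
{
    EnumWindows(CloseProcessWindowsProc, (LPARAM)ProcessId);
    return STATUS_SUCCESS;
}

/**
 * Assigns the process to a fresh job object and terminates the job.
 *
 * @return The first failing status among PhOpenProcess, NtCreateJobObject,
 *         NtAssignProcessToJobObject and NtTerminateJobObject.
 */
static NTSTATUS NTAPI TerminatorTJ1(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;

    // TODO: Check if the process is already in a job.

    if (NT_SUCCESS(status = PhOpenProcess(
        &processHandle,
        PROCESS_SET_QUOTA | PROCESS_TERMINATE,
        ProcessId
        )))
    {
        HANDLE jobHandle;

        status = NtCreateJobObject(&jobHandle, JOB_OBJECT_ALL_ACCESS, NULL);

        if (NT_SUCCESS(status))
        {
            status = NtAssignProcessToJobObject(jobHandle, processHandle);

            if (NT_SUCCESS(status))
                status = NtTerminateJobObject(jobHandle, STATUS_SUCCESS);

            NtClose(jobHandle);
        }

        NtClose(processHandle);
    }

    return status;
}

/**
 * Attaches a debug object created with DEBUG_KILL_ON_CLOSE to the process
 * and immediately closes it. Failures of NtCreateDebugObject and
 * NtDebugActiveProcess are not reported.
 *
 * @return The PhOpenProcess status.
 */
static NTSTATUS NTAPI TerminatorTD1(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;

    if (NT_SUCCESS(status = PhOpenProcess(
        &processHandle,
        PROCESS_SUSPEND_RESUME,
        ProcessId
        )))
    {
        HANDLE debugObjectHandle;
        OBJECT_ATTRIBUTES objectAttributes;

        InitializeObjectAttributes(
            &objectAttributes,
            NULL,
            0,
            NULL,
            NULL
            );

        if (NT_SUCCESS(NtCreateDebugObject(
            &debugObjectHandle,
            DEBUG_PROCESS_ASSIGN,
            &objectAttributes,
            DEBUG_KILL_ON_CLOSE
            )))
        {
            NtDebugActiveProcess(processHandle, debugObjectHandle);
            // Closing the last handle to a kill-on-close debug object ends the debuggee.
            NtClose(debugObjectHandle);
        }

        NtClose(processHandle);
    }

    return status;
}

/**
 * Terminates the process through the kernel driver.
 *
 * @return STATUS_NOT_SUPPORTED without a driver connection, the
 *         PhOpenProcess status on open failure, else the
 *         KphTerminateProcess status.
 */
static NTSTATUS NTAPI TerminatorTP3(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;

    if (!KphIsConnected())
        return STATUS_NOT_SUPPORTED;

    if (NT_SUCCESS(status = PhOpenProcess(
        &processHandle,
        SYNCHRONIZE, // KPH doesn't require any access for this operation
        ProcessId
        )))
    {
        status = KphTerminateProcess(processHandle, STATUS_SUCCESS);
        NtClose(processHandle);
    }

    return status;
}

/** KphTerminateThread on every thread (driver required). */
static NTSTATUS NTAPI TerminatorTT3(
    __in HANDLE ProcessId
    )
{
    return TerminatorTTGeneric(ProcessId, TRUE, FALSE);
}

/** KphTerminateThreadUnsafe on every thread (driver required). */
static NTSTATUS NTAPI TerminatorTT4(
    __in HANDLE ProcessId
    )
{
    return TerminatorTTGeneric(ProcessId, FALSE, TRUE);
}

/**
 * Overwrites every committed MEM_PRIVATE region of the process, page by
 * page, with the contents of one freshly committed local page. Mapped and
 * image regions are skipped so that file-backed views are never written.
 *
 * Individual PhWriteVirtualMemory failures are ignored (best effort).
 *
 * @return The PhOpenProcess status, or STATUS_NO_MEMORY when the local
 *         source page cannot be committed.
 */
static NTSTATUS NTAPI TerminatorM1(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;

    if (NT_SUCCESS(status = PhOpenProcess(
        &processHandle,
        PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE,
        ProcessId
        )))
    {
        PVOID pageOfGarbage;
        SIZE_T pageSize;
        PVOID baseAddress;
        MEMORY_BASIC_INFORMATION basicInfo;

        pageOfGarbage = NULL;
        pageSize = PAGE_SIZE;

        if (!NT_SUCCESS(NtAllocateVirtualMemory(
            NtCurrentProcess(),
            &pageOfGarbage,
            0,
            &pageSize,
            MEM_COMMIT,
            PAGE_READONLY
            )))
        {
            NtClose(processHandle);
            return STATUS_NO_MEMORY;
        }

        baseAddress = (PVOID)0;

        while (NT_SUCCESS(NtQueryVirtualMemory(
            processHandle,
            baseAddress,
            MemoryBasicInformation,
            &basicInfo,
            sizeof(MEMORY_BASIC_INFORMATION),
            NULL
            )))
        {
            ULONG i;

            // Make sure we don't write to views of mapped files. That
            // could possibly corrupt files!
            if (basicInfo.Type == MEM_PRIVATE)
            {
                for (i = 0; i < basicInfo.RegionSize; i += PAGE_SIZE)
                {
                    PhWriteVirtualMemory(
                        processHandle,
                        PTR_ADD_OFFSET(baseAddress, i),
                        pageOfGarbage,
                        PAGE_SIZE,
                        NULL
                        );
                }
            }

            baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize);
        }

        // Size needs to be zero if we're freeing.
        pageSize = 0;
        NtFreeVirtualMemory(
            NtCurrentProcess(),
            &pageOfGarbage,
            &pageSize,
            MEM_RELEASE
            );

        NtClose(processHandle);
    }

    return status;
}

/**
 * Sets every region of the process to PAGE_NOACCESS. NtProtectVirtualMemory
 * may adjust the base/size it is given, so a local copy of the region size
 * is passed and the walk advances by the queried RegionSize. Per-region
 * failures are ignored (best effort).
 *
 * @return The PhOpenProcess status.
 */
static NTSTATUS NTAPI TerminatorM2(
    __in HANDLE ProcessId
    )
{
    NTSTATUS status;
    HANDLE processHandle;

    if (NT_SUCCESS(status = PhOpenProcess(
        &processHandle,
        PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION,
        ProcessId
        )))
    {
        PVOID baseAddress;
        MEMORY_BASIC_INFORMATION basicInfo;
        ULONG oldProtect;

        baseAddress = (PVOID)0;

        while (NT_SUCCESS(NtQueryVirtualMemory(
            processHandle,
            baseAddress,
            MemoryBasicInformation,
            &basicInfo,
            sizeof(MEMORY_BASIC_INFORMATION),
            NULL
            )))
        {
            SIZE_T regionSize;

            regionSize = basicInfo.RegionSize;
            NtProtectVirtualMemory(
                processHandle,
                &basicInfo.BaseAddress,
                &regionSize,
                PAGE_NOACCESS,
                &oldProtect
                );
            baseAddress = PTR_ADD_OFFSET(baseAddress, basicInfo.RegionSize);
        }

        NtClose(processHandle);
    }

    return status;
}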

