ntsd杀进程利用程序(开源代码)
不长叶子的树:刚刚完成的很简单的一个程序。里面用到了Windows管道技术,另外还有几个小技巧,希望能给大家一点启示,抛砖引玉,呵呵。以前在别的地方见过用C和ASM完成的,这里用Delphi完成,一并整理C及ASM代码: C代码,个人认为这是实现最简单的,如果没有人写C的,我也就写个C的给大家了,呵呵。dream2fly:
/*
*只有System、SMSS.EXE和CSRSS.EXE不能杀。前两个是纯内核态的,最后那个是Win32子系统,ntsd本身需要它。
*ntsd从2000开始就是系统自带的用户态调试工具。被调试器附着(attach)的进程会随调试器一起退出,所以可以用
*来在命令行下终止进程。使用ntsd自动就获得了debug权限,从而能杀掉大部分的进程。ntsd会新开一个调试窗口,
*本来在纯命令行下无法控制,但如果只是简单的命令,比如退出(q),用-c参数从命令行传递就行了。
*用法:开个cmd.exe窗口,输入:ntsd -c q -p PID
*xp下还有两个好东东tasklist和tskill。tasklist能列出所有的进程,和相应的信息。
*tskill能查杀进程,语法很简单:tskill 程序名!!
*/
#include <iostream>
#include <string>
using namespace::std;
int main (int argc,char **argv)
{
string note="ntsd -c q -p ";
string pid;
string tskill;
system("cls");
cout<<"ntsd杀进程利用程序,可以杀死taskmgr不能干掉的程序(只有System、SMSS.EXE和CSRSS.EXE不能杀)。"<<endl;
system("tasklist");
cout<<"请输入要杀死的进程PID:";
cin>>pid;
tskill=note+pid;
system(tskill.c_str());
cout<<endl<<"Oh,My god,you kill the PID "<<pid<<"!!"<<endl;
cout<<"欢迎访问C++/STL 交流圈 http://www.dream2fly.net ,88"<<endl;
cout<<"Note:若有问题,请重新启动你的系统即可。"<<endl;
cin>>note;
return 0;
}
chenxxxx:
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
int main (void)
{
char PID;
char killfun;
system("cls");
puts("\t\t你可以使用这个工具结束一个麻烦的进程.\n");
puts("\n请输入PID:\n");
printf("PID:");
scanf("%s",&PID);
puts("看见效果了吗?");
strcpy(killfun,"ntsd -c q -p ");
strcat(killfun,PID);
system(killfun);
system("PAUSE");
return 0;
} 以下为ASM实现方法
作者也是asm:
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
ICO_MAIN equ 1000h ;图标
DLG_MAIN equ 1
IDC_EDIT equ 1001
IDC_Kill equ 1002
.data?
hInstance dd ?
.data
szFileName db 'C:\windows\system32\tasklist.exe',0
szCmdLine db 'tasklist.exe > C:\asm.log',0
szFileLook db 'C:\asm.log',0
szPid db 156 dup(0)
szNtsd db 'ntsd -c q -p ',0
sz1 db 156 dup(0)
szOK db 'Kill The Process Success',0
szYes db 'OK',0
.const
MEMORYSIZE equ 65535
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ChenLook proc
local hMemory:DWORD
local pMemory:DWORD
local ReadSize:DWORD
local hFile:DWORD
invoke CreateFile, addr szFileLook, GENERIC_READ, FILE_SHARE_READ,\
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
mov hFile, eax
invoke GlobalAlloc, GMEM_MOVEABLE or GMEM_ZEROINIT, MEMORYSIZE
mov hMemory, eax
invoke GlobalLock, hMemory
mov pMemory, eax
invoke ReadFile, hFile, pMemory, MEMORYSIZE-1, addr ReadSize, NULL
invoke MessageBox,NULL,pMemory,NULL,MB_OK
invoke GlobalUnlock, pMemory
invoke GlobalFree, hMemory
invoke CloseHandle, hFile
invoke DeleteFile,addr szFileLook
ret
_ChenLook endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Process proc
local stStartUp:STARTUPINFO
local stProcInfo:PROCESS_INFORMATION
invoke GetStartupInfo,addr stStartUp
invoke CreateProcess,NULL,addr szCmdLine,NULL,NULL,NULL,\
CREATE_NO_WINDOW,NULL,NULL,addr stStartUp,addr stProcInfo
ret
_Process endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_KillProcess proc
local stStartUp:STARTUPINFO
local stProcInfo:PROCESS_INFORMATION
invoke lstrcat,addr sz1,addr szNtsd
invoke lstrcat,addr sz1,addr szPid
invoke GetStartupInfo,addr stStartUp
invoke CreateProcess,NULL,addr sz1,NULL,NULL,NULL,\
CREATE_NO_WINDOW,NULL,NULL,addr stStartUp,addr stProcInfo
invoke MessageBox,NULL,addr szOK,addr szYes,MB_OK
ret
_KillProcess endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcDlgMain proc uses ebx edi esi hWnd,wMsg,wParam,lParam
mov eax,wMsg
.if eax == WM_CLOSE
invoke EndDialog,hWnd,NULL
.elseif eax == WM_INITDIALOG
invoke LoadIcon,hInstance,ICO_MAIN
invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
.elseif eax == WM_COMMAND
mov eax,wParam
.if ax == IDOK
call _Process
call _ChenLook
.elseif ax == IDC_Kill
invoke GetDlgItemText,hWnd,IDC_EDIT,addr szPid,sizeof szPid
call _KillProcess
.endif
.else
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret
_ProcDlgMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
invoke GetModuleHandle,NULL
mov hInstance,eax
invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#include <resource.h>
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#define ICO_MAIN 0x1000 //图标
#define DLG_MAIN 1
#define IDC_EDIT 1001
#define IDC_Kill 1002
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_MAIN ICON "Main.ico"
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DLG_MAIN DIALOG 50, 50, 263, 57
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "Kill Process By Asm"
FONT 9, "宋体"
STYLE 0x14CA0000
EXSTYLE 0x00000001
{
GROUPBOX "Kill", -1,7,2,249,48
PUSHBUTTON "Get The PID All Of Processes",IDOK,14,12,120,14
LTEXT "Please Enter The PID end Kill The Process:", -1,15,30,174,12
EDITTEXT IDC_EDIT,188,28,29,13,ES_AUTOHSCROLL | WS_BORDER | WS_TABSTOP
PUSHBUTTON "Kill It",IDC_Kill,220,28,33,12
}
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 调用系统命令,原理一样,写法不同,呵呵!!!
页:
[1]