
黑客编程教程(十)查杀进程

                第十节 查杀进程

 我们在编写木马和后门程序时,列出和查杀进程是非常重要的.

列出进程我们使用pslist函数:
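/*
 * Print every running process as a "name  pid" line on stdout, using a
 * Toolhelp32 process snapshot.  Diagnostic output only: when the snapshot or
 * the first enumeration call fails, the GetLastError() code is printed and
 * the function returns without listing anything.
 */
void pslist(void)
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* Toolhelp reports failure as INVALID_HANDLE_VALUE ((HANDLE)-1), not NULL. */
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        /* GetLastError() returns a DWORD (unsigned long): %lu, not %d. */
        printf("\nCreateToolhelp32Snapshot() failed:%lu", GetLastError());
        return;
    }

    /* dwSize must be filled in before Process32First() or the call fails. */
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof pe32;

    printf("\nProcessName     ProcessID");
    if (Process32First(hProcessSnap, &pe32))
    {
        do
        {
            /* The previous itoa() into a 5-byte buffer overflowed for PIDs with
             * five or more digits and its result was never used, so it is gone;
             * th32ProcessID is printed directly as a DWORD.
             * NOTE(review): %s assumes an ANSI (non-UNICODE) build; under UNICODE
             * szExeFile is a wide-character array and would need %ls. */
            printf("\n%-20s%lu", pe32.szExeFile, pe32.th32ProcessID);
        }
        while (Process32Next(hProcessSnap, &pe32));
    }
    else
    {
        printf("\nProcess32First() failed:%lu", GetLastError());
    }
    CloseHandle(hProcessSnap);
}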

上边的代码列出了进程的PID,有了PID我们就可以使用killps函数杀进程:

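/*
 * Terminate the process whose PID is `id`.
 *
 * Opens the caller's own token, enables SeDebugPrivilege on it via
 * SetPrivilege(), opens the target with the minimal PROCESS_TERMINATE right
 * and calls TerminateProcess().  Returns TRUE only when TerminateProcess()
 * succeeded; every failure is logged to stdout with its GetLastError() code
 * and yields FALSE.  The __finally block closes both handles and disables the
 * privilege again on every path, so the caller's token is left as it was.
 *
 * SetPrivilege() can only enable a privilege the token already holds, so this
 * fails (nothing is terminated) when the caller lacks SeDebugPrivilege --
 * typically a non-administrator.
 */
BOOL killps(DWORD id)
{
    /* SetPrivilege() is defined further down in this file; declare it here so
     * the call is not an implicit function declaration (an error since C99). */
    BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);

    HANDLE hProcess = NULL, hProcessToken = NULL;
    BOOL IsKilled = FALSE;
    BOOL privilegeRaised = FALSE;

    /* Spelled __try/__finally/__leave explicitly: the bare try/finally/leave
     * forms are only macros that <excpt.h> provides for C builds on MSVC. */
    __try
    {
        /* AdjustTokenPrivileges() needs TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY;
         * TOKEN_ALL_ACCESS asked for far more than is used. */
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                              &hProcessToken))
        {
            printf("\nOpen Current Process Token failed:%lu", GetLastError());
            __leave;
        }
        if (!SetPrivilege(hProcessToken, SE_DEBUG_NAME, TRUE))
        {
            __leave;
        }
        privilegeRaised = TRUE;
        printf("\nSetPrivilege ok!");

        /* TerminateProcess() requires only PROCESS_TERMINATE; requesting
         * PROCESS_ALL_ACCESS is unnecessary and more likely to be refused. */
        hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, id);
        if (hProcess == NULL)
        {
            printf("\nOpen Process %lu failed:%lu", id, GetLastError());
            __leave;
        }
        if (!TerminateProcess(hProcess, 1))
        {
            printf("\nTerminateProcess failed:%lu", GetLastError());
            __leave;
        }
        IsKilled = TRUE;
    }
    __finally
    {
        /* Drop the privilege again rather than leaving it enabled for the
         * rest of the process lifetime; the return value is deliberately
         * ignored here because SetPrivilege() already logs its own errors. */
        if (privilegeRaised)
        {
            SetPrivilege(hProcessToken, SE_DEBUG_NAME, FALSE);
        }
        if (hProcess != NULL) CloseHandle(hProcess);
        if (hProcessToken != NULL) CloseHandle(hProcessToken);
    }
    return IsKilled;
}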

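/*
 * Enable (bEnablePrivilege == TRUE) or disable (FALSE) one named privilege,
 * e.g. SE_DEBUG_NAME, on the access token hToken.
 *
 * hToken must have been opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY.
 * Returns TRUE when the privilege is now in the requested state.  Returns
 * FALSE, after logging to stdout, when the privilege name is unknown, when
 * AdjustTokenPrivileges() fails, or when the token does not hold the
 * privilege at all (ERROR_NOT_ALL_ASSIGNED): a present-but-disabled privilege
 * can be enabled here, an absent one cannot be granted.
 */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    LUID luid;
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        /* GetLastError() is a DWORD (unsigned long): %lu, not %d. */
        printf("\nLookupPrivilegeValue error:%lu", GetLastError());
        return FALSE;
    }

    TOKEN_PRIVILEGES tp = {0};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    /* The previous version never looked at the return value.  The call can
     * fail outright, and it can also succeed without applying every requested
     * privilege -- that second case is reported only through
     * GetLastError() == ERROR_NOT_ALL_ASSIGNED, so both checks are needed. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, NULL, NULL))
    {
        printf("AdjustTokenPrivileges failed: %lu\n", GetLastError());
        return FALSE;
    }
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("AdjustTokenPrivileges: the token does not hold the requested privilege\n");
        return FALSE;
    }
    return TRUE;
}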
