ModifyHandleObject实现方法就不发了 流程是这样的 先取出自身进程的句柄表，然后取TableCode, 枚举Handle, 枚举到之后，再修改HandleTableEntry->Object值为对象的eprocess指针 HandleTableEntry->Object的值并不等价于eprocess指针 需要抹去最后一位，然后加上HandleTableList在HANDLE_TABLE里的偏移
经测试，可以直接干掉NP的进程，读写内存应该也不是问题

NTSTATUS ForceTerminateProcess(IN HANDLE Processid)
{
  NTSTATUS status;
  HANDLE hProcess;
  PEPROCESS MyProcess;
  PEPROCESS TargetProcess;
  MyProcess = PsGetCurrentProcess();//先取得自身的eprocess
  status = PsLookupProcessByProcessId(Processid,&TargetProcess);
  if(!NT_SUCCESS(status))
  {
    KdPrint(("PsLookupProcessByProcessId 失败 pid[%d] error 0x%08X\r\n",Processid,status));
    return status;
  }
  //先打开自身
  status = ObOpenObjectByPointer(
    MyProcess,
    0,
    NULL,
    PROCESS_ALL_ACCESS,
    * PsProcessType,
    KernelMode,
    &hProcess
    );
  if(!NT_SUCCESS(status))
  {
    ObDereferenceObject (MyProcess);
    KdPrint(("ObOpenObjectByPointer 失败 error 0x%08X\r\n",status));
    return status;
  }
  //接下来，修改在自身进程中找出hProcess的HandleTable,修改其Object指针为目标进程指针
  //改掉句柄里指向的Object
  ModifyHandleObject(MyProcess, TargetProcess, hProcess);
  //然后，结束吧
  status = ZwTerminateProcess(hProcess,0);
  if(!NT_SUCCESS(status))
  {
    KdPrint(("ZwTerminateProcess 失败 error 0x%08X\r\n",status));
  }
  //结束完，把句柄恢复回去
  ModifyHandleObject(MyProcess, MyProcess, hProcess);
  NtClose(hProcess);
  return status;
}

 

本文链接:https://it72.com/9002.htm