mirror of
https://github.com/ufrisk/pcileech.git
synced 2026-05-08 14:36:25 +08:00
86 lines
3.3 KiB
C
86 lines
3.3 KiB
C
// wx64_pskill.c : kernel code to terminate running processes.
|
|
// Compatible with Windows x64.
|
|
//
|
|
// (c) Ulf Frisk, 2016
|
|
// Author: Ulf Frisk, pcileech@frizk.net
|
|
//
|
|
// compile with:
|
|
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
|
|
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_pskill.c
|
|
// ml64.exe wx64_common_a.asm /Fewx64_pskill.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pskill.obj wx64_common.obj
|
|
// shellcode64.exe -o wx64_pskill.exe "TERMINATE/KILL PROCESS \n===============================================================\nREQUIRED OPTIONS: \n -0 : Process PID to terminate. Example '-0 0x0fe0'. \nOPTIONAL OPTIONS: \n -1 : Process exit status. Default: 0. Example: '-0 0x01'. \n===== RESULT OF TERMINATE/KILL OPERATION ======================%s\nNTSTATUS : 0x%08X \n===============================================================\n"
|
|
//
|
|
#include "wx64_common.h"
|
|
|
|
typedef struct _CLIENT_ID {
|
|
HANDLE UniqueProcess;
|
|
HANDLE UniqueThread;
|
|
} CLIENT_ID;
|
|
typedef CLIENT_ID *PCLIENT_ID;
|
|
|
|
//----------------------------------------------------------------------------------------------------------
|
|
|
|
#define H_ZwClose 0x5d044c61
|
|
#define H_ZwOpenProcess 0xf0d09d60
|
|
#define H_ZwTerminateProcess 0x792cbc53
|
|
|
|
typedef struct tdKERNEL_FUNCTIONS2 {
|
|
NTSTATUS(*ZwClose)(
|
|
_In_ HANDLE Handle
|
|
);
|
|
NTSTATUS(*ZwOpenProcess)(
|
|
_Out_ PHANDLE ProcessHandle,
|
|
_In_ ACCESS_MASK DesiredAccess,
|
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
|
|
_In_opt_ PCLIENT_ID ClientId
|
|
);
|
|
NTSTATUS(*ZwTerminateProcess)(
|
|
_In_opt_ HANDLE ProcessHandle,
|
|
_In_ NTSTATUS ExitStatus
|
|
);
|
|
} KERNEL_FUNCTIONS2, *PKERNEL_FUNCTIONS2;
|
|
|
|
VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUNCTIONS2 fnk2)
|
|
{
|
|
QWORD FUNC2[][2] = {
|
|
{ &fnk2->ZwClose, H_ZwClose },
|
|
{ &fnk2->ZwOpenProcess, H_ZwOpenProcess },
|
|
{ &fnk2->ZwTerminateProcess, H_ZwTerminateProcess }
|
|
};
|
|
for(QWORD j = 0; j < (sizeof(FUNC2) / sizeof(QWORD[2])); j++) {
|
|
*(PQWORD)FUNC2[j][0] = PEGetProcAddressH(qwNtosBase, (DWORD)FUNC2[j][1]);
|
|
}
|
|
}
|
|
|
|
//----------------------------------------------------------------------------------------------------------
|
|
|
|
VOID c_EntryPoint(_In_ PKMDDATA pk)
|
|
{
|
|
NTSTATUS nt;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
KERNEL_FUNCTIONS fnk;
|
|
KERNEL_FUNCTIONS2 fnk2;
|
|
HANDLE ZwProcessHandle;
|
|
CLIENT_ID ClientId;
|
|
// validate indata and create function maps
|
|
if(!pk->dataIn[0]) {
|
|
pk->dataOut[0] = STATUS_INVALID_PARAMETER;
|
|
return;
|
|
}
|
|
InitializeKernelFunctions(pk->AddrKernelBase, &fnk);
|
|
InitializeKernelFunctions2(pk->AddrKernelBase, &fnk2);
|
|
// open process handle
|
|
fnk.RtlZeroMemory(&ObjectAttributes, sizeof(OBJECT_ATTRIBUTES));
|
|
fnk.RtlZeroMemory(&ClientId, sizeof(CLIENT_ID));
|
|
ClientId.UniqueThread = 0;
|
|
ClientId.UniqueProcess = (HANDLE)pk->dataIn[0];
|
|
nt = fnk2.ZwOpenProcess(&ZwProcessHandle, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);
|
|
if(NT_ERROR(nt)) {
|
|
pk->dataOut[0] = nt;
|
|
return;
|
|
}
|
|
// terminate process and exit
|
|
pk->dataOut[0] = fnk2.ZwTerminateProcess(ZwProcessHandle, (NTSTATUS)pk->dataIn[1]);
|
|
fnk2.ZwClose(ZwProcessHandle);
|
|
}
|