黑客编程教程(十)查杀进程

 第十节 查杀进程

 我们在编写木马和后门程序时,列出和查杀进程是非常重要的.

列出进程我们使用pslist函数:
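/*
 * pslist - print every process in a Toolhelp32 snapshot to stdout, one
 * "<exe name> <pid>" line per process.
 *
 * A failed CreateToolhelp32Snapshot() or Process32First() is reported with
 * GetLastError() and the function returns; the snapshot handle is closed on
 * every path that obtained one.
 */
void pslist(void)
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe32 = {0};

    /* The documented failure value is INVALID_HANDLE_VALUE ((HANDLE)-1), not NULL. */
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("\nCreateToolhelp32Snapshot() failed:%lu", (unsigned long)GetLastError());
        return;
    }

    /* dwSize must be filled in before Process32First() or the call fails. */
    pe32.dwSize = sizeof(pe32);
    printf("\nProcessName     ProcessID");

    if (Process32First(hProcessSnap, &pe32))
    {
        do
        {
            /* The original also ran itoa() into a 5-byte buffer, which overflows
             * for any PID of five or more digits; the result was never used, so
             * the PID is printed directly. szExeFile is a TCHAR array, so %s
             * assumes an ANSI (non-UNICODE) build. */
            printf("\n%-20s%lu", pe32.szExeFile, (unsigned long)pe32.th32ProcessID);
        }
        while (Process32Next(hProcessSnap, &pe32));
    }
    else
    {
        printf("\nProcess32First() failed:%lu", (unsigned long)GetLastError());
    }

    CloseHandle(hProcessSnap);
}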

上边的代码列出了进程的PID,有了PID我们就可以使用killps函数杀进程:

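/*
 * killps - terminate the process whose PID is `id`.
 *
 * Enables SeDebugPrivilege on the caller's own token so that processes
 * owned by other users can be opened, opens the target with the one right
 * TerminateProcess() needs, and terminates it with exit code 1.
 *
 * Returns TRUE when TerminateProcess() succeeded, FALSE otherwise; each
 * failure is reported on stdout with GetLastError(). Both handles are
 * closed on every path. Like the original, the privilege is left enabled
 * on the caller's token after return.
 */
BOOL killps(DWORD id)
{
    /* Block-scope prototype: SetPrivilege() is defined later in this file,
     * so without it the call below would be an implicit declaration. */
    BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);

    HANDLE hProcess = NULL, hProcessToken = NULL;
    BOOL IsKilled = FALSE;

    /* Only the rights AdjustTokenPrivileges() needs, rather than TOKEN_ALL_ACCESS. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken))
    {
        printf("\nOpen Current Process Token failed:%lu", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* SetPrivilege() prints its own diagnostic on failure. */
    if (!SetPrivilege(hProcessToken, SE_DEBUG_NAME, TRUE))
    {
        goto cleanup;
    }
    printf("\nSetPrivilege ok!");

    /* PROCESS_TERMINATE is all TerminateProcess() requires. PROCESS_ALL_ACCESS
     * asks for far more than is used and its bit mask differs between Windows
     * versions, so it can fail where the narrower request succeeds. */
    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, id);
    if (hProcess == NULL)
    {
        printf("\nOpen Process %lu failed:%lu", (unsigned long)id, (unsigned long)GetLastError());
        goto cleanup;
    }

    if (!TerminateProcess(hProcess, 1))
    {
        printf("\nTerminateProcess failed:%lu", (unsigned long)GetLastError());
        goto cleanup;
    }
    IsKilled = TRUE;

cleanup:
    /* Plain goto cleanup replaces the MSVC-only try/finally/leave; CloseHandle()
     * rejects NULL, so the guards stay. */
    if (hProcessToken != NULL) CloseHandle(hProcessToken);
    if (hProcess != NULL) CloseHandle(hProcess);
    return IsKilled;
}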

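/*
 * SetPrivilege - enable (bEnablePrivilege != FALSE) or disable one named
 * privilege, e.g. SE_DEBUG_NAME, on the access token hToken.
 *
 * hToken needs TOKEN_ADJUST_PRIVILEGES (and TOKEN_QUERY). Returns TRUE when
 * the privilege was adjusted and FALSE, with a diagnostic on stdout, when
 * the privilege name is unknown, AdjustTokenPrivileges() fails, or the
 * token does not hold the privilege at all (GetLastError() ==
 * ERROR_NOT_ALL_ASSIGNED, the usual outcome for a non-administrator asking
 * for SeDebugPrivilege).
 */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp = {0};
    LUID luid;

    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        printf("\nLookupPrivilegeValue error:%lu", (unsigned long)GetLastError());
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    /* A non-zero return only says the call itself was accepted; a privilege
     * the token lacks is reported through GetLastError() (ERROR_NOT_ALL_ASSIGNED),
     * so both the return value and the last error are checked. The original
     * ignored the return value entirely. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
        || GetLastError() != ERROR_SUCCESS)
    {
        printf("AdjustTokenPrivileges failed: %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }
    return TRUE;
}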
原文地址:https://www.cnblogs.com/rinack/p/3195649.html