NtTerminateProcess 终止进程
用NtTerminateProcess真正终止进程.
首先,要使用Native API,要对它进行声明:
// Excerpt of the main() setup shown before the full listing below.
// NOTE(review): the real ntdll export returns an NTSTATUS (0 == STATUS_SUCCESS),
// so the DWORD return must not be tested like a BOOL.
typedef DWORD (CALLBACK* NTTERMINATEPROCESS)(HANDLE,UINT);
NTTERMINATEPROCESS NtTerminateProcess;
HMODULE hNtdll = NULL;
hNtdll = LoadLibrary( "ntdll.dll" );
// Fetch the function from ntdll.dll
if ( !hNtdll )
{
printf( "LoadLibrary( NTDLL.DLL ) Error:%d\n", GetLastError() );
return false;
}
NtTerminateProcess = (NTTERMINATEPROCESS)
GetProcAddress( hNtdll, "NtTerminateProcess");  // NOTE(review): result is not checked for NULL before use
代码:
#include <iostream.h>
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
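/* Prototype of ntdll!NtTerminateProcess(ProcessHandle, ExitStatus).
 * The export returns an NTSTATUS: 0 (STATUS_SUCCESS) on success, a negative
 * value on failure. It is typed LONG here so callers test "status >= 0" and do
 * not mistake a successful 0 for a BOOL failure. */
typedef LONG (CALLBACK* NTTERMINATEPROCESS)(HANDLE, UINT);
/* Resolved at runtime by main() via GetProcAddress; NULL until then. */
NTTERMINATEPROCESS NtTerminateProcess = NULL;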
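/*
 * Enable or disable a single named privilege on an access token.
 *
 * hToken            token opened with at least TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
 * lpszPrivilege     privilege name, e.g. SE_DEBUG_NAME
 * bEnablePrivilege  TRUE to enable, FALSE to disable
 *
 * Returns TRUE only if the privilege was actually adjusted. AdjustTokenPrivileges
 * returns TRUE even when the token does not hold the privilege (it then sets
 * ERROR_NOT_ALL_ASSIGNED), so that case is reported as failure here.
 */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    LUID luid;
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
        return FALSE;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    /* The LUID identifies which privilege to adjust; without it the entry is garbage. */
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
        return FALSE;
    }

    /* A TRUE return with ERROR_NOT_ALL_ASSIGNED means the caller lacks the privilege. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        return FALSE;
    }

    return TRUE;
}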
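/*
 * Terminate the process with the given PID through ntdll's NtTerminateProcess.
 *
 * Enables SE_DEBUG_NAME on the calling token first (as the original did) so that
 * processes owned by other users can be opened. Requires main() to have resolved
 * the NtTerminateProcess pointer; returns FALSE if it is still NULL.
 *
 * PID  id of the process to terminate
 *
 * Returns TRUE if the termination call succeeded, FALSE otherwise. Both handles
 * are closed on every path.
 */
BOOL KillProcess(DWORD PID)
{
    BOOL bKilled = FALSE;
    HANDLE hToken = NULL;
    HANDLE hProcess = NULL;

    /* Calling through a NULL pointer would crash; fail cleanly instead. */
    if (!NtTerminateProcess) {
        return FALSE;
    }

    /* Only the rights AdjustTokenPrivileges needs, not TOKEN_ALL_ACCESS. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    if (!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)) {
        goto cleanup;
    }

    /* PROCESS_TERMINATE is the only right NtTerminateProcess requires. */
    hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, PID);
    if (!hProcess) {
        goto cleanup;
    }

    {
        /* NtTerminateProcess returns an NTSTATUS: 0 (STATUS_SUCCESS) on success,
         * negative on failure. Testing it like a BOOL reports success as failure. */
        LONG status = (LONG)NtTerminateProcess(hProcess, 1);
        bKilled = (status >= 0);
    }

cleanup:
    if (hProcess) {
        CloseHandle(hProcess);
    }
    CloseHandle(hToken);
    return bKilled;
}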
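/*
 * Terminate every running process whose image name equals ProcessName.
 *
 * ProcessName  image file name as reported by Toolhelp (e.g. "calc.exe"); compared
 *              case-insensitively because Windows file names are case-insensitive.
 *
 * Walks one TH32CS_SNAPPROCESS snapshot and calls KillProcess() for each match.
 * Per-process failures are skipped silently (best-effort, as before). The snapshot
 * handle is kept separate from any process handle so that Process32Next always
 * iterates the snapshot, and it is closed before returning.
 */
void killman(char *ProcessName)
{
    if (!ProcessName) {
        return;
    }

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* Documented failure value is INVALID_HANDLE_VALUE, not NULL. */
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return;
    }

    PROCESSENTRY32 pinfo;
    pinfo.dwSize = sizeof(pinfo);

    for (BOOL more = Process32First(hSnapshot, &pinfo); more;
         more = Process32Next(hSnapshot, &pinfo)) {
        if (lstrcmpi(pinfo.szExeFile, ProcessName) == 0) {
            /* KillProcess opens and closes its own process handle. */
            KillProcess(pinfo.th32ProcessID);
        }
    }

    CloseHandle(hSnapshot);
}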
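/*
 * Entry point: resolve NtTerminateProcess from ntdll.dll, then terminate every
 * "calc.exe" process. argc/argv are not used.
 *
 * Returns 0 on success and 1 if ntdll.dll or its NtTerminateProcess export could
 * not be resolved (a zero exit code on failure would hide the error from callers).
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* Fetch the function from ntdll.dll. */
    HMODULE hNtdll = LoadLibrary("ntdll.dll");
    if (!hNtdll) {
        /* GetLastError() is a DWORD, so %lu rather than %d. */
        printf("LoadLibrary( NTDLL.DLL ) Error:%lu\n", GetLastError());
        return 1;
    }

    NtTerminateProcess = (NTTERMINATEPROCESS)GetProcAddress(hNtdll, "NtTerminateProcess");
    /* An unchecked NULL here would be called later inside KillProcess. */
    if (!NtTerminateProcess) {
        printf("GetProcAddress( NtTerminateProcess ) Error:%lu\n", GetLastError());
        FreeLibrary(hNtdll);
        return 1;
    }

    killman("calc.exe");

    /* Balance the LoadLibrary reference; the pointer is no longer used after this. */
    FreeLibrary(hNtdll);
    return 0;
}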