Kernel Mode Terminate Process

OSR_Community_User · February 6, 2003, 9:58am

Hi, is there an equivalent to TerminateProcess in KernelMode?
Thanks.

Alexey_Logachyov · February 6, 2003, 11:29am

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Thursday, February 06, 2003 7:56 PM
Subject: [ntfsd] Kernel Mode Terminate Process

Hi, is there an equivalent to TerminateProcess in KernelMode?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · February 6, 2003, 3:46pm

Sorry, how do I get the ProcessHandle from the ProcessID?
Thanks again.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 8:31 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Thursday, February 06, 2003 7:56 PM
Subject: [ntfsd] Kernel Mode Terminate Process

Hi, is there an equivalent to TerminateProcess in KernelMode?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

Alexey_Logachyov · February 6, 2003, 5:37pm

NTSTATUS
NTAPI
ZwOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);

Try using OSR search engine. It helps!

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Friday, February 07, 2003 1:44 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

Sorry, how do I get the ProcessHandle from the ProcessID?
Thanks again.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 8:31 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Thursday, February 06, 2003 7:56 PM
Subject: [ntfsd] Kernel Mode Terminate Process

Hi, is there an equivalent to TerminateProcess in KernelMode?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · February 7, 2003, 12:02pm

I have followed your advice. I have search in OSR and Internet as well. ZwOpenProcess needs objects attributes, but that requires a name, how do i call a certain process. I have considered ObOpenObjectByPointer to get the handle from the process pointer but I don't that function's declaration. Does anyone knows?
Thanks.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 2:37 PM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSTATUS
NTAPI
ZwOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);

Try using OSR search engine. It helps!

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Friday, February 07, 2003 1:44 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

Sorry, how do I get the ProcessHandle from the ProcessID?
Thanks again.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 8:31 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Thursday, February 06, 2003 7:56 PM
Subject: [ntfsd] Kernel Mode Terminate Process

Hi, is there an equivalent to TerminateProcess in KernelMode?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

Alexey_Logachyov · February 7, 2003, 4:05pm

Initialize object name as NULL in object attributes. You need objectattributes here only to specify flags like OBJ_KERNEL_HANDLE. Anyway, here's proto for ObOpenObjectByPointer:

NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer (
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);

Note, that you cannot open process having its ID, like you requested in prevoius post. ZwOpenProcess can.

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Friday, February 07, 2003 10:02 PM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

I have followed your advice. I have search in OSR and Internet as well. ZwOpenProcess needs objects attributes, but that requires a name, how do i call a certain process. I have considered ObOpenObjectByPointer to get the handle from the process pointer but I don't that function's declaration. Does anyone knows?
Thanks.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 2:37 PM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSTATUS
NTAPI
ZwOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);

Try using OSR search engine. It helps!

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Friday, February 07, 2003 1:44 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

Sorry, how do I get the ProcessHandle from the ProcessID?
Thanks again.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 8:31 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Thursday, February 06, 2003 7:56 PM
Subject: [ntfsd] Kernel Mode Terminate Process

Hi, is there an equivalent to TerminateProcess in KernelMode?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · February 9, 2003, 11:49am

#include "ntdll.h"

#define PROCESS_TERMINATE (0x0001)
#define PROCESS_VM_READ (0x0010)
#define INVALID_HANDLE_VALUE (HANDLE)-1
typedef NTSTATUS (NTAPI *_NtTerminateProcess)(HANDLE, NTSTATUS);
typedef NTSTATUS (NTAPI *_NtOpenProcess)(PHANDLE, ACCESS_MASK,
POBJECT_ATTRIBUTES, PCLIENT_ID);

/********************************************************************
Method Name : FindNT
Synopsis :
Parameters :
Description :
Returns :
Comments :
*********************************************************************/
PVOID FindNT()
{
ULONG n;
NT::ZwQuerySystemInformation(NT::SystemModuleInformation,&n, 0, &n);
PULONG q = PULONG(ExAllocatePool(PagedPool, n));
NT::ZwQuerySystemInformation(NT::SystemModuleInformation,q, n * sizeof *q,
0);
NT::PSYSTEM_MODULE_INFORMATION p = NT::PSYSTEM_MODULE_INFORMATION(q + 1);
PVOID ntdll = 0;
for (ULONG i = 0; i < *q; i++)
if (_stricmp(p[i].ImageName + p[i].ModuleNameOffset,"ntdll.dll") == 0)
ntdll = p[i].Base;
ExFreePool(q);
return ntdll;
}
/********************************************************************
Method Name : FindFunc
Synopsis :
Parameters :
Description :
Returns :
Comments :
*********************************************************************/
PVOID FindFunc(PVOID Base, PCSTR Name)
{
PIMAGE_DOS_HEADER dos = PIMAGE_DOS_HEADER(Base);
PIMAGE_NT_HEADERS nt = PIMAGE_NT_HEADERS(PCHAR(Base) + dos->e_lfanew);
PIMAGE_DATA_DIRECTORY expdir = nt->OptionalHeader.DataDirectory +
IMAGE_DIRECTORY_ENTRY_EXPORT;
ULONG size = expdir->Size;
ULONG addr = expdir->VirtualAddress;
PIMAGE_EXPORT_DIRECTORY exports = PIMAGE_EXPORT_DIRECTORY(PCHAR(Base) +
addr);
PULONG functions = PULONG(PCHAR(Base) + exports->AddressOfFunctions);
PSHORT ordinals= PSHORT(PCHAR(Base) + exports->AddressOfNameOrdinals);
PULONG names = PULONG(PCHAR(Base) + exports->AddressOfNames);
PVOID func = 0;
for (ULONG i = 0; i < exports->NumberOfNames; i++)
{
ULONG ord = ordinals[i];
if (functions[ord] < addr || functions[ord] >= addr + size)
{
if (strcmp(PSTR(PCHAR(Base) + names[i]), Name) == 0)
func = PCHAR(Base) + functions[ord];
}
}
return func;
}
/********************************************************************
Method Name :
Synopsis :
Parameters :
Description :
Returns :
Comments :
*********************************************************************/
NTSTATUS CMKernelUtil::KillProcess(ULONG dwProcessID)
{
if (dwProcessID == 0)
return STATUS_INVALID_PARAMETER;
NTSTATUS ntTerminateStatus;
HANDLE hProcessHandle;
ACCESS_MASK DesiredAccess = PROCESS_TERMINATE;
OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID ClientId;
ObjectAttributes.Length = 0x18;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.ObjectName = 0;
ObjectAttributes.Attributes = 0;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
ClientId.UniqueProcess = (HANDLE)dwProcessID;
ClientId.UniqueThread = 0;
ntTerminateStatus = _NtOpenProcess(FindFunc(FindNT(), "ZwOpenProcess"))
(&hProcessHandle, DesiredAccess, &ObjectAttributes, &ClientId);
if (NT_SUCCESS(ntTerminateStatus))
{
ntTerminateStatus = _NtTerminateProcess(FindFunc(FindNT(),
"ZwTerminateProcess")) (hProcessHandle, 0);
}
return ntTerminateStatus;
}

----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Friday, February 07, 2003 11:05 PM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

Initialize object name as NULL in object attributes. You need objectattributes here only to specify flags like OBJ_KERNEL_HANDLE. Anyway, here's proto for ObOpenObjectByPointer:

NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer (
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);

Note, that you cannot open process having its ID, like you requested in prevoius post. ZwOpenProcess can.

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Friday, February 07, 2003 10:02 PM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

I have followed your advice. I have search in OSR and Internet as well. ZwOpenProcess needs objects attributes, but that requires a name, how do i call a certain process. I have considered ObOpenObjectByPointer to get the handle from the process pointer but I don't that function's declaration. Does anyone knows?
Thanks.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 2:37 PM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSTATUS
NTAPI
ZwOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);

Try using OSR search engine. It helps!

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Friday, February 07, 2003 1:44 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

Sorry, how do I get the ProcessHandle from the ProcessID?
Thanks again.
----- Original Message -----
From: Alexey Logachyov
To: File Systems Developers
Sent: Thursday, February 06, 2003 8:31 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);

----- Original Message -----
From: Ratmil Torres
To: File Systems Developers
Sent: Thursday, February 06, 2003 7:56 PM
Subject: [ntfsd] Kernel Mode Terminate Process

Hi, is there an equivalent to TerminateProcess in KernelMode?
Thanks.

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@seg.inf.cu
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@hotmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · February 12, 2003, 5:01pm

What functions are those?
NT::ZwQuerySystemInformation & NT::SystemModuleInformation?
----- Original Message -----
From: osmlist
To: File Systems Developers
Sent: Sunday, February 09, 2003 8:51 AM
Subject: [ntfsd] Re: Kernel Mode Terminate Process