Re: [Question] how can i kill the process in driver?

#include “ntdll.h”

// NOTE(review): the include above and the string literals in this listing show
// curly quotes from the mail rendering; they must be straight quotes to compile.
// Access rights passed to ZwOpenProcess; only PROCESS_TERMINATE is used below.
#define PROCESS_TERMINATE (0x0001)
// Not referenced anywhere in this listing.
#define PROCESS_VM_READ (0x0010)
// Not referenced in this listing either; normally supplied by the SDK headers.
#define INVALID_HANDLE_VALUE (HANDLE)-1
// Signatures of the two ntdll exports that KillProcess resolves at run time.
// Names starting with an underscore and a capital letter are reserved for the
// implementation in C/C++; they work in practice but are not ideal choices.
typedef NTSTATUS (NTAPI *_NtTerminateProcess)(HANDLE, NTSTATUS);
typedef NTSTATUS (NTAPI *_NtOpenProcess)(PHANDLE, ACCESS_MASK,
POBJECT_ATTRIBUTES, PCLIENT_ID);

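/********************************************************************
Method Name : FindNT
Synopsis : Locate the load address of ntdll.dll via the system module list.
Parameters : none
Description : Calls ZwQuerySystemInformation(SystemModuleInformation) twice:
              once with an empty buffer to learn the required size in bytes,
              then with a buffer of exactly that size. Walks the returned
              module array and records the Base of the entry whose file name
              is "ntdll.dll" (last match wins, as in the original). The
              buffer is always freed before returning.
Returns : Image base of ntdll.dll, or NULL if the size query returns 0, the
          pool allocation fails, the second query fails, or no such module
          is listed.
Comments : Allocates from PagedPool and calls a Zw* service, so it is
          expected to run at PASSIVE_LEVEL. The module list can change
          between the two calls; if the second call then fails with a
          length mismatch this simply returns NULL rather than retrying.
*********************************************************************/
PVOID FindNT()
{
    ULONG n = 0;
    // Zero-length buffer: only the required length (in bytes) is wanted.
    NT::ZwQuerySystemInformation(NT::SystemModuleInformation, &n, 0, &n);
    if (n == 0)
        return 0;

    PULONG q = PULONG(ExAllocatePool(PagedPool, n));
    if (q == 0)
        return 0;

    // Pass the buffer length in bytes. The original passed n * sizeof *q,
    // which over-states the buffer by a factor of four and lets the kernel
    // write past the allocation if the module list has grown meanwhile.
    NTSTATUS status = NT::ZwQuerySystemInformation(NT::SystemModuleInformation, q, n, 0);
    if (!NT_SUCCESS(status))
    {
        ExFreePool(q);
        return 0;
    }

    // Layout: a ULONG module count followed by the SYSTEM_MODULE_INFORMATION array.
    NT::PSYSTEM_MODULE_INFORMATION p = NT::PSYSTEM_MODULE_INFORMATION(q + 1);
    PVOID ntdll = 0;
    for (ULONG i = 0; i < *q; i++)
    {
        // ModuleNameOffset skips the directory part of the full image path.
        if (_stricmp(p[i].ImageName + p[i].ModuleNameOffset, "ntdll.dll") == 0)
            ntdll = p[i].Base;
    }
    ExFreePool(q);
    return ntdll;
}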
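/********************************************************************
Method Name : FindFunc
Synopsis : Resolve a named export from a PE image mapped at Base.
Parameters : Base - image base of a mapped PE image (e.g. the value
             returned by FindNT).
             Name - ANSI export name; compared case-sensitively (strcmp).
Description : Walks the export directory: for each name-table entry, looks
              up the matching ordinal and function RVA and compares the
              export name with Name. Forwarded exports (RVAs that point
              inside the export directory itself) are skipped, as in the
              original, so a forwarded name resolves to NULL.
Returns : Address of the export, or NULL if Base or Name is NULL, the DOS
          or NT signature does not match, the image has no export
          directory, or no export of that name exists.
Comments : Only the header fields that are read are validated. It is
          assumed that the whole image, not just its headers, is readable
          in the current context - confirm, since a user-mode mapping of
          ntdll is only valid while attached to a process that maps it.
*********************************************************************/
PVOID FindFunc(PVOID Base, PCSTR Name)
{
    if (Base == 0 || Name == 0)
        return 0;

    PIMAGE_DOS_HEADER dos = PIMAGE_DOS_HEADER(Base);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return 0;
    PIMAGE_NT_HEADERS nt = PIMAGE_NT_HEADERS(PCHAR(Base) + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return 0;

    PIMAGE_DATA_DIRECTORY expdir = nt->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT;
    ULONG size = expdir->Size;
    ULONG addr = expdir->VirtualAddress;
    if (addr == 0 || size == 0)
        return 0;   // the image exports nothing

    PIMAGE_EXPORT_DIRECTORY exports = PIMAGE_EXPORT_DIRECTORY(PCHAR(Base) + addr);
    PULONG functions = PULONG(PCHAR(Base) + exports->AddressOfFunctions);
    // AddressOfNameOrdinals is an array of WORD. Reading it as signed SHORT
    // (as the original did) turns ordinals >= 0x8000 into negative indices
    // into functions[], i.e. an out-of-bounds read.
    PUSHORT ordinals = PUSHORT(PCHAR(Base) + exports->AddressOfNameOrdinals);
    PULONG names = PULONG(PCHAR(Base) + exports->AddressOfNames);

    for (ULONG i = 0; i < exports->NumberOfNames; i++)
    {
        ULONG ord = ordinals[i];
        if (ord >= exports->NumberOfFunctions)
            continue;   // malformed table: ordinal outside the function array
        ULONG rva = functions[ord];
        // An RVA inside the export directory is a forwarder string, not code.
        if (rva >= addr && rva < addr + size)
            continue;
        if (strcmp(PSTR(PCHAR(Base) + names[i]), Name) == 0)
            return PCHAR(Base) + rva;
    }
    return 0;
}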
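/********************************************************************
Method Name : CMKernelUtil::KillProcess
Synopsis : Terminate the process with the given PID from kernel mode.
Parameters : dwProcessID - id of the process to terminate; 0 is rejected.
Description : Resolves ZwOpenProcess and ZwTerminateProcess from ntdll's
              export table (FindNT/FindFunc), opens the target with
              PROCESS_TERMINATE as a kernel handle, terminates it with exit
              status 0 and closes the handle.
Returns : STATUS_INVALID_PARAMETER for PID 0; STATUS_UNSUCCESSFUL if either
          export cannot be resolved; otherwise the NTSTATUS of the open or,
          when the open succeeded, of the terminate.
Comments : The handle is opened with OBJ_KERNEL_HANDLE so it lives in the
          kernel handle table rather than the current process's table,
          where user-mode code in that process could otherwise reach a
          PROCESS_TERMINATE handle to another process. Length is
          sizeof(OBJECT_ATTRIBUTES) instead of the literal 0x18, which is
          only correct for 32-bit builds (InitializeObjectAttributes does
          the same). The original never closed the handle, leaking one per
          call. Whether calling ntdll's stubs from kernel mode is acceptable
          at all is a design question for the caller; ntoskrnl exports the
          Zw* services for drivers directly.
*********************************************************************/
NTSTATUS CMKernelUtil::KillProcess(ULONG dwProcessID)
{
    if (dwProcessID == 0)
        return STATUS_INVALID_PARAMETER;

    // Resolve both services up front so nothing is opened if either is missing;
    // FindNT is called once instead of once per lookup.
    PVOID ntdll = FindNT();
    _NtOpenProcess pfnOpenProcess = _NtOpenProcess(FindFunc(ntdll, "ZwOpenProcess"));
    _NtTerminateProcess pfnTerminateProcess = _NtTerminateProcess(FindFunc(ntdll, "ZwTerminateProcess"));
    if (pfnOpenProcess == 0 || pfnTerminateProcess == 0)
        return STATUS_UNSUCCESSFUL;

    OBJECT_ATTRIBUTES ObjectAttributes;
    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.ObjectName = 0;
    ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE;
    ObjectAttributes.SecurityDescriptor = 0;
    ObjectAttributes.SecurityQualityOfService = 0;

    CLIENT_ID ClientId;
    ClientId.UniqueProcess = HANDLE(ULONG_PTR(dwProcessID));
    ClientId.UniqueThread = 0;

    HANDLE hProcessHandle = 0;
    NTSTATUS status = pfnOpenProcess(&hProcessHandle, PROCESS_TERMINATE, &ObjectAttributes, &ClientId);
    if (!NT_SUCCESS(status))
        return status;

    status = pfnTerminateProcess(hProcessHandle, 0);
    // Close on both success and failure of the terminate; the handle is ours.
    ZwClose(hProcessHandle);
    return status;
}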

----- Original Message -----
From: “frode”
To: “File Systems Developers”
Sent: Wednesday, January 22, 2003 9:21 AM
Subject: [ntfsd] Re: [Question] how can i kill the process in driver?

> hi:
> try to use ObDereferenceObject and ObReferenceObjectByHandle.
>
> frode chen
>
> ----- Original Message -----
> From: “Kim Byeong-Kyun”
> To: “File Systems Developers”
> Sent: Wednesday, January 22, 2003 11:08 AM
> Subject: [ntfsd] [Question] how can i kill the process in driver?
>
>
> > hi, all…
> >
> > how can i kill the process in a driver?
> > i know the id (pid) of the process that i want to kill.
> > i don’t know how to kill the process.
> >
> > advise to me…
> > thanks…
> >
> > —