进程保护--CrossThreadFlags标志位
原理:
1. 将进程的所有线程的线程CrossThreadFlags标志位设置成Terminated或者System.
效果:任务管理器,WSYSCheck,ICESWORD无法结束进程。。
但PCHunter 可以结束受保护的进程。
但PCHunter无法用普通方法结束受保护的线程,必须使用强制结束线程才可结束线程。。
代码:
VOID SetThreadFlagToTerminatedByThreadID(ULONG dwThreadID)
{
ULONG ulFlagOffset;
NTSTATUS status = STATUS_UNSUCCESSFUL;
PULONG pFlag;
PETHREAD eThead;
HANDLE threadHandle;
__try{
threadHandle = (HANDLE)dwThreadID;
ulFlagOffset = GetCrossThreadFlagOffset();
//dprintf("GetCrossThreadFlagOffset: 0X%08X\r\n", ulFlagOffset);
status = PsLookupThreadByThreadId(threadHandle, &eThead);
if(!NT_SUCCESS(status))
{
dprintf("PsLookupThreadByThreadId ERRORid:0X%08X, TID: 0X%08X\r\n", status, dwThreadID);
return status;
}
//dprintf("ETHREAD:0X%08X\n", eThead);
pFlag = (ULONG*)((PUCHAR)eThead + ulFlagOffset);
//dprintf("ulFlag address:0X%08X value:0x%08X\n", pFlag, *pFlag);
*pFlag |= PS_CROSS_THREAD_FLAGS_TERMINATED;
dprintf("new ulFlag address:0X%08X value:0x%08X\n", pFlag, *pFlag);
}__except(EXCEPTION_EXECUTE_HANDLER)
{
dprintf("EXCEPTION ON set thread cross flags!");
return status;
}
}
页:
[1]