
Как при помощи данных функций можно убить процесс?

Тема в разделе Программирование создана пользователем kozol 31 июл 2025 в 00:28. 53 просмотра

  1. kozol
    kozol Автор темы 31 июл 2025 в 00:28 BEST CRYPT - https://lolz.live/threads/8445576/ 8 15 дек 2019
    ; IDA Pro listing of the .idata (import) segment of a 64-bit Windows
    ; kernel-mode driver. Each "extrn NAME:qword" is one 8-byte import-address
    ; slot (0x12000 .. 0x12088); the CODE/DATA XREF lines after it name the
    ; sub_XXXX routines that call through (p) or read (r) that slot.
    ; The first two slots (0x12000, 0x12008) are listed before the
    ; "Imports from ntoskrnl.exe" banner; the table in post #3 attributes
    ; them to HAL. Everything from 0x12018 on is imported from ntoskrnl.exe.
    ;
    ; Caller summary recovered from the xrefs. The routine bodies are not on
    ; this page, so the roles in parentheses are inferences, not facts:
    ;   sub_11000 -> _snwprintf, RtlInitUnicodeString, IoCreateDevice,
    ;                RtlZeroMemory, IoCreateSymbolicLink, IoDeleteDevice
    ;                (device-object setup; presumably DriverEntry)
    ;   sub_111D0 -> IoDeleteSymbolicLink, IoDeleteDevice (presumably unload)
    ;   sub_11270 -> IofCompleteRequest (presumably an IRP dispatch routine)
    ;   sub_11A20 -> KeStallExecutionProcessor
    ;   sub_11B10 -> ExAllocatePoolWithTag
    ;   sub_11740 -> ZwUnmapViewOfSection, ExFreePoolWithTag
    ;   sub_11C30 -> ZwOpenSection, ObReferenceObjectByHandle,
    ;                ZwMapViewOfSection, HalTranslateBusAddress (two sites),
    ;                ZwClose
    ;
    ; NOTE(review): no process- or thread-termination import and no
    ; process-lookup import appears in this table; the visible set covers
    ; device setup/teardown, IRP completion, pool alloc/free and section
    ; open/map/unmap. What sub_11C30 does with the mapped section cannot be
    ; determined from the import table alone -- its body would have to be read.
    .idata:0000000000012000 ; Segment type: Externs
    .idata:0000000000012000 ; _idata
    .idata:0000000000012000 ; void (__stdcall *KeStallExecutionProcessor)(ULONG MicroSeconds)
    .idata:0000000000012000 extrn KeStallExecutionProcessor:qword
    .idata:0000000000012000 ; CODE XREF: sub_11A20+B1↑p
    .idata:0000000000012000 ; DATA XREF: sub_11A20+B1↑r ...
    .idata:0000000000012008 ; BOOLEAN (__stdcall *HalTranslateBusAddress)(INTERFACE_TYPE InterfaceType, ULONG BusNumber, PHYSICAL_ADDRESS BusAddress, PULONG AddressSpace, PPHYSICAL_ADDRESS TranslatedAddress)
    .idata:0000000000012008 extrn HalTranslateBusAddress:qword
    .idata:0000000000012008 ; CODE XREF: sub_11C30+108↑p
    .idata:0000000000012008 ; sub_11C30+12B↑p
    .idata:0000000000012008 ; DATA XREF: ...
    .idata:0000000000012010
    .idata:0000000000012018 ;
    .idata:0000000000012018 ; Imports from ntoskrnl.exe
    .idata:0000000000012018 ;
    .idata:0000000000012018 ; NTSTATUS (__stdcall *IoCreateDevice)(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject)
    .idata:0000000000012018 extrn IoCreateDevice:qword
    .idata:0000000000012018 ; CODE XREF: sub_11000+AB↑p
    .idata:0000000000012018 ; DATA XREF: sub_11000+AB↑r ...
    .idata:0000000000012020 ; void (__stdcall *RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString)
    .idata:0000000000012020 extrn RtlInitUnicodeString:qword
    .idata:0000000000012020 ; CODE XREF: sub_11000+77↑p
    .idata:0000000000012020 ; sub_11000+D9↑p ...
    .idata:0000000000012028 ; int (*snwprintf)(wchar_t *Dest, size_t Count, const wchar_t *Format, ...)
    .idata:0000000000012028 extrn _snwprintf:qword ; CODE XREF: sub_11000+2F↑p
    .idata:0000000000012028 ; sub_11000+4A↑p ...
    .idata:0000000000012030 ; NTSTATUS (__stdcall *IoDeleteSymbolicLink)(PUNICODE_STRING SymbolicLinkName)
    .idata:0000000000012030 extrn IoDeleteSymbolicLink:qword
    .idata:0000000000012030 ; CODE XREF: sub_111D0+3A↑p
    .idata:0000000000012030 ; DATA XREF: sub_111D0+3A↑r
    .idata:0000000000012038 ; void (__stdcall *IofCompleteRequest)(PIRP Irp, CCHAR PriorityBoost)
    .idata:0000000000012038 extrn IofCompleteRequest:qword
    .idata:0000000000012038 ; CODE XREF: sub_11270+2B4↑p
    .idata:0000000000012038 ; DATA XREF: sub_11270+2B4↑r
    .idata:0000000000012040 ; void (__stdcall *ExFreePoolWithTag)(PVOID P, ULONG Tag)
    .idata:0000000000012040 extrn ExFreePoolWithTag:qword
    .idata:0000000000012040 ; CODE XREF: sub_11740+39↑p
    .idata:0000000000012040 ; DATA XREF: sub_11740+39↑r
    .idata:0000000000012048 ; NTSTATUS (__stdcall *ZwClose)(HANDLE Handle)
    .idata:0000000000012048 extrn ZwClose:qword ; CODE XREF: sub_11C30+202↑p
    .idata:0000000000012048 ; DATA XREF: sub_11C30+202↑r
    .idata:0000000000012050 ; PVOID (__stdcall *ExAllocatePoolWithTag)(POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag)
    .idata:0000000000012050 extrn ExAllocatePoolWithTag:qword
    .idata:0000000000012050 ; CODE XREF: sub_11B10+67↑p
    .idata:0000000000012050 ; DATA XREF: sub_11B10+67↑r
    .idata:0000000000012058 ; void (__stdcall *RtlZeroMemory)(void *, SIZE_T Length)
    .idata:0000000000012058 extrn RtlZeroMemory:qword
    .idata:0000000000012058 ; CODE XREF: sub_11000+C2↑p
    .idata:0000000000012058 ; DATA XREF: sub_11000+C2↑r
    .idata:0000000000012060 ; NTSTATUS (__stdcall *ZwUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress)
    .idata:0000000000012060 extrn ZwUnmapViewOfSection:qword
    .idata:0000000000012060 ; CODE XREF: sub_11740+2E↑p
    .idata:0000000000012060 ; DATA XREF: sub_11740+2E↑r
    .idata:0000000000012068 ; NTSTATUS (__stdcall *ZwMapViewOfSection)(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect)
    .idata:0000000000012068 extrn ZwMapViewOfSection:qword
    .idata:0000000000012068 ; CODE XREF: sub_11C30+1CE↑p
    .idata:0000000000012068 ; DATA XREF: sub_11C30+1CE↑r
    .idata:0000000000012070 ; NTSTATUS (__stdcall *ObReferenceObjectByHandle)(HANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID *Object, POBJECT_HANDLE_INFORMATION HandleInformation)
    .idata:0000000000012070 extrn ObReferenceObjectByHandle:qword
    .idata:0000000000012070 ; CODE XREF: sub_11C30+D4↑p
    .idata:0000000000012070 ; DATA XREF: sub_11C30+D4↑r
    .idata:0000000000012078 ; NTSTATUS (__stdcall *ZwOpenSection)(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes)
    .idata:0000000000012078 extrn ZwOpenSection:qword
    .idata:0000000000012078 ; CODE XREF: sub_11C30+A7↑p
    .idata:0000000000012078 ; DATA XREF: sub_11C30+A7↑r
    .idata:0000000000012080 ; NTSTATUS (__stdcall *IoCreateSymbolicLink)(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName)
    .idata:0000000000012080 extrn IoCreateSymbolicLink:qword
    .idata:0000000000012080 ; CODE XREF: sub_11000+E9↑p
    .idata:0000000000012080 ; DATA XREF: sub_11000+E9↑r
    .idata:0000000000012088 ; void (__stdcall *IoDeleteDevice)(PDEVICE_OBJECT DeviceObject)
    .idata:0000000000012088 extrn IoDeleteDevice:qword
    .idata:0000000000012088 ; CODE XREF: sub_11000+FA↑p
    .idata:0000000000012088 ; sub_111D0+43↑p
    .idata:0000000000012088 ; DATA XREF: .


    Думаем.
     
  2. ring
    ring 31 июл 2025 в 00:30 133 22 дек 2019
    получить дескриптор, открыть или создать секцию памяти, выделить память, насрать в память вредоносными данными, закрыть дескриптор и высвободить память
     
  3. kozol
    kozol Автор темы 31 июл 2025 в 00:30 BEST CRYPT - https://lolz.live/threads/8445576/ 8 15 дек 2019
    Address
    Ordinal Name
    0000000000012000
    KeStallExecutionProcessor
    Library
    HAL
    0000000000012008
    HalTranslateBusAddress
    HAL
    0000000000012018
    IoCreateDevice
    ntoskrnl
    0000000000012020
    RtlInitUnicodeString
    ntoskrnl
    0000000000012028
    _snwprintf
    ntoskrnl
    0000000000012030
    IoDeleteSymbolicLink
    ntoskrnl
    0000000000012038
    IofCompleteRequest
    ntoskrnl
    0000000000012040
    ExFreePoolWithTag
    ntoskrnl
    0000000000012048
    ZwClose
    ntoskrnl
    0000000000012050
    ExAllocatePoolWithTag
    ntoskrnl
    0000000000012058
    RtlZeroMemory
    ntoskrnl
    0000000000012060
    ZwUnmapViewOfSection
    ntoskrnl
    0000000000012068
    ZwMapViewOfSection
    ntoskrnl
    0000000000012070
    ObReferenceObjectByHandle
    ntoskrnl
    0000000000012078
    ZwOpenSection
    ntoskrnl
    0000000000012080
    IoCreateSymbolicLink
    ntoskrnl
    0000000000012088
    IoDeleteDevice
    ntoskrnl
    Более читаемый вид
     