1. 保护进程：结束就蓝屏
RtlSetProcessIsCritical 函数可以启用或关闭进程的“关键进程”状态。开启之后，该进程变得和系统进程一样：一旦被杀，系统直接蓝屏。系统进程的这一特性也是通过此函数实现的。上图所示可用于进程保护。
把自己设置为保护进程，这样一旦被结束掉就会蓝屏；蓝屏信息翻译过来就是“重点保护进程”。
设置为保护进程:RtlSetProcessIsCritical(True,Null(或Nothing),False)
取消（程序关闭前记得调用）：RtlSetProcessIsCritical(False, Null, False)
把进程做成像 csrss 一样，中止就蓝屏，防止进程被杀。


这是最不占用CPU的方式了
以下为C代码
#include<stdio.h>
#include<Windows.h>

/* Function-pointer types for the undocumented ntdll exports resolved below.
 * NOTE(review): all three typedefs omit the return type, so they rely on
 * C89 implicit int (C++ rejects this). The prototype section later on this
 * page gives the return type as NTSTATUS. */
typedef (NTAPI*Rtl)(ULONG,BOOL,BOOL,PBOOL);
typedef (NTAPI*PT1)(BOOL, PBOOLEAN, BOOL);
typedef (NTAPI*PT2)(BOOL,PBOOLEAN,BOOL);

/* Marks the calling process and its current thread as "critical": from then
 * on, terminating either one crashes the whole system (bugcheck) instead of
 * just ending the process — the protection trick described above.
 * Requires SeDebugPrivilege (LUID value 20), which is enabled first through
 * RtlAdjustPrivilege. SeDebugPrivilege is normally held only by
 * administrators, so this protects an already-elevated process; it is not a
 * privilege escalation. The return values of all three calls are ignored,
 * so a failure (e.g. privilege not present in the token) is silent.
 * Defender's view: an ordinary user-mode process marking itself critical is
 * a strong abuse indicator, and such a process cannot be safely killed —
 * the flag has to be cleared first (RtlSetProcessIsCritical(FALSE, ...) as
 * noted in the text above). */
void Protect()
{
    BOOL B;                         /* receives the previous privilege state */
    ULONG SE_DEBUG_PRIVILEGE = 20;  /* LUID value of SeDebugPrivilege */
    Rtl RtlAdjustPrivilege=(Rtl)GetProcAddress(GetModuleHandleW(L"ntdll"),"RtlAdjustPrivilege");
    PT1 RtlSetProcessIsCritical=(PT1)GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlSetProcessIsCritical");
    PT2 RtlSetThreadIsCritical=(PT2)GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlSetThreadIsCritical");
    /* NOTE(review): none of the three pointers is NULL-checked before use;
     * if any lookup fails this dereferences NULL. */
    RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE,TRUE,FALSE,&B);
    RtlSetProcessIsCritical(TRUE,NULL,FALSE);   /* NewValue=TRUE; no old-value out param */
    RtlSetThreadIsCritical(TRUE, NULL, FALSE);
}

/* NOTE(review): `void main()` is non-standard; hosted C requires `int main`.
 * The critical flag is never cleared here, so per the text above even the
 * normal return from main after getchar() ends in a bugcheck. */
void main()
{
    Protect();
    getchar();  /* block on stdin so the process stays alive */
}
VB 代码如下：
Option Explicit

' ntdll exports used below.
' RtlAdjustPrivilege: enables/disables one privilege (by LUID value) on the
' process token (Client=False); WasEnabled receives the previous state.
' RtlSetProcessIsCritical: marks (NewValue=True) or un-marks (NewValue=False)
' the current process as critical; terminating a critical process crashes
' the system, as described above.
' NOTE(review): VB's Boolean is a 16-bit value, while the prototype later on
' this page declares these parameters as BOOLEAN (one byte) — the declared
' widths differ; worth verifying against the native signature.
Public Declare Function RtlAdjustPrivilege Lib "ntdll.dll" (ByVal Privilege As Long, ByVal Enable As Boolean, ByVal Client As Boolean, WasEnabled As Long) As Long
Public Declare Function RtlSetProcessIsCritical Lib "ntdll" (Optional ByVal NewValue As Boolean, Optional ByVal Value As Boolean, Optional ByVal WinLogon As Boolean = True)

Sub Main()
    ' 20 = SeDebugPrivilege, required before the critical flag can be changed.
    RtlAdjustPrivilege 20, True, False, 0
    ' NOTE(review): NewValue is False here, so this call *clears* the critical
    ' flag rather than setting it (compare the set/cancel examples above).
    RtlSetProcessIsCritical False, False, True
    End
End Sub
2. RtlAdjustPrivilege 提权后用 NtRaiseHardError 制造系统蓝屏
VB代码如下:
Option Explicit

' NtRaiseHardError: raises a "hard error" for the given NTSTATUS.
' UnicodeStringParameterMask is a bitmask saying which Parameters entries
' are UNICODE_STRING pointers. With ValidResponseOptions = 6
' (OptionShutdownSystem in the C enum later on this page) and
' SeShutdownPrivilege held, the kernel bugchecks instead of showing a dialog.
Public Declare Function NtRaiseHardError Lib "ntdll.dll" (ByVal ErrorStatus As Long, ByVal NumberOfParameters As Long, ByVal UnicodeStringParameterMask As Long, ByRef Parameters As Any, ByVal ValidResponseOptions As Long, ByRef Response As Long) As Long
Public Declare Function RtlAdjustPrivilege Lib "ntdll.dll" (ByVal Privilege As Long, ByVal Enable As Boolean, ByVal Client As Boolean, WasEnabled As Long) As Long
Public Declare Sub RtlInitUnicodeString Lib "ntdll.dll" (DestinationString As UNICODE_STRING, ByVal SourceString As Long)

' NOTE(review): this Type lays Length/MaximumLength out as 32-bit Longs,
' whereas the C header later on this page (and the native struct) uses two
' USHORTs — the layouts differ, so RtlInitUnicodeString fills a structure
' whose fields do not line up with what VB reads back as u.Length.
Public Type UNICODE_STRING
    Length As Long
    MaximumLength As Long
    Buffer As Long
End Type

Sub Main()
    Dim u As UNICODE_STRING, p(3) As Long
    ' 19 (0x13) = SeShutdownPrivilege; the shutdown response option needs it.
    RtlAdjustPrivilege 19, True, False, 0
    RtlInitUnicodeString u, StrPtr("Session Manager")
    ' Parameter block: p(0) is the UNICODE_STRING pointer (mask bit 0 marks
    ' it as a string parameter); p(1) carries its length and p(2)/p(3)
    ' repeat the same pointer as filler.
    p(0) = VarPtr(u)
    p(1) = u.Length
    p(2) = VarPtr(u)
    p(3) = VarPtr(u)
    ' &HC000021A = STATUS_SYSTEM_PROCESS_TERMINATED; 4 parameters, mask 1,
    ' response option 6 = shutdown. Per the heading above a successful call
    ' bugchecks the machine, so nothing after it runs; the return value is
    ' not checked when it does return.
    NtRaiseHardError &HC000021A, 4, 1, p(0), 6, 0
End Sub
VC 代码
函数原型
// Enables or disables a single privilege, identified by its LUID value
// (on this page: 19 = SeShutdownPrivilege, 20 = SeDebugPrivilege), on the
// process token or, when CurrentThread is TRUE, the thread's token.
// It can only enable a privilege the token already holds. Enabled receives
// the previous state. Returns an NTSTATUS (negative = failure).
NTSTATUS RtlAdjustPrivilege
(
ULONG Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
);
// Raises a hard error with the given status. UnicodeStringParameterMask
// flags which Parameters entries are PUNICODE_STRING; ResponseOption picks
// the response set (OptionShutdownSystem = 6 in NTHeaders.h below), and the
// chosen response comes back through Response.
// NOTE(review): the mask is declared PUNICODE_STRING here, but both callers
// on this page pass it as a plain integer bitmask (1 or 0), and in the
// native signature it is a ULONG — this prototype's type for that argument
// looks wrong.
NTSYSAPI NTSTATUS NTAPI NtRaiseHardError
(
IN NTSTATUS ErrorStatus,
IN ULONG NumberOfParameters,
IN PUNICODE_STRING UnicodeStringParameterMask OPTIONAL,
IN PVOID *Parameters,
IN HARDERROR_RESPONSE_OPTION ResponseOption,
OUT PHARDERROR_RESPONSE Response
);
NTHeaders.h(声明相关结构与变量):
//======================================================================
//By TiKEY!
//E-mail:tyk5555@hotmail.com
//QQ:574436201
//======================================================================
// Minimal hand-rolled declarations of the NT types that the Win32 SDK
// headers do not expose (they normally come from the NT DDK headers).
// Consumed by BlueScreen.cpp below.
#ifndef _NT_HDRS_
#define _NT_HDRS_
#include <windows.h>

typedef /*__success(return >= 0)*/ LONG NTSTATUS;   // negative values are failures
typedef NTSTATUS *PNTSTATUS;

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)

// Counted UTF-16 string; Length/MaximumLength are byte counts held in USHORT.
// NOTE(review): the VB UNICODE_STRING Type earlier on this page uses Long
// fields instead and therefore has a different layout.
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

// Which set of responses NtRaiseHardError may offer. OptionShutdownSystem
// (value 6) is the one that, with SeShutdownPrivilege, bugchecks the machine.
typedef enum _HARDERROR_RESPONSE_OPTION {
    OptionAbortRetryIgnore,
    OptionOk,
    OptionOkCancel,
    OptionRetryCancel,
    OptionYesNo,
    OptionYesNoCancel,
    OptionShutdownSystem
} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION;

// Response actually chosen, returned through NtRaiseHardError's last argument.
typedef enum _HARDERROR_RESPONSE {
    ResponseReturnToCaller,
    ResponseNotHandled,
    ResponseAbort,
    ResponseCancel,
    ResponseIgnore,
    ResponseNo,
    ResponseOk,
    ResponseRetry,
    ResponseYes
} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;

#endif
BlueScreen.cpp:
//======================================================================
//By TiKEY!
//E-mail:tyk5555@hotmail.com
//QQ:574436201
//======================================================================
#include <Windows.h>
#include "NTHeaders.h"

HINSTANCE hInst; // current instance (NOTE(review): never assigned or read in this file)

// Function-pointer types for the two ntdll exports resolved at run time.
// NOTE(review): both return UINT here and RtlAdjustPrivilege's last
// parameter is PINT, whereas the prototypes above give NTSTATUS and
// PBOOLEAN. The return widths match on Win32 (both 32-bit), but the
// PINT out-parameter receives a one-byte BOOLEAN into a 4-byte int.
typedef UINT (CALLBACK* NTRAISEHARDERROR)(NTSTATUS, ULONG, PUNICODE_STRING, PVOID,HARDERROR_RESPONSE_OPTION, PHARDERROR_RESPONSE);
typedef UINT (CALLBACK* RTLADJUSTPRIVILEGE)(ULONG, BOOL, BOOL, PINT);
// Entry point. Loads ntdll, resolves NtRaiseHardError / RtlAdjustPrivilege,
// enables SeShutdownPrivilege and raises hard error 0xC000021A with the
// shutdown-system response option, which bugchecks the machine.
// Returns 0 when a lookup failed, 1 otherwise — on success control does not
// normally get back here. RtlAdjustPrivilege can only enable a privilege the
// token already holds, so this is a denial-of-service primitive for a
// process that already has SeShutdownPrivilege, not a privilege escalation.
// NOTE(review): hDLL is freed only on the two failure paths; on the
// success path it leaks (moot if the bugcheck happens, relevant when it
// does not, e.g. because the privilege was not granted).
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    HINSTANCE hDLL = LoadLibrary(TEXT("ntdll.dll"));
    NTRAISEHARDERROR NtRaiseHardError;
    RTLADJUSTPRIVILEGE RtlAdjustPrivilege;
    int nEn = 0;                    // previous privilege state (out)
    HARDERROR_RESPONSE reResponse;  // chosen response (out); never read afterwards
    if (hDLL != NULL)
    {
        NtRaiseHardError = (NTRAISEHARDERROR)GetProcAddress(hDLL, "NtRaiseHardError");
        RtlAdjustPrivilege = (RTLADJUSTPRIVILEGE)GetProcAddress(hDLL, "RtlAdjustPrivilege");
        if (!NtRaiseHardError)
        {
            // handle the error
            FreeLibrary(hDLL);
            return 0;
        }
        if (!RtlAdjustPrivilege)
        {
            // handle the error
            FreeLibrary(hDLL);
            return 0;
        }
        RtlAdjustPrivilege(0x13, TRUE, FALSE, &nEn);//0x13 = SeShutdownPrivilege
        // NOTE(review): the status returned above is ignored, so if the
        // privilege could not be enabled the call below still proceeds and
        // may not behave as intended.
        // No parameters (count 0, mask 0, NULL array); response option 6.
        NtRaiseHardError(0xC000021A,0,0,0,OptionShutdownSystem,&reResponse);
    }
    return 1;
}
VC 代码在 VS2010 SP1 下编译通过，Win7 SP1 上测试有效。