hi
i use this code for kill process
---------------
when set full access for code section in ollydbg dont need for disableWP_CR0(); and enableWP_CR0();
i use this code for kill process
Code: Select all
i can write in data section but can't write to code section so i use disableWP_CR0(); and enableWP_CR0(); it work well but when i kill notepad.exe cant run new notepad.exe error "NOTEPAD.EXE Has Encountered a Problem and Needs to Close" Error Message Appears When You Try to Quit Notepad"NTSTATUS KillProcess(UINT32 ProcessID)
{
PEPROCESS PEprocess=NULL;
NTSTATUS Status;
KAPC_STATE *ka_state=NULL;
PKPROCESS ProcessId;
HANDLE ProcessHanlde;
Status=PsLookupProcessByProcessId((HANDLE)ProcessID,&PEprocess);
if(!NT_SUCCESS(Status))
{
DbgPrint(" Error In PsLookupProcessByProcessId " );
return Status;
}
ka_state=(KAPC_STATE*)ExAllocatePoolWithTag(NonPagedPool,sizeof(KAPC_STATE),'trak');
if(!ka_state)
{
DbgPrint(" ka_state is null");
return STATUS_INSUFFICIENT_RESOURCES;
}
ProcessId = (PKPROCESS)((ULONG *)((ULONG)PEprocess+ 0x000));
KeStackAttachProcess(ProcessId,ka_state);
////
//// now we are in context of process
////
DbgPrint("Calling process name is: %s \r \n", PsGetProcessImageFileName(PsGetCurrentProcess()));
disableWP_CR0();
__try
{
memset((void*)0x01001000,1,0x00008000);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
DbgPrint("EXCEPTION_EXECUTE_HANDLER \r \n");
}
enableWP_CR0();
KeUnstackDetachProcess(ka_state);
ExFreePool(ka_state);
ObDereferenceObject(PEprocess);
DbgPrint("yes \r \n");
return STATUS_SUCCESS;
}
/*disableWP_CR0();
// CLI //dissable interrupt
MOV EAX, CR0 //move CR0 register into EAX
AND EAX, NOT 10000H //disable WP bit
MOV CR0, EAX //write register back
*/
---------------
when set full access for code section in ollydbg dont need for disableWP_CR0(); and enableWP_CR0();
@R00tkitSMM
