最简单的delphi驱动结束进程

2018-10-31

弄了一天,用dddk编译的,主要是native api的声明不好转

unit ring0kill;

interface

uses
nt_status, ntoskrnl;

function _DriverEntry(pDriverObject:PDRIVER_OBJECT; pusRegistryPath:PUNICODE_STRING): NTSTATUS; stdcall;

implementation

function _DriverEntry(pDriverObject:PDRIVER_OBJECT; pusRegistryPath:PUNICODE_STRING): NTSTATUS;
var
hProcess:thandle;
cid: CLIENT_ID;
oa :OBJECT_ATTRIBUTES;
hJob: DWORD;
begin
oa.Length := sizeof(OBJECT_ATTRIBUTES);
oa.RootDirectory := 0;
oa.ObjectName := nil;
oa.Attributes := 0;
oa.SecurityDescriptor := nil;
oa.SecurityQualityOfService := nil;
cid.UniqueProcess := 1076;//呵呵,进程pid
cid.UniqueThread := 0;
ZwOpenProcess(@hProcess, $001F0FFF , @oa, @cid);

ZwTerminateProcess(hProcess, 0);
ZwClose(hProcess);
DbgPrint('SystemModules: Leaving DriverEntry');
result := STATUS_DEVICE_CONFIGURATION_ERROR;
end;

end.

阅读43