How to turn off local and remote NT2000 system processes

How to turn off local and remote NT system processes

Killing the local process is actually very simple. After obtaining the process ID, call the OpenProcess function to open the process handle, then call the TerminateProcess function to kill the process. In some cases, you cannot directly open the process handle, such as Winlogon and other system processes because the permissions are not enough. At this time, we have to upgrade your own processes. The upgrading permission process is not complicated, first adjusting the GetCurrentProcess function to get the handle of the current process, then call OpenProcessToken to open the current process, then call the LookUpprivileGeValue function to get the value of the permissions you want to improve, and finally call the AdjustTokenPrivileges function to the current process Access to the current process The token can increase the permissions. Upon there is a SedebugPrivilege privilege, you can kill all the processes except the IDLE. OK! How do you kill a remote process? It is a bit complicated, but it is not difficult. <1> Establish an IPC connection with the remote system <2> Write a file killsrv.exe <3> call function OpenScManager in the remote system system directory admin (SCM) CONTROL Manager [SCM] <4> call to the remote system Function CreateService Creates a service in the remote system, the service pointing to the program is written in <2> killsrv.exe <5> call function startService launches the service you just created, pass the ID of the process you want to be passed as a parameter to It <6> After the service starts, Killsrv.exe runs, kills the process <7> Qingfang! In this way, we need two programs.

The source code of KillSrv.exe is as follows: / *************************************************** *************************************** MODULE: KILLSRV.C Date: 2001/4/27 Author: EY4S http://www.ey4s.org ************************************************* ******************************************* / #include #include #include " function.c "#define ServiceName" PSKILL "SERVICE_STATUS_HANDLE ssh; SERVICE_STATUS ss; / void ServiceStopped (void) {ss.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; ss.dwCurrentState = SERVICE_STOPPED; ss.dwControlsAccepted = SERVICE_ACCEPT_STOP; ss.dwWin32ExitCode = NO_ERROR; ss .dwCheckPoint = 0; ss.dwWaitHint = 0; SetServiceStatus (ssh, & ss); return;} / void ServicePaused (void) {ss.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; ss.dwCurrentState = SERVICE_PAUSED; ss.dwControlsAccepted = SERVICE_ACCEPT_STOP; ss. DWIN32EXITCODE = NO_ERROR; ss.dwcheckpoint = 0; ss.dwwaithint = 0; setServiceStatus (SSH, & SS); return; void serviceunning (void) {ss.dwserviceType = service_win3 2_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; ss.dwCurrentState = SERVICE_RUNNING; ss.dwControlsAccepted = SERVICE_ACCEPT_STOP; ss.dwWin32ExitCode = NO_ERROR; ss.dwCheckPoint = 0; ss.dwWaitHint = 0; SetServiceStatus (ssh, & ss); return;} / void WINAPI servier_ctrl (DWORD Opcode) // service control program {switch (Opcode) {case SERVICE_CONTROL_STOP: // stop service ServiceStopped (); break; case SERVICE_CONTROL_INTERROGATE: SetServiceStatus (ssh, & ss); break;} return;} // // kill the process successfully set Service status is Service_Stopped // Failed Settings Service Status is Service_Paused // Void WinAPI ServiceMain (DWORD DWARGC, LPTSTR * LPSZARGV) {ssh = registerServiceCtrlHandler (serviceName, servier_ctrl);

IF (! ssh) {servicePaused (); return;} service (); Sleep (100); // Note, argv [0] is the program name, Argv [1] is pskill, parameter needs to increase 1 // argv [ 2] = target, Argv [3] = User, Argv [4] = PWD, Argv [5] = PID IF (Killps (Atoi (Lpszargv [5]))) "" "" "" / void main (dword dwargc, lptstr * lpszargv) {service_table_entry switch {service_table_entry ste [2]; ste [0] .lpServiceName = Services; STE [0] .lpserviceProc = serviceMain; Ste [1] .lpServiceName = NULL; Ste [1]. LPSERVICEPROC = NULL; StartServiceCtrlDispatcher (ste); Return;} / function.c There are two functions, one is to increase permission, one is to provide process ID, killing process.

code show as below: /********************************************** ********************************* Module: Function.c Date: 2001/4/28 Author: EY4S http: / / www.ey4s.org ************************************************************** ************************************* / #include bool setPrivilege (Handle Htoken, LPCTSTSTSZZPRIVILEGE, BOOL BENABLEPRIVILEGE) {Token_Privileges TP ; LUID luid; if {printf ( "/ nLookupPrivilegeValue error:% d", GetLastError ()); return FALSE;} tp.PrivilegeCount = 1; tp.Privileges [0] (LookupPrivilegeValue (NULL, lpszPrivilege, & luid)!). Luid = luid; if (bEnablePrivilege) tp.Privileges [0] .Attributes = SE_PRIVILEGE_ENABLED; else tp.Privileges [0] .Attributes = 0;. // Enable the privilege or disable all privileges AdjustTokenPrivileges (hToken, FALSE, & tp, sizeof (TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL); // Call GetLastError to determine whether the function succeeded if (GetLastError () = ERROR_SUCCESS) {printf (.! "AdjustTokenPrivileges failed:% u / n", GetLastError ( ))); RETURN FA LSE;} return TRUE;} BOOL KillPS (DWORD id) {HANDLE hProcess = NULL, hProcessToken = NULL; BOOL IsKilled = FALSE, bRet = FALSE; __try {if {printf (OpenProcessToken (GetCurrentProcess (), TOKEN_ALL_ACCESS, & hProcessToken)!) ("/ Nopen Current Process Token Failed:% D", getLastError ()); __leave;} // printf ("/ Nopen Current Process Token OK!); if (! setprivilege (hprocessToken, SE_Debug_name, true) {__leave PRINTF ("/ NSETPRIVILEGE!"); IF ((HProcess_Access, False, ID)) == NULL) {Printf ("/ Nopen Process% D Failed:% D", ID, getLastError () __leave;} // printf ("/ Nopen Process% D OK!", ID);

if (TerminateProcess (hProcess, 1)!) {printf ( "/ nTerminateProcess failed:% d", GetLastError ()); __leave;} IsKilled = TRUE;} __finally {if (! hProcessToken = NULL) CloseHandle (hProcessToken); if (hprocess! = null) CloseHandle (HPROCESS);} Return (iskilled);} // ok! The server is already good. Next, a client is also required. If you run the killsrv.exe copy to your remote system, you need to provide two EXE files to users, so it seems to be very professional, huh, huh. It is better to save KILLSRV.EXE's binary code as buff, so when we run, we write the contents of the buff directly, so it is possible to provide a user.

The source code of pskill.c is as follows: / *************************************************** *********************************************************** ** Moduleskill.c Create: 2001/4/28 modify: 2001/6/23 Author: EY4S http://www.ey4s.org pskill ==> local and remote process killer for Windows 2k *********************************************************** ********************************** / #include "ps.h" #define exe "killsrv.exe" #define serviceName "pskill" #pragma comment LIB, "mpr.lib") // // Define global variable service_status ssstatus; sc_handle hscmanager = null, hscservice = null; bool bkilled = false; char sztarget [52] = {0}; // bool connipc (char *, CHAR *, CHAR *); // Establish IPC Connection Functions BOOL InstallService (DWORD, LPTSTSTSTR *); // Install Service Function BOOL WaitServiceStop (); // Waiting for Service Stop Function Bool RemoveService (); // Delete Service Function / Int Main (dword dwargc, lptstr * lpszargv) {bool Bret = false, bfile = false; char TMP [52] = {0}, remotefilepath [128] = {0}, szuser [52] = {0}, Szpass [52 ] = {0}; Handle Hfile = NULL; DWORD I = 0, DWINDEX = 0, DWWRITE, DWSIZE = SIZEOF (ExeBuff); // Kill the Process IF (Dwargc == 2) {IF (Killps (atoi (Lpszargv " 1]))) PRINTF ("/ NLOACL Process% S Have Beed Killed!", LPSZARGV [1]); Else Printf ("/ NLOACL Process% S Can't Be Killed! ErrorCode:% D", LPSZARGV [1], getLastError ()); Return 0;} // User Enter Error Else if (Dwargc! = 5) {Printf ("/ Npskill ==> local and remote process killer" / npower by EY4S "/ nhttp: / / www.ey4s.org 2001/6/23 "" / N / NUSAGE:% S <== Killed Local Process "/ N% S <== Killed Remote Process / N ", LPSZARGV [0], LPSZARGV [0]); RETURN 1;

} // kill the remote machine process Strncpy (Sztarget, Lpszargv [1], SIZEOF (SZTARGET) -1); STRNCPY (Szuser, Lpszargv [2], SIZEOF (SZUSER) -1); STRNCPY (Szpass, Lpszargv [3], SIZEOF (SZPASS) -1); // will use the path of the EXE file created on the target machine sprintf (RemoteFilePath, "% s // admin $ // system32 //% s", sztarget, exe); __TRY {// Establish IPC Connection IF (! ") {Printf (" / NConnect TO% S Failed:% D ", SZTARGET, GetLastError ()); Return 1;} printf (" / nConnect TO% ! s success ", szTarget); // create exe file hFile = CreateFile (RemoteFilePath, GENERIC_ALL, FILE_SHARE_READ on the target machine | FILE_SHARE_WRIT E, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) {printf (" / ncreate file% s failed:% D ", RemoteFilePath, getLastError ()); __leave;} // write file content while (dwsize> dwindex) {if (! Writefile (HFile, & ExeBuff [dwindex], dwsize-dwindex, & dwwrite , NULL)) {Printf ("/ NWRITE FILE% S Failed:% D", RemoteFilePath, getLastError ()); __leave;} dwindex = dwwrite;} // Close file handle CloseHandle (HFile); bfile = true; // Installation Service IF (InstallService (Dwargc, Lpszargv) {// Waiting for Service End IF (WaitServiceStop ()) {//prin TF ("/ Nservice Was Stoped!");} else {// printf ("/ Nservice can't be stoped.try to delete it.");} Sleep (500); // Delete service RemoveService (); } __finally {// Remove the left file if (bfile) deletefile (RemoteFilePath); // If the file handle is not closed, close ~ if (hfile! = null) CloseHandle (HFILE); // Close Service Handle IF (HSCService ! = NULL) CloseServiceHandle (HSCService); // Close The Service Control Manager Handle if (HscManager! = NULL) ClosESERVICEHANDLE (HSCMANAGER); / / Disconnect IPC connection WSPrintf (TMP, "% s // ipc $", sztarget) WnetcancelConnection2 (TMP, Connect_Update_profile, true); if (bkilled) Printf ("/ nprocess% s on% s have been killed! / N", lpszargv [4], lpszargv [1]); else printf ("

/ nprocess% s on% s can't be killed! / n ", lpszargv [4], lpszargv [1]);} return 0;} // Bool Connip (Char * Remotename, Char * User, char * pass) {NetResource NR; CHAR RN [50] = ""; STRCAT (RN, Remotename); strcat (RN, "// IPC $"); nr.dwtype = resourcetype_any; nr.lplocalname = null; nr.lpremotename = rn; nr.lpProvider = NULL; if (WNetAddConnection2 (& nr, Pass, User, FALSE) == NO_ERROR) return TRUE; else return FALSE;} / BOOL InstallService (DWORD dwArgc, LPTSTR * lpszArgv) {BOOL bRet = FALSE; __try {/ / Open Service Control Manager on Local or Remote machine hSCManager = OpenSCManager (szTarget, NULL, SC_MANAGER_ALL_ACCESS); if (hSCManager == NULL) {printf ( "/ nOpen Service Control Manage failed:% d", GetLastError ()); __leave; } // printf ( "/ nOpen Service Control Manage ok!"); // Create Service hSCService = CreateService (hSCManager, // handle to SCM database ServiceName, // name of service to start ServiceName, // display name SERVICE_ALL_ACCESS, / / TYPE OF Access To Service Service_WIN32_OWN_PROCESS, // Type of Service Service_AUTO_START, / / when to start service SERVICE_ERROR_IGNORE, // severity of service failure EXE, // name of binary file NULL, // name of load ordering group NULL, // tag identifier NULL, // array of dependency names NULL, // account name NULL ); // Account password // crete service failed if (hscservice == null) {// If the service already exists, turn it on (getLastError () == error_service_exists) {// printf ("/ Nservice% s already exists ", ServiceName); // open service hscservice = OpenService (hscmanager, serviceename, service_all_access); if (hscservice == null) {Printf (" / Nopen Service Failed:% D ", getLastError ()); __leave;} // Printf ("

/ NOPEN Service% S OK! ", ServiceName);} else {printf (" / ncreateservice failed:% D ", getLastError ()); __leave;}} // create service ok else} // printf (" / ncreate service % s OK! ", ServiceName);} // Start Service IF (StartService (HScService, Dwargc, Lpszargv)) {// Printf (" / NStarting% s. ", serviceName); SLEEP (20); // Time Most well do not exceed 100ms while (QueryServiceStatus (hSCService, & ssStatus)) {if (ssStatus.dwCurrentState == SERVICE_START_PENDING) {printf ( "."); Sleep (20);} else break;} if (! ssStatus.dwCurrentState = SERVICE_RUNNING) Printf ("/ N% s failed to run:% d", serviceename, getLastError ());} else == err_service_already_running) {// printf ("/ Nservice% s already running.", serviceName } else {printf ("/ NStart Service% S Failed:% D", ServiceName, getLastError ()); __leave;} Bret = true;} // enf of try __finally {return bret;} returnally {return;} Return Bret;} / bool WaitServiceStop (void) {bool Bret = false; // printf ("/ nwait service payage); while (1) {Sleep (100); if (! Queryservicestatus (hsstatus)) {PRI ntf ( "/ nQueryServiceStatus failed:% d", GetLastError ()); break;} if (ssStatus.dwCurrentState == SERVICE_STOPPED) {bKilled = TRUE; bRet = TRUE; break;} if (ssStatus.dwCurrentState == SERVICE_PAUSED) { // Stop Service Bret = ControlService (HScService, Service_Control_Stop, Null); Break;} else {// printf ("."); Continue;}} Return Bret;} / Bool RemoveService (void) {// delete serviceiff ! DeleteService ("/ ndeleteservice failed:% D", getLastError ()); return false;} // printf ("/ ndelete service ok!"); Return true;} / where PS.h head The contents of the file are as follows: / #include #include <

Windows.h> #include "function.c" unsigned char exebuff [] = "here is the binary code of Killsrv.exe"; / The above program is compiled, the program is compiled and tested in the Windows2000, VC 6.0 environment. Compiled pskill.exe in my homepage http://www.ey4s.org has downloads. In fact, we will change it, change the contents of KillSrv.exe, such as starting a cmd.exe, huh, this is an admin privilege, and you can establish an IPC connection, can you run the command remotely? The principle of Psexec.exe and Xiaoyan's NTCMD.exe is similar to www.sysinternals.com. Maybe someone will ask, how to get the second into code of the program? Oh, just use a binary editor, such as UltraEdit, etc. But it seems that you can't save the binary code as text, so we can't use it directly.