Some Ring3 process-termination techniques
Every OpenProcess/ZwOpenProcess/OpenThread/ZwOpenThread below can be replaced with ZwQuerySystemInformation->ZwOpenProcess->ZwDuplicateObject. As for exactly why that works, research it yourself.
(Zw)OpenProcess(PID+0/1/2/3)->(Zw)TerminateProcess
(Zw)OpenProcess->CreateRemoteThread(ZwCreateThread)->ExitProcess(ZwTerminateProcess)
(Zw)OpenProcess->VirtualProtect(ZwProtectVirtualMemory)->WriteProcessMemory(ZwWriteVirtualMemory)
Thread32First/Thread32Next(ZwQuerySystemInformation)->(Zw)OpenThread->(Zw)TerminateThread
DebugActiveProcess
(Zw)OpenProcess->DbgUiDebugActiveProcess
(Zw)OpenProcess->(Zw)AssignProcessToJobObject->(Zw)TerminateJobObject
(Zw)OpenProcess->ZwUnmapViewOfSection
(Zw)OpenProcess->(Zw)SetContextThread
(Zw)OpenProcess->QueueUserAPC(ZwQueueApcThread)
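Every primitive in the list above starts with a process handle that carries enough rights for the chosen API, and that handle request is exactly what a defender can observe: Sysmon's Event ID 10 (ProcessAccess) records the source image, target image and GrantedAccess mask, and because it is fed by object-manager handle callbacks (ObRegisterCallbacks), which fire for handle duplication as well as handle creation, the ZwDuplicateObject route at the top of the post is still visible. The following is an added example, not code from the original post: it triages constructed Sysmon-style records (in a simplified key=value layout, not real Sysmon output) and reports which of the termination primitives a given access mask is sufficient for. The process-access constants are the real winnt.h values; the image names av.exe and edrsvc.exe and the log lines are invented for the example.

```python
"""Added example (not from the original post): classify Sysmon-style
ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records by
whether the rights obtained on a protected process are sufficient for one
of the ring-3 kill primitives listed above."""
from typing import Dict, List, Set

# Process access rights from winnt.h (real Win32 constants).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_SET_QUOTA = 0x0100
PROCESS_QUERY_INFORMATION = 0x0400

# Minimum rights each primitive needs on the process handle, per the Win32
# documentation of the corresponding API.
PRIMITIVES: Dict[str, int] = {
    "TerminateProcess": PROCESS_TERMINATE,
    "CreateRemoteThread": (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
                           | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
                           | PROCESS_VM_READ),
    "WriteProcessMemory": PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
    "AssignProcessToJobObject": PROCESS_SET_QUOTA | PROCESS_TERMINATE,
}

# Constructed sample records in a simplified 'key=value | key=value' layout.
# 0x1F0FFF is the classic PROCESS_ALL_ACCESS value; 0x1000 is
# PROCESS_QUERY_LIMITED_INFORMATION, which most benign tooling asks for.
SAMPLE_LOG: List[str] = [
    r"EventID=10 | SourceImage=C:\Tools\killer.exe | TargetImage=C:\Program Files\AV\av.exe | GrantedAccess=0x1",
    r"EventID=10 | SourceImage=C:\Windows\explorer.exe | TargetImage=C:\Windows\notepad.exe | GrantedAccess=0x1000",
    r"EventID=10 | SourceImage=C:\Tools\inject.exe | TargetImage=C:\Program Files\AV\edrsvc.exe | GrantedAccess=0x1F0FFF",
    r"EventID=10 | SourceImage=C:\Windows\System32\svchost.exe | TargetImage=C:\Program Files\AV\av.exe | GrantedAccess=0x1000",
    r"EventID=8 | SourceImage=C:\Tools\inject.exe | TargetImage=C:\Program Files\AV\av.exe | StartAddress=0x00401000",
]

# Image names (constructed for the example) whose handles we care about.
PROTECTED: Set[str] = {"av.exe", "edrsvc.exe"}


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'key=value | key=value' line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    return fields


def primitives_enabled(granted: int) -> List[str]:
    """Return every kill primitive whose required rights are all present."""
    return [name for name, need in PRIMITIVES.items() if (granted & need) == need]


def triage(lines: List[str], protected: Set[str]) -> List[Dict[str, object]]:
    """Keep only records that touch a protected image with dangerous rights."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_record(line)
        target = rec.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target not in protected:
            continue
        if rec.get("EventID") == "8":
            # A remote thread created inside a protected process is evidence
            # on its own; no access mask is needed to decide.
            findings.append({"source": rec["SourceImage"], "target": target,
                             "access": None, "primitives": ["CreateRemoteThread"]})
            continue
        if rec.get("EventID") != "10":
            continue
        granted = int(rec["GrantedAccess"], 16)
        enabled = primitives_enabled(granted)
        if enabled:
            findings.append({"source": rec["SourceImage"], "target": target,
                             "access": granted, "primitives": enabled})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, PROTECTED):
        print(f"{f['source']} -> {f['target']}: {', '.join(f['primitives'])}")
```

The mask check is an AND against the minimum rights, not an equality test, so a handle opened with PROCESS_ALL_ACCESS lights up every primitive while the query-only handles that explorer and svchost take in the sample produce no finding at all.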
/* Window Attacking */
PostMessage(SendMessage) WM_CLOSE/WM_QUIT/WM_NCDESTROY
SetParent->DestroyWindow
EndTask // Will make a direct call to the Win32 subsystem
PostMessage(SendMessage) 0x19 // by MJ0011, for MFC Application
for (int i = 0; i < 65536; i++)
{
    PostMessage(hWnd, i, 0, 0); // Message Flood (hWnd: the window's handle)
}
SetWindowLong(hWnd, GWL_WNDPROC, (WNDPROC)YourDeadLock_Or_Crash_Function);