From fcfe947c8a7211fc756a20a1949b62f6da8c4026 Mon Sep 17 00:00:00 2001 From: maxowner <62410571+wgetnz@users.noreply.github.com> Date: Tue, 29 Jun 2021 15:23:18 +0800 Subject: [PATCH 1/3] Update main.cpp add -name --- offensiveph/offensiveph/main.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/offensiveph/offensiveph/main.cpp b/offensiveph/offensiveph/main.cpp index fb628cb..bbeb243 100644 --- a/offensiveph/offensiveph/main.cpp +++ b/offensiveph/offensiveph/main.cpp @@ -65,6 +65,8 @@ int wmain(int argc, wchar_t* argv[]) { if (!wcscmp(argv[1], L"-kill")) status = OphTerminateProcess(_wtoi(argv[2])); + else if (!wcscmp(argv[1], L"-name")) + status = OphTerminateProcessByName(argv[2]); else if (!wcscmp(argv[1], L"-peb")) status = OphReadProcessPEB(_wtoi(argv[2])); else if (!wcscmp(argv[1], L"-hijack")) From ab48dda69560fa39dbd2ece7ae98c405b58c107c Mon Sep 17 00:00:00 2001 From: maxowner <62410571+wgetnz@users.noreply.github.com> Date: Tue, 29 Jun 2021 15:26:03 +0800 Subject: [PATCH 2/3] Update offensive.cpp add -name --- offensiveph/offensiveph/offensive.cpp | 150 ++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) diff --git a/offensiveph/offensiveph/offensive.cpp b/offensiveph/offensiveph/offensive.cpp index 1aeb7db..df02e83 100644 --- a/offensiveph/offensiveph/offensive.cpp +++ b/offensiveph/offensiveph/offensive.cpp @@ -24,6 +24,156 @@ TO DO: There are lots of info can be gathered * OphProtectObject(HANDLE hProc, HANDLE hObj); */ +#include +#include +BOOL IsWow64_Native() +{ + SYSTEM_INFO si; + typedef VOID(WINAPI* LPFN_GetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo); + LPFN_GetNativeSystemInfo fnGetNativeSystemInfo = (LPFN_GetNativeSystemInfo)GetProcAddress(GetModuleHandle(L"kernel32"), "GetNativeSystemInfo");; + fnGetNativeSystemInfo(&si); + if (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64 || + si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_IA64) + { + return true; + } + return false;; +} +//#define _ENUMNPROCESS_ +DWORD GetiPidByName(wchar_t *pName) +{ + + DWORD dwRet = 0; + wchar_t szDst[200] = { 0 }; + wcscpy_s(szDst,sizeof(szDst)/ sizeof(szDst[0]), pName); + CharLowerW(szDst); +#ifndef _ENUMNPROCESS_ + // 定义进程信息结构 + PROCESSENTRY32 pe32 = { sizeof(pe32) }; + + // 创建系统当前进程快照 + HANDLE hProcessShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hProcessShot == INVALID_HANDLE_VALUE) + return FALSE; + + // 输出进程信息到文件 + // 循环枚举进程信息 + TCHAR szBuf[80] = { 0 }; + if (Process32First(hProcessShot, &pe32)) + { + do + { + wchar_t szTemp[200] = { 0 }; + wcscpy_s(szTemp, sizeof(szTemp)/sizeof(szTemp[0]),pe32.szExeFile); + ::CharLowerW(szTemp); + //wprintf(L"%s::%s\n", szDst, szTemp); + if (wcscmp(szDst, szTemp) == 0) + { + dwRet = pe32.th32ProcessID; + printf("find process,pid==%d\n", dwRet); + break; + } + + } while (Process32Next(hProcessShot, &pe32)); + } + CloseHandle(hProcessShot); +#else //endif + int is64System = ::IsWow64_Native(); + DWORD processPID[300] = { 0 }; //保存进程ID + DWORD dwneed; + ::EnumProcesses(processPID, sizeof(processPID), &dwneed); + int count = dwneed / sizeof(DWORD); + //TRACE("总进程数为%dn", count); + HANDLE hProcess = NULL; + HMODULE hModule; + DWORD need; + DWORD nSize = 0; + wchar_t fileName[300] = { 0 }; + for (int i = 0; i < count; i++) + { + memset(fileName, 0, sizeof(fileName)); + if (hProcess) + { + CloseHandle(hProcess); + hProcess = NULL; + } + hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processPID[i]); + if (!hProcess) + { + continue; + } + // TRACE("ppp==%d\n", processPID[i]); + BOOL bIs64Process = TRUE; + IsWow64Process(hProcess, &bIs64Process); + DWORD dwLen = sizeof(fileName); + if (bIs64Process == FALSE && is64System)//== FALSE) + { + //枚举第一个模块句柄也就是自身 + if (!QueryFullProcessImageNameW(hProcess, 0, fileName, &dwLen)) + { + continue; + } + else + { + //TRACE("nnn==%d\n", processPID[i]); + } + + ::CharLowerW(fileName); + wchar_t* pEnd = wcsrchr(fileName, '\\'); + if (!pEnd) + continue; + pEnd += 1; + //wprintf(L"%s::%s\n", szDst, pEnd); + if (wcscmp(szDst, pEnd) == 0) + { + dwRet = processPID[i]; + printf("find process,pid==%d\n", dwRet); + break; + } + + } + else + { + BOOL bRet = ::EnumProcessModules(hProcess, &hModule, sizeof(hModule), &need); + if (!bRet) + { + continue; + } + dwRet = ::GetModuleFileNameExW(hProcess, hModule, fileName, dwLen); + if (dwRet <= 2) + { + continue; + } + } + ::CharLowerW(fileName); + wchar_t * pEnd = wcsrchr(fileName, '\\'); + if (!pEnd) + continue; + pEnd += 1; + //wprintf(L"%s::%s\n", szDst, pEnd); + if (wcscmp(szDst, pEnd) == 0) + { + dwRet = processPID[i]; + printf("find process,pid==%d\n", dwRet); + break; + } + } + if (hProcess) + { + CloseHandle(hProcess); + hProcess = NULL; + } +#endif + return dwRet; +} +DWORD OphTerminateProcessByName(wchar_t* pName) +{ + wprintf(L"\nkill by name==%s\n", pName); + DWORD pid = GetiPidByName(pName); + if (pid == 0) + return STATUS_SUCCESS; + return OphTerminateProcess(pid); +} DWORD OphTerminateProcess(DWORD pid) { HANDLE hProc; From 827ef7313d20a5f7a72fb372bcb966b03283edc2 Mon Sep 17 00:00:00 2001 From: maxowner <62410571+wgetnz@users.noreply.github.com> Date: Tue, 29 Jun 2021 15:27:54 +0800 Subject: [PATCH 3/3] Update offensive.h add -name --- offensiveph/offensiveph/offensive.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/offensiveph/offensiveph/offensive.h b/offensiveph/offensiveph/offensive.h index d7ce0fe..e01be86 100644 --- a/offensiveph/offensiveph/offensive.h +++ b/offensiveph/offensiveph/offensive.h @@ -4,7 +4,7 @@ #include "kphuser.h" #include "phuser.h" #include - +DWORD OphTerminateProcessByName(wchar_t* pName); DWORD OphTerminateProcess(DWORD pid); DWORD OphSuspendProcess(DWORD pid); DWORD OphResumeProcess(DWORD pid);