Option Explicit
' Win32 imports used by this module. Together they form the classic
' cross-process code-patching sequence (open target with full access,
' allocate executable memory in it, write code, overwrite a function
' prologue); this exact API chain is a well-known detection signature
' for endpoint telemetry.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' RtlMoveMemory: used locally only, to copy a 4-byte displacement into NewCode.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long)
' lpBaseAddress / lpBuffer are "As Any": callers pass the address ByVal and the
' local buffer ByRef (first array element). Mixing these up silently corrupts memory.
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
' psapi: lpcbNeeded is declared ByVal Long, so callers must pass VarPtr(cbNeeded).
Private Declare Function EnumProcessModules Lib "psapi" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByVal lpcbNeeded As Long) As Long
Private Declare Function GetModuleFileNameEx Lib "psapi" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
Private Const MEM_RELEASE = &H8000
Private Const MEM_COMMIT = &H1000
Private Const MEM_RESERVE = &H2000
' Writable+executable page in the target: the most conspicuous part of this
' technique from a detection standpoint (RWX allocations in a foreign process).
Private Const PAGE_EXECUTE_READWRITE = &H40
' Full access is requested; OpenProcess only grants it when the caller already
' holds rights over the target (same user/integrity or a debug privilege).
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
' Module-level state shared between Hook… and Unhook…: this design supports
' exactly one hooked target at a time (a second Hook call overwrites OldCode).
Private hProcess As Long      ' handle returned by OpenProcess
Private FuncAddr As Long      ' address of NtTerminateProcess in the target
Private OldCode(4) As Byte    ' original first 5 bytes of the function (for restore)
Private NewCode(4) As Byte    ' 5-byte jmp rel32 written over the prologue
Private HookCode(4) As Byte   ' 5-byte stub placed at CodeAddr
Private CodeAddr As Long      ' address of the stub allocated in the target
' Returns the module handle (load base) of the module whose full file path
' equals ModuleName, case-insensitively, in the process referenced by hProcess;
' returns 0 when not found or when EnumProcessModules fails.
' Assumes hProcess has at least query/read access to the target.
Private Function GetModuleHandleEx(ByVal hProcess As Long, ByVal ModuleName As String) As Long
Dim hMods(1024) As Long
Dim cbNeeded As Long
Dim szModName As String
Dim i As Integer
' hMods has 1025 elements, hence 1025 * 4 bytes. cbNeeded receives the size
' required, which can exceed the buffer if the target has more than 1025 modules.
If EnumProcessModules(hProcess, hMods(0), 1025 * 4, VarPtr(cbNeeded)) Then
' NOTE(review): the upper bound is one past the last filled slot (indices run
' 0..cbNeeded/4 - 1); the If hMods(i) check hides that except when cbNeeded
' is at or beyond the buffer size, where this indexes out of range (runtime error 9).
For i = 0 To (cbNeeded / 4)
If hMods(i) Then
' MAX_PATH-sized, NUL-filled buffer for the ANSI path.
szModName = String(260, 0)
If GetModuleFileNameEx(hProcess, hMods(i), szModName, Len(szModName)) Then
' Truncate at the first NUL written by the API.
szModName = Left(szModName, InStr(1, szModName, Chr(0)) - 1)
' Comparison is against the full path as reported by the OS, so the caller
' must supply the exact on-disk path, not just the file name.
If LCase(szModName) = LCase(ModuleName) Then '
GetModuleHandleEx = hMods(i)
Erase hMods
Exit Function
End If
End If
End If
Next i
End If
Erase hMods
End Function
' Patches NtTerminateProcess inside the process identified by ProcessId so that
' it returns 0 (STATUS_SUCCESS) without terminating anything: a 5-byte jmp is
' written over the function's first bytes, pointing at a stub allocated in the
' target. Returns True once both writes have been issued, False if any earlier
' step (OpenProcess, module lookup, GetProcAddress, VirtualAllocEx) yields 0.
' Side effects: sets the module-level hProcess, FuncAddr, OldCode, CodeAddr.
' NOTE(review): hProcess is opened here but only closed in
' UnhookNtTerminateProcess, so every failure path after OpenProcess leaks the
' handle. The Read/WriteProcessMemory return values are ignored, so True can be
' reported even if the patch was not actually applied.
' From a monitoring standpoint this routine is the textbook sequence
' OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) -> WriteProcessMemory
' into ntdll code, which host-based detection commonly alerts on.
Public Function HookNtTerminateProcess(ByVal ProcessId As Long) As Boolean
Dim hMod As Long
NewCode(0) = &HE9 ' jmp
' Stub bytes: return 0 in eax and pop the two DWORD stack arguments (ret 8),
' matching the x86 stdcall shape of the replaced function.
' xor eax,eax
' ret 8
HookCode(0) = &H33
HookCode(1) = &HC0
HookCode(2) = &HC2
HookCode(3) = &H8
HookCode(4) = &H0
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId)
If hProcess Then
' Full path must match what GetModuleFileNameExA reports for the target.
hMod = GetModuleHandleEx(hProcess, "c:\windows\system32\ntdll.dll")
If hMod Then
' Assumes the export resolves at the same address in the caller and the target.
FuncAddr = GetProcAddress(hMod, "NtTerminateProcess")
If FuncAddr Then
' Save the original 5 bytes so Unhook can restore them.
ReadProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0
' Allocate the stub in the target as writable+executable.
CodeAddr = VirtualAllocEx(hProcess, ByVal 0, 5, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If CodeAddr Then
' rel32 displacement for jmp: target - (instruction address + 5).
CopyMemory VarPtr(NewCode(1)), VarPtr(CodeAddr - FuncAddr - 5), 4
WriteProcessMemory hProcess, ByVal CodeAddr, HookCode(0), 5, 0
WriteProcessMemory hProcess, ByVal FuncAddr, NewCode(0), 5, 0
HookNtTerminateProcess = True
End If
End If
End If
End If
End Function
' Reverses HookNtTerminateProcess using the module-level state it left behind:
' restores the saved 5 bytes, frees the stub page and closes the handle.
' Return values are not checked, and the module variables are not reset, so a
' second call reuses a closed handle. If Hook was never called or failed early,
' hProcess/FuncAddr/CodeAddr are 0 and the calls fail silently.
Public Sub UnhookNtTerminateProcess()
WriteProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0
VirtualFreeEx hProcess, ByVal CodeAddr, 5, MEM_RELEASE
CloseHandle hProcess
End Sub