#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
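/*
 * Enable privilege 0x14 (SeDebugPrivilege) for the current process through
 * ntdll's RtlAdjustPrivilege.
 *
 * Returns the NTSTATUS reported by RtlAdjustPrivilege (negative on failure).
 * If ntdll.dll or the export cannot be resolved, returns STATUS_UNSUCCESSFUL
 * instead of calling through a null function pointer.
 *
 * Review note: the call only succeeds when the caller's token already holds
 * the privilege, which is normally an elevated administrator. Enabling
 * SeDebugPrivilege immediately before opening a system process is a sequence
 * that privilege-use and process-access auditing is designed to record.
 */
long gpg()
{
    typedef long (WINAPI *RTLADJUSTPRIVILEGE)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
    BOOLEAN wasEnabled = 0; /* receives the previous state; not used further */
    RTLADJUSTPRIVILEGE adjustPrivilege;
    /* ntdll.dll is already mapped in every process, so look the module up
     * instead of taking an extra LoadLibraryW reference on it. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");

    if (ntdll == NULL)
        return (long)0xC0000001UL; /* STATUS_UNSUCCESSFUL */

    adjustPrivilege = (RTLADJUSTPRIVILEGE)GetProcAddress(ntdll, "RtlAdjustPrivilege");
    if (adjustPrivilege == NULL)
        return (long)0xC0000001UL; /* STATUS_UNSUCCESSFUL */

    /* Arguments: privilege 0x14, enable = 1, third argument 0 (process token
     * rather than thread token), out: previous enabled state. */
    return adjustPrivilege(0x14, 1, 0, &wasEnabled);
}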
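/*
 * Print bytes read from another process as space-separated upper-case hex,
 * followed by a newline.
 *
 *   hProcess  handle used for ReadProcessMemory
 *   p         address in the target process to read from
 *   l         number of bytes requested
 *
 * Only bytes that ReadProcessMemory actually returned are printed. The
 * original printed the zero-filled buffer even when the read failed, which
 * made a failed read look like memory that contained zeros. Allocation
 * failure is now reported instead of dereferencing a null pointer.
 */
void PrintProcessMemory(HANDLE hProcess, PVOID p, ULONG l)
{
    SIZE_T bytesRead = 0;
    SIZE_T i;
    PUCHAR copy;

    if (l == 0) {
        puts("");
        return;
    }

    /* calloc gives the zeroed buffer the original built with
     * malloc + RtlZeroMemory. */
    copy = (PUCHAR)calloc(l, 1);
    if (copy == NULL) {
        puts("<out of memory>");
        return;
    }

    if (!ReadProcessMemory(hProcess, p, copy, l, &bytesRead)) {
        /* bytesRead may still be non-zero after a partial copy; whatever
         * was returned is printed after the error marker. */
        printf("<read failed, error %lu> ", (unsigned long)GetLastError());
    }

    for (i = 0; i < bytesRead && i < l; i++)
        printf("%X ", copy[i]);

    free(copy);
    puts("");
}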
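/*
 * Walk a process snapshot and, for every process whose image name is exactly
 * "dwm.exe" (case-insensitive): enable SeDebugPrivilege via gpg(), open the
 * process, and, only when the build defines AMD64, overwrite the first byte
 * of six user32.dll dialog exports inside that process with 0xC3 (x86-64 RET).
 * After each write the byte is read back and printed.
 *
 * Review notes:
 *  - The target is chosen by image name only. A name is not an identity; any
 *    process called dwm.exe is treated the same way.
 *  - Export addresses are resolved in THIS process and reused in the target.
 *    That assumes user32.dll is mapped at the same base in both processes and
 *    that both have the same bitness; the code does not verify either.
 *  - The change is made to the target's mapped copy of user32.dll in memory;
 *    nothing here writes to the DLL on disk.
 *  - PROCESS_ALL_ACCESS is far broader than the read/write operations below
 *    need. A full-access handle to a system process followed by writes into
 *    an executable image is what process-access and memory-integrity
 *    monitoring looks for.
 *  - AMD64 is not a compiler-defined macro; the build must define it.
 *
 * Fixes relative to the original:
 *  - Process32FirstW/Process32NextW and sizeof(pe32) are used explicitly. The
 *    original mixed PROCESSENTRY32W with the TCHAR-dependent Process32First
 *    and sizeof(PROCESSENTRY32), which only agree in a UNICODE build.
 *  - The name match is exact instead of a 7-character prefix.
 *  - printf specifiers match their argument types (DWORD, size_t, BOOL).
 *  - Exports that cannot be resolved are skipped instead of writing to
 *    address NULL, and a gpg() failure is reported.
 *  - system("timeout 10") is replaced by Sleep(): the bare command name was
 *    resolved through cmd.exe's search order, which can include the current
 *    directory, from a process that is expected to run elevated.
 */
int main()
{
#ifdef AMD64
    static const char *const targets[] = {
        "MessageBoxW",
        "MessageBoxExW",
        "MessageBoxTimeoutW",
        "MessageBoxIndirectW",
        "DialogBoxIndirectParamW",
        "DialogBoxParamW",
    };
    const UCHAR buffer[1] = {0xC3};
    HMODULE user32 = LoadLibraryW(L"user32.dll");
    size_t t;
#endif
    HANDLE hProcessSnap;
    PROCESSENTRY32W pe32 = {0};

    pe32.dwSize = sizeof(pe32);
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap != INVALID_HANDLE_VALUE) {
        if (Process32FirstW(hProcessSnap, &pe32)) {
            do {
                HANDLE hProcess;
                long status;

                if (_wcsicmp(pe32.szExeFile, L"dwm.exe") != 0)
                    continue;

                printf("Found DWM.EXE: %lu\n\n", (unsigned long)pe32.th32ProcessID);

                status = gpg();
                if (status < 0)
                    printf("Could not enable debug privilege: 0x%08lX\n", (unsigned long)status);

                /* OpenProcess reports failure as NULL, not INVALID_HANDLE_VALUE. */
                hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pe32.th32ProcessID);
                if (hProcess == NULL) {
                    puts("Cannot open DWM.EXE!");
                    continue;
                }

#ifdef AMD64
                for (t = 0; t < sizeof(targets) / sizeof(targets[0]); t++) {
                    SIZE_T written = 0;
                    BOOL b;
                    PVOID p = NULL;

                    if (user32 != NULL)
                        p = (PVOID)GetProcAddress(user32, targets[t]);
                    if (p == NULL) {
                        printf("Skipping %s: export not found\n", targets[t]);
                        continue;
                    }

                    b = WriteProcessMemory(hProcess, p, buffer, sizeof(buffer), &written);
                    printf("Patch address[%p] length[%lu] result: %d\nCurrent byte: ",
                           p, (unsigned long)sizeof(buffer), b);
                    /* Read the byte back from the target so the output shows
                     * what is actually there, whatever the write reported. */
                    PrintProcessMemory(hProcess, p, 1);
                }
#endif
                CloseHandle(hProcess);
            } while (Process32NextW(hProcessSnap, &pe32));
        }
        CloseHandle(hProcessSnap);
    }

    /* Keep the console open for ten seconds so the output can be read. */
    Sleep(10000);

    /* Exit status 1 is kept from the original (it returned TRUE). */
    return TRUE;
}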