[原创]Ring 3文件保护[X64ASM/VB/VC]
IncludeLib User32.Lib
IncludeLib Kernel32.Lib
EXTERN LoadLibraryA:PROC
EXTERN GetProcAddress:PROC
EXTERN ExitProcess:PROC
EXTERN CreateFileA:PROC
EXTERN OpenProcess:PROC
EXTERN MessageBoxA:PROC
EXTERN GetCurrentProcess:PROC
EXTERN CloseHandle:PROC
EXTERN SetHandleInformation:PROC
.DATA?
hMod qword 0                            ; HMODULE of ntdll.dll, from LoadLibraryA
pApi1 qword 0                           ; ntdll!RtlAdjustPrivilege, from GetProcAddress
pApi2 qword 0                           ; ntdll!NtDuplicateObject, from GetProcAddress
bRet qword 0                            ; previous privilege state written by RtlAdjustPrivilege (PBOOLEAN out, low byte)
hsFile qword 0                          ; our own handle to szTit; source of every duplication
htFile qword 0                          ; handle value as it lands in the target process (NtDuplicateObject out)
hProc qword 0                           ; handle to the process currently being targeted (OpenProcess)
hMyProc qword 0                         ; GetCurrentProcess() pseudo-handle, source process for NtDuplicateObject
iii qword 0                             ; loop counter = candidate pid, 100..19992 step 4
.DATA
szTit BYTE"c:\TryToDel2.txt",0          ; path of the file to keep open (the name says "title", it is the path)
szDll BYTE"ntdll.dll",0                 ; module that exports the two resolved functions
szFun1 BYTE"RtlAdjustPrivilege",0       ; used to enable privilege 20 (SeDebugPrivilege)
szFun2 BYTE"NtDuplicateObject",0        ; used to push hsFile into other processes
szStr1 BYTE"Tips",0                     ; MessageBoxA caption
szStr2 BYTE"OK!!",0                     ; MessageBoxA text shown when the loop is done
.CODE
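;-----------------------------------------------------------------------
; Entry  -  program entry point (no CRT; link with /ENTRY:Entry)
; ABI:   Microsoft x64.  Every call gets the mandatory 32-byte shadow
;        space and a 16-byte aligned rsp; args 5..7 go to [rsp+32..48].
;        The original allocated 8/16/24 bytes before some calls (too small
;        for the shadow space) and 16/64 bytes before others (rsp left at
;        8 mod 16 at the call), so the frame is now set up once, up front.
; Flow:  LoadLibraryA("ntdll.dll") -> resolve RtlAdjustPrivilege and
;        NtDuplicateObject -> enable privilege 20 (SeDebugPrivilege) ->
;        open szTit read-only with no sharing -> for pid = 100,104,..,19992:
;        OpenProcess(PROCESS_ALL_ACCESS) and duplicate hsFile into it ->
;        MessageBoxA -> ExitProcess(0).  ExitProcess(1) if resolution or
;        CreateFileA fails (the original would then have duplicated the
;        INVALID_HANDLE_VALUE pseudo-handle, i.e. a process handle).
; Stack: one fixed frame of FRAME_SIZE bytes.  Assumes rsp == 8 mod 16
;        on entry, i.e. a normal call from the loader (TODO confirm if
;        this is ever linked with a CRT entry instead).
; Regs:  rax/rcx/rdx/r8/r9 scratch only; the original's loop counter in
;        rbx (callee-saved, never saved) now lives in memory (iii).
; Note:  from a monitoring standpoint this is handle injection: one
;        process enabling SeDebugPrivilege and opening every pid with
;        PROCESS_ALL_ACCESS is the observable pattern.
;-----------------------------------------------------------------------
FRAME_SIZE      EQU 56                  ; 32 shadow + 3 stack-arg slots; 8+56 = 64 keeps rsp 16-aligned
SE_DEBUG_PRIV   EQU 20                  ; privilege number RtlAdjustPrivilege expects for SeDebugPrivilege
INVALID_HANDLE  EQU -1                  ; INVALID_HANDLE_VALUE as returned by CreateFileA

Entry PROC
        sub     rsp, FRAME_SIZE

        ; hMod = LoadLibraryA("ntdll.dll")
        lea     rcx, szDll
        call    LoadLibraryA
        mov     hMod, rax
        test    rax, rax
        jz      failed

        ; pApi1 = GetProcAddress(hMod, "RtlAdjustPrivilege")
        mov     rcx, hMod
        lea     rdx, szFun1
        call    GetProcAddress
        mov     pApi1, rax
        test    rax, rax
        jz      failed

        ; pApi2 = GetProcAddress(hMod, "NtDuplicateObject")
        mov     rcx, hMod
        lea     rdx, szFun2
        call    GetProcAddress
        mov     pApi2, rax
        test    rax, rax
        jz      failed

        ; RtlAdjustPrivilege(SE_DEBUG_PRIV, TRUE /*enable*/, FALSE /*whole process*/, &bRet)
        ; Needed so OpenProcess below also succeeds on other users' processes.
        ; The NTSTATUS is not checked (as before): without the privilege the
        ; loop simply opens fewer processes.
        mov     ecx, SE_DEBUG_PRIV
        mov     edx, 1
        xor     r8d, r8d
        lea     r9, bRet
        call    pApi1

        ; hMyProc = GetCurrentProcess()   ; pseudo-handle (HANDLE)-1
        call    GetCurrentProcess
        mov     hMyProc, rax

        ; hsFile = CreateFileA(szTit, GENERIC_READ, 0 /*no sharing*/, NULL,
        ;                      OPEN_EXISTING, 0, NULL)
        xor     eax, eax
        mov     qword ptr [rsp+40], rax ; arg6: dwFlagsAndAttributes = 0
        mov     qword ptr [rsp+48], rax ; arg7: hTemplateFile = NULL
        mov     qword ptr [rsp+32], 3   ; arg5: dwCreationDisposition = OPEN_EXISTING
        xor     r9d, r9d                ; lpSecurityAttributes = NULL
        xor     r8d, r8d                ; dwShareMode = 0: nobody else may open the file
        mov     edx, 80000000h          ; dwDesiredAccess = GENERIC_READ
        lea     rcx, szTit
        call    CreateFileA
        mov     hsFile, rax
        cmp     rax, INVALID_HANDLE     ; never duplicate a failed open
        je      failed

        ; SetHandleInformation(hsFile, 0, 2)
        ; NOTE(review): dwMask = 0 selects no flag bits, so this call changes
        ; nothing on the handle; kept as in the original.
        mov     rcx, hsFile
        xor     edx, edx
        mov     r8d, 2
        call    SetHandleInformation

        ; for (iii = 100; iii < 19996; iii += 4)   ; pids are multiples of 4
        mov     iii, 100                ; start pid
addto19996:
        ; hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, iii)
        mov     ecx, 1F0FFFh
        xor     edx, edx
        mov     r8, iii
        call    OpenProcess
        mov     hProc, rax
        test    rax, rax
        jz      loopnext                ; no such pid, or access denied

        ; NtDuplicateObject(hMyProc, hsFile, hProc, &htFile, 0, 0, DUPLICATE_SAME_ATTRIBUTES)
        ; After this the target process owns its own open handle to szTit.
        ; htFile is only meaningful inside the target; the NTSTATUS is not checked (as before).
        xor     eax, eax
        mov     qword ptr [rsp+32], rax ; arg5: DesiredAccess = 0
        mov     qword ptr [rsp+40], rax ; arg6: HandleAttributes = 0
        mov     qword ptr [rsp+48], 4   ; arg7: Options = DUPLICATE_SAME_ATTRIBUTES
        lea     r9, htFile
        mov     r8, hProc
        mov     rdx, hsFile
        mov     rcx, hMyProc
        call    pApi2

        ; CloseHandle(hProc)   ; only our process handle; the duplicate stays open in the target
        mov     rcx, hProc
        call    CloseHandle
loopnext:
        mov     rax, iii
        add     rax, 4
        mov     iii, rax
        cmp     rax, 19996              ; end pid (exclusive); unsigned compare, as before
        jb      addto19996

        ; MessageBoxA(NULL, "OK!!", "Tips", MB_OK)
        xor     ecx, ecx
        lea     rdx, szStr2
        lea     r8, szStr1
        xor     r9d, r9d
        call    MessageBoxA

        ; ExitProcess(0)
        xor     ecx, ecx
        call    ExitProcess
        add     rsp, FRAME_SIZE         ; not reached; kept so the frame is balanced
        ret

failed:
        ; ExitProcess(1): a lookup or CreateFileA failed, nothing was duplicated
        mov     ecx, 1
        call    ExitProcess
        add     rsp, FRAME_SIZE         ; not reached
        ret
Entry ENDP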
END
VB2010(要编译成64位程序):
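Module Module1
    ' Handle-duplication "file protection": opens a file with no sharing and
    ' duplicates that handle into every process EnumProcesses reports, so the
    ' file stays open (and cannot be deleted or reopened) as long as any of
    ' those processes lives.  Must be built as x64: Long is Int64 here, which
    ' is what lets it carry HANDLE values.

    Private Const INVALID_HANDLE_VALUE As Long = -1
    Private Const MAX_PIDS As Integer = 1024            ' capacity of the EnumProcesses buffer (DWORDs)

    ' EnumProcesses fills an array of DWORDs (32-bit).  In VB.NET Long is Int64,
    ' so the original Long buffer received two pids per element and the caller
    ' only ever saw the even-indexed ones; Integer is the correct element type.
    Private Declare Function EnumProcesses Lib "psapi" (ByRef lpidProcess As Integer, ByVal cb As Integer, ByRef cbNeeded As Integer) As Integer
    ' ntdll!RtlAdjustPrivilege: Privilege 20 = SeDebugPrivilege, NewValue 1 = enable, NewThread 0 = whole process
    Private Declare Function RtlAdjustPrivilege Lib "ntdll" (ByVal Privilege As Long, ByVal NewValue As Long, ByVal NewThread As Long, ByRef OldValue As Long) As Long
    Private Declare Function NtClose Lib "ntdll" (ByVal ObjectHandle As Long) As Long
    ' ntdll!NtDuplicateObject: SourceProcessHandle -1 = current process pseudo-handle; Options 4 = DUPLICATE_SAME_ATTRIBUTES
    Private Declare Function NtDuplicateObject Lib "ntdll" (ByVal SourceProcessHandle As Long, ByVal SourceHandle As Long, ByVal TargetProcessHandle As Long, ByRef TargetHandle As Long, ByVal DesiredAccess As Long, ByVal HandleAttributes As Long, ByVal Options As Long) As Long
    Private Declare Function CreateFileA Lib "kernel32" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
    ' OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId)
    Private Declare Function OpenProcess Lib "kernel32" (ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long) As Long
    Private Declare Function SetHandleInformation Lib "kernel32.dll" (ByVal hObject As Long, ByVal dwMask As Long, ByVal dwFlags As Long) As Long
    ' Declared but not used anywhere in this module.
    Private Declare Function CreateHardLinkA Lib "kernel32.dll" (ByVal lpFileName As String, ByVal lpExistingFileName As String, ByVal lpSecurityAttributes As Long) As Long

    ' Returns the ids of every process EnumProcesses can see.  The result is
    ' Long() to keep the existing callers unchanged; the DWORDs are widened.
    ' Returns an empty array when EnumProcesses fails.  If the process count
    ' exceeds MAX_PIDS the list is silently truncated (cbNeeded == cb).
    Public Function GetProcesses() As Long()
        Dim cbNeeded As Integer = 0
        Dim pidBuf(MAX_PIDS - 1) As Integer
        If EnumProcesses(pidBuf(0), 4 * MAX_PIDS, cbNeeded) = 0 Then
            Return New Long() {}
        End If
        Dim count As Integer = cbNeeded \ 4                 ' bytes -> DWORD count; integer division, not "/"
        Dim result(count - 1) As Long
        For i As Integer = 0 To count - 1
            result(i) = pidBuf(i)
        Next
        Return result
    End Function

    Sub Main()
        Dim pFile As String, hsFile As Long, hProcess As Long, htFile As Long, lProcess() As Long, fProcess As Long
        ' Enable SeDebugPrivilege so OpenProcess(PROCESS_ALL_ACCESS) also works on other users' processes.
        RtlAdjustPrivilege(20, 1, 0, 0)
        pFile = InputBox("Input File Name:", "Protect File", "c:\TryToDel3.txt")
        ' GENERIC_READ (&H80000000), dwShareMode 0 = exclusive, OPEN_EXISTING (3)
        hsFile = CreateFileA(pFile, &H80000000, 0, 0, 3, 0, 0)
        If hsFile = INVALID_HANDLE_VALUE Then
            ' The original went on and duplicated -1 (the current-process pseudo-handle) everywhere.
            MsgBox("Cannot open file: " & pFile)
            Exit Sub
        End If
        ' dwMask = 0 selects no flag bits, so this call changes nothing on the handle; kept as in the original.
        SetHandleInformation(hsFile, 0, 2)
        lProcess = GetProcesses()
        For fProcess = 0 To UBound(lProcess)
            hProcess = OpenProcess(&H1F0FFF, 0, lProcess(fProcess))    ' &H1F0FFF = PROCESS_ALL_ACCESS
            If hProcess <> 0 Then
                ' The target process now holds its own open handle to the file; htFile is its value there.
                NtDuplicateObject(-1, hsFile, hProcess, htFile, 0, 0, 4)
                NtClose(hProcess)
            End If
        Next
        MsgBox("OK")
    End Sub
End Module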
C++:
#include <stdio.h>
#include <Windows.h>
// Prototypes of two undocumented ntdll exports that main() resolves with GetProcAddress.
// RtlAdjustPrivilege(Privilege, Enable, CurrentThreadOnly, &WasEnabled); main() passes 20 = SeDebugPrivilege.
typedef long (*RTLADJUSTPRIVILEGE)(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
// NtDuplicateObject(SourceProcess, SourceHandle, TargetProcess, &TargetHandle, DesiredAccess, HandleAttributes, Options).
// NOTE(review): both return an NTSTATUS (declared as long here); no call site in this file checks it.
typedef long (*NTDUPLICATEOBJECT)(HANDLE,HANDLE,HANDLE,PHANDLE,ACCESS_MASK,BOOLEAN,ULONG);
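// Collects the ids of every process the caller can open by probing the
// candidate pids 8, 12, ..., 19992 (pids are multiples of 4).
//   pids      - output array, receives at most `capacity` ids
//   procount  - receives the number of ids stored
//   capacity  - size of pids[]; defaults to 260 to match the buffer main()
//               allocates, so the existing two-argument call is unchanged.
// The original had no bound at all and (after the forum stripped the
// brackets) stored into `pids` instead of `pids[c]`.
void GetAllProcessA(int pids[], int *procount, int capacity = 260)
{
    int c = 0;
    for (int i = 8; i < 19996 && c < capacity; i += 4)
    {
        // 0x10 = PROCESS_VM_READ; any right works here, the call is only a liveness probe
        HANDLE hProcess = OpenProcess(0x10, 0, i);
        if (hProcess != 0)
        {
            pids[c++] = i;
            CloseHandle(hProcess);
        }
    }
    *procount = c;
}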
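// Opens the file named on stdin with no sharing and duplicates that handle
// into every process found by GetAllProcessA, so the file stays open as long
// as any of them lives.  Returns 1 if ntdll lookup, input or CreateFileA fails
// (the original carried on and duplicated INVALID_HANDLE_VALUE, which as a
// HANDLE is the current-process pseudo-handle).
int main()
{
    const int MAX_PIDS = 260;               // the 4*260 bytes the original memset used
    BOOLEAN bRet = 0;                       // previous state of the privilege, written by RtlAdjustPrivilege
    int pids[MAX_PIDS];
    int procsnum = 0;
    char pFile[MAX_PATH];                   // MAX_PATH == 260, the size the original memset used

    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
    {
        printf("ntdll.dll not found\n");
        return 1;
    }
    RTLADJUSTPRIVILEGE getdbg = (RTLADJUSTPRIVILEGE)GetProcAddress(hNtdll, "RtlAdjustPrivilege");
    NTDUPLICATEOBJECT NtDuplicateObject = (NTDUPLICATEOBJECT)GetProcAddress(hNtdll, "NtDuplicateObject");
    if (getdbg == NULL || NtDuplicateObject == NULL)
    {
        printf("ntdll export lookup failed\n");
        return 1;
    }

    // 20 = SeDebugPrivilege, enable for the whole process; status not checked (as before):
    // without it OpenProcess(PROCESS_ALL_ACCESS) just fails on other users' processes.
    getdbg(20, 1, 0, &bRet);

    memset(pids, 0, sizeof(pids));
    memset(pFile, 0, sizeof(pFile));
    printf("Input the file name you want to protect: ");
    // Bounded read (259 chars + NUL) instead of the unbounded "%s"; as before, a
    // path containing spaces is cut at the first space.
    if (scanf("%259s", pFile) != 1)
    {
        return 1;
    }

    // GENERIC_READ, dwShareMode 0 = exclusive, OPEN_EXISTING
    HANDLE hsFile = CreateFileA(pFile, 0x80000000, 0, 0, 3, 0, 0);
    if (hsFile == INVALID_HANDLE_VALUE)
    {
        printf("Cannot open %s\n", pFile);
        return 1;
    }
    // dwMask = 0 selects no flag bits, so this call changes nothing on the handle; kept as in the original.
    SetHandleInformation(hsFile, 0, 2);

    GetAllProcessA(pids, &procsnum);        // fills at most MAX_PIDS entries
    for (int i = 0; i < procsnum; i++)
    {
        HANDLE htFile = 0;                  // handle value as it lands in the target process
        HANDLE hProcess = OpenProcess(0x1F0FFF, 0, pids[i]);    // 0x1F0FFF = PROCESS_ALL_ACCESS
        if (hProcess != 0)
        {
            // Source is our own process ((HANDLE)-1); Options 4 = DUPLICATE_SAME_ATTRIBUTES.
            // The NTSTATUS is not checked, as before.
            NtDuplicateObject((HANDLE)-1, hsFile, hProcess, &htFile, 0, 0, 4);
            CloseHandle(hProcess);          // only our process handle; the file duplicate stays open in the target
        }
    }
    getchar();
    printf("OK!\n");
    getchar();
    return 0;
}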
支持一个,,,能用x64写。的却很牛叉! 回复 nbboy 的帖子
小伎俩而已。 顶一下 好吧支持个 Tesla.Angela 发表于 2011-1-5 00:16
C++:
支持一下 不愧坛主 功底深厚