2 楼
第二种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
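/*
 * Entry point (see the /entry:start pragma above): find the "CrackMeApp"
 * dialog (window class #32770) and ask it to close by posting WM_CLOSE.
 * PostMessage returns without waiting for the target to handle the message.
 *
 * Fix over the original: the FindWindow result is checked. Posting to a
 * NULL window handle would queue the message on this thread's own queue
 * instead of reporting that the target is not running.
 */
void start()
{
	HWND hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	PostMessage(hWnd, WM_CLOSE, 0, 0);
}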
3 楼
第三种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
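/*
 * Entry point: close the "CrackMeApp" dialog (class #32770) by sending it
 * the same WM_SYSCOMMAND/SC_CLOSE it would receive from its system menu.
 * SendMessage blocks until the target's window procedure returns.
 *
 * Fix over the original: bail out when the window does not exist instead
 * of sending to a NULL handle.
 */
void start()
{
	HWND hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}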
4 楼
第四种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
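/*
 * Entry point: close the "CrackMeApp" dialog by posting WM_SYSCOMMAND with
 * SC_CLOSE (asynchronous variant of the SendMessage approach).
 *
 * Fix over the original: the window handle is checked first; a NULL handle
 * would make PostMessage queue the message on the calling thread.
 */
void start()
{
	HWND hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	PostMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}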
5 楼
第五种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
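/*
 * Entry point: send WM_CLOSE to the "CrackMeApp" dialog but give up after
 * 1000 ms (SendMessageTimeout with flags 0 = SMTO_NORMAL), so a hung target
 * cannot block this process forever. The result value is not needed.
 *
 * Fix over the original: the window handle is validated before use.
 */
void start()
{
	HWND hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	SendMessageTimeout(hWnd, WM_CLOSE, 0, 0, 0, 1000, NULL);
}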
6 楼
第六种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
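/*
 * Entry point: send WM_SYSCOMMAND/SC_CLOSE to the "CrackMeApp" dialog with
 * a 1000 ms timeout (flags 0 = SMTO_NORMAL) so a non-responsive target does
 * not hang this process.
 *
 * Fix over the original: a missing window is handled explicitly.
 */
void start()
{
	HWND hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	SendMessageTimeout(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0, 0, 1000, NULL);
}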
7 楼
第七种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
/*
 * Entry point: terminate the thread that owns the "CrackMeApp" dialog.
 *
 * OpenThread is resolved from kernel32 at run time and invoked from inline
 * assembly (presumably because the SDK headers in use do not declare it —
 * verify). The __asm block pushes the three stdcall arguments right to
 * left: dwThreadId = Tid, bInheritHandle = 0, dwDesiredAccess =
 * THREAD_TERMINATE; the handle returned in eax is stored in hThread.
 *
 * NOTE(review): neither the GetProcAddress nor the OpenThread result is
 * checked, so a NULL hThread reaches TerminateThread; hThread is never
 * closed. Only the GUI thread is killed — whether the process exits as a
 * consequence depends on the target and is not visible here.
 */
void start()
{
HWND hWnd;
DWORD Tid;
DWORD Pid;
DWORD OpenThread;	/* address of kernel32!OpenThread, called through the __asm block */
HANDLE hThread;
hWnd = FindWindow("#32770", "CrackMeApp");
Tid = GetWindowThreadProcessId(hWnd, &Pid);
OpenThread = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");
/* Manual stdcall: OpenThread(THREAD_TERMINATE, FALSE, Tid) */
__asm
{
push Tid
push 0
push THREAD_TERMINATE
call OpenThread
mov hThread, eax
}
TerminateThread(hThread, 0);
}
8 楼
第八种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
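/*
 * Entry point: close the "CrackMeApp" dialog by bringing it to the front
 * and synthesising an Alt+F4 key sequence with keybd_event (Alt down, F4
 * down, Alt up, F4 up).
 *
 * Fixes over the original: the window handle is checked, and the keystrokes
 * are only injected when SetForegroundWindow succeeded. Synthetic keys go to
 * whatever window is in the foreground, so without that check Alt+F4 could
 * close an unrelated application the user had focused.
 */
void start()
{
	HWND hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	SetActiveWindow(hWnd);
	if (!SetForegroundWindow(hWnd))
		return;
	keybd_event(VK_MENU,0,0,0);
	keybd_event(VK_F4,0,0,0);
	keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0);
	keybd_event(VK_F4,0,KEYEVENTF_KEYUP,0);
}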
9 楼
第九种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
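/*
 * Entry point: close the "CrackMeApp" dialog by moving the cursor 10 px in
 * from the top-right corner of its window rectangle (presumably the title
 * bar close button) and synthesising a left click there.
 *
 * Fixes over the original: the window handle and the GetWindowRect result
 * are checked (previously a missing window left rc uninitialised and the
 * click landed at an arbitrary screen position), and the click is only sent
 * when the window really came to the foreground, so it cannot hit some other
 * application.
 */
void start()
{
	HWND hWnd;
	RECT rc;
	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	if (!GetWindowRect(hWnd, &rc))
		return;
	SetCursorPos(rc.right-10, rc.top+10);
	SetActiveWindow(hWnd);
	if (!SetForegroundWindow(hWnd))
		return;
	/* Give the window a moment to come up before the synthetic click. */
	Sleep(500);
	mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0);
	Sleep(10);
	mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);
	Sleep(10);
}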
10 楼
第十种
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
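/*
 * Entry point: close the "CrackMeApp" dialog by focusing it and synthesising
 * an Escape key press/release (a dialog maps VK_ESCAPE to IDCANCEL).
 *
 * Fixes over the original: the window handle is checked, and the key is
 * only injected when SetForegroundWindow succeeded, so the keystroke cannot
 * land in an unrelated foreground window.
 */
void start()
{
	HWND hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	SetActiveWindow(hWnd);
	if (!SetForegroundWindow(hWnd))
		return;
	/* Short pause so the activation has taken effect before the key arrives. */
	Sleep(200);
	keybd_event(VK_ESCAPE,0,0,0);
	keybd_event(VK_ESCAPE,0,KEYEVENTF_KEYUP,0);
}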
11 楼
第十一种方法
#include <windows.h> #pragma comment (linker, "/subsystem:windows") #pragma comment (linker, "/entry:start")
/*
 * Entry point: make the "CrackMeApp" GUI thread run ExitProcess by
 * rewriting its saved instruction pointer.
 *
 * Steps: find the window and its thread id; resolve OpenThread from
 * kernel32 at run time (as in the 7th method, presumably because the
 * headers in use lack a prototype — verify); in the __asm block read the
 * address stored in this image's ExitProcess import slot into EP and call
 * OpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT,
 * FALSE, Tid) by pushing the stdcall arguments right to left; suspend the
 * thread, fetch its control registers, set Eip to EP, write the context
 * back and resume. The final SetActiveWindow/SetForegroundWindow nudges
 * the thread so it leaves any wait and executes from the new Eip.
 *
 * NOTE(review): the ExitProcess address taken from this process is only
 * meaningful in the target if kernel32 is mapped at the same address in
 * both — not checked here. OpenThread, GetThreadContext and
 * SetThreadContext results are unchecked and hThread is never closed.
 */
void start()
{
	HWND hWnd;
	DWORD Tid;
	DWORD Pid;
	DWORD OpenThread;	/* address of kernel32!OpenThread, called from __asm */
	DWORD EP;		/* address of ExitProcess, becomes the target thread's Eip */
	HANDLE hThread;
	CONTEXT context;
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);
	OpenThread = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");
	__asm
	{
		mov eax, dword ptr [ExitProcess]
		mov EP, eax
		push Tid
		push 0
		push THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT
		call OpenThread
		mov hThread, eax
	}
	SuspendThread(hThread);
	/* Only the control registers (Eip among them) are read and written. */
	context.ContextFlags = CONTEXT_CONTROL;
	GetThreadContext(hThread, &context);
	context.Eip = EP;
	context.ContextFlags = CONTEXT_CONTROL;
	SetThreadContext(hThread, &context);
	ResumeThread(hThread);
	SetActiveWindow(hWnd);
	SetForegroundWindow(hWnd);
}
12 楼
裁判检查完上面的我再继续
13 楼
第十二种方法
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
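/*
 * Entry point: make "CrackMeApp" exit by creating a thread inside it whose
 * start routine is ExitProcess, using the address this image has for
 * ExitProcess. That only works while kernel32 is mapped at the same
 * address in both processes (not guaranteed where address-space layout is
 * randomised); nothing here checks it.
 *
 * Fixes over the original: the window is checked before its PID is used,
 * and the process and remote-thread handles are closed instead of leaked.
 */
void start()
{
	HWND hWnd;
	DWORD Pid = 0;
	HANDLE hProcess;
	HANDLE hThread;
	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return;
	hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, Pid);
	if (hProcess == NULL)
		return;
	/* The thread parameter becomes ExitProcess's exit code (NULL -> 0). */
	hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)&ExitProcess, NULL, 0, NULL);
	if (hThread != NULL)
		CloseHandle(hThread);
	CloseHandle(hProcess);
}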
14 楼
第十三种 //cpp
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
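/*
 * Entry point (the .cpp half of this method): load dll.dll from the usual
 * LoadLibrary search path, call its exported hook() to install the message
 * hook, bring the "CrackMeApp" window to the foreground so its GUI thread
 * processes messages (which presumably is what triggers the hook inside the
 * target), then call unhook().
 *
 * Fixes over the original: the DLL is loaded once instead of twice and is
 * released afterwards; the window and both exports are checked before use
 * (the original executed `call` on whatever GetProcAddress returned,
 * including NULL); the exports are invoked as typed function pointers
 * instead of through inline asm.
 */
void start()
{
	typedef void (*export_fn)(void);
	HWND hWnd;
	HMODULE hDll;
	export_fn hook_fn;
	export_fn unhook_fn;

	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	hDll = LoadLibrary("dll.dll");
	if (hDll == NULL)
		return;
	hook_fn = (export_fn)GetProcAddress(hDll, "hook");
	unhook_fn = (export_fn)GetProcAddress(hDll, "unhook");
	if (hook_fn != NULL && unhook_fn != NULL)
	{
		hook_fn();
		Sleep(100);
		SetForegroundWindow(hWnd);
		Sleep(100);
		unhook_fn();
	}
	FreeLibrary(hDll);
} //dll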
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")
HHOOK h = NULL;		// hook handle returned by SetWindowsHookEx in hook(); NULL while no hook is installed
HMODULE b = NULL;	// this DLL's own module handle, captured in dllmain() on DLL_PROCESS_ATTACH
/*
 * Hook payload. The hook DLL is mapped into every GUI process, so this
 * first checks whether the current process owns the "CrackMeApp" window;
 * only in that case does it terminate the process with ExitProcess(0).
 * In every other process it is a no-op.
 */
void fk()
{
	DWORD ownerPid = 0;
	HWND target = FindWindow("#32770", "CrackMeApp");
	(void)GetWindowThreadProcessId(target, &ownerPid);
	if (ownerPid != GetCurrentProcessId())
		return;
	ExitProcess(0);
}
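/*
 * WH_GETMESSAGE hook procedure. It runs in whichever process the hook
 * fired in; fk() decides whether that process is "CrackMeApp" and acts
 * only there.
 *
 * Fix over the original: per the hook contract the work is done only for
 * code >= 0 (HC_ACTION) and the event is always passed on with
 * CallNextHookEx, instead of returning 0 and silently cutting off any
 * other WH_GETMESSAGE hooks. (In the injected copy of this DLL, h is the
 * process-local NULL; current CallNextHookEx implementations ignore that
 * argument.)
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
	if (code >= 0)
		fk();
	return CallNextHookEx(h, code, wParam, lParam);
}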
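/*
 * Exported: install a WH_GETMESSAGE hook for every thread on the desktop
 * (thread id 0) with this DLL (b) as the hook module, which makes Windows
 * map the DLL into each GUI process; GetMsgProc then runs there.
 *
 * Fix over the original: a hook is only installed when none is recorded
 * in h, so a repeated call does not overwrite and leak an earlier hook.
 */
extern "C" void __declspec(dllexport) hook()
{
	if (h != NULL)
		return;
	h = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
}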
/*
 * Exported: remove the hook installed by hook() and forget its handle.
 * UnhookWindowsHookEx simply fails if h is NULL, so no guard is needed.
 */
extern "C" void _declspec(dllexport) unhook()
{
	HHOOK installed = h;
	UnhookWindowsHookEx(installed);
	h = NULL;
}
/*
 * DLL entry point (selected by the /entry:dllmain pragma). On process
 * attach it records the module handle in b, which hook() needs for
 * SetWindowsHookEx. Every other notification is ignored; always succeeds.
 */
BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
	switch (ud)
	{
	case DLL_PROCESS_ATTACH:
		b = hModule;
		break;
	default:
		break;
	}
	return TRUE;
}
15 楼
第十四种
//cpp
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
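/*
 * Entry point (the .cpp half of this method): load dll.dll, call its
 * exported hook() to install the message hook, bring the "CrackMeApp"
 * window to the foreground so its GUI thread processes messages (which
 * presumably is what triggers the hook inside the target), then call
 * unhook().
 *
 * Fixes over the original: the DLL is loaded once instead of twice and is
 * released afterwards; the window and both exports are checked before use
 * (the original executed `call` on whatever GetProcAddress returned,
 * including NULL); the exports are invoked as typed function pointers
 * instead of through inline asm.
 */
void start()
{
	typedef void (*export_fn)(void);
	HWND hWnd;
	HMODULE hDll;
	export_fn hook_fn;
	export_fn unhook_fn;

	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	hDll = LoadLibrary("dll.dll");
	if (hDll == NULL)
		return;
	hook_fn = (export_fn)GetProcAddress(hDll, "hook");
	unhook_fn = (export_fn)GetProcAddress(hDll, "unhook");
	if (hook_fn != NULL && unhook_fn != NULL)
	{
		hook_fn();
		Sleep(100);
		SetForegroundWindow(hWnd);
		Sleep(100);
		unhook_fn();
	}
	FreeLibrary(hDll);
} //dll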
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")
HHOOK h = NULL;		// hook handle returned by SetWindowsHookEx in hook(); NULL while no hook is installed
HMODULE b = NULL;	// this DLL's own module handle, captured in dllmain() on DLL_PROCESS_ATTACH
/*
 * Hook payload. The hook DLL is mapped into every GUI process, so this
 * first checks whether the current process owns the "CrackMeApp" window;
 * only in that case does it post WM_QUIT to the current thread's queue
 * (PostQuitMessage), which ends a conventional message loop. In every
 * other process it is a no-op.
 */
void fk()
{
	DWORD ownerPid = 0;
	HWND target = FindWindow("#32770", "CrackMeApp");
	(void)GetWindowThreadProcessId(target, &ownerPid);
	if (ownerPid != GetCurrentProcessId())
		return;
	PostQuitMessage(0);
}
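/*
 * WH_GETMESSAGE hook procedure. It runs in whichever process the hook
 * fired in; fk() decides whether that process is "CrackMeApp" and acts
 * only there.
 *
 * Fix over the original: per the hook contract the work is done only for
 * code >= 0 (HC_ACTION) and the event is always passed on with
 * CallNextHookEx, instead of returning 0 and silently cutting off any
 * other WH_GETMESSAGE hooks. (In the injected copy of this DLL, h is the
 * process-local NULL; current CallNextHookEx implementations ignore that
 * argument.)
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
	if (code >= 0)
		fk();
	return CallNextHookEx(h, code, wParam, lParam);
}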
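/*
 * Exported: install a WH_GETMESSAGE hook for every thread on the desktop
 * (thread id 0) with this DLL (b) as the hook module, which makes Windows
 * map the DLL into each GUI process; GetMsgProc then runs there.
 *
 * Fix over the original: a hook is only installed when none is recorded
 * in h, so a repeated call does not overwrite and leak an earlier hook.
 */
extern "C" void __declspec(dllexport) hook()
{
	if (h != NULL)
		return;
	h = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
}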
/*
 * Exported: remove the hook installed by hook() and forget its handle.
 * UnhookWindowsHookEx simply fails if h is NULL, so no guard is needed.
 */
extern "C" void _declspec(dllexport) unhook()
{
	HHOOK installed = h;
	UnhookWindowsHookEx(installed);
	h = NULL;
}
/*
 * DLL entry point (selected by the /entry:dllmain pragma). On process
 * attach it records the module handle in b, which hook() needs for
 * SetWindowsHookEx. Every other notification is ignored; always succeeds.
 */
BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
	switch (ud)
	{
	case DLL_PROCESS_ATTACH:
		b = hModule;
		break;
	default:
		break;
	}
	return TRUE;
}
16 楼
第十五种
//cpp
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
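/*
 * Entry point (the .cpp half of this method): load dll.dll, call its
 * exported hook() to install the message hook, bring the "CrackMeApp"
 * window to the foreground so its GUI thread processes messages (which
 * presumably is what triggers the hook inside the target), then call
 * unhook().
 *
 * Fixes over the original: the DLL is loaded once instead of twice and is
 * released afterwards; the window and both exports are checked before use
 * (the original executed `call` on whatever GetProcAddress returned,
 * including NULL); the exports are invoked as typed function pointers
 * instead of through inline asm.
 */
void start()
{
	typedef void (*export_fn)(void);
	HWND hWnd;
	HMODULE hDll;
	export_fn hook_fn;
	export_fn unhook_fn;

	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	hDll = LoadLibrary("dll.dll");
	if (hDll == NULL)
		return;
	hook_fn = (export_fn)GetProcAddress(hDll, "hook");
	unhook_fn = (export_fn)GetProcAddress(hDll, "unhook");
	if (hook_fn != NULL && unhook_fn != NULL)
	{
		hook_fn();
		Sleep(100);
		SetForegroundWindow(hWnd);
		Sleep(100);
		unhook_fn();
	}
	FreeLibrary(hDll);
} //dll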
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")
HHOOK h = NULL;		// hook handle returned by SetWindowsHookEx in hook(); NULL while no hook is installed
HMODULE b = NULL;	// this DLL's own module handle, captured in dllmain() on DLL_PROCESS_ATTACH
/*
 * Hook payload. The hook DLL is mapped into every GUI process, so this
 * first checks whether the current process owns the "CrackMeApp" window;
 * only in that case does it end that dialog with EndDialog(hWnd, 0),
 * which is legitimate here because the call is made from the dialog's own
 * process. In every other process it is a no-op.
 */
void fk()
{
	DWORD ownerPid = 0;
	HWND target = FindWindow("#32770", "CrackMeApp");
	(void)GetWindowThreadProcessId(target, &ownerPid);
	if (ownerPid != GetCurrentProcessId())
		return;
	EndDialog(target, 0);
}
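/*
 * WH_GETMESSAGE hook procedure. It runs in whichever process the hook
 * fired in; fk() decides whether that process is "CrackMeApp" and acts
 * only there.
 *
 * Fix over the original: per the hook contract the work is done only for
 * code >= 0 (HC_ACTION) and the event is always passed on with
 * CallNextHookEx, instead of returning 0 and silently cutting off any
 * other WH_GETMESSAGE hooks. (In the injected copy of this DLL, h is the
 * process-local NULL; current CallNextHookEx implementations ignore that
 * argument.)
 */
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
	if (code >= 0)
		fk();
	return CallNextHookEx(h, code, wParam, lParam);
}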
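/*
 * Exported: install a WH_GETMESSAGE hook for every thread on the desktop
 * (thread id 0) with this DLL (b) as the hook module, which makes Windows
 * map the DLL into each GUI process; GetMsgProc then runs there.
 *
 * Fix over the original: a hook is only installed when none is recorded
 * in h, so a repeated call does not overwrite and leak an earlier hook.
 */
extern "C" void __declspec(dllexport) hook()
{
	if (h != NULL)
		return;
	h = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
}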
/*
 * Exported: remove the hook installed by hook() and forget its handle.
 * UnhookWindowsHookEx simply fails if h is NULL, so no guard is needed.
 */
extern "C" void _declspec(dllexport) unhook()
{
	HHOOK installed = h;
	UnhookWindowsHookEx(installed);
	h = NULL;
}
/*
 * DLL entry point (selected by the /entry:dllmain pragma). On process
 * attach it records the module handle in b, which hook() needs for
 * SetWindowsHookEx. Every other notification is ignored; always succeeds.
 */
BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
	switch (ud)
	{
	case DLL_PROCESS_ATTACH:
		b = hModule;
		break;
	default:
		break;
	}
	return TRUE;
}
17 楼
第十六种
sys
//shoooo22.c
#include <ntddk.h>
#pragma warning(disable:4047)
/*
 * Hand-written prototypes for two kernel exports the included ntddk.h
 * apparently does not declare (warning 4047 is silenced above for the
 * same reason). ObOpenObjectByPointer creates a handle for an object the
 * caller already holds a pointer to; PsLookupProcessByProcessId returns a
 * referenced EPROCESS for a PID (the caller must ObDereferenceObject it).
 */
NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer(
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
IN ULONG ulProcId,
OUT PEPROCESS * pEProcess
);
/*
 * Open a PROCESS_ALL_ACCESS handle to the process with the given PID by
 * going through the object manager directly (PsLookupProcessByProcessId
 * followed by ObOpenObjectByPointer) rather than NtOpenProcess.
 *
 * PID     - process id supplied by the user-mode caller of IOCTL 0x100.
 * pHandle - receives the new handle on success; left untouched otherwise.
 * Returns the NTSTATUS of the last step that ran.
 *
 * PsProcessType is looked up by name; the export is a pointer to the
 * POBJECT_TYPE, hence the dereference in the ObOpenObjectByPointer call.
 * AccessMode is UserMode, so the handle is created in the handle table of
 * the process this routine runs in (presumably the IOCTL caller — verify).
 *
 * NOTE(review): if MmGetSystemRoutineAddress returns NULL, status is still
 * the success value from the lookup, so the caller reports success without
 * *pHandle ever being written. Nothing checks who asks or for which PID:
 * any caller able to open the device gets full access to any process.
 */
NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
NTSTATUS status;
PEPROCESS EProcess = NULL;
HANDLE handle = NULL;
UNICODE_STRING y;
PULONG PsProcessType;	/* address of the kernel's PsProcessType variable */
status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
handle = 0;
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType = MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
if (NT_SUCCESS(status))
{
*pHandle = handle;
}
}
/* Release the reference taken by PsLookupProcessByProcessId. */
ObfDereferenceObject(EProcess);
}
return status;
}
/*
 * Driver unload: remove the \??\shoooo22 symbolic link created in
 * DriverEntry and delete the driver's single device object.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	UNICODE_STRING linkName;
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo22");
	IoDeleteSymbolicLink(&linkName);
	IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: no per-open state to set up, so complete with success. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down, just complete the request. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	const NTSTATUS result = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	pIrp->IoStatus.Status = result;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);
	return result;
}
/*
 * IRP_MJ_DEVICE_CONTROL handler. Only IOCTL 0x100 is understood: input is
 * a 4-byte process id, output is a 4-byte HANDLE. The method bits of 0x100
 * are 0 (METHOD_BUFFERED), so both directions share AssociatedIrp.SystemBuffer
 * and the handle overwrites the PID in place. Any other code completes with
 * STATUS_INVALID_DEVICE_REQUEST.
 *
 * Completion convention used here: what the caller sees is the value stored
 * in pIrp->IoStatus before IoCompleteRequest; the local status returned from
 * this routine is reset to STATUS_SUCCESS once a known code was handled.
 *
 * NOTE(review): DeviceExtension is read but never used. The PID is taken
 * from user input with no check of the requester, so the device hands out
 * PROCESS_ALL_ACCESS handles to any process for anyone who can open it.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
NTSTATUS status;
PVOID DeviceExtension;
PIO_STACK_LOCATION pIrpSp;
PVOID SystemBufferIn;
PVOID SystemBufferOut;
ULONG InBufferLength;
ULONG OutBufferLength;
ULONG IoControlCode;
DeviceExtension = pDeviceObject->DeviceExtension;
pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
SystemBufferIn = pIrp->AssociatedIrp.SystemBuffer;
SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = pIrpSp->Parameters.DeviceIoControl.IoControlCode;
switch (IoControlCode)
{
case 0x100:
/* Both buffers must be exactly one ULONG / one 32-bit HANDLE. */
if (InBufferLength != 4 || OutBufferLength != 4)
{
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
status = STATUS_SUCCESS;
}
else
{
status = MyOpenProcess(*(PULONG)SystemBufferIn, SystemBufferOut);
if (NT_SUCCESS(status))
{
/* Handle written into the output buffer; report its 4 bytes. */
pIrp->IoStatus.Information = 4;
pIrp->IoStatus.Status = STATUS_SUCCESS;
}
else
{
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = status;
}
status = STATUS_SUCCESS;
}
break ;
default:
status = STATUS_INVALID_DEVICE_REQUEST;
pIrp->IoStatus.Information = 0;
break ;
}
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
/*
 * Driver entry: create the \Device\shoooo22 device object, expose it to
 * user mode as \??\shoooo22, and install the create/close/control
 * dispatch routines and the unload routine. The device type argument is
 * passed verbatim as 0x220000 (it does not look like one of the
 * FILE_DEVICE_* constants — verify what was intended).
 *
 * NOTE(review): nothing here restricts which users may open the device;
 * whatever the default device ACL grants applies to all IOCTLs.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	UNICODE_STRING deviceName;
	UNICODE_STRING linkName;
	PDEVICE_OBJECT device = NULL;
	NTSTATUS status;

	RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo22");
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo22");

	status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &device);
	if (!NT_SUCCESS(status))
		return status;

	status = IoCreateSymbolicLink(&linkName, &deviceName);
	if (!NT_SUCCESS(status))
	{
		/* Undo the device creation so unload has nothing dangling. */
		IoDeleteDevice(device);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}
EXE
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
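/*
 * Entry point (user-mode half): ask the shoooo22 driver for a handle to the
 * "CrackMeApp" process (IOCTL 0x100: PID in, HANDLE out, both 4 bytes as
 * the driver requires) and terminate the process through that handle.
 *
 * Fixes over the original: the window handle is checked before its PID is
 * read, the DeviceIoControl result and the returned handle are checked
 * before TerminateProcess, and both handles are closed on every path.
 */
void start()
{
	HWND hWnd;
	DWORD Pid = 0;
	HANDLE hFile;
	HANDLE hProcess = NULL;
	DWORD temp = 0;

	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return;

	hFile = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return;

	/* The driver writes the opened handle into the 4-byte output buffer. */
	if (DeviceIoControl(hFile, 0x100, &Pid, 4, &hProcess, 4, &temp, NULL) && hProcess != NULL)
	{
		TerminateProcess(hProcess, 0);
		CloseHandle(hProcess);
	}
	CloseHandle(hFile);
}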
18 楼
第十七种
sys
//shoooo23.c
#include <ntddk.h>
#pragma warning(disable:4047)
/*
 * KAPC_STATE is declared here by hand (presumably the WDK in use keeps it
 * opaque — verify the layout matches the target kernel, since
 * KeStackAttachProcess writes into it), together with prototypes for the
 * three kernel exports this driver relies on: PID -> referenced EPROCESS,
 * and attaching to / detaching from another process's address space.
 */
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[2];
PEPROCESS Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);
//404198 4031BC
/*
 * Attach to the address space of process PID and store 0x4031BC at the
 * fixed user-mode address 0x404198 inside it (the "//404198 4031BC" note
 * above records the same pair). Both values are hard-coded for one build
 * of the target; nothing here discovers or validates them.
 *
 * PID - process id supplied by the user-mode caller of IOCTL 0x104.
 * Returns the PsLookupProcessByProcessId status; the write itself never
 * changes the result.
 *
 * KeStackAttachProcess/KeUnstackDetachProcess switch the current thread
 * into the target's address space for the duration of the write, which is
 * wrapped in __try/__except so a fault (e.g. unmapped address) is swallowed
 * instead of bug-checking. The EPROCESS reference is released after
 * detaching.
 *
 * NOTE(review): the target process is chosen by the user-mode caller, and
 * a failed write is reported as success because the exception is discarded.
 */
NTSTATUS MyWriteProcessMemory(ULONG PID)
{
NTSTATUS status;
PEPROCESS EProcess = NULL;
KAPC_STATE apc_state;
ULONG i;
ULONG Address = 0x404198;	/* target-process virtual address that receives the value */
status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
RtlZeroMemory(&apc_state,sizeof(apc_state));
KeStackAttachProcess(EProcess, &apc_state);
__try
{
*(PULONG)Address = 0x4031BC;
}
__except(1)
{
/* EXCEPTION_EXECUTE_HANDLER: faults are silently ignored. */
}
KeUnstackDetachProcess(&apc_state);
ObDereferenceObject(EProcess);
}
return status;
}
/*
 * Driver unload: remove the \??\shoooo23 symbolic link created in
 * DriverEntry and delete the driver's single device object.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	UNICODE_STRING linkName;
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo23");
	IoDeleteSymbolicLink(&linkName);
	IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: no per-open state to set up, so complete with success. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down, just complete the request. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	const NTSTATUS result = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	pIrp->IoStatus.Status = result;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);
	return result;
}
/*
 * IRP_MJ_DEVICE_CONTROL handler. Only IOCTL 0x104 is understood: input is
 * a 4-byte process id (METHOD_BUFFERED, so it arrives in
 * AssociatedIrp.SystemBuffer), there is no output. The PID is handed to
 * MyWriteProcessMemory and its status becomes the IRP's completion status.
 * Any other code completes with STATUS_INVALID_DEVICE_REQUEST.
 *
 * Completion convention: the caller sees pIrp->IoStatus as set before
 * IoCompleteRequest; the local status returned from this routine is reset
 * to STATUS_SUCCESS once a known code was handled.
 *
 * NOTE(review): DeviceExtension, SystemBufferOut and OutBufferLength are
 * assigned but never used. The PID is taken from user input with no check
 * of the requester.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
NTSTATUS status;
PVOID DeviceExtension;
PIO_STACK_LOCATION pIrpSp;
char* SystemBufferIn;
PVOID SystemBufferOut;
ULONG InBufferLength;
ULONG OutBufferLength;
ULONG IoControlCode;
DeviceExtension = pDeviceObject->DeviceExtension;
pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
SystemBufferIn = pIrp->AssociatedIrp.SystemBuffer;
SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = pIrpSp->Parameters.DeviceIoControl.IoControlCode;
switch (IoControlCode)
{
case 0x104:
/* The input must be exactly one ULONG (the PID). */
if (InBufferLength != 4)
{
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
status = STATUS_SUCCESS;
}
else
{
status = MyWriteProcessMemory(*(PULONG)SystemBufferIn);
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = status;
status = STATUS_SUCCESS;
}
break ;
default:
status = STATUS_INVALID_DEVICE_REQUEST;
pIrp->IoStatus.Information = 0;
break ;
}
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
/*
 * Driver entry: create the \Device\shoooo23 device object, expose it to
 * user mode as \??\shoooo23, and install the create/close/control
 * dispatch routines and the unload routine. The device type argument is
 * passed verbatim as 0x220000 (it does not look like one of the
 * FILE_DEVICE_* constants — verify what was intended). The unused
 * cr4reg local of the original has been dropped.
 *
 * NOTE(review): nothing here restricts which users may open the device;
 * whatever the default device ACL grants applies to all IOCTLs.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	UNICODE_STRING deviceName;
	UNICODE_STRING linkName;
	PDEVICE_OBJECT device = NULL;
	NTSTATUS status;

	RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo23");
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo23");

	status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &device);
	if (!NT_SUCCESS(status))
		return status;

	status = IoCreateSymbolicLink(&linkName, &deviceName);
	if (!NT_SUCCESS(status))
	{
		/* Undo the device creation so unload has nothing dangling. */
		IoDeleteDevice(device);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}
exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
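/*
 * Entry point (user-mode half): send the "CrackMeApp" PID to the shoooo23
 * driver via IOCTL 0x104 (4-byte input, no output) so the driver performs
 * its in-process memory write, then bring the window to the foreground so
 * the target runs the patched code path.
 *
 * Fixes over the original: the window handle is checked before its PID is
 * read, the DeviceIoControl result decides whether the window is poked,
 * and the device handle is closed on every path after the open.
 */
void start()
{
	HWND hWnd;
	DWORD Pid = 0;
	HANDLE hFile;
	DWORD temp = 0;
	BOOL ok;

	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return;

	hFile = CreateFile("\\\\.\\shoooo23", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return;

	ok = DeviceIoControl(hFile, 0x104, &Pid, 4, NULL, 0, &temp, NULL);
	CloseHandle(hFile);
	if (ok)
		SetForegroundWindow(hWnd);
}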
19 楼
第十八种
驱动同 17 楼的；exe：
#define _WIN32_WINNT 0x500
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
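/*
 * Entry point (user-mode half; the driver is the shoooo22 one from the
 * 17th method): obtain a handle to the "CrackMeApp" process through
 * IOCTL 0x100, put the process into a fresh job object and terminate the
 * job, which kills every process assigned to it.
 *
 * Fixes over the original: the window handle is checked before its PID is
 * read; the DeviceIoControl result, the returned process handle, the job
 * creation and the assignment are all checked before TerminateJobObject;
 * every handle is closed on every path.
 */
void start()
{
	HWND hWnd;
	DWORD Pid = 0;
	HANDLE hFile;
	HANDLE hProcess = NULL;
	HANDLE hJob;
	DWORD temp = 0;

	hWnd = FindWindow("#32770", "CrackMeApp");
	if (hWnd == NULL)
		return;
	GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return;

	hFile = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return;

	/* The driver writes the opened handle into the 4-byte output buffer. */
	if (DeviceIoControl(hFile, 0x100, &Pid, 4, &hProcess, 4, &temp, NULL) && hProcess != NULL)
	{
		hJob = CreateJobObject(NULL, NULL);
		if (hJob != NULL)
		{
			if (AssignProcessToJobObject(hJob, hProcess))
				TerminateJobObject(hJob, 0);
			CloseHandle(hJob);
		}
		CloseHandle(hProcess);
	}
	CloseHandle(hFile);
}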
20 楼
第十九种
sys
//shoooo24.c
#include <ntddk.h>
#pragma warning(disable:4047)
/*
 * KAPC_STATE is declared here by hand (presumably the WDK in use keeps it
 * opaque — verify the layout matches the target kernel), together with
 * prototypes for three kernel exports. Note that in this driver none of
 * the three declared routines is actually called; only the declarations
 * are carried over from shoooo23.c.
 */
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[2];
PEPROCESS Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);
/*
 * Store 0 at kernel address Base + 0x3074. Base comes straight from the
 * IOCTL 0x108 input buffer (the user-mode side passes the load address of
 * CrackMe.sys found by GetSysBase) and the offset is hard-coded for one
 * build of that driver; which variable lives there is not visible here.
 * Always returns STATUS_SUCCESS.
 *
 * NOTE(review): Base is not validated in any way. With the device open to
 * user mode this is an arbitrary kernel write (any value at X + 0x3074) for
 * anyone who can open \\.\shoooo24, and an unmapped address bug-checks the
 * machine — unlike shoooo23.c there is no __try around the store.
 */
NTSTATUS FuckPID(ULONG Base)
{
*(PULONG)(Base+0x3074) = 0;
return STATUS_SUCCESS;
}
/*
 * Driver unload: remove the \??\shoooo24 symbolic link created in
 * DriverEntry and delete the driver's single device object.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	UNICODE_STRING linkName;
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo24");
	IoDeleteSymbolicLink(&linkName);
	IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: no per-open state to set up, so complete with success. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down, just complete the request. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	const NTSTATUS result = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	pIrp->IoStatus.Status = result;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);
	return result;
}
/*
 * IRP_MJ_DEVICE_CONTROL handler. Only IOCTL 0x108 is understood: input is
 * a 4-byte value treated as a kernel base address (METHOD_BUFFERED, so it
 * arrives in AssociatedIrp.SystemBuffer), there is no output. The value is
 * passed unchanged to FuckPID, which writes through it. Any other code
 * completes with STATUS_INVALID_DEVICE_REQUEST.
 *
 * Completion convention: the caller sees pIrp->IoStatus as set before
 * IoCompleteRequest; the local status returned from this routine is reset
 * to STATUS_SUCCESS once a known code was handled.
 *
 * NOTE(review): this is the user-mode-reachable entry to an unchecked
 * kernel write — the only validation is the buffer length. DeviceExtension,
 * SystemBufferOut and OutBufferLength are assigned but never used.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
NTSTATUS status;
PVOID DeviceExtension;
PIO_STACK_LOCATION pIrpSp;
char* SystemBufferIn;
PVOID SystemBufferOut;
ULONG InBufferLength;
ULONG OutBufferLength;
ULONG IoControlCode;
DeviceExtension = pDeviceObject->DeviceExtension;
pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
SystemBufferIn = pIrp->AssociatedIrp.SystemBuffer;
SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = pIrpSp->Parameters.DeviceIoControl.IoControlCode;
switch (IoControlCode)
{
case 0x108:
/* The input must be exactly one ULONG (the base address). */
if (InBufferLength != 4)
{
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
status = STATUS_SUCCESS;
}
else
{
status = FuckPID(*(PULONG)SystemBufferIn);
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = status;
status = STATUS_SUCCESS;
}
break ;
default:
status = STATUS_INVALID_DEVICE_REQUEST;
pIrp->IoStatus.Information = 0;
break ;
}
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
/*
 * Driver entry: create the \Device\shoooo24 device object, expose it to
 * user mode as \??\shoooo24, and install the create/close/control
 * dispatch routines and the unload routine. The device type argument is
 * passed verbatim as 0x220000 (it does not look like one of the
 * FILE_DEVICE_* constants — verify what was intended). The unused
 * cr4reg local of the original has been dropped.
 *
 * NOTE(review): nothing here restricts which users may open the device;
 * whatever the default device ACL grants applies to all IOCTLs.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	UNICODE_STRING deviceName;
	UNICODE_STRING linkName;
	PDEVICE_OBJECT device = NULL;
	NTSTATUS status;

	RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo24");
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo24");

	status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &device);
	if (!NT_SUCCESS(status))
		return status;

	status = IoCreateSymbolicLink(&linkName, &deviceName);
	if (!NT_SUCCESS(status))
	{
		/* Undo the device creation so unload has nothing dangling. */
		IoDeleteDevice(device);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}
exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
/*
 * Return the kernel load address of CrackMe.sys, or 0 when no loaded
 * module has that file name.
 *
 * ZwQuerySystemInformation is resolved from ntdll at run time and invoked
 * from inline asm (stdcall arguments pushed right to left) with class 0x0B,
 * i.e. SystemModuleInformation; a 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH)
 * result doubles the buffer and retries. The buffer is then walked as a
 * ULONG module count followed by 0x11C-byte records whose image base is at
 * +0x08 and whose full path is at +0x1C — this matches the 32-bit
 * SYSTEM_MODULE_INFORMATION layout; verify against the target OS. Only the
 * file-name part after the last backslash is compared, case-insensitively.
 *
 * NOTE(review): Pool is never released on any path; the VirtualAlloc and
 * GetProcAddress results are not checked; any status other than
 * STATUS_INFO_LENGTH_MISMATCH (success or failure) proceeds to parse the
 * buffer. The `if (Name != NULL)` after the fallback can never be false.
 */
DWORD GetSysBase()
{
DWORD ZwQuerySystemInformation;	/* address of ntdll!ZwQuerySystemInformation */
DWORD status;
ULONG PoolSize;
char* Pool;
char* ModuleStart;
ULONG i;
char* Name;
ZwQuerySystemInformation = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
PoolSize = 0x1000;
Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
do
{
/* ZwQuerySystemInformation(0x0B, Pool, PoolSize, NULL) */
__asm
{
push 0
push PoolSize
push Pool
push 0x0B
call ZwQuerySystemInformation
mov status, eax
}
if (status == 0xC0000004)
{
/* Buffer too small: grow and retry. */
VirtualFree(Pool, 0, MEM_RELEASE);
PoolSize = PoolSize * 2;
Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
continue ;
}
break ;
}while(1);
ModuleStart = Pool+4;	/* first module record follows the ULONG count */
for (i=0; i<*(LPDWORD)Pool; i++)
{
Name = strrchr(ModuleStart+0x1C+i*0x11C, '\\');
if (Name != NULL)
Name = Name + 1;
else
Name = ModuleStart+0x1C+i*0x11C;
if (Name != NULL)
{
if (stricmp(Name, "CrackMe.sys") == 0)
{
return *(LPDWORD)(ModuleStart + i*0x11C + 0x08);
}
}
}
return 0;
}
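/*
 * Entry point (user-mode half): find the "CrackMeApp" PID and the load
 * address of CrackMe.sys, hand that address to the shoooo24 driver via
 * IOCTL 0x108 (4-byte input, no output), then terminate the process with
 * an ordinary PROCESS_TERMINATE handle.
 *
 * Fixes over the original: the DeviceIoControl result is checked before
 * the process is opened, the OpenProcess result is checked before
 * TerminateProcess (it was passed through even when NULL), the process
 * handle is closed, and CreateFile's security-attributes argument is NULL
 * rather than FALSE.
 */
void start()
{
	HWND hWnd;
	DWORD Pid = 0;
	HANDLE hFile;
	DWORD base;
	DWORD temp = 0;
	HANDLE hProcess;
	BOOL ok;

	hWnd = FindWindow("#32770", "CrackMeApp");
	GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return;
	base = GetSysBase();
	if (base == 0)
		return;

	hFile = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE , 0 , NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return;
	ok = DeviceIoControl(hFile, 0x108, &base, 4, NULL, 0, &temp, NULL);
	CloseHandle(hFile);
	if (!ok)
		return;

	hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, Pid);
	if (hProcess == NULL)
		return;
	TerminateProcess(hProcess, 0);
	CloseHandle(hProcess);
}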
21 楼
第二十种
驱动和第十九种shoooo24.sys一样
exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
/*
 * Return the kernel load address of CrackMe.sys, or 0 when no loaded
 * module has that file name.
 *
 * ZwQuerySystemInformation is resolved from ntdll at run time and invoked
 * from inline asm (stdcall arguments pushed right to left) with class 0x0B,
 * i.e. SystemModuleInformation; a 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH)
 * result doubles the buffer and retries. The buffer is then walked as a
 * ULONG module count followed by 0x11C-byte records whose image base is at
 * +0x08 and whose full path is at +0x1C — this matches the 32-bit
 * SYSTEM_MODULE_INFORMATION layout; verify against the target OS. Only the
 * file-name part after the last backslash is compared, case-insensitively.
 *
 * NOTE(review): Pool is never released on any path; the VirtualAlloc and
 * GetProcAddress results are not checked; any status other than
 * STATUS_INFO_LENGTH_MISMATCH (success or failure) proceeds to parse the
 * buffer. The `if (Name != NULL)` after the fallback can never be false.
 */
DWORD GetSysBase()
{
DWORD ZwQuerySystemInformation;	/* address of ntdll!ZwQuerySystemInformation */
DWORD status;
ULONG PoolSize;
char* Pool;
char* ModuleStart;
ULONG i;
char* Name;
ZwQuerySystemInformation = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
PoolSize = 0x1000;
Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
do
{
/* ZwQuerySystemInformation(0x0B, Pool, PoolSize, NULL) */
__asm
{
push 0
push PoolSize
push Pool
push 0x0B
call ZwQuerySystemInformation
mov status, eax
}
if (status == 0xC0000004)
{
/* Buffer too small: grow and retry. */
VirtualFree(Pool, 0, MEM_RELEASE);
PoolSize = PoolSize * 2;
Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
continue ;
}
break ;
}while(1);
ModuleStart = Pool+4;	/* first module record follows the ULONG count */
for (i=0; i<*(LPDWORD)Pool; i++)
{
Name = strrchr(ModuleStart+0x1C+i*0x11C, '\\');
if (Name != NULL)
Name = Name + 1;
else
Name = ModuleStart+0x1C+i*0x11C;
if (Name != NULL)
{
if (stricmp(Name, "CrackMe.sys") == 0)
{
return *(LPDWORD)(ModuleStart + i*0x11C + 0x08);
}
}
}
return 0;
}
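/*
 * Entry point (user-mode half; driver is shoooo24 from the 19th method):
 * find the "CrackMeApp" PID and the load address of CrackMe.sys, hand the
 * address to the driver via IOCTL 0x108, then attach to the target as its
 * debugger and exit. By default a debuggee is terminated when its debugger
 * process goes away, which is what ends the target here.
 *
 * Fixes over the original: the DeviceIoControl and DebugActiveProcess
 * results are checked (previously this process exited regardless, which
 * does nothing to the target if attaching failed), and CreateFile's
 * security-attributes argument is NULL rather than FALSE. The unused
 * hProcess local has been dropped.
 */
void start()
{
	HWND hWnd;
	DWORD Pid = 0;
	HANDLE hFile;
	DWORD base;
	DWORD temp = 0;
	BOOL ok;

	hWnd = FindWindow("#32770", "CrackMeApp");
	GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return;
	base = GetSysBase();
	if (base == 0)
		return;

	hFile = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE , 0 , NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return;
	ok = DeviceIoControl(hFile, 0x108, &base, 4, NULL, 0, &temp, NULL);
	CloseHandle(hFile);
	if (!ok)
		return;

	if (!DebugActiveProcess(Pid))
		return;
	ExitProcess(0);
}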
22 楼
第二十一种
sys
//shoooo25.c
#include <ntddk.h>
#pragma warning(disable:4047)
/*
 * KAPC_STATE is declared here by hand (presumably the WDK in use keeps it
 * opaque — verify the layout matches the target kernel), together with
 * prototypes for three kernel exports. Note that in this driver none of
 * the three declared routines is actually called; only the declarations
 * are carried over from shoooo23.c.
 */
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[2];
PEPROCESS Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);
/*
 * Transfer control to Base + 0x1810 with an inline `call`. The name says
 * the routine at that offset of CrackMe.sys restores the SSDT; nothing
 * here verifies that — Base is whatever the IOCTL 0x10C caller supplied
 * and the offset is hard-coded for one build of that driver. Always
 * returns STATUS_SUCCESS.
 *
 * NOTE(review): this is an arbitrary-address kernel call exposed to any
 * user who can open \\.\shoooo25; the callee's calling convention,
 * arguments and IRQL expectations are assumed, not checked, and an
 * unmapped address bug-checks the machine.
 */
NTSTATUS UnhookSSDT(ULONG Base)
{
ULONG Address;
Address = Base + 0x1810;
__asm call Address
return STATUS_SUCCESS;
}
/*
 * Driver unload: remove the \??\shoooo25 symbolic link created in
 * DriverEntry and delete the driver's single device object.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	UNICODE_STRING linkName;
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo25");
	IoDeleteSymbolicLink(&linkName);
	IoDeleteDevice(pDriverObject->DeviceObject);
}
/* IRP_MJ_CREATE: no per-open state to set up, so complete with success. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: nothing to tear down, just complete the request. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	const NTSTATUS result = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	pIrp->IoStatus.Status = result;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);
	return result;
}
/*
 * IRP_MJ_DEVICE_CONTROL handler. Only IOCTL 0x10C is understood: input is
 * a 4-byte value treated as a kernel base address (METHOD_BUFFERED, so it
 * arrives in AssociatedIrp.SystemBuffer), there is no output. The value is
 * passed unchanged to UnhookSSDT, which calls through it. Any other code
 * completes with STATUS_INVALID_DEVICE_REQUEST.
 *
 * Completion convention: the caller sees pIrp->IoStatus as set before
 * IoCompleteRequest; the local status returned from this routine is reset
 * to STATUS_SUCCESS once a known code was handled.
 *
 * NOTE(review): this is the user-mode-reachable entry to an unchecked
 * kernel call — the only validation is the buffer length. DeviceExtension,
 * SystemBufferOut and OutBufferLength are assigned but never used.
 */
NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
NTSTATUS status;
PVOID DeviceExtension;
PIO_STACK_LOCATION pIrpSp;
char* SystemBufferIn;
PVOID SystemBufferOut;
ULONG InBufferLength;
ULONG OutBufferLength;
ULONG IoControlCode;
DeviceExtension = pDeviceObject->DeviceExtension;
pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
SystemBufferIn = pIrp->AssociatedIrp.SystemBuffer;
SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
InBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = pIrpSp->Parameters.DeviceIoControl.IoControlCode;
switch (IoControlCode)
{
case 0x10C:
/* The input must be exactly one ULONG (the base address). */
if (InBufferLength != 4)
{
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
status = STATUS_SUCCESS;
}
else
{
status = UnhookSSDT(*(PULONG)SystemBufferIn);
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = status;
status = STATUS_SUCCESS;
}
break ;
default:
status = STATUS_INVALID_DEVICE_REQUEST;
pIrp->IoStatus.Information = 0;
break ;
}
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
/*
 * Driver entry: create the \Device\shoooo25 device object, expose it to
 * user mode as \??\shoooo25, and install the create/close/control
 * dispatch routines and the unload routine. The device type argument is
 * passed verbatim as 0x220000 (it does not look like one of the
 * FILE_DEVICE_* constants — verify what was intended). The unused
 * cr4reg local of the original has been dropped.
 *
 * NOTE(review): nothing here restricts which users may open the device;
 * whatever the default device ACL grants applies to all IOCTLs.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	UNICODE_STRING deviceName;
	UNICODE_STRING linkName;
	PDEVICE_OBJECT device = NULL;
	NTSTATUS status;

	RtlInitUnicodeString(&deviceName, L"\\Device\\shoooo25");
	RtlInitUnicodeString(&linkName, L"\\??\\shoooo25");

	status = IoCreateDevice(pDriverObject, 0, &deviceName, 0x220000, 0, 0, &device);
	if (!NT_SUCCESS(status))
		return status;

	status = IoCreateSymbolicLink(&linkName, &deviceName);
	if (!NT_SUCCESS(status))
	{
		/* Undo the device creation so unload has nothing dangling. */
		IoDeleteDevice(device);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}
exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")
/*
 * Return the kernel load address of CrackMe.sys, or 0 when no loaded
 * module has that file name.
 *
 * ZwQuerySystemInformation is resolved from ntdll at run time and invoked
 * from inline asm (stdcall arguments pushed right to left) with class 0x0B,
 * i.e. SystemModuleInformation; a 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH)
 * result doubles the buffer and retries. The buffer is then walked as a
 * ULONG module count followed by 0x11C-byte records whose image base is at
 * +0x08 and whose full path is at +0x1C — this matches the 32-bit
 * SYSTEM_MODULE_INFORMATION layout; verify against the target OS. Only the
 * file-name part after the last backslash is compared, case-insensitively.
 *
 * NOTE(review): Pool is never released on any path; the VirtualAlloc and
 * GetProcAddress results are not checked; any status other than
 * STATUS_INFO_LENGTH_MISMATCH (success or failure) proceeds to parse the
 * buffer. The `if (Name != NULL)` after the fallback can never be false.
 */
DWORD GetSysBase()
{
DWORD ZwQuerySystemInformation;	/* address of ntdll!ZwQuerySystemInformation */
DWORD status;
ULONG PoolSize;
char* Pool;
char* ModuleStart;
ULONG i;
char* Name;
ZwQuerySystemInformation = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
PoolSize = 0x1000;
Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
do
{
/* ZwQuerySystemInformation(0x0B, Pool, PoolSize, NULL) */
__asm
{
push 0
push PoolSize
push Pool
push 0x0B
call ZwQuerySystemInformation
mov status, eax
}
if (status == 0xC0000004)
{
/* Buffer too small: grow and retry. */
VirtualFree(Pool, 0, MEM_RELEASE);
PoolSize = PoolSize * 2;
Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
continue ;
}
break ;
}while(1);
ModuleStart = Pool+4;	/* first module record follows the ULONG count */
for (i=0; i<*(LPDWORD)Pool; i++)
{
Name = strrchr(ModuleStart+0x1C+i*0x11C, '\\');
if (Name != NULL)
Name = Name + 1;
else
Name = ModuleStart+0x1C+i*0x11C;
if (Name != NULL)
{
if (stricmp(Name, "CrackMe.sys") == 0)
{
return *(LPDWORD)(ModuleStart + i*0x11C + 0x08);
}
}
}
return 0;
}
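/*
 * Entry point (user-mode half): find the "CrackMeApp" PID and the load
 * address of CrackMe.sys, hand that address to the shoooo25 driver via
 * IOCTL 0x10C (4-byte input, no output), then terminate the process with
 * an ordinary PROCESS_TERMINATE handle.
 *
 * Fixes over the original: the DeviceIoControl result is checked before
 * the process is opened, the OpenProcess result is checked before
 * TerminateProcess (it was passed through even when NULL), the process
 * handle is closed, and CreateFile's security-attributes argument is NULL
 * rather than FALSE.
 */
void start()
{
	HWND hWnd;
	DWORD Pid = 0;
	HANDLE hFile;
	DWORD base;
	DWORD temp = 0;
	HANDLE hProcess;
	BOOL ok;

	hWnd = FindWindow("#32770", "CrackMeApp");
	GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return;
	base = GetSysBase();
	if (base == 0)
		return;

	hFile = CreateFile("\\\\.\\shoooo25", GENERIC_READ | GENERIC_WRITE , 0 , NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return;
	ok = DeviceIoControl(hFile, 0x10C, &base, 4, NULL, 0, &temp, NULL);
	CloseHandle(hFile);
	if (!ok)
		return;

	hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, Pid);
	if (hProcess == NULL)
		return;
	TerminateProcess(hProcess, 0);
	CloseHandle(hProcess);
}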
23 楼
膜拜LZ
顶礼膜拜发帖时间。
24 楼
KeAttachProcess
25 楼
只能膜拜,无法学习。