#include <windows.h>
#include <string.h>
#include "psapi.h"
#include <tlhelp32.h>
#include <stdio.h>
/* Number of bytes WinMain copies from &ThreadProc into the target process.
 * It is a fixed constant, not the function's real size. */
#define THREADSIZE 32767
/* Signatures of the two APIs reached through raw addresses. */
typedef DWORD (WINAPI* PFN_GETPROCNAME) (HANDLE, LPTSTR, DWORD); /* GetProcessImageFileNameA */
typedef BOOL (WINAPI* PFN_DELETE) (LPCTSTR);                    /* DeleteFileA */
/* Parameter block written into the target process and passed to the remote
 * thread. The address is stored as a DWORD, so this assumes a 32-bit build. */
typedef struct TAGRMPARAM
{
    char szFilePath[MAX_PATH]; /* full path of the file the remote thread deletes */
    DWORD dwDeleteAddr;        /* address of DeleteFileA as resolved by the injector */
}RMPARAM, *LPRMPARAM;
/* Resolve an export by DLL name and procedure name.
 * The DLL is loaded with LoadLibrary and the module reference is never
 * released (no FreeLibrary), so the DLL stays referenced for the life of the
 * process. Returns the procedure address cast to DWORD, or 0 when the DLL
 * cannot be loaded or the export does not exist. The DWORD cast assumes a
 * 32-bit process; on 64-bit it would truncate the pointer. */
DWORD GetFuncAddr (LPTSTR lpszDll, LPTSTR lpszProc)
{
    HMODULE hModule = LoadLibrary (lpszDll);
    if (!hModule)
        return 0;

    FARPROC pfnExport = GetProcAddress (hModule, lpszProc);
    return (DWORD)pfnExport;
}
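/* Return the id of the first running process whose image name equals
 * lpszProcName (case-insensitive), or 0 if there is none or the snapshot
 * cannot be taken.
 *
 * Fixes relative to the original: the snapshot handle is checked against
 * INVALID_HANDLE_VALUE and closed on every path (it leaked on each call);
 * the entry returned by Process32First is compared as well instead of being
 * skipped; and the buffers are no longer lower-cased in place — the original
 * called _strlwr on lpszProcName, which at the call site is a string literal,
 * i.e. a write to read-only storage (undefined behavior). */
DWORD ProcessNameToId (char* lpszProcName)
{
    DWORD dwPid = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe;
    ZeroMemory (&pe, sizeof pe);
    pe.dwSize = sizeof pe;               /* Process32First requires dwSize to be set */

    /* Process32First yields the first entry, Process32Next the remaining ones. */
    if (Process32First (hSnapshot, &pe))
    {
        do
        {
            if (_stricmp (pe.szExeFile, lpszProcName) == 0)
            {
                dwPid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next (hSnapshot, &pe));
    }

    CloseHandle (hSnapshot);
    return dwPid;
}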
/* Body of the thread that WinMain starts inside the target process.
 * WinMain copies these bytes into the target, so the function cannot rely on
 * anything from this image; DeleteFileA is reached only through the address
 * stored in the RMPARAM block.
 * pVoid: address of the RMPARAM copy that WinMain wrote into the target. */
DWORD CALLBACK ThreadProc (LPVOID pVoid)
{
    LPRMPARAM pRP = (LPRMPARAM) pVoid;
    /* DeleteFileA, resolved by the injecting process (see RMPARAM). */
    PFN_DELETE pfnDelete = (PFN_DELETE) pRP->dwDeleteAddr;
    pfnDelete (pRP->szFilePath);   /* return value is not checked */
    return 0;
}
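/* Write the bare file name (no directory) of the current executable into
 * lpszFileName, which must hold at least MAX_PATH bytes.
 * Returns TRUE on success. Returns FALSE if GetProcessImageFileNameA cannot be
 * resolved from psapi.dll, if that call fails, or if GetFileTitle cannot
 * extract the name.
 *
 * Fix relative to the original: the results of GetProcessImageFileNameA and
 * GetFileTitle are checked, so a failure no longer copies an undefined buffer
 * into the caller's memory. */
BOOL GetCurrentFileName (LPSTR lpszFileName)
{
    char szShort[MAX_PATH];
    char szFileName[MAX_PATH];

    PFN_GETPROCNAME pfnGetProcName = (PFN_GETPROCNAME) GetFuncAddr ("psapi.dll",
                                                                   "GetProcessImageFileNameA");
    if (!pfnGetProcName)
        return FALSE;

    /* GetProcessImageFileNameA returns the number of characters copied, 0 on failure. */
    HANDLE hCur = GetCurrentProcess ();
    if (pfnGetProcName (hCur, szFileName, MAX_PATH) == 0)
        return FALSE;

    /* GetFileTitle returns 0 on success, a negative value for an invalid name
     * and a positive required size when szShort is too small. */
    if (GetFileTitle (szFileName, szShort, MAX_PATH) != 0)
        return FALSE;

    strcpy (lpszFileName, szShort);  /* szShort is at most MAX_PATH, as the caller's buffer must be */
    return TRUE;
}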
/* Entry point. Arranges for the running executable to be deleted by another
 * process: the bytes of ThreadProc and an RMPARAM block are copied into
 * explorer.exe and run there with CreateRemoteThread.
 *
 * Defender's note: OpenProcess(PROCESS_ALL_ACCESS) → VirtualAllocEx with
 * PAGE_EXECUTE_READWRITE → WriteProcessMemory → CreateRemoteThread into
 * explorer.exe is the textbook remote-thread injection chain that endpoint
 * monitoring alerts on (Sysmon Event ID 8 records CreateRemoteThread, and RWX
 * allocations in a foreign process are a common EDR trigger). Self-deletion
 * does not require it: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, or a
 * separate helper process that waits on this process and then deletes the
 * file, does the job without writing into another process.
 *
 * Review notes on the code as written:
 *  - no handle is ever closed: hTargetProcess leaks on every path and
 *    hRemoteThread is dropped on the floor;
 *  - WriteProcessMemory copies THREADSIZE bytes starting at &ThreadProc,
 *    which is not the function's length, so the read continues past the
 *    function into whatever follows it in this image;
 *  - dwBytesWritten is reused as the thread-id out-parameter;
 *  - the message texts say "线程" (thread) where a process is meant;
 *  - 32-bit only: addresses travel as DWORD. */
int APIENTRY WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
                      LPSTR lpCmdLine, int nShowCmd)
{
    DWORD dwBytesWritten;
    /* Target: the first process named explorer.exe. */
    DWORD dwProcessId = ProcessNameToId ("explorer.exe");
    if (dwProcessId == 0)
    {
        MessageBox (NULL, "找不到线程", NULL, 0);   /* "not found" */
        return 0;
    }
    /* Requests far more access than the calls below use. */
    HANDLE hTargetProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (!hTargetProcess)
    {
        MessageBox (NULL, "无法打开线程", NULL, 0);  /* "cannot open" */
        return 0;
    }
    /* RWX region in the target that will receive a copy of ThreadProc.
     * Leaked (together with hTargetProcess) on every error path below. */
    LPVOID pRemoteThread = VirtualAllocEx (hTargetProcess, NULL, THREADSIZE,
                                           MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteThread)
    {
        MessageBox (NULL, "无法申请线程空间", NULL, 0);  /* "cannot allocate" */
        return 0;
    }
    /* Copies THREADSIZE bytes from &ThreadProc — a constant, not the function's size. */
    if (!WriteProcessMemory (hTargetProcess, pRemoteThread,
                             &ThreadProc, THREADSIZE, &dwBytesWritten))
    {
        MessageBox (NULL, "无法写入线程空间", NULL, 0);  /* "cannot write" */
        return 0;
    }
    RMPARAM RemoteParam;
    ZeroMemory (&RemoteParam, sizeof (RMPARAM));
    char szCurrentPath[MAX_PATH];
    char szFileName[MAX_PATH];
    if (!GetCurrentFileName (szFileName))
    {
        MessageBox (NULL, "无法获得现有文件名", NULL, 0);  /* "cannot get own file name" */
        return 0;
    }
    /* Assumes the executable lives in the current directory. The result of
     * GetCurrentDirectory is not checked, and the sprintf into a MAX_PATH
     * buffer is unbounded if directory + name exceed it. */
    GetCurrentDirectory (MAX_PATH, szCurrentPath);
    sprintf (RemoteParam.szFilePath, "%s\\%s", szCurrentPath, szFileName);
    /* Address of DeleteFileA as seen from this process. */
    DWORD dwFuncAddr = GetFuncAddr ("Kernel32.dll", "DeleteFileA");
    if (dwFuncAddr == 0)
    {
        MessageBox (NULL, "无法加载Kernel32.dll", NULL, 0);  /* "cannot load Kernel32.dll" */
        return 0;
    }
    RemoteParam.dwDeleteAddr = dwFuncAddr;
    /* Read/write block in the target holding the parameters; its address is
     * what the remote thread receives as pVoid. */
    LPVOID pRmParam = VirtualAllocEx (hTargetProcess, NULL, sizeof (RMPARAM),
                                      MEM_COMMIT, PAGE_READWRITE);
    if (!pRmParam)
    {
        MessageBox (NULL, "无法申请线程空间", NULL, 0);
        return 0;
    }
    if (!WriteProcessMemory (hTargetProcess, pRmParam,
                             &RemoteParam, sizeof (RMPARAM), &dwBytesWritten))
    {
        MessageBox (NULL, "无法写入线程空间", NULL, 0);
        return 0;
    }
    /* dwBytesWritten is reused here to receive the new thread id.
     * Neither hRemoteThread nor hTargetProcess is closed. */
    HANDLE hRemoteThread = CreateRemoteThread (hTargetProcess, NULL, 0,
                                               (LPTHREAD_START_ROUTINE) pRemoteThread, pRmParam, 0, &dwBytesWritten);
    return 0;
}
#include <string.h>
#include <windows.h>
#include "psapi.h"
#include <tlhelp32.h>
#include <stdio.h>
/* Number of bytes WinMain copies from &ThreadProc into the target process;
 * a fixed constant, not the function's real size. The expansion is not
 * parenthesized, so e.g. `x / THREADSIZE` would expand to `x / 4*1024`. */
#define THREADSIZE 4*1024
/* Signatures of the APIs the remote thread reaches through raw addresses. */
typedef DWORD (WINAPI* PFN_GETPROCNAME) (HANDLE, LPTSTR, DWORD);      /* GetProcessImageFileNameA */
typedef BOOL (WINAPI* PFN_DELETE) (LPCTSTR);                         /* DeleteFileA */
typedef VOID (WINAPI* PFN_SLEEP)(DWORD dwMilliseconds);              /* Sleep */
typedef HANDLE (WINAPI* PFN_OPENPROCESS)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); /* OpenProcess */
typedef DWORD (WINAPI* PFN_WAITFORSINGLEOBJECT)(HANDLE hHandle,DWORD dwMilliseconds); /* WaitForSingleObject */
typedef BOOL (WINAPI* PFN_CLOSEHANDLE)(HANDLE hObject);              /* CloseHandle */
/* Parameter block written into the target process and passed to the remote
 * thread. All addresses are DWORD, so this assumes a 32-bit build. */
typedef struct TAGRMPARAM
{
    char szFilePath[MAX_PATH]; /* full path of the file to delete */
    DWORD dwProcessId;         /* id of the injecting process; the remote thread waits for it to exit */
    DWORD dwDeleteAddr;        /* DeleteFileA */
    DWORD dwSleep;             /* Sleep (resolved but not used by ThreadProc in this listing) */
    DWORD dwOpenProcess;       /* OpenProcess */
    DWORD dwCloseHandle;       /* CloseHandle */
    DWORD dwWaitFor;           /* WaitForSingleObject */
}RMPARAM, *LPRMPARAM;
/* Resolve an export by DLL name and procedure name.
 * The DLL is loaded with LoadLibrary and the module reference is never
 * released (no FreeLibrary), so the DLL stays referenced for the life of the
 * process. Returns the procedure address cast to DWORD, or 0 when the DLL
 * cannot be loaded or the export does not exist. The DWORD cast assumes a
 * 32-bit process; on 64-bit it would truncate the pointer. */
DWORD GetFuncAddr (LPTSTR lpszDll, LPTSTR lpszProc)
{
    HMODULE hModule = LoadLibrary (lpszDll);
    if (!hModule)
        return 0;

    FARPROC pfnExport = GetProcAddress (hModule, lpszProc);
    return (DWORD)pfnExport;
}
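/* Return the id of the first running process whose image name equals
 * lpszProcName (case-insensitive), or 0 if there is none or the snapshot
 * cannot be taken.
 *
 * Fixes relative to the original: the snapshot handle is checked against
 * INVALID_HANDLE_VALUE and closed on every path (it leaked on each call);
 * the entry returned by Process32First is compared as well instead of being
 * skipped; and the buffers are no longer lower-cased in place — the original
 * called strlwr on lpszProcName, which at the call site is a string literal,
 * i.e. a write to read-only storage (undefined behavior). */
DWORD ProcessNameToId (char* lpszProcName)
{
    DWORD dwPid = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe;
    ZeroMemory (&pe, sizeof pe);
    pe.dwSize = sizeof pe;               /* Process32First requires dwSize to be set */

    /* Process32First yields the first entry, Process32Next the remaining ones. */
    if (Process32First (hSnapshot, &pe))
    {
        do
        {
            if (_stricmp (pe.szExeFile, lpszProcName) == 0)
            {
                dwPid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next (hSnapshot, &pe));
    }

    CloseHandle (hSnapshot);
    return dwPid;
}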
/* Body of the thread that WinMain starts inside the target process.
 * WinMain copies these bytes into the target, so every routine is reached
 * through the addresses stored in the RMPARAM block. It waits for the
 * injecting process (pRP->dwProcessId) to exit and then deletes
 * pRP->szFilePath.
 *
 * Review notes: OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE,
 * so the test below is always true and a failed open still leads to
 * WaitForSingleObject/CloseHandle being called with NULL; pfnSleep is
 * assigned but never used; `false` is a C++ keyword — a C build needs
 * stdbool.h or the Win32 FALSE.
 * pVoid: address of the RMPARAM copy that WinMain wrote into the target. */
DWORD CALLBACK ThreadProc (LPVOID pVoid)
{
    LPRMPARAM pRP = (LPRMPARAM) pVoid;
    PFN_DELETE pfnDelete = (PFN_DELETE) pRP->dwDeleteAddr;
    PFN_SLEEP pfnSleep = (PFN_SLEEP) pRP->dwSleep;                  /* unused */
    PFN_OPENPROCESS pfnOpenProcess = (PFN_OPENPROCESS) pRP->dwOpenProcess;
    PFN_CLOSEHANDLE pfnCloseHandle = (PFN_CLOSEHANDLE) pRP->dwCloseHandle;
    PFN_WAITFORSINGLEOBJECT pfnWaitFor = (PFN_WAITFORSINGLEOBJECT) pRP->dwWaitFor;
    /* PROCESS_ALL_ACCESS is more than the wait needs (SYNCHRONIZE would do). */
    HANDLE hProcess = pfnOpenProcess(PROCESS_ALL_ACCESS,false,pRP->dwProcessId);
    if (hProcess != INVALID_HANDLE_VALUE) {   /* always true: OpenProcess fails with NULL */
        pfnWaitFor(hProcess, INFINITE);        /* block until the injecting process exits */
        pfnCloseHandle(hProcess);
    }
    pfnDelete (pRP->szFilePath);               /* return value is not checked */
    return 0;
}
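/* Write the bare file name (no directory) of the current executable into
 * lpszFileName, which must hold at least MAX_PATH bytes.
 * Returns TRUE on success. Returns FALSE if GetProcessImageFileNameA cannot be
 * resolved from psapi.dll, if that call fails, or if GetFileTitle cannot
 * extract the name.
 *
 * Fix relative to the original: the results of GetProcessImageFileNameA and
 * GetFileTitle are checked, so a failure no longer copies an undefined buffer
 * into the caller's memory. */
BOOL GetCurrentFileName (LPSTR lpszFileName)
{
    char szShort[MAX_PATH];
    char szFileName[MAX_PATH];

    PFN_GETPROCNAME pfnGetProcName = (PFN_GETPROCNAME) GetFuncAddr ("psapi.dll",
                                                                   "GetProcessImageFileNameA");
    if (!pfnGetProcName)
        return FALSE;

    /* GetProcessImageFileNameA returns the number of characters copied, 0 on failure. */
    HANDLE hCur = GetCurrentProcess ();
    if (pfnGetProcName (hCur, szFileName, MAX_PATH) == 0)
        return FALSE;

    /* GetFileTitle returns 0 on success, a negative value for an invalid name
     * and a positive required size when szShort is too small. */
    if (GetFileTitle (szFileName, szShort, MAX_PATH) != 0)
        return FALSE;

    strcpy (lpszFileName, szShort);  /* szShort is at most MAX_PATH, as the caller's buffer must be */
    return TRUE;
}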
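/* Enable or disable one named privilege on an access token (the MSDN sample).
 * hToken:           token opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
 * lpszPrivilege:    privilege name, e.g. SE_DEBUG_NAME
 * bEnablePrivilege: TRUE to enable, FALSE to disable
 * Returns TRUE on success. Returns FALSE if the privilege name is unknown, if
 * AdjustTokenPrivileges fails, or if it succeeds but reports
 * ERROR_NOT_ALL_ASSIGNED (the token does not hold the privilege, so nothing
 * was changed). Errors are written to stdout with the GetLastError() code.
 *
 * Fix relative to the original: GetLastError() returns a DWORD (unsigned
 * long), so the matching printf specifier is %lu; %u is a type mismatch. */
BOOL SetPrivilege(
    HANDLE hToken, // access token handle
    LPCTSTR lpszPrivilege, // name of privilege to enable/disable
    BOOL bEnablePrivilege // to enable or disable privilege
)
{
    TOKEN_PRIVILEGES tp;
    LUID luid;

    if ( !LookupPrivilegeValue(
            NULL, // lookup privilege on local system
            lpszPrivilege, // privilege to lookup
            &luid ) ) // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %lu\n", GetLastError() );
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // Enable the privilege or disable all privileges.
    if ( !AdjustTokenPrivileges(
            hToken,
            FALSE,
            &tp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL) )
    {
        printf("AdjustTokenPrivileges error: %lu\n", GetLastError() );
        return FALSE;
    }

    // AdjustTokenPrivileges returns TRUE even when it could not assign every
    // requested privilege; that case is only visible through GetLastError().
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}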
/* Exit codes for WinMain. Only RTN_ERROR is referenced in this listing;
 * the success path returns a literal 0. */
#define RTN_OK 0
#define RTN_USAGE 1
#define RTN_ERROR 13
/* Entry point (explorer.exe variant: enables SeDebugPrivilege first and
 * starts the remote thread suspended).
 *
 * THIS LISTING DOES NOT COMPILE AS POSTED: the closing brace after
 * `else return RTN_ERROR;` (just below the OpenProcessToken call) ends
 * WinMain, so the SetPrivilege / ResumeThread / `return 0;` lines after it are
 * outside any function and the final `}` is unmatched. Even with the braces
 * repaired, both branches of that `if` return RTN_ERROR, so ResumeThread is
 * never reached and the target is left with a suspended thread and an RWX
 * allocation. The block reads like a partial paste of the token code at the
 * top of the function — intent to be confirmed with the author.
 *
 * Defender's note: ImpersonateSelf + SeDebugPrivilege followed by
 * OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx(PAGE_EXECUTE_READWRITE),
 * WriteProcessMemory and CreateRemoteThread into explorer.exe is the textbook
 * remote-thread injection chain; Sysmon Event ID 8 records the
 * CreateRemoteThread and token privilege adjustments are auditable (Security
 * event 4703). A self-deleting program needs none of it: MoveFileEx with
 * MOVEFILE_DELAY_UNTIL_REBOOT, or a separate helper process that waits on this
 * process and then deletes the file, achieves the same without writing into
 * another process.
 *
 * Other review notes:
 *  - hToken and hTargetProcess are never closed on the success path, and
 *    hRemoteThread is never closed at all;
 *  - WriteProcessMemory copies THREADSIZE bytes from &ThreadProc, which is
 *    not the function's length (the failure message prints THREADSIZE and
 *    dwBytesWritten);
 *  - DWORD values are printed with %d; %lu is the matching specifier;
 *  - dwBytesWritten doubles as the thread-id out-parameter of
 *    CreateRemoteThread. */
int APIENTRY WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
                      LPSTR lpCmdLine, int nShowCmd)
{
    DWORD dwBytesWritten;
    HANDLE hToken;
    /* A thread normally has no token of its own (ERROR_NO_TOKEN); ImpersonateSelf
     * gives it one so the privilege is enabled on this thread only. */
    if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))
    {
        if (GetLastError() == ERROR_NO_TOKEN)
        {
            if (!ImpersonateSelf(SecurityImpersonation))
                return RTN_ERROR;
            if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)){
                //DisplayError("OpenThreadToken");
                return RTN_ERROR;
            }
        }
        else
            return RTN_ERROR;
    }
    // enable SeDebugPrivilege
    if(!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
    {
        //DisplayError("SetPrivilege");
        // close token handle
        CloseHandle(hToken);
        // indicate failure
        return RTN_ERROR;
    }
    /* Target: the first process named explorer.exe. */
    DWORD dwProcessId = ProcessNameToId ("explorer.exe");
    if (dwProcessId == 0)
    {
        MessageBox (NULL, "找不到线程", NULL, 0);   /* "not found" */
        return 0;
    }
    /* Requests far more access than the calls below use. */
    HANDLE hTargetProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (!hTargetProcess)
    {
        DWORD dwLastError = GetLastError();
        char s[100];
        sprintf(s,"无法打开线程:%d",dwLastError);   /* "cannot open: <error>" */
        MessageBox (NULL, s, NULL, 0);
        return 0;
    }
    /* RWX region in the target that will receive a copy of ThreadProc.
     * Leaked (together with hTargetProcess and hToken) on every error path below. */
    LPVOID pRemoteThread = VirtualAllocEx (hTargetProcess, NULL, THREADSIZE,
                                           MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteThread)
    {
        MessageBox (NULL, "无法申请线程空间", NULL, 0);  /* "cannot allocate" */
        return 0;
    }
    /* Copies THREADSIZE bytes from &ThreadProc — a constant, not the function's size. */
    if (!WriteProcessMemory (hTargetProcess, pRemoteThread,
                             &ThreadProc, THREADSIZE, &dwBytesWritten))
    {
        DWORD dwLastError = GetLastError();
        char s[100];
        /* "cannot write: <error>(<requested>/<written>)" */
        sprintf(s,"无法写入线程空间:%d(%d/%d)",dwLastError,THREADSIZE, dwBytesWritten);
        MessageBox (NULL,s , NULL, 0);
        return 0;
    }
    RMPARAM RemoteParam;
    ZeroMemory (&RemoteParam, sizeof (RMPARAM));
    char szCurrentPath[MAX_PATH];
    char szFileName[MAX_PATH];
    if (!GetCurrentFileName (szFileName))
    {
        MessageBox (NULL, "无法获得现有文件名", NULL, 0);  /* "cannot get own file name" */
        return 0;
    }
    /* Assumes the executable lives in the current directory. The result of
     * GetCurrentDirectory is not checked, and the sprintf into a MAX_PATH
     * buffer is unbounded if directory + name exceed it. */
    GetCurrentDirectory (MAX_PATH, szCurrentPath);
    sprintf (RemoteParam.szFilePath, "%s\\%s", szCurrentPath, szFileName);
    /* Addresses of the kernel32 routines as seen from this process. Only
     * DeleteFileA is checked; the other four are stored unchecked. */
    DWORD dwFuncAddr = GetFuncAddr ("Kernel32.dll", "DeleteFileA");
    if (dwFuncAddr == 0)
    {
        MessageBox (NULL, "无法加载Kernel32.dll", NULL, 0);  /* "cannot load Kernel32.dll" */
        return 0;
    }
    RemoteParam.dwDeleteAddr = dwFuncAddr;
    RemoteParam.dwSleep = GetFuncAddr ("Kernel32.dll", "Sleep");
    RemoteParam.dwProcessId = GetCurrentProcessId();   /* the remote thread waits for this process */
    RemoteParam.dwOpenProcess = GetFuncAddr ("Kernel32.dll", "OpenProcess");
    RemoteParam.dwCloseHandle = GetFuncAddr ("Kernel32.dll", "CloseHandle");
    RemoteParam.dwWaitFor = GetFuncAddr ("Kernel32.dll", "WaitForSingleObject");
    /* Read/write block in the target holding the parameters; its address is
     * what the remote thread receives as pVoid. */
    LPVOID pRmParam = VirtualAllocEx (hTargetProcess, NULL, sizeof (RMPARAM),
                                      MEM_COMMIT, PAGE_READWRITE);
    if (!pRmParam)
    {
        MessageBox (NULL, "无法申请线程空间", NULL, 0);
        return 0;
    }
    if (!WriteProcessMemory (hTargetProcess, pRmParam,
                             &RemoteParam, sizeof (RMPARAM), &dwBytesWritten))
    {
        MessageBox (NULL, "无法写入线程空间", NULL, 0);
        return 0;
    }
    /* Created suspended; dwBytesWritten is reused to receive the thread id. */
    HANDLE hRemoteThread = CreateRemoteThread (hTargetProcess, NULL, 0,
                                               (LPTHREAD_START_ROUTINE) pRemoteThread, pRmParam, CREATE_SUSPENDED, &dwBytesWritten);
    /* Both branches below return RTN_ERROR, so nothing after this `if` can run. */
    if(!OpenProcessToken(hTargetProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return RTN_ERROR;
    }
    else
        return RTN_ERROR;
}   /* <-- this brace closes WinMain; everything below is outside any function */
// enable SeDebugPrivilege
if(!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
{
    //DisplayError("SetPrivilege");
    // close token handle
    CloseHandle(hToken);
    // indicate failure
    return RTN_ERROR;
}
ResumeThread(hRemoteThread);
return 0;
}   /* unmatched */
#include <string.h>
#include <windows.h>
#include "psapi.h"
#include <tlhelp32.h>
#include <stdio.h>
/* Number of bytes WinMain copies from &ThreadProc into the target process;
 * a fixed constant, not the function's real size. The expansion is not
 * parenthesized, so e.g. `x / THREADSIZE` would expand to `x / 4*1024`. */
#define THREADSIZE 4*1024
/* Signatures of the APIs reached through raw addresses. */
typedef DWORD (WINAPI* PFN_GETPROCNAME) (HANDLE, LPTSTR, DWORD); /* GetProcessImageFileNameA */
typedef BOOL (WINAPI* PFN_DELETE) (LPCTSTR);                    /* DeleteFileA */
typedef VOID (WINAPI* PFN_SLEEP)(DWORD dwMilliseconds);         /* Sleep */
/* Parameter block written into the target process and passed to the remote
 * thread. Addresses are DWORD, so this assumes a 32-bit build. */
typedef struct TAGRMPARAM
{
    char szFilePath[MAX_PATH]; /* full path of the file to delete */
    DWORD dwDeleteAddr;        /* DeleteFileA */
    DWORD dwSleep;             /* Sleep */
}RMPARAM, *LPRMPARAM;
/* Resolve an export by DLL name and procedure name.
 * The DLL is loaded with LoadLibrary and the module reference is never
 * released (no FreeLibrary), so the DLL stays referenced for the life of the
 * process. Returns the procedure address cast to DWORD, or 0 when the DLL
 * cannot be loaded or the export does not exist. The DWORD cast assumes a
 * 32-bit process; on 64-bit it would truncate the pointer. */
DWORD GetFuncAddr (LPTSTR lpszDll, LPTSTR lpszProc)
{
    HMODULE hModule = LoadLibrary (lpszDll);
    if (!hModule)
        return 0;

    FARPROC pfnExport = GetProcAddress (hModule, lpszProc);
    return (DWORD)pfnExport;
}
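/* Return the id of the first running process whose image name equals
 * lpszProcName (case-insensitive), or 0 if there is none or the snapshot
 * cannot be taken.
 *
 * Fixes relative to the original: the snapshot handle is checked against
 * INVALID_HANDLE_VALUE and closed on every path (it leaked on each call);
 * the entry returned by Process32First is compared as well instead of being
 * skipped; and the buffers are no longer lower-cased in place — the original
 * called strlwr on lpszProcName, which at the call site is a string literal,
 * i.e. a write to read-only storage (undefined behavior). */
DWORD ProcessNameToId (char* lpszProcName)
{
    DWORD dwPid = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe;
    ZeroMemory (&pe, sizeof pe);
    pe.dwSize = sizeof pe;               /* Process32First requires dwSize to be set */

    /* Process32First yields the first entry, Process32Next the remaining ones. */
    if (Process32First (hSnapshot, &pe))
    {
        do
        {
            if (_stricmp (pe.szExeFile, lpszProcName) == 0)
            {
                dwPid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next (hSnapshot, &pe));
    }

    CloseHandle (hSnapshot);
    return dwPid;
}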
/* Body of the thread that WinMain starts inside the target process.
 * WinMain copies these bytes into the target, so both routines are reached
 * through the addresses stored in the RMPARAM block. It sleeps two seconds
 * and then deletes pRP->szFilePath.
 * Review note: the fixed delay is a guess, nothing confirms that the
 * injecting process has exited and released the file before DeleteFileA runs.
 * pVoid: address of the RMPARAM copy that WinMain wrote into the target. */
DWORD CALLBACK ThreadProc (LPVOID pVoid)
{
    LPRMPARAM pRP = (LPRMPARAM) pVoid;
    PFN_DELETE pfnDelete = (PFN_DELETE) pRP->dwDeleteAddr;
    PFN_SLEEP pfnSleep = (PFN_SLEEP) pRP->dwSleep;
    pfnSleep(2000);                /* 2000 ms, unconditional */
    pfnDelete (pRP->szFilePath);   /* return value is not checked */
    return 0;
}
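/* Write the bare file name (no directory) of the current executable into
 * lpszFileName, which must hold at least MAX_PATH bytes.
 * Returns TRUE on success. Returns FALSE if GetProcessImageFileNameA cannot be
 * resolved from psapi.dll, if that call fails, or if GetFileTitle cannot
 * extract the name.
 *
 * Fix relative to the original: the results of GetProcessImageFileNameA and
 * GetFileTitle are checked, so a failure no longer copies an undefined buffer
 * into the caller's memory. */
BOOL GetCurrentFileName (LPSTR lpszFileName)
{
    char szShort[MAX_PATH];
    char szFileName[MAX_PATH];

    PFN_GETPROCNAME pfnGetProcName = (PFN_GETPROCNAME) GetFuncAddr ("psapi.dll",
                                                                   "GetProcessImageFileNameA");
    if (!pfnGetProcName)
        return FALSE;

    /* GetProcessImageFileNameA returns the number of characters copied, 0 on failure. */
    HANDLE hCur = GetCurrentProcess ();
    if (pfnGetProcName (hCur, szFileName, MAX_PATH) == 0)
        return FALSE;

    /* GetFileTitle returns 0 on success, a negative value for an invalid name
     * and a positive required size when szShort is too small. */
    if (GetFileTitle (szFileName, szShort, MAX_PATH) != 0)
        return FALSE;

    strcpy (lpszFileName, szShort);  /* szShort is at most MAX_PATH, as the caller's buffer must be */
    return TRUE;
}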
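/* Enable or disable one named privilege on an access token (the MSDN sample).
 * hToken:           token opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
 * lpszPrivilege:    privilege name, e.g. SE_DEBUG_NAME
 * bEnablePrivilege: TRUE to enable, FALSE to disable
 * Returns TRUE on success. Returns FALSE if the privilege name is unknown, if
 * AdjustTokenPrivileges fails, or if it succeeds but reports
 * ERROR_NOT_ALL_ASSIGNED (the token does not hold the privilege, so nothing
 * was changed). Errors are written to stdout with the GetLastError() code.
 *
 * Fix relative to the original: GetLastError() returns a DWORD (unsigned
 * long), so the matching printf specifier is %lu; %u is a type mismatch. */
BOOL SetPrivilege(
    HANDLE hToken, // access token handle
    LPCTSTR lpszPrivilege, // name of privilege to enable/disable
    BOOL bEnablePrivilege // to enable or disable privilege
)
{
    TOKEN_PRIVILEGES tp;
    LUID luid;

    if ( !LookupPrivilegeValue(
            NULL, // lookup privilege on local system
            lpszPrivilege, // privilege to lookup
            &luid ) ) // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %lu\n", GetLastError() );
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // Enable the privilege or disable all privileges.
    if ( !AdjustTokenPrivileges(
            hToken,
            FALSE,
            &tp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL) )
    {
        printf("AdjustTokenPrivileges error: %lu\n", GetLastError() );
        return FALSE;
    }

    // AdjustTokenPrivileges returns TRUE even when it could not assign every
    // requested privilege; that case is only visible through GetLastError().
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}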
/* Exit codes for WinMain. Only RTN_ERROR is referenced in this listing;
 * the success path returns a literal 0. */
#define RTN_OK 0
#define RTN_USAGE 1
#define RTN_ERROR 13
/* Entry point (notepad.exe variant — presumably a test target). Enables
 * SeDebugPrivilege on an impersonation token, then copies ThreadProc and an
 * RMPARAM block into the target and runs them there with CreateRemoteThread;
 * the remote thread sleeps two seconds and deletes this executable.
 *
 * Defender's note: ImpersonateSelf + SeDebugPrivilege followed by
 * OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx(PAGE_EXECUTE_READWRITE),
 * WriteProcessMemory and CreateRemoteThread is the textbook remote-thread
 * injection chain; Sysmon Event ID 8 records the CreateRemoteThread and token
 * privilege adjustments are auditable (Security event 4703). A self-deleting
 * program needs none of it: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, or a
 * separate helper process that waits on this process and then deletes the
 * file, achieves the same without writing into another process.
 *
 * Other review notes:
 *  - hToken, hTargetProcess and hRemoteThread are never closed;
 *  - WriteProcessMemory copies THREADSIZE bytes from &ThreadProc, which is
 *    not the function's length (the failure message prints THREADSIZE and
 *    dwBytesWritten);
 *  - DWORD values are printed with %d; %lu is the matching specifier;
 *  - dwBytesWritten doubles as the thread-id out-parameter of
 *    CreateRemoteThread;
 *  - the doubled `;;` after the Sleep lookup is a harmless empty statement. */
int APIENTRY WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
                      LPSTR lpCmdLine, int nShowCmd)
{
    DWORD dwBytesWritten;
    HANDLE hToken;
    /* A thread normally has no token of its own (ERROR_NO_TOKEN); ImpersonateSelf
     * gives it one so the privilege is enabled on this thread only. */
    if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken))
    {
        if (GetLastError() == ERROR_NO_TOKEN)
        {
            if (!ImpersonateSelf(SecurityImpersonation))
                return RTN_ERROR;
            if(!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)){
                //DisplayError("OpenThreadToken");
                return RTN_ERROR;
            }
        }
        else
            return RTN_ERROR;
    }
    // enable SeDebugPrivilege
    if(!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
    {
        //DisplayError("SetPrivilege");
        // close token handle
        CloseHandle(hToken);
        // indicate failure
        return RTN_ERROR;
    }
    /* Target: the first process named notepad.exe. */
    DWORD dwProcessId = ProcessNameToId ("notepad.exe");
    if (dwProcessId == 0)
    {
        MessageBox (NULL, "找不到线程", NULL, 0);   /* "not found" */
        return 0;
    }
    /* Requests far more access than the calls below use. */
    HANDLE hTargetProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (!hTargetProcess)
    {
        DWORD dwLastError = GetLastError();
        char s[100];
        sprintf(s,"无法打开线程:%d",dwLastError);   /* "cannot open: <error>" */
        MessageBox (NULL, s, NULL, 0);
        return 0;
    }
    /* RWX region in the target that will receive a copy of ThreadProc.
     * Leaked (together with hTargetProcess and hToken) on every error path below. */
    LPVOID pRemoteThread = VirtualAllocEx (hTargetProcess, NULL, THREADSIZE,
                                           MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteThread)
    {
        MessageBox (NULL, "无法申请线程空间", NULL, 0);  /* "cannot allocate" */
        return 0;
    }
    /* Copies THREADSIZE bytes from &ThreadProc — a constant, not the function's size. */
    if (!WriteProcessMemory (hTargetProcess, pRemoteThread,
                             &ThreadProc, THREADSIZE, &dwBytesWritten))
    {
        DWORD dwLastError = GetLastError();
        char s[100];
        /* "cannot write: <error>(<requested>/<written>)" */
        sprintf(s,"无法写入线程空间:%d(%d/%d)",dwLastError,THREADSIZE, dwBytesWritten);
        MessageBox (NULL,s , NULL, 0);
        return 0;
    }
    RMPARAM RemoteParam;
    ZeroMemory (&RemoteParam, sizeof (RMPARAM));
    char szCurrentPath[MAX_PATH];
    char szFileName[MAX_PATH];
    if (!GetCurrentFileName (szFileName))
    {
        MessageBox (NULL, "无法获得现有文件名", NULL, 0);  /* "cannot get own file name" */
        return 0;
    }
    /* Assumes the executable lives in the current directory. The result of
     * GetCurrentDirectory is not checked, and the sprintf into a MAX_PATH
     * buffer is unbounded if directory + name exceed it. */
    GetCurrentDirectory (MAX_PATH, szCurrentPath);
    sprintf (RemoteParam.szFilePath, "%s\\%s", szCurrentPath, szFileName);
    /* Addresses of the kernel32 routines as seen from this process. Only
     * DeleteFileA is checked; Sleep is stored unchecked. */
    DWORD dwFuncAddr = GetFuncAddr ("Kernel32.dll", "DeleteFileA");
    if (dwFuncAddr == 0)
    {
        MessageBox (NULL, "无法加载Kernel32.dll", NULL, 0);  /* "cannot load Kernel32.dll" */
        return 0;
    }
    RemoteParam.dwDeleteAddr = dwFuncAddr;
    RemoteParam.dwSleep = GetFuncAddr ("Kernel32.dll", "Sleep");;   /* stray second ';' is an empty statement */
    /* Read/write block in the target holding the parameters; its address is
     * what the remote thread receives as pVoid. */
    LPVOID pRmParam = VirtualAllocEx (hTargetProcess, NULL, sizeof (RMPARAM),
                                      MEM_COMMIT, PAGE_READWRITE);
    if (!pRmParam)
    {
        MessageBox (NULL, "无法申请线程空间", NULL, 0);
        return 0;
    }
    if (!WriteProcessMemory (hTargetProcess, pRmParam,
                             &RemoteParam, sizeof (RMPARAM), &dwBytesWritten))
    {
        MessageBox (NULL, "无法写入线程空间", NULL, 0);
        return 0;
    }
    /* dwBytesWritten is reused here to receive the new thread id.
     * Neither hRemoteThread, hTargetProcess nor hToken is closed. */
    HANDLE hRemoteThread = CreateRemoteThread (hTargetProcess, NULL, 0,
                                               (LPTHREAD_START_ROUTINE) pRemoteThread, pRmParam, 0, &dwBytesWritten);
    return 0;
}