debploitoffexe.cpp
// You must have "Debug programs" right.
// DebPloitOff.dll must be in the same directory as DebPloitOff.exe
// Path to DebPloitOff.dll can have max. 240 characters.
// SYSTEM must have Read&Execute access to DebPloitOff.dll.
#define WIN32_LEAN_AND_MEAN
#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <tchar.h>
#define AH_STATIC_LINKING
#include <ApiHooks.h>
#define PW_STATIC_LINKING
#include <PrcWorks.h>
#define AW_STATIC_LINKING
#include <NtApiWorks.h>
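// Program entry point.
//
// Steps, as visible in this function:
//   1. Best-effort: enable privilege 20 (SE_DEBUG_PRIVILEGE) through
//      ntdll!RtlAdjustPrivilege, resolved at run time.
//   2. Build the hook DLL path by taking this executable's own full path and
//      overwriting its last three characters with "DLL".
//   3. Hand that path to NtAllocEAHScout and, if that succeeds, pass the
//      resulting buffer to RemoteExecute with the PID of smss.exe.
//
// Security note for maintainers: the DLL is trusted purely by location. The
// file header states that SYSTEM must be able to read and execute it, so the
// directory holding the .exe/.dll pair must not be writable by
// non-administrators; otherwise whatever file sits at that path is what gets
// handed to the privileged process.
VOID WINAPI xMain(VOID) {
    TCHAR Hooks_DLL[MAX_PATH];
    const DWORD BufChars = sizeof(Hooks_DLL) / sizeof(TCHAR);
    DWORD WasEn;
    typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, DWORD*);

    // RtlAdjustPrivilege is not in the SDK import libraries, so it is looked up
    // dynamically. Failure is deliberately non-fatal here, as in the original:
    // without the privilege the later steps are expected to fail on their own.
    HINSTANCE hntdll = GetModuleHandle(_T("ntdll.dll"));
    if (hntdll != NULL) {
        TRAP RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege");
        if (RAP != NULL)
            RAP(20, TRUE, 0, &WasEn);   // 20 == SE_DEBUG_PRIVILEGE
    }

    // GetModuleFileName returns 0 on failure and the buffer size when the path
    // was truncated. The original indexed Hooks_DLL[n-1..n-3] unconditionally,
    // which writes out of bounds for n < 3 and rewrites a truncated (wrong)
    // path for n == BufChars. Bail out in both cases.
    DWORD n = GetModuleFileName(NULL, Hooks_DLL, BufChars);
    if (n < 4 || n >= BufChars)
        return;

    // Only swap the extension when there really is a three-character one;
    // otherwise the overwrite would alter the base name and point at an
    // unrelated file.
    if (Hooks_DLL[n - 4] != _T('.'))
        return;
    Hooks_DLL[n - 3] = _T('D');
    Hooks_DLL[n - 2] = _T('L');
    Hooks_DLL[n - 1] = _T('L');

    DWORD EAHScoutSize;
    PVOID LocalEAHScout = NtAllocEAHScout(Hooks_DLL, FALSE, &EAHScoutSize);

    // The ApiHooks helper signals errors through the returned value itself:
    // anything >= ErrorAHMin is treated as an error code rather than a buffer.
    // NOTE(review): the (DWORD) and (PVOID) casts below truncate/widen on
    // 64-bit builds; this code appears to target 32-bit only - confirm.
    if ((DWORD)LocalEAHScout < ErrorAHMin) {
        // presumably 5000 is a timeout in milliseconds and the "0/" prefix is
        // a ProcessName2PID selector - verify against the PrcWorks headers.
        // The current process id is passed through as the last argument.
        RemoteExecute(NULL, ProcessName2PID(_T("0/smss.exe")), 5000,
                      LocalEAHScout, EAHScoutSize,
                      (PVOID)GetCurrentProcessId());
        NtFreeEAHScout(LocalEAHScout);
    }
}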