#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
#define HostProcessW L"winlogon.exe"
// Entry point. Launches the command line given in argv[1] from inside the
// host process named by HostProcessW (winlogon.exe): the helper DLL
// ERunAs.dll is loaded into that process through LoadAndCallW and its
// export "CreateProcessAsSYSTEMW" is invoked with the Params block built
// below.
//   argv[1]  command line to run (environment variables are expanded first)
//   argv[2]  optional; if it starts with 'R'/'r' the DLL stays in the host
// Returns nothing (declared VOID; the conforming form is int wmain(...)).
// On any failure the program waits for a keypress before exiting.
// NOTE(review): this is a DLL-injection / run-as-SYSTEM pattern. It needs
// the privilege enabled below (SeDebugPrivilege) and touches a system
// process, which is the sequence host-based monitoring looks for
// (privilege enablement followed by cross-process memory/thread access on
// winlogon.exe). ProcessName2PIDW, LoadAndCallW, UnloadModuleW,
// LACMEMPointer and the PW_*/ErrorAM* constants come from ApiHooks.h /
// PrcWorks.h, which are not on this page; their contracts are inferred.
VOID wmain(int argc, WCHAR** argv) {
BOOL NoError = FALSE; // set only once the child has been resumed
if(argc < 2)
wprintf(L"Usage: ERunAs <CommandLine> [R]esident");
else {
HINSTANCE hntdll;
BYTE WasEn; // previous enable state, written back by RtlAdjustPrivilege
typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
TRAP RAP;
// Enable privilege 20 (SE_DEBUG_PRIVILEGE in winnt.h) for this process via
// the ntdll export. The NTSTATUS it returns is discarded and both lookups
// are assignments inside the conditions, so a missing privilege is only
// noticed later, when the host process cannot be opened. No braces on the
// nested ifs: the body is the single RAP(...) call.
if(hntdll = GetModuleHandleW(L"ntdll.dll"))
if(RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege"))
RAP(20, TRUE, 0, &WasEn);
// Resolve the host PID by image name; the three PW_* values are the
// helper's error sentinels (declared in PrcWorks.h, not visible here).
DWORD PID = ProcessName2PIDW(HostProcessW);
if((PID != PW_SESERROR) && (PID != PW_PIDERROR) && (PID != PW_MEMERROR)) {
// Byte offsets of the three MAX_PATH-WCHAR strings that follow the five
// DWORD header slots in Params: command line (CL), a middle slot that is
// not filled in (DS), and the current directory (DR).
#define CLOffset (sizeof(DWORD)*5)
#define DSOffset (sizeof(DWORD)*5+MAX_PATH*sizeof(WCHAR))
#define DROffset (sizeof(DWORD)*5+(MAX_PATH+MAX_PATH)*sizeof(WCHAR))
// Argument block handed to the DLL: 5 DWORD slots + 3 x MAX_PATH WCHARs.
// Only the fields written below are initialized; the rest is stack garbage.
DWORD Params[5+(MAX_PATH+MAX_PATH+MAX_PATH)*sizeof(WCHAR)/sizeof(DWORD)];
Params[0] = GetCurrentProcessId();
// LACMEMPointer presumably is the address at which LoadAndCallW places
// Params inside the host, so slots 1 and 4 are host-side pointers to the
// two strings. Storing addresses in DWORD slots only works for 32-bit builds.
Params[1] = LACMEMPointer+CLOffset;
Params[2] = NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED; // child starts suspended; resumed below
Params[3] = NULL; //LACMEMPointer+DSOffset
Params[4] = LACMEMPointer+DROffset;
// Fill the two strings in place. Both return values are ignored: a command
// line that expands past MAX_PATH is not detected (the buffer is then
// incomplete), and the (DWORD) cast of Params truncates the pointer on
// 64-bit builds.
ExpandEnvironmentStringsW(argv[1], (PWSTR)((DWORD)Params+CLOffset), MAX_PATH);
GetCurrentDirectoryW(MAX_PATH, (PWSTR)((DWORD)Params+DROffset));
BOOL WasResident = TRUE; // assume the DLL is already in the host
WCHAR FullDLLW[MAX_PATH] = L"ERunAs.dll";
// First attempt uses the unqualified DLL name and fifth argument 0 (its
// meaning, and that of the 40000, is defined by LoadAndCallW's header, not
// shown here). The result is a DWORD packing two handles: thread in the
// low word, process in the high word (see the LOWORD/HIWORD uses below);
// values in (ErrorAMMin, ErrorAMMax] or a zero low word mean failure.
DWORD hPhT = LoadAndCallW(NULL, FullDLLW, PID, 40000, 0, L"CreateProcessAsSYSTEMW", sizeof(Params)/sizeof(DWORD), Params);
if(((ErrorAMMin < hPhT) && (hPhT <= ErrorAMMax)) || (LOWORD(hPhT) == NULL)) {
// Second attempt: derive the DLL path from this executable's own path by
// overwriting its last three characters with "DLL" (assumes a 3-letter
// extension such as .exe). nChars is unchecked: 0 on failure would index
// FullDLLW[-1], and a path truncated to the buffer size is mangled too.
WasResident = FALSE;
int nChars = GetModuleFileNameW(NULL, FullDLLW, sizeof(FullDLLW)/sizeof(WCHAR));
FullDLLW[nChars-1] = L'L';
FullDLLW[nChars-2] = L'L';
FullDLLW[nChars-3] = L'D';
hPhT = LoadAndCallW(NULL, FullDLLW, PID, 40000, 1, L"CreateProcessAsSYSTEMW", sizeof(Params)/sizeof(DWORD), Params);
}
if(((ErrorAMMin < hPhT) && (hPhT <= ErrorAMMax)) || (LOWORD(hPhT) == NULL)) {
wprintf(L"Can't create '%s'!", argv[1]);
}
else {
// Handles are rebuilt from 16-bit halves, so any handle value above
// 0xFFFF is corrupted at this point. The child was created
// CREATE_SUSPENDED, hence the explicit resume; both handles are then
// closed and the tool does not wait for the child.
ResumeThread((HANDLE)LOWORD(hPhT));
CloseHandle((HANDLE)LOWORD(hPhT));
CloseHandle((HANDLE)HIWORD(hPhT));
NoError = TRUE;
//wprintf(L"'%s' created.", argv[1]);
}
// Unload the DLL from the host unless argv[2] starts with 'R' or 'r'
// (OR-ing with L' ' folds ASCII letters to lower case) or the DLL was
// already resident before this run.
BOOL UnloadDLL = TRUE;
if(argc > 2)
UnloadDLL = ((argv[2][0] | L' ') != L'r');
if(UnloadDLL && !WasResident)
UnloadModuleW(NULL, FullDLLW, PID, 40000, 1);
}
else
wprintf(L"Can't find host process!");
}
// Keep the console window open on failure so the message can be read.
if(!NoError)
getch();
}