erunasexe.cpp

#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>

//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>

#define HostProcessW L"winlogon.exe"

// Entry point. Runs the command line given in argv[1] as a child of the
// process named by HostProcessW (winlogon.exe): it enables a privilege in its
// own token, looks the host process up by image name, and then has ERunAs.dll,
// loaded into that host, create the child via "CreateProcessAsSYSTEMW".
// argv[1] : command line to run (environment strings are expanded first).
// argv[2] : optional; a word starting with 'R'/'r' keeps the DLL resident in
//           the host process after the launch.
// Returns nothing (non-standard VOID wmain). On any failure it prints a
// message and waits for a keypress so the console output can be read.
// Security note: the observable sequence here - SE_DEBUG_PRIVILEGE enabled in
// an ordinary process, followed by a module load and a call into winlogon.exe
// from that process - is the cross-process injection pattern that endpoint
// telemetry (remote-thread and image-load events on winlogon.exe) exists to
// surface; from an unexpected binary it should be treated as an attempted
// privilege escalation.
VOID wmain(int argc, WCHAR** argv) {
  BOOL NoError = FALSE;   // becomes TRUE only once the child has been resumed
  if(argc < 2) 
    wprintf(L"Usage: ERunAs <CommandLine> [R]esident");
  else {
    HINSTANCE hntdll;
    BYTE  WasEn;          // out-param: previous enabled state of the privilege
    typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
    TRAP  RAP;
    // RtlAdjustPrivilege is undocumented, so it is resolved at run time rather
    // than import-linked. Privilege value 20 is SE_DEBUG_PRIVILEGE; TRUE
    // enables it, and the third argument 0 selects the process token rather
    // than the thread token. The assignments inside the if-conditions are
    // intentional; a failure here is ignored and LoadAndCallW below is simply
    // left to fail.
    if(hntdll = GetModuleHandleW(L"ntdll.dll"))
      if(RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege"))
        RAP(20, TRUE, 0, &WasEn);

  
    // PID of the host process, found by image name through PrcWorks. The
    // three PW_*ERROR values are failure codes returned in place of a PID.
    DWORD PID = ProcessName2PIDW(HostProcessW);
    if((PID != PW_SESERROR) && (PID != PW_PIDERROR) && (PID != PW_MEMERROR)) {
      // Byte offsets of the three string fields that follow the five DWORD
      // header slots in Params: command line, start directory (unused) and
      // current directory. Each field holds MAX_PATH WCHARs.
      #define CLOffset (sizeof(DWORD)*5)
      #define DSOffset (sizeof(DWORD)*5+MAX_PATH*sizeof(WCHAR))
      #define DROffset (sizeof(DWORD)*5+(MAX_PATH+MAX_PATH)*sizeof(WCHAR))
      // Argument block handed to the remote function: 5 DWORDs plus the three
      // string buffers, kept in one flat array so it is copied as a unit.
      DWORD Params[5+(MAX_PATH+MAX_PATH+MAX_PATH)*sizeof(WCHAR)/sizeof(DWORD)];
      Params[0] = GetCurrentProcessId();
      // Params[1] and Params[4] are addresses meaningful in the *host*
      // process: LACMEMPointer is presumably where LoadAndCallW places the
      // remote copy of this block - confirm against ApiHooks.h. Params[3]
      // (start directory) is deliberately left NULL.
      Params[1] = LACMEMPointer+CLOffset;
      Params[2] = NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED;   // child starts suspended; resumed below
      Params[3] = NULL; //LACMEMPointer+DSOffset
      Params[4] = LACMEMPointer+DROffset;

      // Fill the string fields in place. (DWORD)Params only round-trips a
      // pointer on a 32-bit build. Both calls silently truncate at MAX_PATH
      // WCHARs, and neither return value is checked.
      ExpandEnvironmentStringsW(argv[1], (PWSTR)((DWORD)Params+CLOffset), MAX_PATH);
      GetCurrentDirectoryW(MAX_PATH, (PWSTR)((DWORD)Params+DROffset));

      // First attempt: address the DLL by module name only, i.e. presumably
      // assume a copy left resident in the host by an earlier run.
      // 40000 is passed through to LoadAndCallW unexplained here (a timeout
      // in ms would be the natural reading - check ApiHooks.h).
      BOOL WasResident = TRUE;
      WCHAR FullDLLW[MAX_PATH] = L"ERunAs.dll";
      DWORD hPhT = LoadAndCallW(NULL, FullDLLW, PID, 40000, 0, L"CreateProcessAsSYSTEMW", sizeof(Params)/sizeof(DWORD), Params);
      // The result is either an ApiHooks error code in (ErrorAMMin, ErrorAMMax]
      // or a value whose low/high 16-bit halves are used as handles below; a
      // zero low word is also treated as failure.
      if(((ErrorAMMin < hPhT) && (hPhT <= ErrorAMMax)) || (LOWORD(hPhT) == NULL)) {
        // Second attempt: load the DLL from disk. Its path is derived from
        // this executable's own path by overwriting the last three characters
        // (".EXE" -> ".DLL"), so the DLL must sit next to the executable.
        // NOTE(review): if GetModuleFileNameW fails it returns 0 and the
        // nChars-1 .. nChars-3 writes land before the buffer.
        WasResident = FALSE;
        int nChars = GetModuleFileNameW(NULL, FullDLLW, sizeof(FullDLLW)/sizeof(WCHAR));
        FullDLLW[nChars-1] = L'L';   
        FullDLLW[nChars-2] = L'L';   
        FullDLLW[nChars-3] = L'D';
        // Fifth argument 1 (0 above) presumably tells LoadAndCallW to load the
        // module rather than reuse an already-mapped one - confirm in ApiHooks.h.
        hPhT = LoadAndCallW(NULL, FullDLLW, PID, 40000, 1, L"CreateProcessAsSYSTEMW", sizeof(Params)/sizeof(DWORD), Params);
      }
      if(((ErrorAMMin < hPhT) && (hPhT <= ErrorAMMax)) || (LOWORD(hPhT) == NULL)) {
        wprintf(L"Can't create '%s'!", argv[1]);
      }
      else {
        // Low word is used as the child's thread handle, high word as its
        // process handle (the packing is presumably done by the DLL). The
        // child was created suspended, so start it, then release both handles.
        ResumeThread((HANDLE)LOWORD(hPhT));
        CloseHandle((HANDLE)LOWORD(hPhT));
        CloseHandle((HANDLE)HIWORD(hPhT));
        NoError = TRUE;
        //wprintf(L"'%s' created.", argv[1]);
      }
      // A second argument starting with 'R'/'r' keeps the DLL loaded in the
      // host; `| L' '` folds an ASCII upper-case letter to lower case. A copy
      // that was already resident before this run is never unloaded here.
      BOOL UnloadDLL = TRUE;
      if(argc > 2)
        UnloadDLL = ((argv[2][0] | L' ') != L'r');
      if(UnloadDLL && !WasResident)
        UnloadModuleW(NULL, FullDLLW, PID, 40000, 1);
    }
    else
      wprintf(L"Can't find host process!");
  }
  // Keep the console window open on failure so the message can be read.
  if(!NoError)
    getch();
}
