在Win2000/XP上安静地替换正在使用的系统文件
#include <stdlib.h>#include "Windows.h"
#include "Tlhelp32.h"
#pragma comment( lib, "Advapi32.lib" )
typedef void (_stdcall * CLOSEEVENTS)(void);
typedef unsigned long DWORD;
typedef DWORD ANTISFC_ACCESS;
/*
* ANTISFC structures
*/
typedef struct _ANTISFC_PROCESS {
DWORD Pid; // process pid
HANDLE ProcessHandle; // process handle
char ImageName; // image name (not full path)
} ANTISFC_PROCESS, *PANTISFC_PROCESS;
__inline void ErrorMessageBox(char *szAdditionInfo)
{
printf("error on %s, error code %d. \n", szAdditionInfo, GetLastError());
}
void usage(char *n) {
printf("usage: %s \n", n);
printf("\t/d: disable sfc file protecte fuction.\n");
exit(0);
}
DWORD Init() {
DWORDRet = 0;
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
ErrorMessageBox("OpenProcessToken");
} else {
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
ErrorMessageBox("LookupPrivilegeValue");
} else {
tkp.PrivilegeCount = 1;
tkp.Privileges.Luid = sedebugnameValue;
tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) {
ErrorMessageBox("AdjustTokenPrivileges");
} else {
Ret = 1;
}
}
CloseHandle(hToken);
}
return(Ret);
}
DWORD GetPidEx(char *proc_name, char *full_path) {
DWORD dwPid=0;
HANDLE hSnapshot;
PROCESSENTRY32 pe;
BOOL Ret;
if (isdigit(proc_name))
dwPid = strtoul(proc_name, NULL, 0);
else
dwPid = -1;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == (HANDLE) -1){
ErrorMessageBox("CreateToolhelp32Snapshot");
return(0);
}
pe.dwSize = sizeof(PROCESSENTRY32);
Ret = Process32First(hSnapshot, &pe);
while (Ret) {
if((strncmp(strlwr(pe.szExeFile), strlwr(proc_name), strlen(proc_name)) == 0)
|| (pe.th32ProcessID == dwPid)) {
dwPid = pe.th32ProcessID;
strcpy(full_path, pe.szExeFile);
break;
}
pe.dwSize = sizeof(PROCESSENTRY32);
Ret = Process32Next(hSnapshot, &pe);
}
CloseHandle(hSnapshot);
if (dwPid == -1)
dwPid = 0;
return(dwPid);
}
DWORD InitProcess(PANTISFC_PROCESS Process, char *proc_name, ANTISFC_ACCESS access) {
DWORD Ret=0;
Process->Pid = GetPidEx(proc_name, Process->ImageName);
if (Process->Pid != 0 && Process->ImageName != 0) {
Process->ProcessHandle = OpenProcess(access, FALSE, Process->Pid);
if (Process->ProcessHandle == NULL)
ErrorMessageBox("OpenProcess");
else
Ret = 1;
}
return(Ret);
}
DWORD InjectThread(PANTISFC_PROCESS Process,
PVOID function) {
HANDLE hThread;
DWORD dwThreadPid = 0, dwState;
hThread = CreateRemoteThread(Process->ProcessHandle,
NULL,
0,
(DWORD (__stdcall *) (void *)) function,
NULL,
0,
&dwThreadPid);
if (hThread == NULL) {
ErrorMessageBox("CreateRemoteThread");
goto cleanup;
}
dwState = WaitForSingleObject(hThread, 4000); // attends 4 secondes
switch (dwState) {
case WAIT_TIMEOUT:
case WAIT_FAILED:
ErrorMessageBox("WaitForSingleObject");
goto cleanup;
case WAIT_OBJECT_0:
break;
default:
ErrorMessageBox("WaitForSingleObject");
goto cleanup;
}
CloseHandle(hThread);
return dwThreadPid;
cleanup:
CloseHandle(hThread);
return 0;
}
int main(int argc, char* argv[])
{
ANTISFC_PROCESS Process;
HMODULE hSfc;
DWORD dwThread;
CLOSEEVENTS pfnCloseEvents;
DWORD dwVersion;
printf("AntiSfc programed by bgate. :) *\n\n");
if (argc != 2)
usage(argv);
if (strcmp(argv, "/d") != 0) {
usage(argv);
}
if (Init()) {
printf("debug privilege set\n");
} else {
printf("error on get debug privilege\n");
return(0);
}
if(InitProcess(&Process, "winlogon.exe", PROCESS_ALL_ACCESS) == 0) {
printf("error on get process info. \n");
return(0);
}
dwVersion = GetVersion();
if ((DWORD)(LOBYTE(LOWORD(dwVersion))) == 5){ // Windows 2000/XP
if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0){ //Windows 2000
hSfc = LoadLibrary("sfc.dll");
printf("Win2000\n");
}
else {//if((DWORD)(HIBYTE(LOWORD(dwVersion))) = 1) //Windows XP
hSfc = LoadLibrary("sfc_os.dll");
printf("Windows XP\n");
}
}
//else if ()//2003?
else {
printf("unsupported version\n");
}
pfnCloseEvents = (CLOSEEVENTS)GetProcAddress(hSfc,
MAKEINTRESOURCE(2));
if(pfnCloseEvents == NULL){
printf("Load the sfc fuction failed\n");
FreeLibrary(hSfc);
return(0);
}
FreeLibrary(hSfc);
dwThread = InjectThread(&Process,
pfnCloseEvents);
if(dwThread == 0){
printf("failed\n");
}
else{
printf("OK\n");
}
CloseHandle(Process.ProcessHandle);
return(0);
}
signed int __cdecl wmain(signed int a1, int a2)
{
const WCHAR *v2; // ebx@1
const WCHAR *v3; // ebp@1
bool v4; // edi@2
const wchar_t **v6; // ebx@15
int v7; // edi@15
size_t v8; // esi@16
int v9; // @5
int v10; // @17
char v11; // @25
CHAR MultiByteStr; // @16
int v13; // @1
struct _OSVERSIONINFOA VersionInformation; // @1
CHAR NewFileName; // @29
const CHAR puLen; // @6
CHAR v17; // @2
CHAR FileName; // @6
CHAR PathName; // @29
struct _WIN32_FIND_DATAA FindFileData; // @1
v3 = *(const WCHAR **)(a2 + 4);
v2 = *(const WCHAR **)(a2 + 8);
FindFileData.dwFileAttributes = 0;
v13 = 0;
memset(&FindFileData.ftCreationTime, 0, 0x13Cu);
memset(&VersionInformation, 0, sizeof(VersionInformation));
VersionInformation.dwOSVersionInfoSize = 148;
GetVersionExA(&VersionInformation);
if ( VersionInformation.dwMajorVersion <= 4 )
{
v9 = (int)"This program requires Windows 2000";
goto LABEL_31;
}
wsprintfA(&v17, "%d", LOWORD(VersionInformation.dwBuildNumber));
v4 = unknown_libname_15(&v17, "2072") >= 0;
ostream__operator__("InUse - version 1.4");
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__("---------------------------------------------------------------------------");
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__("Copyright (c) 1994-1999 Microsoft Corporation. All rights reserved");
ostream__operator__(10);
sub_401820(sub_401840);
if ( v4 != 1 )
{
v9 = (int)"You are running on an un-supported beta build of Windows 2000\a";
goto LABEL_31;
}
ostream__operator__("Windows 2000 detected - WFP is enforced");
ostream__operator__(10);
sub_401820(sub_401840);
if ( a1 == 1 )
{
LABEL_4:
sub_401730();
return 0;
}
WideCharToMultiByte(0, 0, v3, -1, &FileName, 256, 0, 0);
WideCharToMultiByte(0, 0, v2, -1, (LPSTR)&puLen, 256, 0, 0);
if ( (int)FindFirstFileA(&FileName, &FindFileData) == -1 )
{
sub_401730();
v9 = (int)"\a Error:\tReplacement file doesn't exist";
goto LABEL_31;
}
if ( FindFirstFileA(&puLen, &FindFileData) == (HANDLE)-1 )
{
sub_401730();
v9 = (int)"\a Error:\tDestination file doesn't exist";
goto LABEL_31;
}
if ( SfcIsFileProtected(0, v2) )
{
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__(&puLen);
ostream__operator__(" is protected by WFP\a");
ostream__operator__(10);
sub_401820(sub_401840);
return 1;
}
switch ( a1 )
{
case 1:
case 2:
sub_401730();
return 1;
case 3:
case 4:
if ( a1 <= 3 )
goto LABEL_24;
v7 = a1 - 3;
v6 = (const wchar_t **)(a2 + 12);
break;
default:
goto LABEL_4;
}
do
{
v8 = wcslen(*v6);
WideCharToMultiByte(0, 0, *(LPCWSTR *)(a2 + 12), -1, &MultiByteStr, 256, 0, 0);
if ( v8 == 2 )
{
if ( unknown_libname_15(&MultiByteStr, "/y") && unknown_libname_15(&MultiByteStr, "/Y") )
{
ostream__operator__("\n ");
ostream__operator__(&MultiByteStr);
ostream__operator__(" <-- invalid parameter");
ostream__operator__(10);
sub_401820(sub_401840);
sub_401730();
goto LABEL_23;
}
v13 = 1;
v10 = (int)"Confirmation suppressed";
}
else
{
v10 = (int)" <-- invalid parameter";
ostream__operator__(L" ");
ostream__operator__(&MultiByteStr);
}
ostream__operator__(v10);
ostream__operator__(10);
sub_401820(sub_401840);
LABEL_23:
++v6;
--v7;
}
while ( v7 );
LABEL_24:
ostream__operator__("\nINUSE is about to replace the following file");
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__("\n\tExisting: ");
ostream__operator__(L" ");
ostream__operator__(&puLen);
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__(L"\t");
sub_4015C0(&puLen);
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__("\tReplacement:");
ostream__operator__(L" ");
ostream__operator__(&FileName);
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__(L"\t");
sub_4015C0(&FileName);
if ( v13 )
goto LABEL_34;
ostream__operator__("\n\aDo you want to continue?(y/n) ");
istream__operator__(&v11);
if ( v11 == 110 )
{
v9 = (int)"\a\nOperation cancelled";
goto LABEL_31;
}
if ( v11 != 78 )
{
LABEL_34:
GetTempPathA(0x200u, &PathName);
GetTempFileNameA(&PathName, "INU", 0, &NewFileName);
ostream__operator__("\n\t");
ostream__operator__(&FileName);
ostream__operator__(" is replacing --> ");
ostream__operator__(&puLen);
ostream__operator__(10);
sub_401820(sub_401840);
CopyFileA(&FileName, &NewFileName, 0);
MoveFileExA(&NewFileName, &puLen, 5u);
v9 = (int)"\nChanges will not take affect until you reboot.";
}
else
{
v9 = (int)"\a\nOperation cancelled";
}
LABEL_31:
ostream__operator__(v9);
ostream__operator__(10);
sub_401820(sub_401840);
return 0;
} 只不过是移动拷贝而已,再就是用SfcIsFileProtected检查了一下,目标是否被保护。
页:
[1]