在Win2000/XP上安静地替换正在使用的系统文件

whypro · 发表于 2010-5-26 17:07:47

#include <stdlib.h>
#include "Windows.h"
#include "Tlhelp32.h"
#pragma comment( lib, "Advapi32.lib" )
typedef void (_stdcall * CLOSEEVENTS)(void);
typedef unsigned long DWORD;
typedef DWORD ANTISFC_ACCESS;
/*
* ANTISFC structures
*/
typedef struct _ANTISFC_PROCESS {
DWORD Pid; // process pid
HANDLE ProcessHandle; // process handle
char ImageName[MAX_PATH]; // image name (not full path)
} ANTISFC_PROCESS, *PANTISFC_PROCESS;
__inline void ErrorMessageBox(char *szAdditionInfo)
{
printf("error on %s, error code %d. \n", szAdditionInfo, GetLastError());
}
void usage(char *n) {
printf("usage: %s [/d]\n", n);
printf("\t/d: disable sfc file protecte fuction.\n");
exit(0);
}
DWORD Init() {
DWORD Ret = 0;
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
ErrorMessageBox("OpenProcessToken");
} else {
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
ErrorMessageBox("LookupPrivilegeValue");
} else {
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL)) {
ErrorMessageBox("AdjustTokenPrivileges");
} else {
Ret = 1;
}
}
CloseHandle(hToken);
}
return(Ret);
}
DWORD GetPidEx(char *proc_name, char *full_path) {
DWORD dwPid=0;
HANDLE hSnapshot;
PROCESSENTRY32 pe;
BOOL Ret;
if (isdigit(proc_name[0]))
dwPid = strtoul(proc_name, NULL, 0);
else
dwPid = -1;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == (HANDLE) -1){
ErrorMessageBox("CreateToolhelp32Snapshot");
return(0);
}
pe.dwSize = sizeof(PROCESSENTRY32);
Ret = Process32First(hSnapshot, &pe);
while (Ret) {
if((strncmp(strlwr(pe.szExeFile), strlwr(proc_name), strlen(proc_name)) == 0)
|| (pe.th32ProcessID == dwPid)) {
dwPid = pe.th32ProcessID;
strcpy(full_path, pe.szExeFile);
break;
}
pe.dwSize = sizeof(PROCESSENTRY32);
Ret = Process32Next(hSnapshot, &pe);
}
CloseHandle(hSnapshot);
if (dwPid == -1)
dwPid = 0;
return(dwPid);
}
DWORD InitProcess(PANTISFC_PROCESS Process, char *proc_name, ANTISFC_ACCESS access) {
DWORD Ret=0;
Process->Pid = GetPidEx(proc_name, Process->ImageName);
if (Process->Pid != 0 && Process->ImageName[0] != 0) {
Process->ProcessHandle = OpenProcess(access, FALSE, Process->Pid);
if (Process->ProcessHandle == NULL)
ErrorMessageBox("OpenProcess");
else
Ret = 1;
}
return(Ret);
}
DWORD InjectThread(PANTISFC_PROCESS Process,
PVOID function) {
HANDLE hThread;
DWORD dwThreadPid = 0, dwState;
hThread = CreateRemoteThread(Process->ProcessHandle,
NULL,
0,
(DWORD (__stdcall *) (void *)) function,
NULL,
0,
&dwThreadPid);
if (hThread == NULL) {
ErrorMessageBox("CreateRemoteThread");
goto cleanup;
}
dwState = WaitForSingleObject(hThread, 4000); // attends 4 secondes
switch (dwState) {
case WAIT_TIMEOUT:
case WAIT_FAILED:
ErrorMessageBox("WaitForSingleObject");
goto cleanup;
case WAIT_OBJECT_0:
break;
default:
ErrorMessageBox("WaitForSingleObject");
goto cleanup;
}
CloseHandle(hThread);
return dwThreadPid;
cleanup:
CloseHandle(hThread);
return 0;
}
int main(int argc, char* argv[])
{
ANTISFC_PROCESS Process;
HMODULE hSfc;
DWORD dwThread;
CLOSEEVENTS pfnCloseEvents;
DWORD dwVersion;
printf("AntiSfc programed by bgate. :) *\n\n");
if (argc != 2)
usage(argv[0]);
if (strcmp(argv[1], "/d") != 0) {
usage(argv[0]);
}
if (Init()) {
printf("debug privilege set\n");
} else {
printf("error on get debug privilege\n");
return(0);
}
if(InitProcess(&Process, "winlogon.exe", PROCESS_ALL_ACCESS) == 0) {
printf("error on get process info. \n");
return(0);
}
dwVersion = GetVersion();
if ((DWORD)(LOBYTE(LOWORD(dwVersion))) == 5){ // Windows 2000/XP
if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0){ //Windows 2000
hSfc = LoadLibrary("sfc.dll");
printf("Win2000\n");
}
else {//if((DWORD)(HIBYTE(LOWORD(dwVersion))) = 1) //Windows XP
hSfc = LoadLibrary("sfc_os.dll");
printf("Windows XP\n");
}
}
//else if () //2003?
else {
printf("unsupported version\n");
}
pfnCloseEvents = (CLOSEEVENTS)GetProcAddress(hSfc,
MAKEINTRESOURCE(2));
if(pfnCloseEvents == NULL){
printf("Load the sfc fuction failed\n");
FreeLibrary(hSfc);
return(0);
}
FreeLibrary(hSfc);
dwThread = InjectThread(&Process,
pfnCloseEvents);
if(dwThread == 0){
printf("failed\n");
}
else{
printf("OK\n");
}
CloseHandle(Process.ProcessHandle);
return(0);
}

复制代码

whypro · 发表于 2010-5-26 17:09:35

signed int __cdecl wmain(signed int a1, int a2)
{
  const WCHAR *v2; // ebx@1
  const WCHAR *v3; // ebp@1
  bool v4; // edi@2
  const wchar_t **v6; // ebx@15
  int v7; // edi@15
  size_t v8; // esi@16
  int v9; // [sp-4h] [bp-510h]@5
  int v10; // [sp-4h] [bp-510h]@17
  char v11; // [sp+13h] [bp-4F9h]@25
  CHAR MultiByteStr; // [sp+14h] [bp-4F8h]@16
  int v13; // [sp+1Ch] [bp-4F0h]@1
  struct _OSVERSIONINFOA VersionInformation; // [sp+20h] [bp-4ECh]@1
  CHAR NewFileName; // [sp+B4h] [bp-458h]@29
  const CHAR puLen; // [sp+118h] [bp-3F4h]@6
  CHAR v17; // [sp+218h] [bp-2F4h]@2
  CHAR FileName; // [sp+268h] [bp-2A4h]@6
  CHAR PathName; // [sp+368h] [bp-1A4h]@29
  struct _WIN32_FIND_DATAA FindFileData; // [sp+3CCh] [bp-140h]@1

  v3 = *(const WCHAR **)(a2 + 4);
  v2 = *(const WCHAR **)(a2 + 8);
  FindFileData.dwFileAttributes = 0;
  v13 = 0;
  memset(&FindFileData.ftCreationTime, 0, 0x13Cu);
  memset(&VersionInformation, 0, sizeof(VersionInformation));
  VersionInformation.dwOSVersionInfoSize = 148;
  GetVersionExA(&VersionInformation);
  if ( VersionInformation.dwMajorVersion <= 4 )
  {
v9 = (int)"This program requires Windows 2000";
goto LABEL_31;
  }
  wsprintfA(&v17, "%d", LOWORD(VersionInformation.dwBuildNumber));
  v4 = unknown_libname_15(&v17, "2072") >= 0;
  ostream__operator__("InUse - version 1.4");
  ostream__operator__(10);
  sub_401820(sub_401840);
  ostream__operator__("---------------------------------------------------------------------------");
  ostream__operator__(10);
  sub_401820(sub_401840);
  ostream__operator__("Copyright (c) 1994-1999 Microsoft Corporation. All rights reserved");
  ostream__operator__(10);
  sub_401820(sub_401840);
  if ( v4 != 1 )
  {
v9 = (int)"You are running on an un-supported beta build of Windows 2000\a";
goto LABEL_31;
  }
  ostream__operator__("Windows 2000 detected - WFP is enforced");
  ostream__operator__(10);
  sub_401820(sub_401840);
  if ( a1 == 1 )
  {
LABEL_4:
sub_401730();
return 0;
  }
  WideCharToMultiByte(0, 0, v3, -1, &FileName, 256, 0, 0);
  WideCharToMultiByte(0, 0, v2, -1, (LPSTR)&puLen, 256, 0, 0);
  if ( (int)FindFirstFileA(&FileName, &FindFileData) == -1 )
  {
sub_401730();
v9 = (int)"\a Error:\tReplacement file doesn't exist";
goto LABEL_31;
  }
  if ( FindFirstFileA(&puLen, &FindFileData) == (HANDLE)-1 )
  {
sub_401730();
v9 = (int)"\a Error:\tDestination file doesn't exist";
goto LABEL_31;
  }
  if ( SfcIsFileProtected(0, v2) )
  {
ostream__operator__(10);
sub_401820(sub_401840);
ostream__operator__(&puLen);
ostream__operator__(" is protected by WFP\a");
ostream__operator__(10);
sub_401820(sub_401840);
return 1;
  }
  switch ( a1 )
  {
case 1:
case 2:
   sub_401730();
   return 1;
case 3:
case 4:
   if ( a1 <= 3 )
      goto LABEL_24;
   v7 = a1 - 3;
   v6 = (const wchar_t **)(a2 + 12);
   break;
default:
   goto LABEL_4;
  }
  do
  {
v8 = wcslen(*v6);
WideCharToMultiByte(0, 0, *(LPCWSTR *)(a2 + 12), -1, &MultiByteStr, 256, 0, 0);
if ( v8 == 2 )
{
   if ( unknown_libname_15(&MultiByteStr, "/y") && unknown_libname_15(&MultiByteStr, "/Y") )
   {
      ostream__operator__("\n ");
      ostream__operator__(&MultiByteStr);
      ostream__operator__(" <-- invalid parameter");
      ostream__operator__(10);
      sub_401820(sub_401840);
      sub_401730();
      goto LABEL_23;
   }
   v13 = 1;
   v10 = (int)"Confirmation suppressed";
}
else
{
   v10 = (int)" <-- invalid parameter";
   ostream__operator__(L" ");
   ostream__operator__(&MultiByteStr);
}
ostream__operator__(v10);
ostream__operator__(10);
sub_401820(sub_401840);
LABEL_23:
++v6;
--v7;
  }
  while ( v7 );
LABEL_24:
  ostream__operator__("\nINUSE is about to replace the following file");
  ostream__operator__(10);
  sub_401820(sub_401840);
  ostream__operator__("\n\tExisting: ");
  ostream__operator__(L" ");
  ostream__operator__(&puLen);
  ostream__operator__(10);
  sub_401820(sub_401840);
  ostream__operator__(L"\t");
  sub_4015C0(&puLen);
  ostream__operator__(10);
  sub_401820(sub_401840);
  ostream__operator__("\tReplacement:");
  ostream__operator__(L" ");
  ostream__operator__(&FileName);
  ostream__operator__(10);
  sub_401820(sub_401840);
  ostream__operator__(L"\t");
  sub_4015C0(&FileName);
  if ( v13 )
goto LABEL_34;
  ostream__operator__("\n\aDo you want to continue?(y/n) ");
  istream__operator__(&v11);
  if ( v11 == 110 )
  {
v9 = (int)"\a\nOperation cancelled";
goto LABEL_31;
  }
  if ( v11 != 78 )
  {
LABEL_34:
GetTempPathA(0x200u, &PathName);
GetTempFileNameA(&PathName, "INU", 0, &NewFileName);
ostream__operator__("\n\t");
ostream__operator__(&FileName);
ostream__operator__(" is replacing --> ");
ostream__operator__(&puLen);
ostream__operator__(10);
sub_401820(sub_401840);
CopyFileA(&FileName, &NewFileName, 0);
MoveFileExA(&NewFileName, &puLen, 5u);
v9 = (int)"\nChanges will not take affect until you reboot.";
  }
  else
  {
v9 = (int)"\a\nOperation cancelled";
  }
LABEL_31:
  ostream__operator__(v9);
  ostream__operator__(10);
  sub_401820(sub_401840);
  return 0;
}

whypro · 发表于 2010-5-26 17:14:14

只不过是移动拷贝而已，再就是用SfcIsFileProtected检查了一下，目标是否被保护。

		自动登录	找回密码
密码			加入我们

在Win2000/XP上安静地替换正在使用的系统文件

相关帖子