#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
/* Process/thread identifier pair consumed by ZwOpenProcess.
 * Declared locally because windows.h does not provide it (the native
 * definition normally comes from winternl.h, which this file does not
 * include); the layout must match ntdll's since it is passed to the
 * native API. main() fills only UniqueProcess with the PID and leaves
 * UniqueThread zero. */
typedef struct CLIENT_ID
{
PVOID UniqueProcess;
PVOID UniqueThread;
} CLIENT_ID;
/* Counted string used by the native API, mirroring ntdll's UNICODE_STRING
 * layout. It exists here only so that OBJECT_ATTRIBUTES below has the right
 * field types; this program never builds one (main() passes a zeroed
 * OBJECT_ATTRIBUTES, so ObjectName is always NULL). */
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
/* Native-API object description passed to ZwOpenProcess. Mirrors the
 * OBJECT_ATTRIBUTES layout from winternl.h (not included here). main()
 * passes a zero-initialised instance: no ObjectName, no RootDirectory,
 * no security descriptor and Length == 0; the target process is selected
 * purely through the CLIENT_ID argument.
 * NOTE(review): InitializeObjectAttributes would set Length to
 * sizeof(OBJECT_ATTRIBUTES); worth doing if a build ever rejects Length 0. */
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
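/*
 * User-mode inline-hook removal for three 32-bit ntdll entry points.
 *
 * Each Restore* function overwrites the first bytes of an ntdll export with
 * the bytes that export has in a clean ntdll, so that an inline hook placed
 * by a DLL injected into this process (typically a JMP written over the
 * first 5 bytes) no longer intercepts the call. The write is unconditional:
 * no attempt is made to detect whether a hook is actually present.
 *
 * The byte patterns were captured on Windows 7 32-bit Home Basic (see the
 * original author's note) and decode to the ordinary Windows 7 x86 stub:
 *
 *   B8 nn 00 00 00   mov  eax, <syscall number>  ; 0xBE NtOpenProcess,
 *                                                ; 0x172 NtTerminateProcess
 *   BA 00 03 FE 7F   mov  edx, 7FFE0300h         ; KUSER_SHARED_DATA.SystemCall
 *   FF 12            call dword ptr [edx]
 *   C2 xx 00         ret  xx                     ; 0x10 / 0x08 bytes of args
 *   90               nop
 *
 * and, for KiFastSystemCall, to: 8B D4 (mov edx,esp) 0F 34 (sysenter) C3 (ret).
 *
 * Syscall numbers and stub layout differ between Windows versions, service
 * packs, and between native x86 and WoW64 ntdll (WoW64 stubs dispatch through
 * fs:[0C0h], not 7FFE0300h). Writing these bytes anywhere else corrupts ntdll
 * and either crashes the process or issues the wrong system call, so
 * RestoreTargetMatches() refuses to patch unless this is a native 32-bit
 * process on Windows 6.1.
 *
 * Scope, for anyone relying on this: it only removes inline hooks on the
 * three stubs in *this* process. It does not restore the SystemCall pointer
 * at 7FFE0300h if that has been redirected, and it does nothing against
 * kernel-side interception (SSDT hooks, ObRegisterCallbacks handle
 * filtering), so a process protected that way stays protected.
 *
 * Note that main() calls only RestoreZOP() and RestoreZTP(); RestoreKFSC()
 * is provided but unused there. In the original, RestoreKFSC() also loaded
 * "hntdll" instead of "ntdll.dll" and therefore silently patched nothing.
 */

typedef LONG (NTAPI *RtlGetVersionFn)(OSVERSIONINFOW *);

/* True only on native 32-bit Windows 6.1 (Windows 7), the platform the stub
 * bytes were captured from; every other platform is rejected. */
static bool RestoreTargetMatches(void)
{
    if (sizeof(void *) != 4)
        return false;                       /* 64-bit process: different stubs */

    BOOL wow64 = FALSE;
    if (IsWow64Process(GetCurrentProcess(), &wow64) && wow64)
        return false;                       /* WoW64 ntdll: different stubs */

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL)
        return false;

    /* RtlGetVersion rather than GetVersionEx: not deprecated and not subject
     * to manifest-based version lying. Same layout as OSVERSIONINFOW. */
    RtlGetVersionFn rtl_get_version = (RtlGetVersionFn)GetProcAddress(ntdll, "RtlGetVersion");
    if (rtl_get_version == NULL)
        return false;

    OSVERSIONINFOW vi;
    memset(&vi, 0, sizeof vi);
    vi.dwOSVersionInfoSize = sizeof vi;
    if (rtl_get_version(&vi) != 0)          /* STATUS_SUCCESS == 0 */
        return false;

    /* NOTE(review): only major/minor are checked. Re-verify the syscall
     * numbers against every service pack / build you intend to support. */
    return vi.dwMajorVersion == 6 && vi.dwMinorVersion == 1;
}

/* Overwrite the first `len` bytes of the ntdll export `export_name` with
 * `bytes`. Returns false, having written nothing, if the platform check
 * fails, the export is not found, or the page cannot be made writable. */
static bool RestoreNtdllExport(const char *export_name, const unsigned char *bytes, SIZE_T len)
{
    if (!RestoreTargetMatches())
        return false;

    /* ntdll is mapped into every process; GetModuleHandle avoids bumping its
     * reference count on every call the way LoadLibrary would. */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL)
        return false;

    unsigned char *target = (unsigned char *)GetProcAddress(ntdll, export_name);
    if (target == NULL)
        return false;

    DWORD old_protect = 0;
    if (!VirtualProtect(target, len, PAGE_EXECUTE_READWRITE, &old_protect))
        return false;

    memcpy(target, bytes, len);

    /* Put the original protection back; if this fails the page is left RWX,
     * but the patch itself has been applied, so that is still a success. */
    DWORD unused = 0;
    VirtualProtect(target, len, old_protect, &unused);

    /* Effectively a no-op on x86, but it is the documented contract after
     * writing code bytes. */
    FlushInstructionCache(GetCurrentProcess(), target, len);
    return true;
}

/* Restore ntdll!ZwOpenProcess (Windows 7 x86 syscall 0xBE, four arguments).
 * Returns true if the stub was written. */
bool RestoreZOP(void)
{
    static const unsigned char stub[16] = {
        0xB8, 0xBE, 0x00, 0x00, 0x00,   /* mov  eax, 0BEh        */
        0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov  edx, 7FFE0300h   */
        0xFF, 0x12,                     /* call dword ptr [edx]  */
        0xC2, 0x10, 0x00,               /* ret  10h              */
        0x90                            /* nop                   */
    };
    return RestoreNtdllExport("ZwOpenProcess", stub, sizeof stub);
}

/* Restore ntdll!ZwTerminateProcess (Windows 7 x86 syscall 0x172, two
 * arguments). Returns true if the stub was written. */
bool RestoreZTP(void)
{
    static const unsigned char stub[16] = {
        0xB8, 0x72, 0x01, 0x00, 0x00,   /* mov  eax, 172h        */
        0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov  edx, 7FFE0300h   */
        0xFF, 0x12,                     /* call dword ptr [edx]  */
        0xC2, 0x08, 0x00,               /* ret  8                */
        0x90                            /* nop                   */
    };
    return RestoreNtdllExport("ZwTerminateProcess", stub, sizeof stub);
}

/* Restore ntdll!KiFastSystemCall, the routine every Windows 7 x86 syscall
 * stub reaches through KUSER_SHARED_DATA.SystemCall. Returns true if the
 * bytes were written. */
bool RestoreKFSC(void)
{
    static const unsigned char stub[5] = {
        0x8B, 0xD4,                     /* mov  edx, esp  */
        0x0F, 0x34,                     /* sysenter       */
        0xC3                            /* ret            */
    };
    return RestoreNtdllExport("KiFastSystemCall", stub, sizeof stub);
}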
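/*
 * Enable or disable a named privilege (e.g. "SeDebugPrivilege") in the
 * current process token.
 *
 * name   - privilege name as understood by LookupPrivilegeValueA.
 * enable - true to set SE_PRIVILEGE_ENABLED on it, false to clear it.
 *
 * Returns true only if the privilege is now in the requested state.
 * Returns false if the name is unknown, the token cannot be opened, or the
 * privilege is not held by the token at all: AdjustTokenPrivileges then
 * still returns success but GetLastError() is ERROR_NOT_ALL_ASSIGNED, which
 * is the usual outcome when the process is not running elevated. Callers
 * that need the privilege must check this result rather than assume it.
 */
bool SetPrivilege(const char *name, bool enable)
{
    /* Explicit A suffix: the original used the generic name, which maps to
     * the W variant under UNICODE and no longer matches const char *. */
    LUID luid;
    if (!LookupPrivilegeValueA(NULL, name, &luid))
        return false;

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;

    HANDLE token = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return false;

    /* Success from AdjustTokenPrivileges does not mean the privilege was
     * adjusted; the real outcome is in GetLastError(), read before any other
     * API call can overwrite it. */
    bool adjusted = AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL)
                    && GetLastError() != ERROR_NOT_ALL_ASSIGNED;

    CloseHandle(token);
    return adjusted;
}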
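/* Read and discard the rest of the current stdin line.
 * Returns false if end-of-input was reached before a newline. */
static bool DiscardLine(void)
{
    int c;
    while ((c = getchar()) != '\n') {
        if (c == EOF)
            return false;
    }
    return true;
}

/*
 * Interactive loop: read a PID, strip user-mode hooks from the two ntdll
 * stubs about to be used, then open and terminate that process through the
 * native API (ZwOpenProcess / ZwTerminateProcess) instead of the kernel32
 * wrappers, which are the usual hook targets.
 *
 * Terminating a process is destructive and no confirmation is asked for.
 * The loop ends on end-of-input (Ctrl+Z / closed stdin). Returns 1 if ntdll
 * or the two exports cannot be located, 0 otherwise.
 */
int main(void)
{
    /* SeDebugPrivilege lets an elevated administrator open processes of
     * other users and most system processes. The original ignored the
     * result; without the privilege, opening is limited to what the token
     * can already reach, so warn and carry on. */
    if (!SetPrivilege("SeDebugPrivilege", true))
        fprintf(stderr, "warning: SeDebugPrivilege could not be enabled (not elevated?); "
                        "only processes this token can already open will be affected\n");

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL) {
        fprintf(stderr, "ntdll.dll is not mapped in this process\n");
        return 1;
    }

    /* Zw* routines are stdcall (NTAPI) and return NTSTATUS. The original
     * declared the pointers with the default (cdecl) convention, so on
     * 32-bit builds both callee and caller popped the arguments and the
     * stack drifted on every call. */
    typedef LONG (NTAPI *ZwOpenProcessFn)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID *);
    typedef LONG (NTAPI *ZwTerminateProcessFn)(HANDLE, LONG);
    ZwOpenProcessFn ZwOpenProcess = (ZwOpenProcessFn)GetProcAddress(ntdll, "ZwOpenProcess");
    ZwTerminateProcessFn ZwTerminateProcess = (ZwTerminateProcessFn)GetProcAddress(ntdll, "ZwTerminateProcess");
    if (ZwOpenProcess == NULL || ZwTerminateProcess == NULL) {
        fprintf(stderr, "ZwOpenProcess / ZwTerminateProcess not found in ntdll\n");
        return 1;
    }

    /* No object name: the target is chosen purely by CLIENT_ID. Length is
     * what InitializeObjectAttributes would set. */
    OBJECT_ATTRIBUTES obj_att = {0};
    obj_att.Length = sizeof obj_att;

    for (;;) {
        system("cls");
        printf("Enter the pid : ");
        fflush(stdout);

        DWORD pid = 0;
        int fields = scanf("%u", &pid);
        if (fields == EOF)
            break;
        if (fields != 1) {
            /* Non-numeric input: drop the line rather than spin on it forever
             * as the original did (scanf never consumed the bad token). */
            if (!DiscardLine())
                break;
            continue;
        }

        CLIENT_ID cli_id = {0};
        cli_id.UniqueProcess = (PVOID)(ULONG_PTR)pid;

        /* Re-applied on every iteration, as in the original - presumably in
         * case a hooking DLL re-installs its hook between attempts. */
        RestoreZOP();
        RestoreZTP();

        /* NTSTATUS: any negative value is a failure. NT_SUCCESS lives in
         * ntdef.h/winternl.h, which this file does not include. */
        HANDLE process = NULL;
        LONG status = ZwOpenProcess(&process, PROCESS_TERMINATE, &obj_att, &cli_id);
        if (status < 0) {
            printf("ZwOpenProcess(%lu) failed: NTSTATUS 0x%08lX\n",
                   (unsigned long)pid, (unsigned long)status);
        } else {
            status = ZwTerminateProcess(process, 0);
            if (status < 0)
                printf("ZwTerminateProcess(%lu) failed: NTSTATUS 0x%08lX\n",
                       (unsigned long)pid, (unsigned long)status);
            else
                printf("Process %lu terminated\n", (unsigned long)pid);
            /* The original never closed the handle: one leaked per loop. */
            CloseHandle(process);
        }

        /* Let the result be read before the screen is cleared again: finish
         * the PID line, then wait for one more Enter. */
        printf("Press Enter to continue...");
        fflush(stdout);
        if (!DiscardLine() || !DiscardLine())
            break;
    }
    return 0;
}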