Pasted as C by KartalKaan ( 13 years ago )
#include<stdio.h>
#include<windows.h>
/*
 * Local redefinition of the native CLIENT_ID type (the SDK declares it in
 * winternl.h): a process id / thread id pair stored as pointer-sized values.
 * In this file only UniqueProcess is ever set (main() casts the pid read
 * from scanf into it); UniqueThread stays zero from the {0} initialiser.
 */
typedef struct CLIENT_ID
{
PVOID UniqueProcess; /* process id, written as (void *)pid in main() */
PVOID UniqueThread;  /* thread id; never set in this program */
} CLIENT_ID;
/*
 * Local copy of the native counted-string type. Length and MaximumLength are
 * byte counts of the UTF-16 Buffer (which need not be NUL-terminated). Declared
 * here only so that OBJECT_ATTRIBUTES below can name PUNICODE_STRING; no
 * string is ever built in this file (main() leaves ObjectName NULL).
 */
typedef struct _LSA_UNICODE_STRING {
USHORT Length;        /* bytes in use, excluding any terminator */
USHORT MaximumLength; /* bytes allocated for Buffer */
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
/*
 * Local copy of the native OBJECT_ATTRIBUTES descriptor passed to Zw*/Nt*
 * open calls. main() passes an all-zero instance (obj_att={0}): no Length,
 * no RootDirectory, no ObjectName and no attributes, so ZwOpenProcess selects
 * the target purely through the CLIENT_ID argument.
 */
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;                  /* normally sizeof(OBJECT_ATTRIBUTES); left 0 here */
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;    /* NULL in this program */
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/*
 * Restores ntdll!ZwOpenProcess in this process to its unhooked form by
 * overwriting its first 16 bytes with a copy the author captured on
 * Windows 7 32-bit Home Basic (see the note on ZOP[0]). Any inline hook that
 * an AV, sandbox, anti-cheat or API-monitoring component placed on that
 * export is thereby removed for this process.
 *
 * Review notes:
 *  - The bytes decode (x86) to "mov eax, <service number>; mov edx, <absolute
 *    address>; call [edx]; ret 0x10; nop". Both immediates are specific to that
 *    build and to 32-bit; on any other version, service pack or bitness the
 *    write corrupts the function and the next caller crashes. No version check
 *    guards this.
 *  - LoadLibrary() and GetProcAddress() results are not checked; a NULL ZOP
 *    would be handed straight to VirtualProtect.
 *  - Setting a loaded system DLL's code page to PAGE_EXECUTE_READWRITE and
 *    writing to it is the classic userland-unhooking pattern; for defenders
 *    that protection change on ntdll is the behaviour worth alerting on.
 *  - "&oldProtection;" (and every other "&name;" in this paste) is the paste
 *    site's mangling of "&oldProtection"; the intended code is a plain
 *    address-of.
 *  - "false" is undefined in C without <stdbool.h>, so this only builds as C++
 *    (or with stdbool); VirtualProtect returns BOOL, so "== 0" would be the
 *    portable test.
 *  - Returns nothing: the caller cannot tell whether the patch was applied,
 *    and the early "return ;" on VirtualProtect failure is silent.
 */
void RestoreZOP()
{
DWORD oldProtection,oldProtection2;
HMODULE hntdll=LoadLibrary("ntdll.dll");
unsigned char *ZOP=(unsigned char *)GetProcAddress(hntdll,"ZwOpenProcess");
if (VirtualProtect((void *)ZOP,sizeof(unsigned char)*16,PAGE_EXECUTE_READWRITE,&oldProtection;)==false)
return ;
ZOP[0]=0xB8; // These bytes are taken from the unhooked ZwOpenProcess on Windows 7 32-bit Home Basic; the other byte patterns in this file were taken from the same system.
ZOP[1]=0xBE;
ZOP[2]=0x00;
ZOP[3]=0x00;
ZOP[4]=0x00;
ZOP[5]=0xBA;
ZOP[6]=0x00, /* ',' instead of ';' — still compiles, as a comma expression with the next line */
ZOP[7]=0x03;
ZOP[8]=0xFE;
ZOP[9]=0x7F;
ZOP[10]=0xFF;
ZOP[11]=0x12;
ZOP[12]=0xC2;
ZOP[13]=0x10;
ZOP[14]=0x00;
ZOP[15]=0x90;
/* Put the original protection back; this second call's result is ignored. */
VirtualProtect((void *)ZOP,sizeof(unsigned char)*16,oldProtection,&oldProtection2;);
}
/*
 * Restores ntdll!ZwTerminateProcess in this process to its unhooked form by
 * overwriting its first 16 bytes with a copy taken from the same Windows 7
 * 32-bit system as the ZwOpenProcess bytes. Any inline hook on that export
 * is removed for this process.
 *
 * Review notes:
 *  - Same stub shape as in RestoreZOP (mov eax, <service number>; mov edx,
 *    <absolute address>; call [edx]; ret 8; nop) with a different service
 *    number and a 2-argument "ret 8". Both immediates are build- and
 *    32-bit-specific; elsewhere this write corrupts the function.
 *  - LoadLibrary()/GetProcAddress() are unchecked; the RWX protection change
 *    on ntdll is the detection-relevant behaviour; "&oldProtection;" is the
 *    paste site's mangling of "&oldProtection"; "false" needs C++ or
 *    <stdbool.h>.
 *  - No return value, so failure of VirtualProtect is silent to the caller.
 */
void RestoreZTP()
{
DWORD oldProtection,oldProtection2;
HMODULE hntdll=LoadLibrary("ntdll.dll");
unsigned char *ZTP=(unsigned char *)GetProcAddress(hntdll,"ZwTerminateProcess");
if (VirtualProtect((void *)ZTP,sizeof(unsigned char)*16,PAGE_EXECUTE_READWRITE,&oldProtection;)==false)
return ;
ZTP[0]=0xB8; /* bytes captured from the unhooked export on Windows 7 32-bit Home Basic */
ZTP[1]=0x72;
ZTP[2]=0x01;
ZTP[3]=0x00;
ZTP[4]=0x00;
ZTP[5]=0xBA;
ZTP[6]=0x00;
ZTP[7]=0x03;
ZTP[8]=0xFE;
ZTP[9]=0x7F;
ZTP[10]=0xFF;
ZTP[11]=0x12;
ZTP[12]=0xC2;
ZTP[13]=0x08;
ZTP[14]=0x00;
ZTP[15]=0x90;
/* Put the original protection back; this second call's result is ignored. */
VirtualProtect((void *)ZTP,sizeof(unsigned char)*16,oldProtection,&oldProtection2;);
}
/*
 * Intended to restore ntdll!KiFastSystemCall, the 32-bit system-call gate,
 * to its original five bytes (which decode to "mov edx, esp; sysenter; ret").
 *
 * Review notes:
 *  - As written this is dead code twice over: LoadLibrary("hntdll") asks for
 *    a module literally named "hntdll" rather than "ntdll.dll", so hntdll is
 *    NULL, GetProcAddress() then fails, and VirtualProtect() on the resulting
 *    NULL address presumably fails into the early "return ;". Independently,
 *    main() never calls RestoreKFSC() at all.
 *  - Same unchecked LoadLibrary/GetProcAddress, RWX page-protection change on
 *    a system DLL, "&name;" paste mangling and C++-only "false" as in the
 *    other Restore* functions.
 *  - Writing to the system-call gate rather than to one export would affect
 *    every native call made by this process; even though unreachable now,
 *    this is the most detection-relevant write in the file.
 */
void RestoreKFSC()
{
DWORD oldProtection,oldProtection2;
HMODULE hntdll=LoadLibrary("hntdll"); /* typo: not a real module name, so this returns NULL */
unsigned char *KFSC=(unsigned char *)GetProcAddress(hntdll,"KiFastSystemCall");
if (VirtualProtect((void *)KFSC,sizeof(unsigned char)*5,PAGE_EXECUTE_READWRITE,&oldProtection;)==false)
return ;
KFSC[0]=0x8B; /* bytes captured on Windows 7 32-bit Home Basic */
KFSC[1]=0xD4;
KFSC[2]=0x0F;
KFSC[3]=0x34;
KFSC[4]=0xC3;
/* Put the original protection back; this second call's result is ignored. */
VirtualProtect((void *)KFSC,sizeof(unsigned char)*5,oldProtection,&oldProtection2;);
}
/*
 * Enables or disables one named privilege (e.g. "SeDebugPrivilege") on the
 * current process token.
 *
 * name:   privilege name as understood by LookupPrivilegeValue.
 * enable: true sets SE_PRIVILEGE_ENABLED on the privilege, false clears it.
 * Returns true only when the adjustment was applied in full. Returns false if
 * the name is unknown, the process token cannot be opened for
 * TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, AdjustTokenPrivileges fails, or it
 * reports ERROR_NOT_ALL_ASSIGNED (the token does not hold the privilege).
 * The token handle is closed on every path after it has been opened.
 */
bool SetPrivilege(const char *name,bool enable)
{
    TOKEN_PRIVILEGES adjust;
    adjust.PrivilegeCount=1;
    adjust.Privileges[0].Attributes=enable?SE_PRIVILEGE_ENABLED:0;
    /* Resolve the LUID straight into the privilege array slot. */
    if (!LookupPrivilegeValue(NULL,name,&adjust.Privileges[0].Luid))
        return false;
    HANDLE token;
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&token))
        return false;
    /* AdjustTokenPrivileges can return success yet set ERROR_NOT_ALL_ASSIGNED;
       GetLastError() must be read before CloseHandle() can disturb it. */
    bool applied=AdjustTokenPrivileges(token,FALSE,&adjust,0,NULL,NULL)!=0
        && GetLastError()!=ERROR_NOT_ALL_ASSIGNED;
    CloseHandle(token);
    return applied;
}
/*
 * Entry point: an interactive loop that reads a pid, re-applies the ntdll
 * patches and terminates that process through the native ZwOpenProcess /
 * ZwTerminateProcess exports. The exports are called by address (resolved
 * with GetProcAddress), so the Win32 OpenProcess/TerminateProcess layer and
 * anything hooked there is bypassed; the Restore* calls strip inline hooks
 * from the two exports themselves.
 *
 * Review notes:
 *  - The SetPrivilege("SeDebugPrivilege") result is ignored; if it fails,
 *    opening protected or other-user processes fails later with no diagnostic.
 *  - hntdll and both GetProcAddress() results are unchecked; a NULL function
 *    pointer would be called.
 *  - oldProtect is declared and never used.
 *  - scanf's return value is unchecked and "&pid;" is the paste site's
 *    mangling of "&pid". On non-numeric input scanf consumes nothing, pid
 *    keeps its previous (initially indeterminate) value and the loop spins,
 *    clearing the screen each pass.
 *  - The NTSTATUS from ZwOpenProcess is ignored: on failure hprocess is left
 *    uninitialised and passed to ZwTerminateProcess; on success the handle is
 *    never closed, leaking one handle per iteration.
 *  - RestoreZOP()/RestoreZTP() rewrite ntdll on every iteration; RestoreKFSC()
 *    is never called. while(1) has no exit other than killing this program.
 *  - Both function pointers are declared as returning DWORD; the exports
 *    return NTSTATUS (a LONG) — same width on the 32-bit target this code
 *    assumes, as is the (void *)pid cast.
 *  - From a detection standpoint the telling sequence is: enable
 *    SeDebugPrivilege, set ntdll code pages RWX and write to them, then call
 *    Zw* exports directly.
 */
int main()
{
SetPrivilege("SeDebugPrivilege",true); /* return value ignored */
DWORD oldProtect; /* unused */
CLIENT_ID cli_id={0};
OBJECT_ATTRIBUTES obj_att={0}; /* no name, no root: target chosen by cli_id alone */
HANDLE hprocess; /* only assigned when ZwOpenProcess succeeds; never closed */
HMODULE hntdll=LoadLibrary("ntdll.dll");
DWORD (*ZwTerminateProcess)(HANDLE,DWORD);
DWORD (*ZwOpenProcess)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,CLIENT_ID*);
ZwTerminateProcess=(DWORD (*)(HANDLE,DWORD))GetProcAddress(hntdll,"ZwTerminateProcess");
ZwOpenProcess=(DWORD (*)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,CLIENT_ID*))GetProcAddress(hntdll,"ZwOpenProcess");
DWORD pid; /* indeterminate until the first successful scanf */
while(1)
{
system("cls"); /* spawns a command interpreter on every pass */
printf("Enter the pid : ");
scanf("%u",&pid;); /* "&pid;" = mangled "&pid"; result unchecked */
cli_id.UniqueProcess=(void *)pid;
/* Re-patch both exports before each call so a hook re-installed since the
   last pass is removed again. */
RestoreZOP();
RestoreZTP();
ZwOpenProcess(&hprocess;,PROCESS_TERMINATE,&obj;_att,&cli;_id); /* status ignored; "&obj;_att" etc. are mangled "&obj_att", "&cli_id" */
ZwTerminateProcess(hprocess,0); /* handle leaks; never reached with a valid value if the open failed */
}
return 0; /* unreachable */
}