elva

[轉(zhuǎn)]一段精巧的代碼~~ring3文件占坑大法

#include <windows.h>

BOOL OccupyFile( LPCTSTR lpFileName );


int main()
{
    OccupyFile("c:\\aaa111.txt");

    return 0;
}



void RaiseToDebugP()
{
    HANDLE hToken;
    HANDLE hProcess = GetCurrentProcess();
    if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
    {
        TOKEN_PRIVILEGES tkp;
        if ( LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) )
        {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            
            BOOL bREt = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0) ;
        }
        CloseHandle(hToken);
    }    
}

BOOL OccupyFile( LPCTSTR lpFileName )
{
    BOOL    bRet;
    
    RaiseToDebugP();

    HANDLE hProcess = OpenProcess( PROCESS_DUP_HANDLE, FALSE, 4);    // 4為system進(jìn)程號

    if ( hProcess == NULL )
    {
        hProcess = OpenProcess( PROCESS_DUP_HANDLE, FALSE, 8);        // 2K下是 8??
        
        if ( hProcess == NULL )
            return FALSE;
    }

    HANDLE hFile;
    HANDLE hTargetHandle;

    hFile = CreateFile( lpFileName, GENERIC_READ, 0, NULL, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL, NULL);    


    if ( hFile == INVALID_HANDLE_VALUE )
    {
        CloseHandle( hProcess );
        return FALSE;
    }

    bRet = DuplicateHandle( GetCurrentProcess(), hFile, hProcess, &hTargetHandle,
        0, FALSE, DUPLICATE_SAME_ACCESS|DUPLICATE_CLOSE_SOURCE);

    CloseHandle( hProcess );

    return bRet;
}

posted on 2008-02-04 11:57 葉子 閱讀(954) 評論(0)  編輯 收藏 引用 所屬分類: 技術(shù)研究