一段關閉windows文件保護的代碼,在xp下測試通過.
調用 TerminateSfc() 就可以了.
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Shlwapi.h>
#include <sfc.h>
#include <stdlib.h>
#include <stdio.h>
#include <iostream>
#include <tlhelp32.h>
#pragma comment(lib,"sfc.lib")
#pragma comment(lib,"shlwapi.lib")
#pragma check_stack (off)
DWORD thread_func (FARPROC sfc_terminate)
{
sfc_terminate();
return 0;
}
void after_thread_func(void)
{
}
#pragma check_stack
//調整權限
int AdjustPrivileges(void)
{
HANDLE token_handle;
int ret=0;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token_handle))
{
LUID luid;
if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
TOKEN_PRIVILEGES tk_priv;
tk_priv.PrivilegeCount=1;
tk_priv.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tk_priv.Privileges[0].Luid=luid;
if(AdjustTokenPrivileges(token_handle,FALSE,&tk_priv,0,NULL,NULL)) ret=1;
}
CloseHandle(token_handle);
}
return ret;
}
//根據取得進程號
DWORD GetProcessID(const char* pname)
{
HANDLE hProcessSnap = NULL;
DWORD bRet = 0;
PROCESSENTRY32 pe32 = {0};
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
return (FALSE);
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hProcessSnap, &pe32))
{
do
{
if (stricmp(pe32.szExeFile, pname) == 0) {
bRet = pe32.th32ProcessID;
break;
}
}while (Process32Next(hProcessSnap, &pe32));
}
CloseHandle (hProcessSnap);
return (bRet);
}
//關閉windows文件保護
void TerminateSfc()
{
DWORD wpid = 0;
wpid = GetProcessID("winlogon.exe");
HANDLE remote_thread;
HMODULE sfc=LoadLibrary("SFC_OS.DLL");
FARPROC sfc_terminate=GetProcAddress(sfc, (char *) 2);
if (!AdjustPrivileges()) {
MessageBox(NULL, "調整權限錯誤", "", MB_OK);
exit(0);
}
HANDLE process=OpenProcess(PROCESS_ALL_ACCESS, FALSE, wpid);
if(!process)
{
exit(0);
}
LPVOID remote_mem=VirtualAllocEx(process,NULL,(SIZE_T) ((char *)after_thread_func-(char *)thread_func),MEM_COMMIT,PAGE_READWRITE);
if(!remote_mem)
{
printf("Error while commiting memory in the remote process\n");
goto clean_up;
}
if(!WriteProcessMemory(process,remote_mem,(char *) thread_func,(SIZE_T) ((char *)after_thread_func-(char *)thread_func),(SIZE_T *) 0))
{
printf("Error %d while writing to the remote process\n", GetLastError());
goto clean_up;
}
remote_thread=CreateRemoteThread(process,NULL,0,(LPTHREAD_START_ROUTINE) remote_mem,(LPVOID) sfc_terminate,0,NULL);
if(!remote_thread)
{
printf("Error while creating remote thread in the process\n");
goto clean_up;
}
if(WaitForSingleObject(remote_thread, 10*1000)==WAIT_TIMEOUT)
printf("Timeout occured while waiting for the remote thread\n");
CloseHandle(remote_thread);
clean_up:
if(remote_mem) VirtualFreeEx(process, remote_mem, 0, MEM_RELEASE);
CloseHandle(process);
}