win32thread.h
#include <PrcWorks.h>
#include <ApiHooks.h>
/* Serializes the fallback path in NewxxxCsrClientCallServer; created in
 * InitWin32Thread and destroyed in QuitWin32Thread. */
CRITICAL_SECTION xxxCCSLock;
/* Signature of ntdll!RtlAdjustPrivilege(Privilege, Enable, CurrentThread,
 * &WasEnabled); resolved at runtime into RAP by InitWin32Thread. */
typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, DWORD*);
TRAP RAP = NULL;
/* Re-entry counter for the fallback path (incremented/decremented with
 * InterlockedExchangeAdd); the critical section alone is recursive on the
 * owning thread, so this is what stops the hook from re-entering itself. */
LONG xxxCCSEntry = 0;
/* Partial view of the CSR request message used by the hook.  Only the
 * fields the code touches are named; the layout is presumably reverse
 * engineered for one OS build -- confirm offsets (Status at 0x20,
 * hThread at 0x28, PID at 0x2C, TID at 0x30) against the target OS. */
typedef struct _xxxCRTMSG {
    BYTE Dummy[0x20];
    LONG Status;       /* NTSTATUS reply from csrss; rewritten to 0 on a successful fallback */
    DWORD Dummy24;
    HANDLE hThread;    /* thread handle that csrss failed to register */
    DWORD PID;
    DWORD TID;
} xxxCRTMSG, *PxxxCRTMSG;
/* Signature of the hooked CsrClientCallServer as this module calls it. */
typedef LONG (WINAPI *TxxxCsrClientCallServer)(PxxxCRTMSG, DWORD, DWORD, DWORD);
/* Original (trampoline) CsrClientCallServer.  The hooking code -- not
 * shown in this file -- must set it before NewxxxCsrClientCallServer can
 * run; the hook dereferences it unconditionally. */
static TxxxCsrClientCallServer OldxxxCsrClientCallServer = NULL;
/*
 * Replacement for CsrClientCallServer (the original is reached through
 * OldxxxCsrClientCallServer, which the hooking code must have set before
 * this runs).  Every request is forwarded unchanged.  Only when csrss
 * replies STATUS_UNSUCCESSFUL to command 0x00010001 -- presumably the
 * thread-creation request, given the hThread/PID/TID fields used below;
 * confirm against the target OS -- a fallback is attempted: the csrss of
 * the target's session is opened and asked, via hLoadAndCall, to run
 * CsrCreateRemoteThread itself.  On success both the return value and
 * Buffer->Status are rewritten to 0 so the caller sees the thread as
 * registered.
 *
 * Security notes for reviewers:
 *  - Privilege 20 (SE_DEBUG_PRIVILEGE) is enabled through RAP
 *    (RtlAdjustPrivilege) for the duration of the fallback and restored
 *    to its previous state afterwards.
 *  - The fallback executes code inside csrss.exe with a broad access
 *    mask; the result of the remote NtClose is ignored, so a handle
 *    leaked inside csrss would go unnoticed.
 *  - Handles and LACSTKPointer are packed into DWORD Params[], so this
 *    is 32-bit-only code.
 *
 * Buffer  - CSR message (fields per xxxCRTMSG); Status may be rewritten.
 * Par1, Command, Size - passed through to the original unchanged.
 * Returns the original's result, or 0 if the fallback succeeded.
 */
LONG WINAPI NewxxxCsrClientCallServer(PxxxCRTMSG Buffer, DWORD Par1, DWORD Command, DWORD Size) {
    LONG Result = OldxxxCsrClientCallServer(Buffer, Par1, Command, Size);
    if((Buffer->Status == 0xC0000001) //STATUS_UNSUCCESSFUL
    && (Command == 0x00010001)) {
        /* Serialize the fallback.  The critical section is recursive for the
         * owning thread, so xxxCCSEntry additionally blocks re-entry from the
         * same thread (hLoadAndCall may itself cause CSR calls that land here). */
        EnterCriticalSection(&xxxCCSLock);
        if(InterlockedExchangeAdd(&xxxCCSEntry, 1) == 0) {
            /* "<session>/csrss.exe": session-qualified name, assumed to be the
             * form ProcessName2PID understands -- confirm.  32 TCHARs hold a
             * 10-digit session id plus "/csrss.exe" and the terminator. */
            TCHAR SesFullCsrName[32];
#ifdef _stprintf
            _stprintf(SesFullCsrName, TEXT("%u/csrss.exe"), GetSessionId(Buffer->PID));
#else
            wsprintf(SesFullCsrName, TEXT("%u/csrss.exe"), GetSessionId(Buffer->PID));
#endif
            /* Enable SE_DEBUG_PRIVILEGE; WasEn receives the previous state for
             * the restore below.  It defaults to TRUE so that nothing is
             * restored when RAP could not be resolved. */
            DWORD WasEn = TRUE;
            if(RAP)
                RAP(20, TRUE, 0, &WasEn);
            HANDLE hCsr;
            if(hCsr = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | SYNCHRONIZE |
                PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |
                PROCESS_CREATE_THREAD | READ_CONTROL,
                FALSE, ProcessName2PID(SesFullCsrName))) {
                HANDLE DuphTargetThread;
                /* Duplicate the new thread's handle from this process ((HANDLE)-1
                 * is the current-process pseudo handle) into csrss, so csrss can
                 * refer to the thread in the remote CsrCreateRemoteThread call. */
                if(DuplicateHandle((HANDLE)-1, Buffer->hThread, hCsr, &DuphTargetThread, 0, FALSE, DUPLICATE_SAME_ACCESS)) {
                    /* rci is static: hLoadAndCall state is kept across invocations. */
                    static RCINFO rci = {0};
                    /* LACSTKPointer+8 and the 20000/5000 arguments follow the
                     * hLoadAndCall contract defined in the headers; their meaning
                     * (stack location, timeouts in ms?) is not visible here -- confirm. */
                    DWORD Params[4] = {(DWORD)DuphTargetThread, LACSTKPointer+8, Buffer->PID, Buffer->TID};
                    if((LONG)hLoadAndCall(&rci, TEXT("csrsrv.dll"), hCsr, 20000, 0, TEXT("CsrCreateRemoteThread"), 4, Params)>=0) {
                        /* Remote registration succeeded: report success to the caller. */
                        Result = 0;
                        Buffer->Status = 0;
                    }
                    /* Close the duplicated handle inside csrss regardless of the
                     * outcome above.  The return value is not checked. */
                    hLoadAndCall(&rci, TEXT("ntdll.dll"), hCsr, 5000, 0, TEXT("NtClose"), 1, &DuphTargetThread);
                }
                CloseHandle(hCsr);
            }
            /* Drop SE_DEBUG_PRIVILEGE again only if it was disabled on entry. */
            if(!WasEn && RAP)
                RAP(20, WasEn, 0, &WasEn);
        }
        InterlockedExchangeAdd(&xxxCCSEntry, -1);
        LeaveCriticalSection(&xxxCCSLock);
    }
    return(Result);
}
/*
 * One-time setup for the hook: creates xxxCCSLock and, if ntdll.dll is
 * already mapped into this process, resolves RtlAdjustPrivilege into RAP.
 * RAP is left NULL otherwise, in which case NewxxxCsrClientCallServer
 * skips the privilege adjustment entirely.
 */
VOID WINAPI InitWin32Thread(VOID) {
    InitializeCriticalSection(&xxxCCSLock);
    HINSTANCE ntdll = GetModuleHandle(TEXT("ntdll.dll"));
    if (ntdll == NULL)
        return;
    RAP = (TRAP)GetProcAddress(ntdll, "RtlAdjustPrivilege");
}
/*
 * Tears down the lock created by InitWin32Thread.  It does not unhook
 * CsrClientCallServer or reset RAP.  The caller must ensure no thread is
 * still inside NewxxxCsrClientCallServer (i.e. owning xxxCCSLock) when
 * this runs, since deleting an owned critical section leaves waiters in
 * an undefined state.
 */
VOID WINAPI QuitWin32Thread(VOID) {
    DeleteCriticalSection(&xxxCCSLock);
}