KillTenSLX

/*建立1个win32 console程序 把代码粘里面就可以了*/
#include "stdafx.h"
#include "windows.h"
#include "TlHelp32.h"
const TCHAR QQ_GAME[] = _T("QQGame.exe");
const TCHAR QQ_THREAD_DLL[] = _T("TenSLX.dll");
 
 
typedef   enum   _THREADINFOCLASS   {
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair_Reusable,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,
    ThreadBreakOnTermination,
    MaxThreadInfoClass
}   THREADINFOCLASS;
 
typedef LONG (__stdcall *_pfnZwQueryInformationThread) (
    IN   HANDLE   ThreadHandle,
    IN   THREADINFOCLASS   ThreadInformationClass,
    OUT   PVOID   ThreadInformation,
    IN   ULONG   ThreadInformationLength,
    OUT   PULONG   ReturnLength   OPTIONAL
    );
 
HANDLE m_GameProcessHandle;
//记录QQ_THREAD_DLL信息
BYTE  * m_pmodBaseAddr;
DWORD   m_dwmodBaseSize;
_pfnZwQueryInformationThread m_pfnZwQueryInformationThread;
 
BOOL StartPatch();//PATCHQQ主函数
DWORD EnablePrivilege (LPCTSTR name);//提权函数
BOOL ListProcessModules(DWORD dwPID);//枚举指定进程的模块
BOOL ListProcessThreads( DWORD dwOwnerPID);//枚举指定进程创建的线程,并结束掉QQ保护线程
PVOID ShowThreadInfo(DWORD tid);//获取线程的起始地址
 
int _tmain(int argc, _TCHAR* argv[])
{
    m_pfnZwQueryInformationThread =(_pfnZwQueryInformationThread)\
        GetProcAddress   (LoadLibrary(_T("ntdll.dll")),"ZwQueryInformationThread");
 
    if (StartPatch())
    {
        printf("可以CE附加QQ游戏大厅了\n");
    }
    else
        printf("失败!\n");
    return 0;
}
 
BOOL StartPatch()
{
    if(0!=EnablePrivilege (SE_DEBUG_NAME)) 
    {
        return FALSE; 
    }
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
 
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
        return FALSE;
    }
 
    pe32.dwSize = sizeof( PROCESSENTRY32 );
 
    if( !Process32First( hProcessSnap, &pe32 ) )
    {
        CloseHandle( hProcessSnap );
        return FALSE;
    }
 
    BOOL bStartGame = FALSE;
    do
    {
        if (_tcscmp(pe32.szExeFile, QQ_GAME) == 0)
        {
            bStartGame = TRUE;
            m_GameProcessHandle = OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION,\
                FALSE, pe32.th32ProcessID);
            if (m_GameProcessHandle == NULL)
            {
                return FALSE;
            }
            for (int i=0; i<5;i++)
            {
                if (!ListProcessModules(pe32.th32ProcessID))
                {
                    return FALSE;
                }
 
            }
            if (!ListProcessThreads(pe32.th32ProcessID))
            {
                return FALSE;
            }
        }
 
    } while( Process32Next( hProcessSnap, &pe32 ) );
 
    if (!bStartGame)
    {
        MessageBox(NULL,_T("运行QQ大厅后才能使用"),_T("提示"),MB_OK);
        return FALSE;
    }
    CloseHandle( hProcessSnap );
    return TRUE;
}
DWORD EnablePrivilege (LPCTSTR name) 
    HANDLE hToken; 
    BOOL rv; 
    //设置结构  
    TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} }; 
    // 查找权限值  
    LookupPrivilegeValue ( 
        0, 
        name, 
        &priv.Privileges[0].Luid 
        ); 
    // 打开本进程Token  
    OpenProcessToken( 
        GetCurrentProcess (), 
        TOKEN_ADJUST_PRIVILEGES, 
        &hToken 
        ); 
    // 提权  
    AdjustTokenPrivileges ( 
        hToken, 
        FALSE, 
        &priv, 
        sizeof priv, 
        0, 
        0 
        ); 
    // 返回值,错误信息,如果操作成功,则应为ERROR_SUCCESS,为O  
    rv = GetLastError(); 
    // 关闭Token  
    CloseHandle (hToken); 
    return rv; 
BOOL ListProcessModules(DWORD dwPID)
{
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
 
    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
    if( hModuleSnap == INVALID_HANDLE_VALUE )
    {
        return( FALSE );
    }
 
    me32.dwSize = sizeof( MODULEENTRY32 );
    if( !Module32First( hModuleSnap, &me32 ) )
    {
        CloseHandle( hModuleSnap );
        return( FALSE );
    }
    do
    {
        if (_tcscmp(me32.szModule, QQ_THREAD_DLL) == 0)
        {
            m_pmodBaseAddr = me32.modBaseAddr;
            m_dwmodBaseSize = me32.modBaseSize;
 
        }
 
    }while( Module32Next( hModuleSnap, &me32 ));
 
    CloseHandle( hModuleSnap );
    return( TRUE );
 
}
BOOL ListProcessThreads( DWORD dwOwnerPID)
{
    HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
    THREADENTRY32 te32;
    PVOID addr;
 
    hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
    if( hThreadSnap == INVALID_HANDLE_VALUE )
        return( FALSE );
 
    te32.dwSize = sizeof(THREADENTRY32 );
 
 
    if( !Thread32First( hThreadSnap, &te32 ) )
    {
        CloseHandle( hThreadSnap );
        return( FALSE );
    }
 
    do
    {
        if( te32.th32OwnerProcessID == dwOwnerPID )
        {
            addr = ShowThreadInfo(te32.th32ThreadID);
            if(((DWORD)addr>(DWORD)m_pmodBaseAddr)&&((DWORD)addr<\
                ((DWORD)m_pmodBaseAddr+(DWORD)m_dwmodBaseSize)))
            {
 
                HANDLE oth=OpenThread(THREAD_ALL_ACCESS,FALSE,te32.th32ThreadID);
                //关闭这个线程
                TerminateThread(oth, 0);
            }
        }
    } while( Thread32Next(hThreadSnap, &te32 ) );
 
    CloseHandle( hThreadSnap );
    return( TRUE );
}
PVOID ShowThreadInfo(DWORD tid)
{
 
    PVOID                    startaddr;
    HANDLE                   thread;    
    //thread = m_pfnOpenThread_ex(THREAD_ALL_ACCESS,FALSE,tid);
    thread=OpenThread(THREAD_ALL_ACCESS,FALSE,tid);
    if   (thread   ==   NULL)
        return   FALSE;
 
    m_pfnZwQueryInformationThread(thread,
        ThreadQuerySetWin32StartAddress,  
        &startaddr,  
        sizeof(startaddr),  
        NULL);
 
    CloseHandle   (thread);
    return   startaddr;
}




附件列表

     

    posted @ 2012-05-26 08:32  XE2011  阅读(175)  评论(0编辑  收藏  举报