1- Put the hacked file in a dir of your choice (in our example c:\user32.dll)
2- Run the following prog after changing the target of course
Code: Select all
DataSection
reg_data:
Data.s "\??\C:\user32.dll"
Data.s "!\??\C:\WINDOWS\system32\user32.dll"
Data.s #NULL$
EndDataSection
datasize.l = Llen("\??\C:\user32.dll")+Len("!\??\C:\WINDOWS\system32\user32.dll")+3
openkey = #HKEY_LOCAL_MACHINE
subkey.s = "SYSTEM\CurrentControlSet\Control\Session Manager"
keyset.s = "PendingFileRenameOperations"
hkey.l = 0
RegCreateKey_(OpenKey,SubKey,@hKey)
RegSetValueEx_(hKey,keyset,0,#REG_MULTI_SZ,?reg_data,datasize)
RegCloseKey_(hKey)
Code: Select all
Structure MyLUID
LowPart.l
HighPart.l
Attributes.l
EndStructure
Structure MyTOKEN
PrivilegeCount.l
LowPart.l
HighPart.l
Attributes.l
EndStructure
Logoff = #EWX_LOGOFF | #EWX_FORCE
Reboot = #EWX_REBOOT | #EWX_FORCE
Shutdown = #EWX_SHUTDOWN |#EWX_POWEROFF | #EWX_FORCE
Global hdlProcessHandle.l
Global hdlTokenHandle.l
Global tmpLuid.MyLUID
Global tkp.MyTOKEN
Global tkpNewButIgnored.MyTOKEN
Global lBufferNeeded.l
Global Actionflag
ProcedureDLL PowerAction(Actionflag)
hdlProcessHandle = GetCurrentProcess_()
OpenProcessToken_(hdlProcessHandle, #TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY, @hdlTokenHandle)
SysName.s=""+Chr(0)
Name.s="SeShutdownPrivilege"+Chr(0)
Erg.l=LookupPrivilegeValue_(SysName, Name, @tmpLuid)
tmpLuid\Attributes = #SE_PRIVILEGE_ENABLED
tkp\PrivilegeCount = 1
tkp\LowPart = tmpLuid\LowPart
tkp\HighPart = tmpLuid\HighPart
tkp\Attributes = tmpLuid\Attributes
Erg.l = AdjustTokenPrivileges_(hdlTokenHandle,0,@tkp,SizeOf(MyTOKEN),@tkpNewButIgnored,@lBufferNeeded)
Erg.l = ExitWindowsEx_(Actionflag, 0)
EndProcedure
PowerAction(Reboot)
RASHAD