  1. #include <windows.h>
  2. #include <winternl.h>
  3. #include <tlhelp32.h>
  4. #include <stdio.h>
  5.  
#ifdef _MSC_VER
#pragma comment (lib, "ntdll.lib")   /* MSVC: resolve the Zw* prototypes below against ntdll's import library */
#endif // _MSC_VER

/* Pseudo-handle for the calling process (the value -1, as used by NtCurrentProcess()). */
#define ZwCurrentProcess() ((HANDLE)(LONG_PTR)-1)

/*
 * Hand-written prototypes for ntdll exports that <winternl.h> does not declare.
 * All of them return an NTSTATUS: a negative value is a failure, >= 0 is success.
 * NOTE(review): none of the prototypes carry NTAPI (__stdcall). On x64 there is a
 * single calling convention so this is harmless; a 32-bit build would need it.
 */
NTSTATUS ZwOpenProcessToken(
HANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
PHANDLE TokenHandle);

/* NewState/BufferLength describe the privileges to change; PreviousState and
 * ReturnLength may be NULL when the caller does not want the old state back. */
NTSTATUS ZwAdjustPrivilegesToken(
HANDLE TokenHandle,
BOOLEAN DisableAllPrivileges,
PTOKEN_PRIVILEGES NewState,
ULONG BufferLength,
PTOKEN_PRIVILEGES PreviousState,
PULONG ReturnLength);

/* Opens a process selected by ClientId->UniqueProcess (a PID carried in a HANDLE-sized field). */
NTSTATUS ZwOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
CLIENT_ID* ClientId);

NTSTATUS ZwSuspendProcess(
HANDLE ProcessHandle);

NTSTATUS ZwResumeProcess(
HANDLE ProcessHandle);

NTSTATUS ZwTerminateProcess(
HANDLE ProcessHandle,
NTSTATUS ExitStatus);

/* Native equivalent of CloseHandle(). */
NTSTATUS ZwClose(
HANDLE Handle);
  43.  
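/*
 * Enable one named privilege (e.g. L"SeDebugPrivilege") in the current
 * process token.
 *
 * lpName: privilege name as accepted by LookupPrivilegeValueW.
 *
 * Returns the NTSTATUS of the first failing step, otherwise the status of
 * ZwAdjustPrivilegesToken. Callers must still test the result: a negative
 * value is a failure, and ZwAdjustPrivilegesToken can also return the
 * success-class STATUS_NOT_ALL_ASSIGNED (0x106), which means the token does
 * not hold the privilege at all, so nothing was enabled.
 */
NTSTATUS EnablePrivilege(PWSTR lpName)
{
HANDLE TokenHandle = NULL;
LUID Luid = { 0 };
TOKEN_PRIVILEGES NewState = { 0 };

NTSTATUS Status = ZwOpenProcessToken(
ZwCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&TokenHandle);
if (Status < 0)
{
/* No token handle was returned; nothing to clean up. */
return Status;
}

/* LookupPrivilegeValueW is a Win32 API (BOOL + GetLastError), not NTSTATUS;
 * map its failure to a generic NTSTATUS so callers see a single error type.
 * Without this check the original passed an uninitialized LUID on failure. */
if (!LookupPrivilegeValueW(NULL, lpName, &Luid))
{
ZwClose(TokenHandle);
return STATUS_UNSUCCESSFUL;
}

/* TOKEN_PRIVILEGES carries one LUID_AND_ATTRIBUTES inline, so a count of 1
 * fits in the fixed-size struct and sizeof(TOKEN_PRIVILEGES) is its length. */
NewState.PrivilegeCount = 1;
NewState.Privileges[0].Luid = Luid;
NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

Status = ZwAdjustPrivilegesToken(
TokenHandle, FALSE, &NewState,
sizeof(TOKEN_PRIVILEGES), NULL, NULL);

/* The token handle was never closed in the original; release it on every path. */
ZwClose(TokenHandle);
return Status;
}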
  66.  
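/*
 * Look up the PID of a running process by executable name (case-insensitive
 * comparison against PROCESSENTRY32W.szExeFile) using a Toolhelp snapshot.
 *
 * ProcessName: image file name, e.g. L"foo.exe".
 * ProcessId:   receives the PID of the last matching snapshot entry, or 0 when
 *              no process matches or the snapshot could not be taken. Callers
 *              must check for 0 before using the value.
 */
void GetPid(PWSTR ProcessName, PULONG ProcessId)
{
/* Always produce a defined result: the original left *ProcessId untouched
 * (possibly uninitialized in the caller) when nothing matched. */
*ProcessId = 0;

/* CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL. */
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snapshot == INVALID_HANDLE_VALUE)
{
return;
}

PROCESSENTRY32W entry = { 0 };
entry.dwSize = sizeof(PROCESSENTRY32W);

/* do/while so the entry returned by Process32FirstW is compared as well; the
 * original only examined entries from Process32NextW onwards. As before, a
 * later match overwrites an earlier one. */
if (Process32FirstW(snapshot, &entry))
{
do
{
if (_wcsicmp(entry.szExeFile, ProcessName) == 0)
{
*ProcessId = entry.th32ProcessID;
}
} while (Process32NextW(snapshot, &entry));
}

/* Toolhelp returns a Win32 handle; pair it with the documented CloseHandle. */
CloseHandle(snapshot);
}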
  86.  
  87.  
/*
 * Entry point. Usage: <exe> -s | -r
 *   -s : suspend winlogon.exe, then terminate dwm.exe
 *   -r : resume winlogon.exe
 * Both paths first try to enable SeDebugPrivilege, which is what allows the
 * later ZwOpenProcess calls with PROCESS_ALL_ACCESS on these system processes;
 * that in turn requires an elevated token. Always returns 0, even on failure,
 * so the exit code cannot be used to tell success from failure.
 *
 * NOTE(review): the result of EnablePrivilege, the status of ZwOpenProcess and
 * the outcome of GetPid are never checked. If a lookup finds nothing,
 * ProcessId is read uninitialized and hProcess may stay NULL, yet the
 * suspend/terminate/resume calls still run and only the last Status is printed.
 * The wprintf formats also use %ld for a ULONG and %lu for an NTSTATUS (a
 * signed LONG); %lu and %lx respectively would match the argument types.
 */
int wmain(int wargc, wchar_t* wargv[])
{

if (wargc < 2)
{
wprintf(L"No option provided\n");
return 0;
}

ULONG ProcessId;                                    /* filled by GetPid; left untouched when no match */
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES ObjectAttributes = { 0 };         /* no name or root directory: the target is chosen via ClientId */
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
CLIENT_ID ClientId = { 0 };

NTSTATUS Status = EnablePrivilege(L"SeDebugPrivilege");   /* return value is overwritten below without being checked */

if (!wcscmp(L"-s", wargv[1]))
{
GetPid(L"winlogon.exe", &ProcessId);
/* The PID is widened to pointer size before the HANDLE cast because
 * CLIENT_ID.UniqueProcess carries the PID in a HANDLE-typed field. */
ClientId.UniqueProcess = (HANDLE)(ULONG64)ProcessId;

Status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);
Status = ZwSuspendProcess(hProcess);              /* open status is discarded; hProcess is not validated */
wprintf(L"winlogon: PID: %ld Handle: %p Status: %lu\n",
ProcessId, hProcess, Status);
ZwClose(hProcess);

GetPid(L"dwm.exe", &ProcessId);
ClientId.UniqueProcess = (HANDLE)(ULONG64)ProcessId;

Status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);
Status = ZwTerminateProcess(hProcess, 0);         /* exit status 0 for the terminated process */
wprintf(L"dwm: PID: %ld Handle: %p Status: %lu\n",
ProcessId, hProcess, Status);
ZwClose(hProcess);

return 0;
}
else if (!wcscmp(L"-r", wargv[1]))
{
GetPid(L"winlogon.exe", &ProcessId);
ClientId.UniqueProcess = (HANDLE)(ULONG64)ProcessId;

Status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);
Status = ZwResumeProcess(hProcess);               /* undoes the -s suspend; same unchecked-open pattern as above */
wprintf(L"winlogon: PID: %ld Handle: %p Status: %lu\n",
ProcessId, hProcess, Status);
ZwClose(hProcess);

return 0;
}
else
{
wprintf(L"Only -r and -s option available\n");
return 0;
}
}