整理资料的时候发现的以前的代码,本机Win7 x64 Sp1 运行直接关机,黑屏。就是利用RtlAdjustPrivilege函数提权,代码中的注释写的很详细了。用的VS2010写的,直接编译成x64就可以运行,直接关机了。
#include "stdafx.h" #include <Windows.h> #include <stdio.h> //定义函数原型 typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID); typedef int (* pfnZwShutdownSystem)(int); pfnRtlAdjustPrivilege64 RtlAdjustPrivilege; pfnZwShutdownSystem ZwShutdownSystem; int _tmain(int argc, _TCHAR* argv[]) { //装载DLL HMODULE hModule = ::LoadLibrary(L"NTDLL.DLL"); if(hModule == NULL) { printf("LoadLibrary error "); return 0; } //得到导出函数的地址 RtlAdjustPrivilege = (pfnRtlAdjustPrivilege64)GetProcAddress(hModule, "RtlAdjustPrivilege"); ZwShutdownSystem = (pfnZwShutdownSystem)GetProcAddress(hModule,"ZwShutdownSystem"); if(RtlAdjustPrivilege == NULL) { printf("GetProcAddress error "); return 0; } //取得系统版本 OSVERSIONINFO osvi; osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); if(GetVersionEx(&osvi) == 0) { return false; } DWORD dwReturnval; if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) { /* .常量 SE_BACKUP_PRIVILEGE, "17", 公开 .常量 SE_RESTORE_PRIVILEGE, "18", 公开 .常量 SE_SHUTDOWN_PRIVILEGE, "19", 公开 .常量 SE_DEBUG_PRIVILEGE, "20", 公开 */ RtlAdjustPrivilege(19, 1, 0, &dwReturnval); } //强制关机, 不向进程发送WM_QUERYENDSESSION消息 //ExitWindowsEx(EWX_FORCE, 0); //退出用户 ZwShutdownSystem(2); //直接黑屏 return 0; }