杀掉本地进程其实很简单,取得进程ID后,调用OpenProcess函数打开进程句柄,然后调用TerminateProcess函数就可以杀掉进程了。有些情况下并不能直接打开进程句柄,例如WINLOGON等系统进程,因为权限不够。这个时候我们就得先提升自己的进程的权限了。提升权限过程也不复杂,先调用GetCurrentProcess函数取得当前进程的句柄,然后调用OpenProcessToken打开当前进程的访问令牌,接着调用LookupPrivilegeValue函数取得你想提升的权限的值,最后调用AdjustTokenPrivileges函数给当前进程的访问令牌增加权限就可以了。一般有了SeDebugPrivilege特权后,就可以杀掉除Idle外的所有进程了。
XL'\$f OK!那如何杀掉远程进程呢?说起来有点复杂,但其实也不难。
i'\-Y]?[ <1>与远程系统建立IPC连接
?CcX>R-/ <2>在远程系统的系统目录admin$\system32中写入一个文件killsrv.exe
D0z[h(m <3>调用函数OpenSCManager打开远程系统的Service Control Manager[SCM]
F/3L^k] <4>调用函数CreateService在远程系统创建一个服务,服务指向的程序是在<2>中写入的程序killsrv.exe
<FI*A+I4\ <5>调用函数StartService启动刚才创建的服务,把想杀掉的进程的ID作为参数传递给它
IreY8.FND <6>服务启动后,killsrv.exe运行,杀掉进程
gyhy0 <7>清场
dczSW]% 嗯!这样看来,我们需要两个程序了。Killsrv.exe的源代码如下:
u]i%<Yy89 /***********************************************************************
{7;QZk( Module:Killsrv.c
%5nEyZOq Date:2001/4/27
v>N*f~n Author:ey4s
Wu(^k25 Http://www.ey4s.org _x^rHADp ***********************************************************************/
M9m~ck #include
uh \Tf5 #include
CF@*ki3X #include "function.c"
VL'wrgk #define ServiceName "PSKILL"
{3kz\FS H4j1yD(d SERVICE_STATUS_HANDLE ssh;
#9~,d<H SERVICE_STATUS ss;
}X/YMgJ /////////////////////////////////////////////////////////////////////////
S.q0L void ServiceStopped(void)
bOp% {
D5f[: ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
pS}IU{#; ss.dwCurrentState=SERVICE_STOPPED;
~tZB1+%) ss.dwControlsAccepted=SERVICE_ACCEPT_STOP;
dnQ6Ras ss.dwWin32ExitCode=NO_ERROR;
lNl.lI\t)y ss.dwCheckPoint=0;
%r*,m3d ss.dwWaitHint=0;
MUGoW;}v) SetServiceStatus(ssh,&ss);
RDjw|V return;
EuImj#Zl }
nwC*w`4 /////////////////////////////////////////////////////////////////////////
J@}PySq void ServicePaused(void)
e4tC[6 ; {
t%0c$c ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
'cQ,;y ss.dwCurrentState=SERVICE_PAUSED;
+{C)^!zBK ss.dwControlsAccepted=SERVICE_ACCEPT_STOP;
po,Ue>n/ ss.dwWin32ExitCode=NO_ERROR;
%[M0TE=J ss.dwCheckPoint=0;
Gv}Q/v ss.dwWaitHint=0;
{9.UeVz SetServiceStatus(ssh,&ss);
3IB9-wG return;
S8v?H|rm }
p
.P#S void ServiceRunning(void)
;Krb/qr4_ {
w5
] lU ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
%Lb
cwh(9 ss.dwCurrentState=SERVICE_RUNNING;
\NEk B&^n ss.dwControlsAccepted=SERVICE_ACCEPT_STOP;
)+=Kh$VbS ss.dwWin32ExitCode=NO_ERROR;
c_?^:xs:d ss.dwCheckPoint=0;
,2+d+Zuh ss.dwWaitHint=0;
UUb0[oy SetServiceStatus(ssh,&ss);
|5X59!
JL return;
c3o3i }
z;Fz3s7 /////////////////////////////////////////////////////////////////////////
_\Z'Yl void WINAPI servier_ctrl(DWORD Opcode)//服务控制程序
dqo-.,= {
1~3dX[& switch(Opcode)
:Ea|FAeK8 {
;Bj&9DZd case SERVICE_CONTROL_STOP://停止Service
`'k2gq& ServiceStopped();
N&kUTSd break;
* fj`+J case SERVICE_CONTROL_INTERROGATE:
z8]@Gh+
( SetServiceStatus(ssh,&ss);
cAot+N+9|] break;
Un,'a8>V` }
udIm}jRA" return;
M X7Ix{ }
\Q1&w2mw //////////////////////////////////////////////////////////////////////////////
q9{)nU //杀进程成功设置服务状态为SERVICE_STOPPED
=5V7212 //失败设置服务状态为SERVICE_PAUSED
MI^$df //
r<Cr)%z! void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
j(]O$" " {
%*wEzvt* ssh=RegisterServiceCtrlHandler(ServiceName,servier_ctrl);
HW,v" if(!ssh)
x?0K' {
;134$7!Y ServicePaused();
:FtV~^Z return;
+zq"dj_ }
U{LS_VI~ ServiceRunning();
#7}M\\$M Sleep(100);
y'I
m/{9U //注意,argv[0]为此程序名,argv[1]为pskill,参数需要递增1
(_CvN=A //argv[2]=target,argv[3]=user,argv[4]=pwd,argv[5]=pid
^FBu|eAkE if(KillPS(atoi(lpszArgv[5])))
Kg2Du'WQ^ ServiceStopped();
ksuePMIK else
W[
W)q%[) ServicePaused();
&}7R\co3 return;
r
jxkgd }
|G$-5
7fk /////////////////////////////////////////////////////////////////////////////
sPeTW*HeR void main(DWORD dwArgc,LPTSTR *lpszArgv)
Ip=QtNW3\ {
LL)t) SERVICE_TABLE_ENTRY ste[2];
%"fO^KA.h] ste[0].lpServiceName=ServiceName;
DI2e%`$ ste[0].lpServiceProc=ServiceMain;
ls!A'@J ste[1].lpServiceName=NULL;
wVnmT94 ste[1].lpServiceProc=NULL;
T]tu#h{
a StartServiceCtrlDispatcher(ste);
JMo r[* return;
(w5cp!qW9J }
"kBVHy /////////////////////////////////////////////////////////////////////////////
ID!S}D function.c中有两个函数,一个是提升权限的,一个是提供进程ID,杀进程的。代码如
Zf<T`'_d 下:
= >tkc/aa /***********************************************************************
b7I0R;Zj Module:function.c
Ol+D"k~<C Date:2001/4/28
]?wz. Author:ey4s
0)~c)B:5 Http://www.ey4s.org $@71 w~y ***********************************************************************/
QRBx}!:NZ# #include
knph549 ////////////////////////////////////////////////////////////////////////////
N[Ei%I BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)
rxyeix {
HiU)q TOKEN_PRIVILEGES tp;
~9vK6;0 LUID luid;
CMOyK^(e CM++:Y vJ if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
lqJ92vi6Q {
xT*c## printf("\nLookupPrivilegeValue error:%d", GetLastError() );
<!UnH6J.b return FALSE;
kh2TDxa& }
<bSPKTKL tp.PrivilegeCount = 1;
J`GL_@$q tp.Privileges[0].Luid = luid;
4
l-UrnZ if (bEnablePrivilege)
Tq?Ai_
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
~wv$uL8y else
$L6R,%c tp.Privileges[0].Attributes = 0;
5V =mj+X? // Enable the privilege or disable all privileges.
r~f;g9I AdjustTokenPrivileges(
V@-Q&K# hToken,
xsJXf @ FALSE,
6vE#$(n#a& &tp,
UdM2!f sizeof(TOKEN_PRIVILEGES),
./Ek+p*96H (PTOKEN_PRIVILEGES) NULL,
#G F.M,O/h (PDWORD) NULL);
0 D
'^: // Call GetLastError to determine whether the function succeeded.
Uuu2wz3O0 if (GetLastError() != ERROR_SUCCESS)
:Hm'o} {
Xo~q}(ze^ printf("AdjustTokenPrivileges failed: %u\n", GetLastError() );
HB'9&
return FALSE;
-aok ]w
m }
a~_JTH4=t return TRUE;
]YFjz/f }
[R%*C9Y d ////////////////////////////////////////////////////////////////////////////
4W*o:Y! BOOL KillPS(DWORD id)
rXD:^wUSc {
Fb%?qaLmCv HANDLE hProcess=NULL,hProcessToken=NULL;
9wldd*r BOOL IsKilled=FALSE,bRet=FALSE;
&,jUaC5I __try
:}Yk0* {
Hv,ll1@h {2P18&=
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hProcessToken))
qmFbq<& {
`pZX!6Wn printf("\nOpen Current Process Token failed:%d",GetLastError());
Z.Z;p/4F __leave;
6LGl]jHf }
~//E'V- //printf("\nOpen Current Process Token ok!");
wLqj<ot if(!SetPrivilege(hProcessToken,SE_DEBUG_NAME,TRUE))
J@_^] {
q@[F|EF= __leave;
*9kg\# }
Z Se30Rl\ printf("\nSetPrivilege ok!");
hB.8\-}QMq #\m.3!Hcr if((hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id))==NULL)
@!!u>1 {
2672oFD printf("\nOpen Process %d failed:%d",id,GetLastError());
,iP
YsW]5 __leave;
2 A!*8w }
;NdH]a{ //printf("\nOpen Process %d ok!",id);
xp95KxHHo if(!TerminateProcess(hProcess,1))
S!=R\_{u$ {
IBJNs$ printf("\nTerminateProcess failed:%d",GetLastError());
Y8v[kuo7 __leave;
=wDXlAQ }
T:{r*zLSN IsKilled=TRUE;
[(#)9/3, }
Wd)\r.pJ __finally
$Uy+]9
{
hZ
e{Ri if(hProcessToken!=NULL) CloseHandle(hProcessToken);
5yoi;$~}_0 if(hProcess!=NULL) CloseHandle(hProcess);
M NwY
}
f7Nmvla[q return(IsKilled);
Ul]7IUzsu }
`j)56bR //////////////////////////////////////////////////////////////////////////////////////////////
<%uEWb) OK!服务端的程序已经好了。接下来还需要一个客户端。如果通过在客户端运行的时候,把killsrv.exe COPY到远程系统上,那么就需要提供两个exe文件给用户,这样显得不是很专业,呵呵。不如我们就把killsrv.exe的二进制码作为buff保存在客户端吧,这样在运行的时候,我们直接把buff中的内容写过去,这样提供给用户一个exe文件就可以了。Pskill.c的源代码如下:
?VE'!DW /*********************************************************************************************
l_:P| ModulesKill.c
Nr>UZlU8 Create:2001/4/28
b:Zh|- Modify:2001/6/23
c]#}#RJ`\ Author:ey4s
1aRTvaGo Http://www.ey4s.org W&
0R/y7 PsKill ==>Local and Remote process killer for windows 2k
+O 7(
>a **************************************************************************/
*|\bS " #include "ps.h"
bs~P #define EXE "killsrv.exe"
!10/M #define ServiceName "PSKILL"
rmkBp_i{| K\U`gTGc #pragma comment(lib,"mpr.lib")
v8y Cf7+" //////////////////////////////////////////////////////////////////////////
{*GBUv5 //定义全局变量
g&2g>] SERVICE_STATUS ssStatus;
}O@>:?U SC_HANDLE hSCManager=NULL,hSCService=NULL;
E#(e2Z= BOOL bKilled=FALSE;
hui
#<2{ char szTarget[52]=;
ky[Cx!81C //////////////////////////////////////////////////////////////////////////
oOI0q_bf BOOL ConnIPC(char *,char *,char *);//建立IPC连接函数
L
QV@]z& BOOL InstallService(DWORD,LPTSTR *);//安装服务函数
#1'q'f:7& BOOL WaitServiceStop();//等待服务停止函数
(b#M4ho*f BOOL RemoveService();//删除服务函数
Bj\
x /////////////////////////////////////////////////////////////////////////
Ka(B&. int main(DWORD dwArgc,LPTSTR *lpszArgv)
'{
=F/q {
.p e3L7g BOOL bRet=FALSE,bFile=FALSE;
Q34u>VkdQI char tmp[52]=,RemoteFilePath[128]=,
gF)-Ci szUser[52]=,szPass[52]=;
V>)/z|[ HANDLE hFile=NULL;
MSM8wYcD DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(exebuff);
B;=Z^$%T }a5TY("d9H //杀本地进程
*'8q?R?7g if(dwArgc==2)
dNt^lx {
|Vz)!M if(KillPS(atoi(lpszArgv[1])))
ms}o[Z@n printf("\nLoacl Process %s have beed killed!",lpszArgv[1]);
q`2dL)E else
">wvd*w0"( printf("\nLoacl Process %s can't be killed!ErrorCode:%d",
3<$Ek3X lpszArgv[1],GetLastError());
o}KVT%} return 0;
w@,p` }
dE,E,tv //用户输入错误
7!jb else if(dwArgc!=5)
|Ol29C$@| {
QlMLWi printf("\nPSKILL ==>Local and Remote Process Killer"
iU 6,B "\nPower by ey4s"
&&C70+_po "\nhttp://www.ey4s.org 2001/6/23"
_4Eq_w` "\n\nUsage:%s <==Killed Local Process"
d9TTAaf "\n %s <==Killed Remote Process\n",
Y3[KS;_fr9 lpszArgv[0],lpszArgv[0]);
hizM}d-"C return 1;
?y>ji1 }
Q<V1`e //杀远程机器进程
XTF[4#WO strncpy(szTarget,lpszArgv[1],sizeof(szTarget)-1);
RA<ky*^dr strncpy(szUser,lpszArgv[2],sizeof(szUser)-1);
W>w(|3\ strncpy(szPass,lpszArgv[3],sizeof(szPass)-1);
EL3X8H tb~E.Lm\ //将在目标机器上创建的exe文件的路径
v4|TQ8!wR sprintf(RemoteFilePath,"\\%s\admin$\system32\%s",szTarget,EXE);
m\jjj^f a __try
@uRJl$3 {
:B5*?x //与目标建立IPC连接
v^o`+~i if(!ConnIPC(szTarget,szUser,szPass))
p#P<V% {
QjSWl,{
$D printf("\nConnect to %s failed:%d",szTarget,GetLastError());
#b428- return 1;
1ds4C:M+< }
^\B4]'+^j printf("\nConnect to %s success!",szTarget);
G9okl9;od //在目标机器上创建exe文件
*Xk5H,: |33t 5}we hFile=CreateFile(RemoteFilePath,GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRIT
a~LA&>@ E,
9;{(.K NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
c8mh#Tbl if(hFile==INVALID_HANDLE_VALUE)
OV;VsF {
| VaJ70\o printf("\nCreate file %s failed:%d",RemoteFilePath,GetLastError());
!6X6_ +}M __leave;
P/ 6$TgQ }
Lwi"K8.u //写文件内容
^TZmc{i while(dwSize>dwIndex)
qQ)1+^ {
-|}?+W xf;>o$oN0P if(!WriteFile(hFile,&exebuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
UJqh~s {
YL|)`m0-^5 printf("\nWrite file %s
084Us
s failed:%d",RemoteFilePath,GetLastError());
J7",fb __leave;
Yu" Q }
oCkG dwIndex+=dwWrite;
VV1sadS:S` }
Ow> u!P! //关闭文件句柄
K5LJx-x*j CloseHandle(hFile);
diu"Nt bFile=TRUE;
&':C"_|&r //安装服务
2C:u)}R7D if(InstallService(dwArgc,lpszArgv))
r{r~!=u {
Hm>cKPZ) //等待服务结束
GNM>hQ)h: if(WaitServiceStop())
w]qM
{
.>TG{>sH //printf("\nService was stoped!");
Ua|iAD1 }
Ot47.z else
#lqH/>`> {
IYq#|^)5+ //printf("\nService can't be stoped.Try to delete it.");
=C,DR4xh }
1-^D2B[- Sleep(500);
gd#R7[AVi //删除服务
+j F|8 RemoveService();
G-1qxK }
p: z][I }
#Swc>jYc __finally
r3' DXP {
?F]P=S:x //删除留下的文件
X(x,6cC if(bFile) DeleteFile(RemoteFilePath);
@ntwdv; //如果文件句柄没有关闭,关闭之~
h9m|f|cH if(hFile!=NULL) CloseHandle(hFile);
c"kB @P
//Close Service handle
%E@o8 if(hSCService!=NULL) CloseServiceHandle(hSCService);
m_Ed[h/I //Close the Service Control Manager handle
lq53
xT if(hSCManager!=NULL) CloseServiceHandle(hSCManager);
&D[M<7T //断开ipc连接
3YLfh`6 wsprintf(tmp,"\\%s\ipc$",szTarget);
m4OnRZYlw WNetCancelConnection2(tmp,CONNECT_UPDATE_PROFILE,TRUE);
-E6av|c,F if(bKilled)
53aJnxX printf("\nProcess %s on %s have been
k?Hi_;o killed!\n",lpszArgv[4],lpszArgv[1]);
LvS5N)[ else
-6-rXD printf("\nProcess %s on %s can't be
/f?;,CyI killed!\n",lpszArgv[4],lpszArgv[1]);
p2l@6\m\ }
Ih5Y7<8b~ return 0;
%Bm{ctf#) }
k]:`<`/I_ //////////////////////////////////////////////////////////////////////////
<7ANXHuSW BOOL ConnIPC(char *RemoteName,char *User,char *Pass)
`
~m/ {
lU
Zj NETRESOURCE nr;
[g@qZ5I. char RN[50]="\\";
N
e{=KdzT Gev\bQa strcat(RN,RemoteName);
S_Nm?;P strcat(RN,"\ipc$");
SbX^DAlB1 Jgr;'U$ nr.dwType=RESOURCETYPE_ANY;
feB ?
nr.lpLocalName=NULL;
%KO8i)n nr.lpRemoteName=RN;
5s^vC2$) nr.lpProvider=NULL;
Wx3DWY; lt4IoE`tk? if(WNetAddConnection2(&nr,Pass,User,FALSE)==NO_ERROR)
_z%\53h return TRUE;
Y9f7~w^s else
`UzH *w@e return FALSE;
,^mEi }
y~]D402Cx /////////////////////////////////////////////////////////////////////////
8d'/w}GV BOOL InstallService(DWORD dwArgc,LPTSTR *lpszArgv)
rN#9p+t$ {
Rh6CV BOOL bRet=FALSE;
j8e=],sQ __try
&/^p:I {
& ;5f/ //Open Service Control Manager on Local or Remote machine
e^~dx}X hSCManager=OpenSCManager(szTarget,NULL,SC_MANAGER_ALL_ACCESS);
9.dZA9l@g if(hSCManager==NULL)
2l V`UIa {
,V]FAIJ printf("\nOpen Service Control Manage failed:%d",GetLastError());
r*mYtS __leave;
2Q(ZW@0 }
7lF;(l^Z>} //printf("\nOpen Service Control Manage ok!");
l<=k#d //Create Service
o92BGqA>& hSCService=CreateService(hSCManager,// handle to SCM database
}T}c%p ServiceName,// name of service to start
emJZ+:% ServiceName,// display name
o-_,l
J7o^ SERVICE_ALL_ACCESS,// type of access to service
*$VeR(QN SERVICE_WIN32_OWN_PROCESS,// type of service
_+)OL- SERVICE_AUTO_START,// when to start service
[?<v|k
SERVICE_ERROR_IGNORE,// severity of service
n3V$Xtxw failure
g8Y)90 G EXE,// name of binary file
6w3[PNd NULL,// name of load ordering group
3_;=y\F NULL,// tag identifier
P;y!Y/$ C NULL,// array of dependency names
^=-25%&^ NULL,// account name
lws.;abm%n NULL);// account password
!}P^O(oY //create service failed
@/As|) if(hSCService==NULL)
D.7cWR`Wp {
B(71I; //如果服务已经存在,那么则打开
|uFb(kL[U if(GetLastError()==ERROR_SERVICE_EXISTS)
&~.|9P/45 {
E 8W*^^z( //printf("\nService %s Already exists",ServiceName);
SLkgIb~'X //open service
bSI*`Dc"! hSCService = OpenService(hSCManager, ServiceName,
G
DBV SERVICE_ALL_ACCESS);
t`}=~/#`X if(hSCService==NULL)
s]=XAm"4 {
ixM#|Yq printf("\nOpen Service failed:%d",GetLastError());
gP8}d*W%b __leave;
Qt'3v"S>) }
jsV1~1:83 //printf("\nOpen Service %s ok!",ServiceName);
H
9/m6F }
er
1zSTkg else
`3K."/N6c {
IYptNR printf("\nCreateService failed:%d",GetLastError());
UZiL NKc __leave;
<uoVGV5N }
*hFJI9G }
UDkH'x$= //create service ok
+('xzW else
Xsb.xxK. {
(Y&gse1}! //printf("\nCreate Service %s ok!",ServiceName);
;gJAxVD< }
IwbV+mWQ Vfq-H /+ // 起动服务
~|{e"!(} if ( StartService(hSCService,dwArgc,lpszArgv))
6eB~S)Ko {
kJ.7C //printf("\nStarting %s.", ServiceName);
HCktgL:E= Sleep(20);//时间最好不要超过100ms
c0jTQMe4yl while( QueryServiceStatus(hSCService, &ssStatus ) )
[ot+EA {
-ImO y| if ( ssStatus.dwCurrentState == SERVICE_START_PENDING)
W>x.*K {
Zn|lL0b{q printf(".");
Bz,Xg-k+ Sleep(20);
Y>nQ< }
4|jPr J
else
4rCw#mVtB break;
|l|$Q; }
ow,! 7|m if ( ssStatus.dwCurrentState != SERVICE_RUNNING )
NQ '|M printf("\n%s failed to run:%d",ServiceName,GetLastError());
}DvT6 }
|t$%kpp else if(GetLastError()==ERROR_SERVICE_ALREADY_RUNNING)
[8DPZU@ {
- sq=| //printf("\nService %s already running.",ServiceName);
(S=CxK }
ffOV7Dxy else
^'sy hI\ {
gz:US77 printf("\nStart Service %s failed:%d",ServiceName,GetLastError());
{c
$8?6 __leave;
*m&'6qsS }
qvh8~[ bRet=TRUE;
#x6wM~ }//enf of try
X*)DpbWd __finally
: 9>U+)% {
Oeg^%Y
return bRet;
.nA9irc }
PGTjOkx return bRet;
.q 4FGPWz }
=':SOO7 /////////////////////////////////////////////////////////////////////////
oC!z+< BOOL WaitServiceStop(void)
wUS w9xg {
}&l%>P BOOL bRet=FALSE;
dZd]p8 //printf("\nWait Service stoped");
/5>A 2y while(1)
\3rgwbF {
RbA.&=3 Sleep(100);
8X\":l: if(!QueryServiceStatus(hSCService, &ssStatus))
0w2<2grQ {
H7 {kl printf("\nQueryServiceStatus failed:%d",GetLastError());
r/+~4W5
break;
|t58n{V.O }
cGg~+R2P if(ssStatus.dwCurrentState==SERVICE_STOPPED)
(x[z=_I%` {
2-#&ktM%V bKilled=TRUE;
b u/GaE~ bRet=TRUE;
)Ee`11 break;
=@;\9j }
@# p{,L if(ssStatus.dwCurrentState==SERVICE_PAUSED)
S;!7/z {
6I5LZ^/ G9 //停止服务
NdI~1kemr bRet=ControlService(hSCService,SERVICE_CONTROL_STOP,NULL);
~MK%^5y? break;
^
-lWv }
E@@XWU21;N else
S]c&