Suicide EXE (Inject)
2004-10-03 20:04
;*******************************************************
;ml /c /coff /Fo selfkill-Rnt.obj selfkill-Rnt.asm
;Link /subsystem:windows /SECTION:.text,WRE selfkill-Rnt.obj
;*******************************************************
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;*******************************************************
.code
;-----------------------------------------------------------------------
; Remote-thread stub that deletes the host executable's own file.
; This block (code + two pointer slots) is copied byte-for-byte out of
; this image by start and executed in another process, so it computes a
; relocation delta in ebx and addresses everything relative to it.
; In:    entered as a thread start routine, no parameter is used
; Out:   eax = result of DeleteFileA (left in eax at ret)
; Clobb: ebx (NOTE(review): callee-saved in x86 ABIs and not restored;
;        only acceptable because this runs as a thread entry point)
; Layout: the dd slots below live in .code and are written by start, which
;        is why the link line uses /SECTION:.text,WRE (writable+executable
;        text, a W^X violation worth noting when reviewing such binaries).
;-----------------------------------------------------------------------
KREMOTE_CODE_START equ this byte
call @F ;pushes the run-time address of @@
@@:
pop ebx ;ebx = run-time address of @@
sub ebx,offset @B ;relocation: ebx = run-time address - link-time address
push 500 ;Sleep(500 ms): lets the host process exit first (inferred intent)
call [ebx+_lpselfkillSleep] ;slot holds kernel32!Sleep, resolved by start; stdcall pops the arg
lea eax,[ebx+offset _selfkillselfname] ;relocated pointer to the path bytes appended after the stub
push eax
call [ebx+_lpselfkillDeleteFile] ;DeleteFileA(own path); result stays in eax
ret ;end of thread routine; eax becomes the thread's return value
;Data slots patched by start before the copy is made:
_lpselfkillSleep dd ? ;address of Sleep in this process (assumed valid in the target too)
_lpselfkillDeleteFile dd ? ;address of DeleteFileA, same assumption
_selfkillselfname: ;no bytes here; in the REMOTE_CODE copy the path from szSelfName follows
KREMOTE_CODE_END equ this byte
KREMOTE_CODE_LENGTH equ offset KREMOTE_CODE_END - offset KREMOTE_CODE_START
;*******************************************************
.data?
;Uninitialised buffer that receives the patched stub, immediately followed
;by the host's own path. start passes KREMOTE_CODE_LENGTH+MAX_PATH as one
;block, so the code depends on these two being contiguous (both are
;byte-aligned db declarations in the same segment, so no padding is inserted).
REMOTE_CODE db KREMOTE_CODE_LENGTH dup (?) ;copy of bytes KREMOTE_CODE_START..KREMOTE_CODE_END
szSelfName db MAX_PATH dup (?) ;filled by GetModuleFileName in start; read in the target as _selfkillselfname
.code
;*******************************************************
;Used to insert a remote thread into the explorer.exe process.
;Window class and title of the shell's desktop window; the process that
;owns that window is the injection target. These strings are kept in the
;code section (this file does not use a read-only data section).
szDesktopClass db 'Progman',0
szDesktopWindow db 'Program Manager',0
;-----------------------------------------------------------------------
; _RemoteCode2KXP(@_RmCodeStart, @_RmCodeLen)
; ABI:   stdcall (.model flat,stdcall): callee removes the two arguments
; Purpose: copy @_RmCodeLen bytes from @_RmCodeStart into the process that
;        owns the desktop shell window and start a thread there at the
;        first byte of the copy (remote-thread injection).
; In:    @_RmCodeStart = source address of the code+data block
;        @_RmCodeLen   = length of that block in bytes
; Out:   eax = result of the final CloseHandle (the caller ignores it)
; Locals:@hRmCodeMemory      = address of the allocation in the target
;        @hselfkillProcessID = PID of the window owner
;        @hselfkillProcess   = handle to that process
; Checks: only the VirtualAllocEx result is tested; FindWindow, OpenProcess,
;        WriteProcessMemory and CreateRemoteThread results are used as-is,
;        and the remote allocation is never released.
; Detection note: OpenProcess on the shell with CREATE_THREAD|VM_OPERATION|
;        VM_WRITE, then an RWX VirtualAllocEx, WriteProcessMemory and
;        CreateRemoteThread is the textbook API chain that endpoint
;        monitoring and sandboxes key on.
;-----------------------------------------------------------------------
_RemoteCode2KXP proc @_RmCodeStart,@_RmCodeLen
local @hRmCodeMemory
local @hselfkillProcessID
local @hselfkillProcess
;Find the shell's desktop window, get its owning process ID, then open that process
invoke FindWindow,addr szDesktopClass,addr szDesktopWindow ;eax = HWND, NULL if absent (not checked)
lea ecx,@hselfkillProcessID
invoke GetWindowThreadProcessId,eax,ecx ;stores the owner PID into @hselfkillProcessID
;Access rights: create a thread, operate on and write to the target's memory
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or /
PROCESS_VM_WRITE,FALSE,@hselfkillProcessID
mov @hselfkillProcess,eax ;handle, or NULL on failure (not checked)
;Allocate in the target, write the remote code there, then create the remote thread
invoke VirtualAllocEx,@hselfkillProcess,NULL,@_RmCodeLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE ;RWX region
.if eax ;the only error check in this routine
mov @hRmCodeMemory,eax
invoke WriteProcessMemory,@hselfkillProcess,eax,@_RmCodeStart,@_RmCodeLen,NULL ;eax still = remote address; bytes-written pointer is NULL
xor eax,eax ;zero reused for every NULL/0 argument below (push does not alter eax)
invoke CreateRemoteThread,@hselfkillProcess,eax,eax,@hRmCodeMemory,eax,eax,eax ;entry = start of the copy, no parameter
invoke CloseHandle,eax ;release the thread handle; the thread keeps running
.endif
invoke CloseHandle,@hselfkillProcess
ret
_RemoteCode2KXP endp
;*******************************************************
;Module and export names resolved at run time in start via
;GetModuleHandle/GetProcAddress; the resulting pointers are written into
;the stub's dd slots (_lpselfkillSleep, _lpselfkillDeleteFile).
szselfkillDllKernel db 'Kernel32.dll',0
szselfkillSleep db "Sleep",0 ;kernel32!Sleep
szselfkillDeleteFile db "DeleteFileA",0 ;kernel32!DeleteFileA (ANSI path)
;-----------------------------------------------------------------------
; start: program entry point (see `end start`)
; 1. resolve Sleep and DeleteFileA from this process's kernel32 and store
;    the raw addresses into the stub's data slots;
; 2. copy the stub into REMOTE_CODE and place this image's own path right
;    after it (szSelfName directly follows REMOTE_CODE in .data?);
; 3. hand the combined buffer to _RemoteCode2KXP, then return.
; NOTE(review): the pointers resolved here are called from the target
; process, so this assumes kernel32 is mapped at the same base there as
; in this process ("hard-coded addresses" in the author's comment).
; None of the API results in this routine are checked.
;-----------------------------------------------------------------------
start:
;Get the API addresses (hard-coded addresses)
invoke GetModuleHandle,addr szselfkillDllKernel ;eax = kernel32 base in this process
mov esi,eax
invoke GetProcAddress,esi,offset szselfkillSleep
mov _lpselfkillSleep,eax ;patch the stub's Sleep slot (a write into .code)
invoke GetProcAddress,esi,offset szselfkillDeleteFile
mov _lpselfkillDeleteFile,eax ;patch the stub's DeleteFileA slot
;Combine the remote code with this executable's own path
cld ;forward copy
mov ecx,KREMOTE_CODE_LENGTH ;byte count
mov esi,offset KREMOTE_CODE_START ;source: the already-patched stub in .code
mov edi,offset REMOTE_CODE ;destination: buffer in .data?
rep movsb
invoke GetModuleFileName,NULL,offset szSelfName,MAX_PATH ;own path lands directly after the copy (length/truncation not checked)
push KREMOTE_CODE_LENGTH+MAX_PATH ;@_RmCodeLen: stub plus the path buffer behind it
push offset REMOTE_CODE ;@_RmCodeStart
call _RemoteCode2KXP ;stdcall: callee pops both arguments
ret ;leave the entry point; presumably ends the process before the remote Sleep(500) expires
end start
end start
;ml /c /coff /Fo selfkill-Rnt.obj selfkill-Rnt.asm
;Link /subsystem:windows /SECTION:.text,WRE selfkill-Rnt.obj
;*******************************************************
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;*******************************************************
.code
;-----------------------------------------------------------------------
; Remote-thread stub that deletes the host executable's own file.
; This block (code + two pointer slots) is copied byte-for-byte out of
; this image by start and executed in another process, so it computes a
; relocation delta in ebx and addresses everything relative to it.
; In:    entered as a thread start routine, no parameter is used
; Out:   eax = result of DeleteFileA (left in eax at ret)
; Clobb: ebx (NOTE(review): callee-saved in x86 ABIs and not restored;
;        only acceptable because this runs as a thread entry point)
; Layout: the dd slots below live in .code and are written by start, which
;        is why the link line uses /SECTION:.text,WRE (writable+executable
;        text, a W^X violation worth noting when reviewing such binaries).
;-----------------------------------------------------------------------
KREMOTE_CODE_START equ this byte
call @F ;pushes the run-time address of @@
@@:
pop ebx ;ebx = run-time address of @@
sub ebx,offset @B ;relocation: ebx = run-time address - link-time address
push 500 ;Sleep(500 ms): lets the host process exit first (inferred intent)
call [ebx+_lpselfkillSleep] ;slot holds kernel32!Sleep, resolved by start; stdcall pops the arg
lea eax,[ebx+offset _selfkillselfname] ;relocated pointer to the path bytes appended after the stub
push eax
call [ebx+_lpselfkillDeleteFile] ;DeleteFileA(own path); result stays in eax
ret ;end of thread routine; eax becomes the thread's return value
;Data slots patched by start before the copy is made:
_lpselfkillSleep dd ? ;address of Sleep in this process (assumed valid in the target too)
_lpselfkillDeleteFile dd ? ;address of DeleteFileA, same assumption
_selfkillselfname: ;no bytes here; in the REMOTE_CODE copy the path from szSelfName follows
KREMOTE_CODE_END equ this byte
KREMOTE_CODE_LENGTH equ offset KREMOTE_CODE_END - offset KREMOTE_CODE_START
;*******************************************************
.data?
;Uninitialised buffer that receives the patched stub, immediately followed
;by the host's own path. start passes KREMOTE_CODE_LENGTH+MAX_PATH as one
;block, so the code depends on these two being contiguous (both are
;byte-aligned db declarations in the same segment, so no padding is inserted).
REMOTE_CODE db KREMOTE_CODE_LENGTH dup (?) ;copy of bytes KREMOTE_CODE_START..KREMOTE_CODE_END
szSelfName db MAX_PATH dup (?) ;filled by GetModuleFileName in start; read in the target as _selfkillselfname
.code
;*******************************************************
;Used to insert a remote thread into the explorer.exe process.
;Window class and title of the shell's desktop window; the process that
;owns that window is the injection target. These strings are kept in the
;code section (this file does not use a read-only data section).
szDesktopClass db 'Progman',0
szDesktopWindow db 'Program Manager',0
;-----------------------------------------------------------------------
; _RemoteCode2KXP(@_RmCodeStart, @_RmCodeLen)
; ABI:   stdcall (.model flat,stdcall): callee removes the two arguments
; Purpose: copy @_RmCodeLen bytes from @_RmCodeStart into the process that
;        owns the desktop shell window and start a thread there at the
;        first byte of the copy (remote-thread injection).
; In:    @_RmCodeStart = source address of the code+data block
;        @_RmCodeLen   = length of that block in bytes
; Out:   eax = result of the final CloseHandle (the caller ignores it)
; Locals:@hRmCodeMemory      = address of the allocation in the target
;        @hselfkillProcessID = PID of the window owner
;        @hselfkillProcess   = handle to that process
; Checks: only the VirtualAllocEx result is tested; FindWindow, OpenProcess,
;        WriteProcessMemory and CreateRemoteThread results are used as-is,
;        and the remote allocation is never released.
; Detection note: OpenProcess on the shell with CREATE_THREAD|VM_OPERATION|
;        VM_WRITE, then an RWX VirtualAllocEx, WriteProcessMemory and
;        CreateRemoteThread is the textbook API chain that endpoint
;        monitoring and sandboxes key on.
;-----------------------------------------------------------------------
_RemoteCode2KXP proc @_RmCodeStart,@_RmCodeLen
local @hRmCodeMemory
local @hselfkillProcessID
local @hselfkillProcess
;Find the shell's desktop window, get its owning process ID, then open that process
invoke FindWindow,addr szDesktopClass,addr szDesktopWindow ;eax = HWND, NULL if absent (not checked)
lea ecx,@hselfkillProcessID
invoke GetWindowThreadProcessId,eax,ecx ;stores the owner PID into @hselfkillProcessID
;Access rights: create a thread, operate on and write to the target's memory
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or /
PROCESS_VM_WRITE,FALSE,@hselfkillProcessID
mov @hselfkillProcess,eax ;handle, or NULL on failure (not checked)
;Allocate in the target, write the remote code there, then create the remote thread
invoke VirtualAllocEx,@hselfkillProcess,NULL,@_RmCodeLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE ;RWX region
.if eax ;the only error check in this routine
mov @hRmCodeMemory,eax
invoke WriteProcessMemory,@hselfkillProcess,eax,@_RmCodeStart,@_RmCodeLen,NULL ;eax still = remote address; bytes-written pointer is NULL
xor eax,eax ;zero reused for every NULL/0 argument below (push does not alter eax)
invoke CreateRemoteThread,@hselfkillProcess,eax,eax,@hRmCodeMemory,eax,eax,eax ;entry = start of the copy, no parameter
invoke CloseHandle,eax ;release the thread handle; the thread keeps running
.endif
invoke CloseHandle,@hselfkillProcess
ret
_RemoteCode2KXP endp
;*******************************************************
;Module and export names resolved at run time in start via
;GetModuleHandle/GetProcAddress; the resulting pointers are written into
;the stub's dd slots (_lpselfkillSleep, _lpselfkillDeleteFile).
szselfkillDllKernel db 'Kernel32.dll',0
szselfkillSleep db "Sleep",0 ;kernel32!Sleep
szselfkillDeleteFile db "DeleteFileA",0 ;kernel32!DeleteFileA (ANSI path)
;-----------------------------------------------------------------------
; start: program entry point (see `end start`)
; 1. resolve Sleep and DeleteFileA from this process's kernel32 and store
;    the raw addresses into the stub's data slots;
; 2. copy the stub into REMOTE_CODE and place this image's own path right
;    after it (szSelfName directly follows REMOTE_CODE in .data?);
; 3. hand the combined buffer to _RemoteCode2KXP, then return.
; NOTE(review): the pointers resolved here are called from the target
; process, so this assumes kernel32 is mapped at the same base there as
; in this process ("hard-coded addresses" in the author's comment).
; None of the API results in this routine are checked.
;-----------------------------------------------------------------------
start:
;Get the API addresses (hard-coded addresses)
invoke GetModuleHandle,addr szselfkillDllKernel ;eax = kernel32 base in this process
mov esi,eax
invoke GetProcAddress,esi,offset szselfkillSleep
mov _lpselfkillSleep,eax ;patch the stub's Sleep slot (a write into .code)
invoke GetProcAddress,esi,offset szselfkillDeleteFile
mov _lpselfkillDeleteFile,eax ;patch the stub's DeleteFileA slot
;Combine the remote code with this executable's own path
cld ;forward copy
mov ecx,KREMOTE_CODE_LENGTH ;byte count
mov esi,offset KREMOTE_CODE_START ;source: the already-patched stub in .code
mov edi,offset REMOTE_CODE ;destination: buffer in .data?
rep movsb
invoke GetModuleFileName,NULL,offset szSelfName,MAX_PATH ;own path lands directly after the copy (length/truncation not checked)
push KREMOTE_CODE_LENGTH+MAX_PATH ;@_RmCodeLen: stub plus the path buffer behind it
push offset REMOTE_CODE ;@_RmCodeStart
call _RemoteCode2KXP ;stdcall: callee pops both arguments
ret ;leave the entry point; presumably ends the process before the remote Sleep(500) expires
end start
end start