#include <windows.h>
#include <stdio.h>
/*
 * ThreadProc: watchdog loop that runs on the worker thread started in WinMain.
 *
 * lpParameter is used as a NUL-terminated executable name, and the same
 * string doubles as the name of a named mutex.  Each iteration tries to open
 * that mutex: when it cannot (no process currently holds a mutex of that
 * name) the executable is launched and the thread blocks until that process
 * exits; when it can, the peer is taken to be alive and the handle is closed.
 *
 * Detection-relevant artifacts visible in this block: a named mutex whose
 * name equals a peer's file name, CreateProcess of that peer from this
 * process, and a 1 ms polling interval that keeps the thread hot.
 *
 * The loop never ends, so the declared DWORD return value is never produced.
 */
DWORD WINAPI ThreadProc(
    LPVOID lpParameter // thread data: NUL-terminated exe name, also the mutex name
)
{
    char *pName = (char*)lpParameter;
    HANDLE hMutex;
    STARTUPINFO si={sizeof(si)};     // only cb is set; every other field is zero
    PROCESS_INFORMATION pi={0};
    while (true)
    {
        // Open the mutex: NULL when no mutex of this name exists (peer not running).
        hMutex = OpenMutex(MUTEX_ALL_ACCESS,FALSE,pName);
        if (!hMutex)
        {
            // Author's note: "create process Test2.exe" (what is actually launched is pName).
            // The result is not checked: if pName cannot be started, pi stays zeroed,
            // the wait below fails at once and the loop retries after 1 ms.
            CreateProcess(pName,NULL,NULL,NULL,FALSE,NULL,NULL,NULL,&si,&pi);
            WaitForSingleObject(pi.hProcess,INFINITE);   // block until the launched peer exits
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
        else
        {
            CloseHandle(hMutex);   // peer alive; drop our reference to its mutex
        }
        Sleep(1);
    }
}
/*
 * WinMain: creates and keeps ownership of the named mutex "Test2.exe" (the
 * marker a peer's ThreadProc looks for), starts ThreadProc with the peer's
 * file name "Test1.exe", then idles forever.
 *
 * The CreateMutex and CreateThread results are discarded, so a failure of
 * either goes unnoticed.  The mutex is never released in this function, so
 * the name stays taken for the life of the process.  hInstance,
 * hPrevInstance, lpCmdLine and nShowCmd are unused; the final return is
 * unreachable.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
    DWORD ThreadId;
    CreateMutex(NULL,TRUE,"Test2.exe");   // bInitialOwner=TRUE: this process owns the mutex from now on
    // The cast is to LPVOID* although the parameter is LPVOID; the string literal is passed either way.
    CreateThread(NULL,0,ThreadProc,(LPVOID*)"Test1.exe",0,&ThreadId);
    while (true) // author's note: only here to keep the program from exiting; a normal program would do its real work here
    {
        Sleep(1000);
    }
    return 0;
}
#include <windows.h>
#include <stdio.h>
/*
 * ThreadProc: watchdog loop that runs on the worker thread started in WinMain.
 *
 * lpParameter is used as a NUL-terminated executable name, and the same
 * string doubles as the name of a named mutex.  Each iteration tries to open
 * that mutex: when it cannot (no process currently holds a mutex of that
 * name) the executable is launched and the thread blocks until that process
 * exits; when it can, the peer is taken to be alive and the handle is closed.
 *
 * Detection-relevant artifacts visible in this block: a named mutex whose
 * name equals a peer's file name, CreateProcess of that peer from this
 * process, and a 1 ms polling interval that keeps the thread hot.
 *
 * The loop never ends, so the declared DWORD return value is never produced.
 */
DWORD WINAPI ThreadProc(
    LPVOID lpParameter // thread data: NUL-terminated exe name, also the mutex name
)
{
    char *pName = (char*)lpParameter;
    HANDLE hMutex;
    STARTUPINFO si={sizeof(si)};     // only cb is set; every other field is zero
    PROCESS_INFORMATION pi={0};
    while (true)
    {
        // Open the mutex: NULL when no mutex of this name exists (peer not running).
        hMutex = OpenMutex(MUTEX_ALL_ACCESS,FALSE,pName);
        if (!hMutex)
        {
            // Author's note: "create process Test2.exe" (what is actually launched is pName).
            // The result is not checked: if pName cannot be started, pi stays zeroed,
            // the wait below fails at once and the loop retries after 1 ms.
            CreateProcess(pName,NULL,NULL,NULL,FALSE,NULL,NULL,NULL,&si,&pi);
            WaitForSingleObject(pi.hProcess,INFINITE);   // block until the launched peer exits
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }
        else
        {
            CloseHandle(hMutex);   // peer alive; drop our reference to its mutex
        }
        Sleep(1);
    }
}
/*
 * WinMain: creates and keeps ownership of the named mutex "Test2.exe" (the
 * marker a peer's ThreadProc looks for), starts ThreadProc with the peer's
 * file name "Test1.exe", then idles forever.
 *
 * The CreateMutex and CreateThread results are discarded, so a failure of
 * either goes unnoticed.  The mutex is never released in this function, so
 * the name stays taken for the life of the process.  hInstance,
 * hPrevInstance, lpCmdLine and nShowCmd are unused; the final return is
 * unreachable.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
    DWORD ThreadId;
    CreateMutex(NULL,TRUE,"Test2.exe");   // bInitialOwner=TRUE: this process owns the mutex from now on
    // The cast is to LPVOID* although the parameter is LPVOID; the string literal is passed either way.
    CreateThread(NULL,0,ThreadProc,(LPVOID*)"Test1.exe",0,&ThreadId);
    while (true) // author's note: only here to keep the program from exiting; a normal program would do its real work here
    {
        Sleep(1000);
    }
    return 0;
}
上面是Test1.exe的代码,Test2.exe的代码只需要将下面信息修改一下即可。
CreateMutex(NULL,TRUE,"Test2.exe");//Test2.exe改成Test1.exe
CreateThread(NULL,0,ThreadProc,(LPVOID*)"Test1.exe",0,&ThreadId); //Test1.exe改成Test2.exe
***************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
下面的代码更好一些,因为在任务管理器中用“结束进程树”是可以结束上面程序的,但下面的代码是无法被结束的。不过这两个代码都可以用IceSword与ProcessExplorer结束掉。
#include <windows.h>
#define ID_TIMER 1
LRESULT CALLBACK WndProc (HWND, UINT, WPARAM, LPARAM) ;
/*
 * WinMain: single-instance guard followed by an ordinary window message loop.
 *
 * It creates, and keeps owning, the named mutex "The_first_program"; when
 * GetLastError reports that the name already existed this instance returns
 * immediately, so only one copy runs.  It then registers the window class
 * "MyWindow", creates a window captioned "The_First_Program" and pumps
 * messages until GetMessage returns 0.  The peer check itself lives in
 * WndProc, which the timer armed there keeps invoking.
 *
 * The mutex handle is discarded and never released, so the name stays taken
 * for the life of the process.  If RegisterClass fails a message box is shown
 * and 0 is returned.  Otherwise the WM_QUIT exit code (msg.wParam) is
 * returned.  szCmdLine and iCmdShow are unused.
 */
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
                    PSTR szCmdLine, int iCmdShow)
{
    static TCHAR szAppName[] = TEXT ("MyWindow") ;
    HWND hwnd ;
    MSG msg ;
    WNDCLASS wndclass ;
    CreateMutex(NULL, TRUE, TEXT("The_first_program")); // prevent more than one instance from running
    if (GetLastError() == ERROR_ALREADY_EXISTS) // an instance already exists: leave
        return 0;
    wndclass.style = CS_HREDRAW | CS_VREDRAW ;
    wndclass.lpfnWndProc = WndProc ;
    wndclass.cbClsExtra = 0 ;
    wndclass.cbWndExtra = 0 ;
    wndclass.hInstance = hInstance ;
    wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION) ;
    wndclass.hCursor = LoadCursor (NULL, IDC_ARROW) ;
    wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH) ;
    wndclass.lpszMenuName = NULL ;
    wndclass.lpszClassName = szAppName ;
    if(!RegisterClass (&wndclass))
    {
        // Message text (Chinese): "This program must run on NT!"
        MessageBox (NULL, TEXT ("此程序必须运行在NT下!"), szAppName, MB_ICONERROR) ;
        return 0;
    }
    hwnd = CreateWindow (szAppName, // window class name
        TEXT ("The_First_Program"), // window caption
        WS_OVERLAPPEDWINDOW, // window style
        CW_USEDEFAULT, // initial x position
        CW_USEDEFAULT, // initial y position
        CW_USEDEFAULT, // initial x size
        CW_USEDEFAULT, // initial y size
        NULL, // parent window handle
        NULL, // window menu handle
        hInstance, // program instance handle
        NULL) ; // creation parameters
    // Note: the window is never shown (no ShowWindow/UpdateWindow call), only created.
    while (GetMessage (&msg, NULL, 0, 0))
    {
        TranslateMessage (&msg) ;
        DispatchMessage (&msg) ;
    }
    return msg.wParam ;
}
/*
 * WndProc: window procedure that doubles as the peer watchdog.
 *
 * Before the message switch, on EVERY message, it creates the named mutex
 * "The_Second_Program".  If GetLastError says the name already existed, the
 * peer is taken to be alive and only the handle is closed.  Otherwise the
 * handle is closed as well (so the name is free again right away) and
 * "sec.exe" is started hidden through WinExec.  WM_CREATE arms a timer with
 * a nominal 10 ms period, so WM_TIMER keeps this check firing even while the
 * window is otherwise idle; WM_DESTROY stops the timer and posts WM_QUIT.
 *
 * Detection-relevant artifacts: the mutex name "The_Second_Program", WinExec
 * of a bare "sec.exe" with SW_HIDE (resolved through the executable search
 * order, result ignored), and a high-rate timer on the "MyWindow" window.
 */
LRESULT CALLBACK WndProc (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    HANDLE hMutex;
    hMutex = CreateMutex(NULL, TRUE, TEXT("The_Second_Program"));
    if (GetLastError() == ERROR_ALREADY_EXISTS)
        CloseHandle(hMutex);   // peer holds the name: just drop our handle
    else
    {
        CloseHandle(hMutex);   // name was free: release it again and relaunch the peer
        WinExec("sec.exe", SW_HIDE); // run sec.exe (return value not checked)
    }
    switch (message)
    {
    case WM_CREATE:
        SetTimer(hwnd, ID_TIMER, 10, NULL);   // 10 ms requested; keeps WM_TIMER (and the check above) flowing
        return 0;
    case WM_TIMER:
        return 0;   // nothing to do: the check already ran above
    case WM_DESTROY:
        KillTimer(hwnd, ID_TIMER);
        PostQuitMessage (0) ;
        return 0 ;
    }
    return DefWindowProc (hwnd, message, wParam, lParam) ;
}
*/
/*
#include <windows.h>
#define ID_TIMER 1
LRESULT CALLBACK WndProc (HWND, UINT, WPARAM, LPARAM) ;
/*
 * WinMain: single-instance guard followed by an ordinary window message loop
 * (the counterpart of the first program; only the mutex name and caption
 * differ).
 *
 * It creates, and keeps owning, the named mutex "The_Second_Program"; when
 * GetLastError reports that the name already existed this instance returns
 * immediately, so only one copy runs.  It then registers the window class
 * "MyWindow", creates a window captioned "The_Second_Program" and pumps
 * messages until GetMessage returns 0.  The peer check lives in WndProc,
 * which the timer armed there keeps invoking.
 *
 * The mutex handle is discarded and never released, so the name stays taken
 * for the life of the process.  If RegisterClass fails a message box is shown
 * and 0 is returned.  Otherwise the WM_QUIT exit code (msg.wParam) is
 * returned.  szCmdLine and iCmdShow are unused.
 */
int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
                    PSTR szCmdLine, int iCmdShow)
{
    static TCHAR szAppName[] = TEXT ("MyWindow") ;
    HWND hwnd ;
    MSG msg ;
    WNDCLASS wndclass ;
    CreateMutex(NULL, TRUE, TEXT("The_Second_Program"));   // prevent more than one instance from running
    if (GetLastError() == ERROR_ALREADY_EXISTS)            // an instance already exists: leave
        return 0 ;
    wndclass.style = CS_HREDRAW | CS_VREDRAW ;
    wndclass.lpfnWndProc = WndProc ;
    wndclass.cbClsExtra = 0 ;
    wndclass.cbWndExtra = 0 ;
    wndclass.hInstance = hInstance ;
    wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION) ;
    wndclass.hCursor = LoadCursor (NULL, IDC_ARROW) ;
    wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH) ;
    wndclass.lpszMenuName = NULL ;
    wndclass.lpszClassName = szAppName ;
    if(!RegisterClass (&wndclass))
    {
        // Message text (Chinese): "This program must run on NT!"
        MessageBox (NULL, TEXT ("此程序必须运行在NT下!"), szAppName, MB_ICONERROR) ;
        return 0;
    }
    hwnd = CreateWindow (szAppName, // window class name
        TEXT ("The_Second_Program"), // window caption
        WS_OVERLAPPEDWINDOW, // window style
        CW_USEDEFAULT, // initial x position
        CW_USEDEFAULT, // initial y position
        CW_USEDEFAULT, // initial x size
        CW_USEDEFAULT, // initial y size
        NULL, // parent window handle
        NULL, // window menu handle
        hInstance, // program instance handle
        NULL) ; // creation parameters
    // Note: the window is never shown (no ShowWindow/UpdateWindow call), only created.
    while (GetMessage (&msg, NULL, 0, 0))
    {
        TranslateMessage (&msg) ;
        DispatchMessage (&msg) ;
    }
    return msg.wParam ;
}
/*
 * WndProc: window procedure that doubles as the peer watchdog (mirror image
 * of the first program's WndProc).
 *
 * Before the message switch, on EVERY message, it creates the named mutex
 * "The_first_program".  If GetLastError says the name already existed, the
 * peer is taken to be alive and only the handle is closed.  Otherwise the
 * handle is closed as well (so the name is free again right away) and
 * "fir.exe" is started hidden through WinExec.  WM_CREATE arms a timer with
 * a nominal 10 ms period, so WM_TIMER keeps this check firing even while the
 * window is otherwise idle; WM_DESTROY stops the timer and posts WM_QUIT.
 *
 * Detection-relevant artifacts: the mutex name "The_first_program", WinExec
 * of a bare "fir.exe" with SW_HIDE (resolved through the executable search
 * order, result ignored), and a high-rate timer on the "MyWindow" window.
 * hMutex is static, but it is reassigned on every call, so the storage class
 * has no visible effect here.
 */
LRESULT CALLBACK WndProc (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    static HANDLE hMutex;
    hMutex = CreateMutex(NULL, TRUE, TEXT("The_first_program"));
    if (GetLastError() == ERROR_ALREADY_EXISTS) CloseHandle(hMutex);   // peer holds the name: just drop our handle
    else
    {
        CloseHandle(hMutex);   // name was free: release it again and relaunch the peer
        WinExec("fir.exe", SW_HIDE); // run fir.exe (return value not checked)
    }
    switch (message)
    {
    case WM_CREATE:
        SetTimer(hwnd, ID_TIMER, 10, NULL);   // 10 ms requested; keeps WM_TIMER (and the check above) flowing
        return 0;
    case WM_TIMER:
        return 0;   // nothing to do: the check already ran above
    case WM_DESTROY:
        KillTimer(hwnd, ID_TIMER);
        PostQuitMessage (0) ;
        return 0 ;
    }
    return DefWindowProc (hwnd, message, wParam, lParam) ;
}
***************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
下面的代码用IceSword与ProcessExplorer都无法结束掉,用SnipeSword可以结束。缺点是CPU占用率实在太高。
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;这个是代码一,测试过程中,你们可以一直看着任务管理器进程,两个进程会循环交换
;CPU虽然是100%,但是速度没有改变
;就会更加明白我对双进程守护技术的解释
;代码编写 By Asm
;如果转载,请保持文章的完整性,
;并且注明来源于 红狼安全小组 http://www./
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
szFileName db '22222222.exe',0        ; peer executable: searched for in the snapshot and launched by _Process
.data?
hSnapShot dd ?                        ; Toolhelp snapshot handle; overwritten on every snapshot, never closed in this listing
stProcess PROCESSENTRY32 <?>          ; entry being examined while walking the snapshot
stStartUp STARTUPINFO <?>             ; filled by GetStartupInfo and handed to CreateProcess
stProcInfo PROCESS_INFORMATION <?>    ; handles returned by CreateProcess; never closed in this listing
hInstance dd ?                        ; not referenced anywhere in this listing
hWinList dd ?                         ; not referenced anywhere in this listing
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _Snapshot: take a Toolhelp process snapshot and walk it looking for
; szFileName ('22222222.exe').
;
; Each time the peer is found, _Snapshot1 is CALLed; _Snapshot1 CALLs back
; into _Snapshot whenever it finds the peer too.  Neither proc ever executes
; RET, so every level leaves its return address on the stack, and hSnapShot
; is overwritten on each pass without a CloseHandle -- stack and handle
; count therefore grow for as long as the peer stays alive (the source of
; the 100% CPU the author mentions).  Only when a walk completes without a
; match does control reach _Process (launch the peer) and ExitProcess.
;
; Note: the second argument of CreateToolhelp32Snapshot is th32ProcessID
; (a DWORD); the address passed here is ignored for TH32CS_SNAPPROCESS.
; This proc never returns.
;-----------------------------------------------------------------------
_Snapshot proc
    invoke RtlZeroMemory,addr stProcess,sizeof stProcess   ; clear stProcess first, otherwise entries overlap (author's note)
    mov stProcess.dwSize,sizeof stProcess                    ; dwSize must be filled in before Process32First
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,addr stProcess ; start walking a fresh snapshot
    mov hSnapShot,eax                                        ; keep the snapshot handle
    invoke Process32First,hSnapShot,addr stProcess           ; first process entry
    .while eax
        invoke lstrcmp,addr szFileName,addr stProcess.szExeFile ; is this entry 22222222.exe?
        .if eax == NULL                                       ; found (lstrcmp == 0): re-snapshot via _Snapshot1
            call _Snapshot1
        .endif
        invoke Process32Next,hSnapShot,addr stProcess
    .endw
    call _Process                                            ; not found: launch 22222222.exe
    invoke ExitProcess,NULL                                  ; must exit here, otherwise CPU is consumed until the machine hangs (author's note)
_Snapshot endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _Snapshot1: identical to _Snapshot except that a match CALLs _Snapshot
; instead of _Snapshot1.  The two procs call each other while the peer
; '22222222.exe' is present; neither executes RET, and the snapshot handle
; in hSnapShot is never closed.  When a walk finds no match, _Process
; launches the peer and the process exits.  Never returns.
;-----------------------------------------------------------------------
_Snapshot1 proc
    invoke RtlZeroMemory,addr stProcess,sizeof stProcess
    mov stProcess.dwSize,sizeof stProcess
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,addr stProcess
    mov hSnapShot,eax
    invoke Process32First,hSnapShot,addr stProcess
    .while eax
        invoke lstrcmp,addr szFileName,addr stProcess.szExeFile ; refresh and compare: is 22222222.exe present?
        .if eax == NULL                                       ; found
            call _Snapshot                                    ; take a fresh snapshot and repeat
        .endif
        invoke Process32Next,hSnapShot,addr stProcess
    .endw
    call _Process                                            ; not found: launch it, then exit
    invoke ExitProcess,NULL
_Snapshot1 endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;开始调用CreateProcess创建22222222.exe
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _Process: launch szFileName ('22222222.exe') with CreateProcess.
; stStartUp is populated from this process's own startup info; the result
; of CreateProcess is not checked, and the handles written to stProcInfo
; are never closed in this listing.
;-----------------------------------------------------------------------
_Process proc
    invoke GetStartupInfo,addr stStartUp
    invoke CreateProcess,addr szFileName,NULL,NULL,NULL,NULL,\
        NORMAL_PRIORITY_CLASS,NULL,NULL,addr stStartUp,addr stProcInfo
    ret
_Process endp
start:
    call _Snapshot   ; walk the process snapshot right at startup (author's note); _Snapshot never returns
end start
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;这个是代码二,测试过程中,你们可以一直看着任务管理器进程,两个进程会循环交换
;CPU虽然是100%,但是速度没有改变
;就会更加明白我对双进程守护技术的解释
;代码编写 By Asm
;如果转载,请保持文章的完整性,
;并且注明来源于 红狼安全小组 http://www./
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
szFileName db '111111111.exe',0       ; peer executable: searched for in the snapshot and launched by _Process
.data?
Pid dd ?                              ; not referenced anywhere in this listing
hSnapShot dd ?                        ; Toolhelp snapshot handle; overwritten on every snapshot, never closed in this listing
stProcess PROCESSENTRY32 <?>          ; entry being examined while walking the snapshot
stStartUp STARTUPINFO <?>             ; filled by GetStartupInfo and handed to CreateProcess
stProcInfo PROCESS_INFORMATION <?>    ; handles returned by CreateProcess; never closed in this listing
hInstance dd ?                        ; not referenced anywhere in this listing
hWinList dd ?                         ; not referenced anywhere in this listing
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _Snapshot: take a Toolhelp process snapshot and walk it looking for
; szFileName ('111111111.exe').  Same structure as the first listing:
; a match CALLs _Snapshot1, which CALLs back here on its own match; no RET
; is ever executed and hSnapShot is never closed, so stack depth and handle
; count grow while the peer is alive.  A walk with no match falls through
; to _Process (launch the peer) and ExitProcess.  Never returns.
; The address passed as CreateToolhelp32Snapshot's second argument is
; ignored for TH32CS_SNAPPROCESS (the parameter is a process id).
;-----------------------------------------------------------------------
_Snapshot proc
    invoke RtlZeroMemory,addr stProcess,sizeof stProcess   ; clear the entry before reuse
    mov stProcess.dwSize,sizeof stProcess                    ; required before Process32First
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,addr stProcess
    mov hSnapShot,eax                                        ; keep the snapshot handle
    invoke Process32First,hSnapShot,addr stProcess
    .while eax
        invoke lstrcmp,addr szFileName,addr stProcess.szExeFile ; is this entry 111111111.exe?
        .if eax == NULL                                       ; found: re-snapshot via _Snapshot1
            call _Snapshot1
        .endif
        invoke Process32Next,hSnapShot,addr stProcess
    .endw
    call _Process                                            ; not found: launch the peer
    invoke ExitProcess,NULL
_Snapshot endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _Snapshot1: identical to _Snapshot except that a match CALLs _Snapshot.
; Neither proc executes RET and the snapshot handle is never closed; when a
; walk finds no '111111111.exe', _Process launches it and the process exits.
; Never returns.
;-----------------------------------------------------------------------
_Snapshot1 proc
    invoke RtlZeroMemory,addr stProcess,sizeof stProcess
    mov stProcess.dwSize,sizeof stProcess
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,addr stProcess
    mov hSnapShot,eax
    invoke Process32First,hSnapShot,addr stProcess
    .while eax
        invoke lstrcmp,addr szFileName,addr stProcess.szExeFile ; is this entry 111111111.exe?
        .if eax == NULL                                       ; found: take a fresh snapshot via _Snapshot
            call _Snapshot
        .endif
        invoke Process32Next,hSnapShot,addr stProcess
    .endw
    call _Process                                            ; not found: launch it, then exit
    invoke ExitProcess,NULL
_Snapshot1 endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _Process: launch szFileName ('111111111.exe') with CreateProcess.
; stStartUp is populated from this process's own startup info; the result
; of CreateProcess is not checked, and the handles written to stProcInfo
; are never closed in this listing.
;-----------------------------------------------------------------------
_Process proc
    invoke GetStartupInfo,addr stStartUp
    invoke CreateProcess,addr szFileName,NULL,NULL,NULL,NULL,\
        NORMAL_PRIORITY_CLASS,NULL,NULL,addr stStartUp,addr stProcInfo
    ret
_Process endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
    call _Snapshot   ; walk the process snapshot right at startup; _Snapshot never returns
end start