
保护进程,进程关闭关机

 昵称12200417 2013-05-06

监控指定进程,不存在则关机

;点击上面的构建菜单,先编译再构建就可以了,因为只有一个进程所以也懒得写INI了,自己改下下面那个进程名就行了
;要改的地方就在下面一点,如果你就RadAsm打开一下就看到下面那行黄色的字了
;http://www./tools/Compilers.htm
;编译工具在上面的网址下载,(RadASM 2.2.1.2)就这个,不要新建工程,新建一个ASM文件就可以了
;______________________________________________________
; Target/ABI: 32-bit x86, MASM (Intel syntax), Win32 stdcall.
; The file builds a position-independent blob (REMOTE_CODE_START ..
; REMOTE_CODE_END, placed in .code below) and, from `start`, copies it
; into another process and runs it there with CreateRemoteThread.
.386
.model flat, stdcall
option casemap :none        ; identifiers are case-sensitive
;______________________________________________________
include  windows.inc
include  user32.inc
includelib user32.lib
include  kernel32.inc
includelib kernel32.lib
include  advapi32.inc
includelib advapi32.lib
;______________________________________________________
; Forward declarations for the two helpers defined after `start`.
_EnablePrivilege  proto :DWORD,:DWORD   ; (lpPrivilegeName, bEnable) -> eax = AdjustTokenPrivileges result
_GetPidFromProcName  proto :DWORD       ; (lpProcName) -> eax = PID, 0 when not found

.data?
; Addresses of three kernel32 exports, resolved in `start`. They are kept
; contiguous and in this order on purpose: `start` copies exactly these
; 12 bytes over the first three dwords of the remote blob
; (_lpLoadLibrary/_lpGetProcAddress/_lpGetModuleHandle). That only works
; if kernel32 is mapped at the same base in the target process - an
; assumption the code makes without checking.
lpLoadLibrary  dd ?
lpGetProcAddress  dd ?
lpGetModuleHandle  dd ?
dwProcessID  dd ?          ; not referenced anywhere in this file
dwThreadID  dd ?           ; not referenced anywhere in this file
hProcess  dd ?             ; handle to the target process opened in `start`
lpRemoteCode  dd ?         ; base of the RWX page VirtualAllocEx returned in the target

.const
szSeDebugPrivilege db 'SeDebugPrivilege',0   ; enabled in `start`; winlogon.exe runs as SYSTEM, so opening it needs this
;szwinlogon  db 'notepad.exe',0
szwinlogon  db 'winlogon.exe',0              ; image name of the process the blob is injected into
szErrOpen  db '无法打开远程线程!',0          ; "Cannot open remote thread!" - shown when OpenProcess fails
szDllKernel  db 'Kernel32.dll',0             ; module and export names resolved in `start`
szLoadLibrary  db 'LoadLibraryA',0
szGetProcAddress  db 'GetProcAddress',0
szGetModuleHandle  db 'GetModuleHandleA',0

;______________________________________________________
; reverseArgs <a, b, c>  ->  text "c,b,a"
; Assembly-time helper for _invoke: walks the VARARG list with FOR,
; prepending each item plus a comma to `txt`, then strips the trailing
; comma. Yields an empty text for an empty list.
reverseArgs macro arglist:VARARG
  local txt,count

  txt TEXTEQU <>
  count = 0
 for i,<arglist>
         count = count + 1
         txt TEXTEQU @CatStr(i,<!,>,<%txt>)     ; txt = i , txt
 endm
 if count GT 0
         txt SUBSTR  txt,1,@SizeStr(%txt)-1     ; drop the last comma
 endif
 exitm txt
endm
;______________________________________________________
; _invoke [ebx + _lpFunc], arg1, arg2, ...
; stdcall call through a function pointer held in memory, used by the
; blob instead of `invoke` so it needs no import fixups at its runtime
; address. Arguments are pushed right-to-left (via reverseArgs); the
; callee pops them (stdcall), so nothing is added to esp afterwards.
; `count` is incremented but never read.
_invoke  macro _Proc,args:VARARG
  local count

  count = 0
% for i,< reverseArgs( args ) >      ; `%` expands reverseArgs before FOR sees the list
  count = count + 1
  push i
 endm
  call dword ptr _Proc

endm
;______________________________________________________
  .code
;______________________________________________________
; Everything from REMOTE_CODE_START to REMOTE_CODE_END is one contiguous
; blob: data slots, strings and the three procs that use them. It lives
; in .code so that `start` can copy it with a single WriteProcessMemory.
; The image's own copy is never executed or written; all stores below go
; through ebx-relative addresses into the RWX copy in the target process.
; Each `_lpXxx` table must stay in the same order as its `_szXxx` name
; table, because the resolver loops in _RemoteThread fill consecutive
; slots from consecutive names.
REMOTE_CODE_START equ this byte 

_lpLoadLibrary   dd ?        ; these three slots are overwritten by `start`
_lpGetProcAddress  dd ?      ; with the local kernel32 addresses;
_lpGetModuleHandle  dd ?     ; _lpLoadLibrary is never used by the blob
;______________________________________________________
;user32.dll
;______________________________________________________
; Resolved by the first loop in _RemoteThread; none of these pointers is
; called anywhere in this file.
_lpDestroyWindow  dd ?
_lpPostQuitMessage  dd ?
_lpDefWindowProc  dd ?
_lpLoadCursor   dd ?
_lpRegisterClassEx  dd ?
_lpCreateWindowEx  dd ?
_lpFindWindowA   dd ?
_lpPostMessageA   dd ?
_lpShowWindow   dd ?
_lpUpdateWindow   dd ?
_lpGetMessage   dd ?
_lpTranslateMessage  dd ?
_lpDispatchMessage  dd ?
_lpSetTimer   dd ?
_lpMessageBoxA   dd ?
;______________________________________________________
;kernel32.dll
;______________________________________________________
; Used by _Process (snapshot walk, lstrcmpA, CloseHandle) and by the
; Sleep in _RemoteThread's main loop.
_lpCreateToolhelp32Snapshot dd ?
_lpProcess32First  dd ?
_lplstrcmp   dd ?
_lpSleep   dd ?
_lpOpenProcess   dd ?        ; resolved, not called in this file
_lpTerminateProcess  dd ?    ; resolved, not called in this file
_lpProcess32Next  dd ?
_lpCloseHandle   dd ?
;______________________________________________________
;ntdll.dll
;______________________________________________________
; Used by _Shutdown.
_lpRtlAdjustPrivilege  dd ?
_lpNtShutdownSystem  dd ?
;______________________________________________________


_hProcess   dd ?             ; not referenced in this file
_hSnapShot   dd ?            ; Toolhelp snapshot handle, written by _Process
_hInstance   dd ?            ; not referenced in this file
_hWinMain   dd ?             ; not referenced in this file
_stProcess  PROCESSENTRY32 <?>   ; not referenced; _Process uses a stack local instead

_scCmd    db 'Client.exe',0   ; image name of the process being watched (original comment: this is the process to protect, change it to the billing system's process name)
_szDllUser   db 'User32.dll',0
_szDllUserkernel32  db 'kernel32.dll',0
_szDllNtdll   db 'ntdll.dll',0
;______________________________________________________
;kernel32.dll
;______________________________________________________
; Name table for the kernel32 pointer table above (same order).
_szCreateToolhelp32Snapshot db 'CreateToolhelp32Snapshot',0
_szProcess32First  db 'Process32First',0
_szlstrcmp   db 'lstrcmpA',0          ; lstrcmpA is case-sensitive (the local helper uses lstrcmpi)
_szSleep   db 'Sleep',0
_szOpenProcess   db 'OpenProcess',0
_szTerminateProcess  db 'TerminateProcess',0
_szProcess32Next  db 'Process32Next',0
_szCloseHandle   db 'CloseHandle',0,0   ; extra NUL: presumably the table-end marker the resolver loop looks for
;______________________________________________________
; The strings below are not referenced anywhere in this file.
_szText   db 'Mr.Fox',0
_szClassName  db 'RemoteClass',0
_szCaptionMain  db 'RemoteWindow',0
_szNotepad  db 'notepad',0
_szQQ   db '444705607_QQMusic_SmallClient',0
_system32  db 'system32',0
_command  db 'command$ 在 WXNT.CN (192.168.0.253) 上',0

; Names of several LAN-management / ARP tools; also unreferenced here.
_IceSword  db 'IceSword.exe',0
_P2pover  db 'p2pover.exe',0
_Netrobocop  db 'Netrobocop.exe',0
_SuperLANadmin  db 'SuperLANadmin.exe'   ; no NUL terminator: runs straight into the next string
_Robocop  db 'Robocop.exe',0
_Netsense  db 'Netsense.exe',0
_Netcut   db 'netcut.exe',0

;______________________________________________________
;user32.dll
;______________________________________________________
; Name table for the user32 pointer table above (same order).
_szDestroyWindow db 'DestroyWindow',0
_szPostQuitMessage db 'PostQuitMessage',0
_szDefWindowProc db 'DefWindowProcA',0
_szLoadCursor  db 'LoadCursorA',0
_szRegisterClassEx db 'RegisterClassExA',0
_szCreateWindowEx db 'CreateWindowExA',0
_szFindWindowA  db 'FindWindowA',0
_szPostMessageA  db 'PostMessageA',0
_szShowWindow  db 'ShowWindow',0
_szUpdateWindow  db 'UpdateWindow',0
_szGetMessage  db 'GetMessageA',0
_szTranslateMessage db 'TranslateMessage',0
_szDispatchMessage db 'DispatchMessageA',0
_szSetTimer  db 'SetTimer',0
_szMessageBoxA  db 'MessageBoxA',0,0    ; extra NUL: table end
;______________________________________________________
;ntdll.dll
;______________________________________________________
; Name table for the ntdll pointer table above (same order).
_szRtlAdjustPrivilege db 'RtlAdjustPrivilege',0
_szNtShutdownSystem db 'NtShutdownSystem',0,0   ; extra NUL: table end
;______________________________________________________
;______________________________________________________
; DWORD WINAPI _RemoteThread(LPVOID lParam)
; Thread entry that runs inside the target process (started by
; CreateRemoteThread from `start`). It never returns: after resolving
; the APIs it needs it loops forever, calling _Process once a second.
; In:   lParam   ignored (start passes 0)
; Regs: ebx = relocation delta (runtime address - link-time address);
;             every `offset` reference adds it so the blob works at
;             whatever address VirtualAllocEx returned
;       esi = cursor over a NUL-separated name table
;       edi = cursor over the matching `_lpXxx` pointer table
;       @sc = module handle from GetModuleHandleA
; Only _lpGetModuleHandle and _lpGetProcAddress (patched in by `start`)
; are used; LoadLibraryA is never called, so user32/kernel32/ntdll must
; already be mapped in the target for the lookups to succeed. A failed
; GetProcAddress stores NULL and is not detected.
;______________________________________________________
_RemoteThread proc uses ebx edi esi lParam
  local @sc
  call @F                  ; push the address of @@ ...
 @@:
  pop ebx                  ; ... and read it back: ebx = runtime address of @@
  sub ebx,offset @B        ; ebx = runtime - link-time = relocation delta
;______________________________________________________
;user32.dll
  lea eax,[ebx + offset _szDllUser]
  _invoke [ebx + _lpGetModuleHandle],eax
  mov @sc,eax              ; hUser32 (NULL if not loaded - not checked)
  lea esi,[ebx + offset _szDestroyWindow]
  lea edi,[ebx + offset _lpDestroyWindow]
 .while TRUE
  _invoke [ebx + _lpGetProcAddress],@sc,esi
  mov [edi],eax            ; fill the next pointer slot
  add edi,4
 @@:
  lodsb                    ; skip to the byte after the current name's NUL
  or al,al
  jnz @B
 .break .if ! byte ptr [esi + 1]   ; exit test reads one byte past where lodsb left esi;
                                   ; presumably meant to stop at the ,0,0 table end - verify the offset
 .endw
;______________________________________________________
;kernel32.dll
  lea eax,[ebx + offset _szDllUserkernel32]
  _invoke [ebx + _lpGetModuleHandle],eax
  mov @sc,eax              ; hKernel32
  lea esi,[ebx + offset _szCreateToolhelp32Snapshot]
  lea edi,[ebx + offset _lpCreateToolhelp32Snapshot]
 .while TRUE               ; same resolver loop as above
  _invoke [ebx + _lpGetProcAddress],@sc,esi
  mov [edi],eax
  add edi,4
 @@:
  lodsb
  or al,al
  jnz @B
 .break .if ! byte ptr [esi + 1]
 .endw
;______________________________________________________
;ntdll.dll
  lea eax,[ebx + offset _szDllNtdll]
  _invoke [ebx + _lpGetModuleHandle],eax
  mov @sc,eax              ; hNtdll
  lea esi,[ebx + offset _szRtlAdjustPrivilege]
  lea edi,[ebx + offset _lpRtlAdjustPrivilege]
 .while TRUE               ; same resolver loop as above
  _invoke [ebx + _lpGetProcAddress],@sc,esi
  mov [edi],eax
  add edi,4
 @@:
  lodsb
  or al,al
  jnz @B
 .break .if ! byte ptr [esi + 1]
 .endw
;______________________________________________________

 .while TRUE               ; main loop: poll once per second, never exits

  _invoke [ebx + _lpSleep],1000

  call _Process            ; relative call, so it needs no relocation
 .endw


  ret                      ; unreachable
  
_RemoteThread endp
;______________________________________________________
;______________________________________________________
; void _Process(void)   (called once per second from _RemoteThread)
; Walks a Toolhelp process snapshot looking for an image named exactly
; `_scCmd` (lstrcmpA, case-sensitive). If no entry matches, _Shutdown
; is called - i.e. the machine is shut down.
; Regs: ebx = relocation delta, recomputed here (no `uses`, but the
;             caller's ebx holds the same value, so it is effectively
;             preserved)
;       esi = found flag (TRUE/FALSE); left FALSE on return
; NOTE(review): esi is only assigned inside the loop body. If
; CreateToolhelp32Snapshot or Process32First fails (neither return is
; checked, and the snapshot handle is closed even when it is
; INVALID_HANDLE_VALUE), the loop never runs and esi keeps whatever it
; held before, so a transient snapshot failure is treated as "process
; missing" unless esi happened to equal TRUE.
;______________________________________________________
_Process proc
  local @stProcess:PROCESSENTRY32
  local @scCmd
  local @ExeFile


  call @F                  ; ebx = relocation delta, as in _RemoteThread
  @@:
  pop ebx
  sub ebx,offset @B
;______________________________________________________
  _invoke [ebx + _lpCreateToolhelp32Snapshot],TH32CS_SNAPPROCESS,0
  mov [ebx + _hSnapShot],eax          ; stored in the blob's own data slot (writable in the remote RWX page)
  mov @stProcess.dwSize,sizeof @stProcess   ; required before Process32First
  lea eax,@stProcess
  _invoke [ebx + _lpProcess32First],[ebx + _hSnapShot],eax
 .while  eax   != 0                    ; eax = BOOL from Process32First/Next
  mov esi,FALSE
  lea eax,@stProcess.szExeFile
  mov @ExeFile,eax                     ; this entry's image file name
  lea eax,[ebx + offset _scCmd]
  mov @scCmd,eax                       ; the name being watched for

  _invoke [ebx + _lplstrcmp],@scCmd,@ExeFile   ; 0 => exact (case-sensitive) match
  .if eax == 0

   mov esi,TRUE

   .break

  .endif
  lea eax,@stProcess
  _invoke [ebx + _lpProcess32Next],[ebx + _hSnapShot],eax
 .endw
  _invoke [ebx + _lpCloseHandle],[ebx + _hSnapShot]

 .if esi != TRUE                       ; watched process not seen in the snapshot

  call _Shutdown                       ; does not return on success
 .endif
  mov esi,FALSE

  ret
_Process endp
;______________________________________________________
;______________________________________________________
; void _Shutdown(void)   - intended never to return
; Enables SE_SHUTDOWN_PRIVILEGE (0x13) on the hosting process's token
; with RtlAdjustPrivilege, then calls NtShutdownSystem(0 =
; ShutdownNoReboot). Runs inside the injected process, so it is that
; process's token (winlogon.exe, per `start`) that is adjusted.
; NOTE(review): the 4th RtlAdjustPrivilege argument (PBOOLEAN previous
; state) is `esp`; with no frame set up here that value points at this
; proc's return address, which receives the one-byte result. There is
; also no `ret`, so if NtShutdownSystem returns (e.g. privilege not
; granted) execution falls off the end of the proc into whatever follows
; REMOTE_CODE_END in the remote page.
;______________________________________________________
_Shutdown Proc

  call @F                  ; ebx = relocation delta, as in _RemoteThread
  @@:
  pop ebx
  sub ebx,offset @B
;______________________________________________________
  _invoke [ebx + _lpRtlAdjustPrivilege],13h,1h,0h,esp   ; (SE_SHUTDOWN_PRIVILEGE, Enable=TRUE, CurrentThread=FALSE, &prev)
  _invoke [ebx + _lpNtShutdownSystem],0                 ; ShutdownNoReboot

_Shutdown endp
;*******************************************************************
; End of the injected blob; REMOTE_CODE_LENGTH is the byte count that
; `start` allocates in the target and copies with WriteProcessMemory.
REMOTE_CODE_END  equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START
;______________________________________________________
;______________________________________________________
; Program entry point (see `end start`).
; 1. Resolve LoadLibraryA / GetProcAddress / GetModuleHandleA from
;    kernel32 in this process. The addresses are later written into the
;    blob, which assumes kernel32 sits at the same base in the target.
; 2. Enable SeDebugPrivilege, find winlogon.exe by name, open it with
;    PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
; 3. VirtualAllocEx an RWX page there, copy REMOTE_CODE_START..END into
;    it, patch the three import slots at its start, and launch
;    _RemoteThread at its relocated address.
; Detection note: OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
; -> WriteProcessMemory -> CreateRemoteThread into winlogon.exe is the
; textbook remote-thread injection sequence that endpoint telemetry
; (e.g. Sysmon event 8, CreateRemoteThread) is built to surface.
; Error handling: only a failed OpenProcess is reported (message box);
; VirtualAllocEx failure is silent, and WriteProcessMemory /
; CreateRemoteThread results are not checked.
;______________________________________________________
start:
  invoke GetModuleHandle,addr szDllKernel
  mov ebx,eax                                  ; ebx = hKernel32 (scratch; nothing to preserve at entry)
  invoke GetProcAddress,ebx,offset szLoadLibrary
  mov lpLoadLibrary,eax
  invoke GetProcAddress,ebx,offset szGetProcAddress
  mov lpGetProcAddress,eax
  invoke GetProcAddress,ebx,offset szGetModuleHandle
  mov lpGetModuleHandle,eax
;______________________________________________________

  invoke  _EnablePrivilege,offset szSeDebugPrivilege, TRUE   ; return value ignored

  invoke  _GetPidFromProcName,offset szwinlogon               ; eax = PID, or 0 if not running
  invoke  OpenProcess, PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE, FALSE, eax  

 .if eax
  mov hProcess,eax
  invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE   ; RWX page in the target
 .if eax
  mov lpRemoteCode,eax
  invoke WriteProcessMemory,hProcess,lpRemoteCode,\
   offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,NULL        ; copy the whole blob
  invoke WriteProcessMemory,hProcess,lpRemoteCode,\
   offset lpLoadLibrary,sizeof dword * 3,NULL              ; patch _lpLoadLibrary.._lpGetModuleHandle (relies on .data? order)
  mov eax,lpRemoteCode
   add eax,offset _RemoteThread - offset REMOTE_CODE_START ; eax = _RemoteThread's address inside the remote copy
  invoke CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL
  invoke CloseHandle,eax                                   ; thread handle; closed without checking for NULL
 .endif
  invoke CloseHandle,hProcess
 .else
  invoke MessageBox,NULL,addr szErrOpen,NULL,MB_OK or MB_ICONWARNING   ; "Cannot open remote thread!"
 .endif
  invoke ExitProcess,NULL
;______________________________________________________
;______________________________________________________
; BOOL _EnablePrivilege(LPCSTR szPriv, BOOL bFlags)
; Enables (bFlags != 0) or disables (bFlags == 0) one named privilege on
; the current process's token.
; In:   szPriv  -> NUL-terminated privilege name, e.g. "SeDebugPrivilege"
;       bFlags  -> non-zero sets SE_PRIVILEGE_ENABLED, zero clears it
; Out:  eax = return value of AdjustTokenPrivileges (preserved across
;       the CloseHandle via push/pop)
; Clob: ecx, edx (stdcall)
; NOTE(review): OpenProcessToken and LookupPrivilegeValue results are
; not checked, and a non-zero AdjustTokenPrivileges return does not by
; itself mean the privilege was granted - the API signals a privilege
; it could not assign via GetLastError() == ERROR_NOT_ALL_ASSIGNED. The
; caller in `start` ignores the return value anyway.
;______________________________________________________
_EnablePrivilege proc  szPriv:DWORD, bFlags:DWORD
  local   hToken
  local   tkp : TOKEN_PRIVILEGES

  invoke  GetCurrentProcess
  mov edx,eax                                   ; pseudo-handle for this process
  invoke  OpenProcessToken,edx,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
  invoke  LookupPrivilegeValue,NULL,szPriv,addr tkp.Privileges.Luid
  mov tkp.PrivilegeCount, 1
  xor eax,eax                                   ; Attributes = 0 (disable) ...
 .if  bFlags
  mov eax,SE_PRIVILEGE_ENABLED                  ; ... or SE_PRIVILEGE_ENABLED
 .endif
  mov tkp.Privileges.Attributes, eax
  invoke  AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
  push    eax                                   ; keep the result while closing the token
  invoke  CloseHandle, hToken
  pop eax
  ret
_EnablePrivilege endp
;_____________________________________________________________
;_____________________________________________________________
; DWORD _GetPidFromProcName(LPCSTR lpProcName)
; Walks a Toolhelp process snapshot and returns the PID of the first
; process whose image file name equals lpProcName, compared
; case-insensitively with lstrcmpi. Returns 0 when nothing matches.
; In:   lpProcName -> NUL-terminated ANSI image name (e.g. "winlogon.exe")
; Out:  eax = th32ProcessID of the match, or 0
; Clob: ecx, edx (stdcall); no callee-saved registers are used.
; The snapshot handle is closed on every path; the snapshot result
; itself is not checked (a failed snapshot simply yields 0).
;_____________________________________________________________
_GetPidFromProcName proc lpProcName:DWORD
  local @pe32 : PROCESSENTRY32
  local @hSnap
  local @dwFoundPid

  ; Default result: "not found".
  xor eax,eax
  mov @dwFoundPid, eax
  ; PROCESSENTRY32 must be zeroed and carry its own size before Process32First.
  invoke RtlZeroMemory, addr @pe32, sizeof @pe32
  mov @pe32.dwSize, sizeof @pe32
  invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
  mov @hSnap, eax
  invoke  Process32First, @hSnap, addr @pe32
 .while  eax                          ; eax = BOOL from Process32First/Next
  invoke  lstrcmpi, lpProcName, addr @pe32.szExeFile
  .if !eax                            ; 0 => names equal (case-insensitive)
   mov eax, @pe32.th32ProcessID
   mov @dwFoundPid, eax
   .break
  .endif
  invoke  Process32Next, @hSnap, addr @pe32
 .endw
  invoke  CloseHandle, @hSnap         ; released whether or not a match was found
  mov eax, @dwFoundPid
  ret
_GetPidFromProcName  endp
;_______________________________________________________

  end start
;______________________________________________________
