最近看到一个关于"进程保护"的问题,无聊就研究了一下,总共得出了两种比较可行的方法:第一种是进程隐藏,第二种是进程守护。代码发出来,希望大家可以互相学习。
进程守护:http://hi.baidu.com/ciw%5Fblue/blog/item/edd5ff457062603b869473a1.html
进程隐藏:http://hi.baidu.com/ciw%5Fblue/blog/item/bcb8b0c4ad66e9cf38db49f3.html
进程隐藏的代码:
; MASM32-style 32-bit build: flat memory model, stdcall, case-sensitive symbols.
.386
.model flat, stdcall
option casemap:none
; kernel32 supplies the process/memory/thread APIs called from start:;
; user32 supplies FindWindow / GetWindowThreadProcessId (MessageBoxA is not
; linked here - the injected code resolves it at run time).
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
; Export names resolved with GetProcAddress at run time (see start:) so the
; resulting kernel32 addresses can be copied into the remote image.
szLoadLibrary db 'LoadLibraryA',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
szProcessWndName db 'Program Manager',0      ; window title given to FindWindow to select the target process
szKernel db 'Kernel32.dll',0
.data?
dwProcessID dd ?                              ; written by GetWindowThreadProcessId
hProcess dd ?                                 ; from OpenProcess; only set on success
; The next three dwords must stay contiguous and in this order: start: copies
; exactly `sizeof dword * 3` bytes starting at lpLoadLibrary to the head of the
; remote image, where they land on _lpLoadLibrary/_lpGetProcAddress/_lpGetModuleHandle.
lpLoadLibrary dd ?
lpGetProcAddress dd ?
lpGetModuleHandle dd ?
hModule dd ?                                  ; kernel32 module handle from GetModuleHandle
lpRemoteCode dd ?                             ; base of the page VirtualAllocEx returned in the target
.code
; ---- Image that start: copies into the target process -------------------
; Everything between REMOTE_CODE_START and REMOTE_CODE_END is written verbatim
; with WriteProcessMemory and executed there. It must therefore contain no
; absolute addresses other than the link-time offsets that _RemoteThread
; cancels with its call/pop delta. Data and code share one RWX page there.
REMOTE_CODE_START equ this byte
; First three dwords: overwritten by start: with the locally resolved kernel32
; addresses (order must match lpLoadLibrary/lpGetProcAddress/lpGetModuleHandle).
_lpLoadLibrary dd ?
_lpGetProcAddress dd ?
_lpGetModuleHandle dd ?
; Filled in by _RemoteThread itself while it runs inside the target.
_lpMessageBox dd ?
_hInstance dd ?
_hUserModule dd ?
; Strings addressed ebx-relative from _RemoteThread.
_szMessageBox db 'MessageBoxA',0
_szUserDLL db 'User32.dll',0
_szMsgCaption db '远程成功',0
_szMsgText db '请打开Windows任务管理器,看看!',0
; ---- remote thread body follows -----------------------------------------
;-----------------------------------------------------------------------
; DWORD WINAPI _RemoteThread(LPVOID lParam)
; Thread entry executed inside the target process; start: points
; CreateRemoteThread at lpRemoteCode + (_RemoteThread - REMOTE_CODE_START).
; ABI:   stdcall. `uses ebx edi esi` makes MASM save/restore those registers
;        in the generated prologue/epilogue (the final `ret` is expanded to
;        match).
; In:    lParam is unused. The three pointer slots at the head of the image
;        must already hold valid kernel32 addresses for this process.
; Out:   eax = return value of the last API called (becomes the thread exit
;        code). On failure nothing is reported; the thread simply returns.
; Steps: GetModuleHandleA(NULL) -> LoadLibraryA("User32.dll")
;        -> GetProcAddress(user32, "MessageBoxA") -> MessageBoxA(...)
;-----------------------------------------------------------------------
_RemoteThread proc uses ebx edi esi lParam
; ebx = (run-time address of @@) - (link-time address of @@): the relocation
; delta. Every data reference below is [ebx + link-time offset], which is what
; makes this block position independent.
call @F
@@:
pop ebx
sub ebx,offset @B
push NULL
call [ebx + _lpGetModuleHandle]          ; _hInstance = GetModuleHandleA(NULL)
mov [ebx + _hInstance],eax               ; stored but never read again
lea eax, [ebx + offset _szUserDLL]
push eax
call [ebx + _lpLoadLibrary]              ; _hUserModule = LoadLibraryA("User32.dll")
.if eax
mov [ebx + _hUserModule], eax
lea eax, [ebx + offset _szMessageBox]
push eax
mov eax, [ebx + _hUserModule]
push eax
call [ebx + _lpGetProcAddress]           ; _lpMessageBox = GetProcAddress(user32, "MessageBoxA")
.if eax
mov [ebx + _lpMessageBox], eax
lea edx, [ebx + offset _szMsgText]
lea ecx, [ebx + offset _szMsgCaption]
push MB_OK
push ecx
push edx
push NULL
call [ebx + _lpMessageBox]               ; MessageBoxA(NULL, text, caption, MB_OK)
.endif
.endif
ret
_RemoteThread endp
REMOTE_CODE_END equ this byte
; Byte count copied into the target: pointer/handle slots + strings + _RemoteThread.
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START
;-----------------------------------------------------------------------
; Entry point. Locates the process owning the "Program Manager" window,
; copies the REMOTE_CODE image into it and runs _RemoteThread there.
; Sequence: GetModuleHandle/GetProcAddress -> FindWindow ->
;   GetWindowThreadProcessId -> OpenProcess -> VirtualAllocEx (RWX) ->
;   WriteProcessMemory x2 -> CreateRemoteThread -> CloseHandle -> ExitProcess.
; Defender's note: this call chain - an RWX allocation in another process
; followed by a thread whose start address lies outside any loaded module -
; is the classic remote-thread injection pattern that API-hooking EDRs,
; ETW threat-intelligence events and "unbacked thread start" checks are built
; to surface.
; Assumption the code relies on: kernel32 is mapped at the same base in the
; target as in this process, so the locally resolved addresses remain valid
; there - TODO confirm for the environment in question.
;-----------------------------------------------------------------------
start:
invoke GetModuleHandle, offset szKernel
mov hModule, eax
; Resolve the three kernel32 exports the remote code needs; they are stored
; into the contiguous lpLoadLibrary/lpGetProcAddress/lpGetModuleHandle slots.
invoke GetProcAddress, hModule, offset szLoadLibrary
mov lpLoadLibrary, eax
invoke GetProcAddress, hModule, offset szGetProcAddress
mov lpGetProcAddress, eax
invoke GetProcAddress, hModule, offset szGetModuleHandle
mov lpGetModuleHandle, eax
invoke FindWindow, NULL, offset szProcessWndName ; window handle of the target
invoke GetWindowThreadProcessId, eax, offset dwProcessID ; owning process ID
; NOTE(review): a NULL result from FindWindow is not checked; dwProcessID is
; then whatever GetWindowThreadProcessId left there and OpenProcess is
; presumably expected to fail, which the .if below tolerates.
invoke OpenProcess, PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,
FALSE, dwProcessID
.if eax
mov hProcess, eax
; One RWX region for code + data; PAGE_EXECUTE_READWRITE violates W^X and is
; itself a common detection heuristic.
invoke VirtualAllocEx, hProcess, NULL, REMOTE_CODE_LENGTH, MEM_COMMIT, PAGE_EXECUTE_READWRITE
.if eax
mov lpRemoteCode, eax
; 1) copy the whole image; 2) patch its first three dwords with the resolved
;    kernel32 addresses (depends on the .data? and REMOTE_CODE_START layouts).
invoke WriteProcessMemory, hProcess, lpRemoteCode, offset REMOTE_CODE_START,
REMOTE_CODE_LENGTH , NULL
invoke WriteProcessMemory, hProcess,lpRemoteCode, offset lpLoadLibrary,
sizeof dword * 3, NULL
; Remote entry = remote base + offset of _RemoteThread within the image.
mov eax, lpRemoteCode
add eax, _RemoteThread - offset REMOTE_CODE_START
invoke CreateRemoteThread, hProcess, NULL, 0, eax, 0, NULL, 0
; NOTE(review): neither WriteProcessMemory nor CreateRemoteThread results are
; checked; CloseHandle receives whatever CreateRemoteThread returned, NULL included.
invoke CloseHandle, eax
.endif
.endif
; Runs even when OpenProcess failed; hProcess then still holds its .data?
; initial value (expected to be 0), so this CloseHandle simply fails.
invoke CloseHandle, hProcess
invoke ExitProcess, 0
end start