;*******************************************************
;ml /c /coff /Fo selfkill-Rnt.obj selfkill-Rnt.asm
;Link /subsystem:windows /SECTION:.text,WRE selfkill-Rnt.obj
;*******************************************************
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;*******************************************************
.code
; Position-independent stub that is injected into explorer.exe and run there as
; a thread (see _RemoteCode2KXP).  Its job: wait until the injecting process has
; exited and its image is unmapped, then DeleteFileA() that image's path.
;
; Layout matters and must not be changed casually:
;   * the two API pointer slots and the path are addressed by fixed offsets from
;     KREMOTE_CODE_START, and the injector (start) patches the slots by offset;
;   * the path is NOT part of the template: start appends szSelfName directly
;     after KREMOTE_CODE_END, which is where _selfkillselfname lands.
; Assumes the kernel32 addresses resolved in the injector are also valid in the
; target process (kernel32 shares one base across processes of a boot).
;
; Security/robustness caveats for anyone reusing this:
;   * Sleep(500) is a fixed guess; if the injector's image is still mapped after
;     500 ms the delete fails.  There is no retry and no error reporting.
;   * Any fault in here — e.g. a pointer slot left NULL — crashes the shell
;     (explorer.exe), not this program.
KREMOTE_CODE_START equ this byte
call @F
@@:
pop ebx ; ebx = runtime address of @@ (call pushed it)
sub ebx,offset @B ; relocate: ebx = runtime address - link-time address (delta)
push 500
call [ebx+_lpselfkillSleep] ; Sleep(500) through the patched-in pointer
lea eax,[ebx+offset _selfkillselfname] ; runtime address of the appended path
push eax
call [ebx+_lpselfkillDeleteFile] ; DeleteFileA(path)
ret ; NOTE(review): a thread start routine is stdcall with one LPVOID argument,
    ; so strictly this should be `ret 4`; eax (DeleteFileA's BOOL) becomes the
    ; thread exit code.
_lpselfkillSleep dd ? ; slot: address of kernel32!Sleep, filled by start
_lpselfkillDeleteFile dd ? ; slot: address of kernel32!DeleteFileA, filled by start
_selfkillselfname: ; the path is appended here by the injector (outside the template)
KREMOTE_CODE_END equ this byte
KREMOTE_CODE_LENGTH equ offset KREMOTE_CODE_END - offset KREMOTE_CODE_START
;*******************************************************
.data?
; Staging buffer: a copy of the stub template (with its API pointer slots filled
; in) is built here by start before it is written into explorer.exe.
REMOTE_CODE db KREMOTE_CODE_LENGTH dup (?)
; Must immediately follow REMOTE_CODE: start injects KREMOTE_CODE_LENGTH+MAX_PATH
; bytes as one blob, so the path GetModuleFileName writes here is exactly what
; the stub's _selfkillselfname label resolves to in the target.  Do not insert
; anything between these two declarations.
szSelfName db MAX_PATH dup (?)
.code
;*******************************************************
; Window class and title of the desktop's shell window ("Progman" /
; "Program Manager").  _RemoteCode2KXP uses them with FindWindow to locate the
; explorer.exe process it injects the remote thread into.  Read-only strings
; kept in .code; they are never written.
szDesktopClass db 'Progman',0
szDesktopWindow db 'Program Manager',0
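_RemoteCode2KXP proc @_RmCodeStart,@_RmCodeLen
local @hRmCodeMemory
local @hselfkillProcessID
local @hselfkillProcess
; Inject @_RmCodeLen bytes at @_RmCodeStart into the shell process (explorer.exe)
; and run them there as a new thread.  Returns eax = TRUE if the remote thread
; was created, FALSE otherwise (the original returned CloseHandle's result, which
; no caller looked at, so this is backward compatible).
;
; Technique (textbook remote-thread injection):
;   FindWindow("Progman") -> GetWindowThreadProcessId -> OpenProcess
;   -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread
; Security notes:
;   * Needs PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE on
;     explorer.exe, i.e. the shell must run as the same user (on Vista+ also at
;     an integrity level we can reach — an assumption; the 2K/XP targets this was
;     written for have no integrity levels).
;   * An RWX allocation plus CreateRemoteThread into the shell is a classic
;     AV/EDR detection pattern, and any fault in the injected code crashes
;     explorer.exe rather than this process.
;   * On success the remote allocation is deliberately left mapped: the remote
;     thread is still executing in it when we return.  It is released only on
;     the failure paths below.
; Changes vs. the original: every API result is checked (the original carried a
; NULL window/process handle through WriteProcessMemory, CreateRemoteThread and
; CloseHandle), and the remote buffer is freed if the write or thread creation
; fails.
; Clobbers eax, ecx, edx; does not touch ebx/esi/edi itself.
; 1. find the shell window and open its process
invoke FindWindow,addr szDesktopClass,addr szDesktopWindow
test eax,eax
jz rc_fail ; no desktop window: no shell to inject into
lea ecx,@hselfkillProcessID
invoke GetWindowThreadProcessId,eax,ecx
test eax,eax
jz rc_fail ; window vanished between the two calls
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or \
PROCESS_VM_WRITE,FALSE,@hselfkillProcessID
test eax,eax
jz rc_fail ; access denied or process gone
mov @hselfkillProcess,eax
; 2. allocate, write and start the code in the target
invoke VirtualAllocEx,@hselfkillProcess,NULL,@_RmCodeLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE
test eax,eax
jz rc_close
mov @hRmCodeMemory,eax
invoke WriteProcessMemory,@hselfkillProcess,eax,@_RmCodeStart,@_RmCodeLen,NULL
test eax,eax
jz rc_free ; never start a thread on a buffer we failed to fill
invoke CreateRemoteThread,@hselfkillProcess,NULL,0,@hRmCodeMemory,NULL,0,NULL
test eax,eax
jz rc_free
invoke CloseHandle,eax ; thread handle only; the remote thread keeps running
invoke CloseHandle,@hselfkillProcess
mov eax,TRUE
ret
rc_free:
; write or thread creation failed: release the remote buffer
; (PROCESS_VM_OPERATION covers VirtualFreeEx)
invoke VirtualFreeEx,@hselfkillProcess,@hRmCodeMemory,0,MEM_RELEASE
rc_close:
invoke CloseHandle,@hselfkillProcess
rc_fail:
xor eax,eax
ret
_RemoteCode2KXP endp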
;*******************************************************
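szselfkillDllKernel db 'Kernel32.dll',0
szselfkillSleep db "Sleep",0
szselfkillDeleteFile db "DeleteFileA",0
; Byte offsets of the two pointer slots inside the stub template, so the copy in
; REMOTE_CODE can be patched instead of the .text original.
STUB_SLEEP_OFS equ offset _lpselfkillSleep - offset KREMOTE_CODE_START
STUB_DELETEFILE_OFS equ offset _lpselfkillDeleteFile - offset KREMOTE_CODE_START
;*******************************************************
; Entry point: resolve Sleep/DeleteFileA, build the injection blob
; (stub + own path) in .data?, hand it to _RemoteCode2KXP, then exit so the
; image is unmapped and the remote stub's DeleteFileA can succeed.
;
; Changes vs. the original:
;   * the API pointers are written into the REMOTE_CODE copy rather than into the
;     .text template, so .text no longer has to be writable (the
;     /SECTION:.text,WRE link option in the header is not needed for this);
;   * every lookup is checked, so a NULL pointer is never shipped into
;     explorer.exe (where it would crash the shell);
;   * a failed or truncated GetModuleFileName aborts instead of injecting a
;     garbage/unterminated path;
;   * the process leaves via ExitProcess instead of returning from the entry point.
start:
; --- 1. resolve the APIs the stub will call (the stub assumes kernel32 is
;        mapped at the same base inside the target as here) ---
invoke GetModuleHandle,addr szselfkillDllKernel
test eax,eax
jz selfkill_exit
mov esi,eax ; esi = hKernel32
invoke GetProcAddress,esi,offset szselfkillSleep
test eax,eax
jz selfkill_exit
mov ebx,eax ; ebx = &Sleep (ebx is preserved across the stdcall API calls below)
invoke GetProcAddress,esi,offset szselfkillDeleteFile
test eax,eax
jz selfkill_exit ; from here on eax = &DeleteFileA
; --- 2. copy the stub template into the writable staging buffer ---
cld
mov ecx,KREMOTE_CODE_LENGTH
mov esi,offset KREMOTE_CODE_START
mov edi,offset REMOTE_CODE
rep movsb ; leaves eax/ebx untouched
; --- 3. patch the pointer slots in the copy, not in .text ---
mov dword ptr [REMOTE_CODE+STUB_SLEEP_OFS],ebx
mov dword ptr [REMOTE_CODE+STUB_DELETEFILE_OFS],eax
; --- 4. append our own path directly after the stub (szSelfName follows
;        REMOTE_CODE in .data?, which is what the stub's path label relies on) ---
invoke GetModuleFileName,NULL,offset szSelfName,MAX_PATH
test eax,eax
jz selfkill_exit ; lookup failed
cmp eax,MAX_PATH
jae selfkill_exit ; return == nSize means truncated: do not inject an unterminated path
; --- 5. inject stub+path (KREMOTE_CODE_LENGTH+MAX_PATH bytes) into explorer.exe ---
push KREMOTE_CODE_LENGTH+MAX_PATH
push offset REMOTE_CODE
call _RemoteCode2KXP
selfkill_exit:
; Terminate explicitly so the image is unmapped well before the stub's Sleep(500)
; elapses; a bare `ret` from the entry point leaves teardown to the loader thunk.
invoke ExitProcess,0
end start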