此段程序采用公開的 Win
生成wap
include Win
; ---------------------------------------------------------------------
; Protect -- 32-bit x86 routine that makes three indirect API calls
; (through the KnlOpenProcess, KnlWaitForSingleObject and KnlWinExec
; pointer slots embedded in its own body) and then returns.
;
; NOTE(review): this listing was damaged in extraction. Every operand
; after the first token is gone ("or eax", "mov ebx", "add ecx"), no
; argument pushes are visible, and the "Protect" lines that open and
; close the routine have presumably lost their proc/endp keywords.
; The comments below describe only what the remaining text shows.
;
; NOTE(review): the call/pop idiom and the inline pointer slots make
; the routine independent of its load address. Together with the
; VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence in
; Start, this looks like the code that is copied into, and run inside,
; another process -- confirm against an intact copy.
; Read that way it is a watchdog: open a process, wait on it, then
; launch FileName through WinExec. Defenders should treat a thread that
; runs from memory not backed by an image file and calls WinExec as a
; strong injection indicator.
; ---------------------------------------------------------------------
Protect
; call/pop idiom: the call pushes the address of the dword that follows
; it (the KnlOpenProcess slot) and jumps over that dword.
call GetKnlOpenProcess
; Function-pointer slot, uninitialised at assembly time. Start has a
; "mov KnlOpenProcess" line, presumably the store that fills it.
KnlOpenProcess dd ?
GetKnlOpenProcess:
; eax = address of the slot above, valid wherever this code is loaded.
pop eax
; Indirect call through the slot. Arguments are not visible here.
call [eax]
; Second operand lost; presumably "or eax, eax" to test the result.
or eax
; Zero result: skip the wait and the relaunch and return.
jz short ExitProtectProc
; Operand lost; presumably keeps the returned handle in ebx.
mov ebx
; Same call/pop idiom for the second pointer slot.
call GetKnlWaitForSingleObject
KnlWaitForSingleObject dd ?
GetKnlWaitForSingleObject:
pop eax
; Indirect call through KnlWaitForSingleObject; arguments not visible.
call [eax]
; call/pop again, this time only to learn the current address.
call GetFileNameAddress
GetFileNameAddress:
; ecx = run-time address of the GetFileNameAddress label.
pop ecx
; Operand lost; presumably adds the distance to FileName so ecx points
; at the string.
add ecx
; Same call/pop idiom for the third pointer slot.
call GetKnlWinExec
KnlWinExec dd ?
GetKnlWinExec:
pop eax
; Indirect call through KnlWinExec; arguments not visible.
call [eax]
ExitProtectProc:
; NOTE(review): no CloseHandle is visible for the handle obtained above.
ret
Protect
; String data. The initialisers after "db" were lost in extraction, so
; the actual contents are unknown.
; FileName is presumably the string whose address Protect computes into
; ecx before its WinExec call -- confirm.
FileName db
; Presumably the export names that Start passes to GetProcAddress to
; fill the three Knl* pointer slots inside Protect -- confirm.
KnlOpenProcessStr db
KnlWaitForObjectStr db
KnlWinExecStr db
; NOTE(review): "de" is not a valid directive. It looks like the remains
; of a segment or section directive; it cannot be reconstructed here.
de
extrn GetProcAddress: proc
extrn OpenProcess: proc
extrn FindWindowA: proc
extrn GetWindowThreadProcessId: proc
extrn VirtualAllocEx: proc
extrn VirtualFreeEx: proc
extrn WriteProcessMemory: proc
extrn GetCurrentProcessId: proc
extrn CreateRemoteThread: proc
extrn GetExitCodeThread: proc
extrn CloseHandle: proc
extrn WinExec: proc
extrn MessageBoxA: proc
extrn Sleep: proc
; ---------------------------------------------------------------------
; Start -- program entry point (named by "end Start").
;
; NOTE(review): this listing was damaged in extraction. Operands after
; the first token are missing and almost no argument pushes survive, so
; the parameters of every API call below are unknown. The comments
; describe only the visible call order.
;
; Visible sequence:
;   1. GetProcAddress three times, each followed by a store to one of
;      the Knl* pointer slots that live inside Protect.
;   2. FindWindowA -> GetWindowThreadProcessId -> OpenProcess to get a
;      handle to the process that owns some window.
;   3. VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
;      against that process.
;   4. GetExitCodeThread, CloseHandle, Sleep, MessageBoxA.
;
; Detection note: steps 2-3 are the classic remote-thread injection
; chain. With Sysmon deployed it shows up as ProcessAccess (event ID 10)
; from this process to the window-owning process, followed by
; CreateRemoteThread (event ID 8). Because the VirtualFreeEx call is
; commented out, the allocated region stays in the target process and
; can be recovered from a memory capture.
; ---------------------------------------------------------------------
Start:
; Resolve three API addresses at run time. Presumably this is because
; the copied code cannot use this module's import table -- confirm.
call GetProcAddress
; Operand lost; presumably stores eax into the slot inside Protect.
; NOTE(review): that slot sits in the middle of code, so the store only
; works if the code section is writable.
mov KnlOpenProcess
call GetProcAddress
mov KnlWaitForSingleObject
call GetProcAddress
mov KnlWinExec
; Locate the target window. Class and title arguments are not visible.
call FindWindowA
; Push the returned window handle as an argument to the next call.
; NOTE(review): no check for a NULL handle is visible.
push eax
call GetWindowThreadProcessId
call OpenProcess
; Operand lost; presumably "or eax, eax".
or eax
; OpenProcess returned 0: nothing to clean up, leave.
jz short OpenProcessError
; Operand lost; presumably keeps the process handle in ebx.
mov ebx
; Allocate memory inside the target process. Size and protection flags
; are not visible.
call VirtualAllocEx
or eax
; NOTE(review): this branch skips the CloseHandle call further down, so
; the handle from OpenProcess appears to leak when allocation fails.
jz short OpenProcessError
; Operand lost; presumably keeps the remote base address in edi.
mov edi
; Either an argument to a later call or a saved copy that "pop eax"
; restores below; the missing pushes make it impossible to tell.
push eax
; Copy bytes into the allocated region. Source and length are not
; visible; presumably the Protect routine and its strings.
; NOTE(review): no result check is visible after this call.
call WriteProcessMemory
; Presumably this PID becomes the remote thread's parameter, so the
; injected code knows which process to open -- confirm.
call GetCurrentProcessId
; Start a thread in the target process.
; NOTE(review): no result check is visible after this call.
call CreateRemoteThread
call GetExitCodeThread
pop eax
; Disabled by the original author, so the remote allocation is never
; released by this program.
;call VirtualFreeEx
; Arguments not visible, so it is unclear which handle is closed.
; NOTE(review): only one CloseHandle is visible, although a process
; handle and a thread handle are obtained above.
call CloseHandle
call Sleep
call MessageBoxA
OpenProcessError:
ret
end Start