Kill_Vagaa_Process完整版
今天才完成这个代码,把它放在同事的电脑上,免得他用Vagaa.exe拖AV,他爽了,我却麻烦了..
.386
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include AdvApi32.inc
includelib AdvApi32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
szFileName db 'vagaa.exe',0
szServiceEXE db 'VagaaProcess.exe',0 ;在这里定义运行服务的 exe 文件名
szServiceName db 'ServiceTemplate',0 ;在这里定义服务的名称
szDisplayName db 'Service Template',0 ;在这里定义服务显示的名称
.data?
stSS SERVICE_STATUS <> ;服务的状态
hSS dd ? ;服务的状态句柄
dwOption dd ?
F_STOP equ 0001h ;停止服务
hSnapShot dd ?
stProcess PROCESSENTRY32 <?>
stStartUp STARTUPINFO <?>
stProcInfo PROCESS_INFORMATION <?>
hInstance dd ?
pid dd ?
stMsg MSG<?>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WorkThread proc
GetProcess:
invoke RtlZeroMemory,addr stProcess,sizeof stProcess ;清空stProcess,不然进程会重叠
mov stProcess.dwSize,sizeof stProcess
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,addr stProcess ;开始历遍快照
mov hSnapShot,eax ;保存到句柄中
invoke Process32First,hSnapShot,addr stProcess;历遍第一个进程
.while eax
invoke CompareString,LOCALE_USER_DEFAULT,NORM_IGNORECASE,addr szFileName,-1,addr stProcess.szExeFile,-1
.if eax==2
push stProcess.th32ProcessID
pop pid
.endif
invoke Process32Next,hSnapShot,addr stProcess
.endw
invoke OpenProcess,PROCESS_TERMINATE,FALSE,pid
.if eax
mov ebx,eax
invoke TerminateProcess,ebx,-1
.endif
invoke Sleep,1000
jmp GetProcess
ret
_WorkThread endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 服务控制程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcHandler proc _dwControl
pushad
mov eax,_dwControl
.if eax == SERVICE_CONTROL_STOP
or dwOption,F_STOP
mov stSS.dwCurrentState,SERVICE_STOPPED
invoke SetServiceStatus,hSS,addr stSS
.elseif eax == SERVICE_CONTROL_INTERROGATE
invoke SetServiceStatus,hSS,addr stSS
.endif
popad
ret
_ProcHandler endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 服务主程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ServiceMain proc _dwArgc,_lpszArgv
pushad
invoke RegisterServiceCtrlHandler,addr szServiceName,offset _ProcHandler
mov hSS,eax
mov stSS.dwServiceType,SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
mov stSS.dwCurrentState,SERVICE_START_PENDING
mov stSS.dwControlsAccepted,SERVICE_ACCEPT_STOP
mov stSS.dwWin32ExitCode,NO_ERROR
invoke SetServiceStatus,hSS,addr stSS
;********************************************************************
; 如果初始化代码比较多,那么需要首先把状态设置为 pending,等完成以后
; 再设置为 Running。(在这里加入初始化代码)
;********************************************************************
mov stSS.dwCurrentState,SERVICE_RUNNING
invoke SetServiceStatus,hSS,addr stSS
;********************************************************************
; 服务的具体执行代码
; 在这里执行结束vagaa.exe进程,免得同事拖AV
;********************************************************************
invoke _WorkThread
popad
ret
_ServiceMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 主程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WinMain proc
local @stSTE[2]:SERVICE_TABLE_ENTRY
invoke RtlZeroMemory,addr @stSTE,sizeof @stSTE
mov @stSTE[0].lpServiceName,offset szServiceName
mov @stSTE[0].lpServiceProc,offset _ServiceMain
invoke StartServiceCtrlDispatcher,addr @stSTE
ret
_WinMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
invoke _WinMain
;********************************************************************
; 消息循环
;********************************************************************
.while TRUE
invoke GetMessage,addr stMsg,NULL,0,0
invoke DispatchMessage,addr stMsg
.endw
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
.386
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include AdvApi32.inc
includelib AdvApi32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
szFileName db 'vagaa.exe',0
szServiceEXE db 'VagaaProcess.exe',0 ;在这里定义运行服务的 exe 文件名
szServiceName db 'ServiceTemplate',0 ;在这里定义服务的名称
szDisplayName db 'Service Template',0 ;在这里定义服务显示的名称
.data?
stSS SERVICE_STATUS <> ;服务的状态
hSS dd ? ;服务的状态句柄
dwOption dd ?
F_STOP equ 0001h ;停止服务
hSnapShot dd ?
stProcess PROCESSENTRY32 <?>
stStartUp STARTUPINFO <?>
stProcInfo PROCESS_INFORMATION <?>
hInstance dd ?
pid dd ?
stMsg MSG<?>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WorkThread proc
GetProcess:
invoke RtlZeroMemory,addr stProcess,sizeof stProcess ;清空stProcess,不然进程会重叠
mov stProcess.dwSize,sizeof stProcess
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,addr stProcess ;开始历遍快照
mov hSnapShot,eax ;保存到句柄中
invoke Process32First,hSnapShot,addr stProcess;历遍第一个进程
.while eax
invoke CompareString,LOCALE_USER_DEFAULT,NORM_IGNORECASE,addr szFileName,-1,addr stProcess.szExeFile,-1
.if eax==2
push stProcess.th32ProcessID
pop pid
.endif
invoke Process32Next,hSnapShot,addr stProcess
.endw
invoke OpenProcess,PROCESS_TERMINATE,FALSE,pid
.if eax
mov ebx,eax
invoke TerminateProcess,ebx,-1
.endif
invoke Sleep,1000
jmp GetProcess
ret
_WorkThread endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 服务控制程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcHandler proc _dwControl
pushad
mov eax,_dwControl
.if eax == SERVICE_CONTROL_STOP
or dwOption,F_STOP
mov stSS.dwCurrentState,SERVICE_STOPPED
invoke SetServiceStatus,hSS,addr stSS
.elseif eax == SERVICE_CONTROL_INTERROGATE
invoke SetServiceStatus,hSS,addr stSS
.endif
popad
ret
_ProcHandler endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 服务主程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ServiceMain proc _dwArgc,_lpszArgv
pushad
invoke RegisterServiceCtrlHandler,addr szServiceName,offset _ProcHandler
mov hSS,eax
mov stSS.dwServiceType,SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
mov stSS.dwCurrentState,SERVICE_START_PENDING
mov stSS.dwControlsAccepted,SERVICE_ACCEPT_STOP
mov stSS.dwWin32ExitCode,NO_ERROR
invoke SetServiceStatus,hSS,addr stSS
;********************************************************************
; 如果初始化代码比较多,那么需要首先把状态设置为 pending,等完成以后
; 再设置为 Running。(在这里加入初始化代码)
;********************************************************************
mov stSS.dwCurrentState,SERVICE_RUNNING
invoke SetServiceStatus,hSS,addr stSS
;********************************************************************
; 服务的具体执行代码
; 在这里执行结束vagaa.exe进程,免得同事拖AV
;********************************************************************
invoke _WorkThread
popad
ret
_ServiceMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 主程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WinMain proc
local @stSTE[2]:SERVICE_TABLE_ENTRY
invoke RtlZeroMemory,addr @stSTE,sizeof @stSTE
mov @stSTE[0].lpServiceName,offset szServiceName
mov @stSTE[0].lpServiceProc,offset _ServiceMain
invoke StartServiceCtrlDispatcher,addr @stSTE
ret
_WinMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
invoke _WinMain
;********************************************************************
; 消息循环
;********************************************************************
.while TRUE
invoke GetMessage,addr stMsg,NULL,0,0
invoke DispatchMessage,addr stMsg
.endw
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start