众所周知，有很多病毒和木马可以在无任何提示的情况下直接关闭防火墙。之所以能这样，主要是利用了微软提供的 API TerminateProcess，而且微软也没有提供 PATCH 的意思，所以只有靠自己了：自己 HOOK 这个 API，然后在它被调用时跳出消息框询问是否要终止进程。当然 HOOK 的方法有很多，我下面的方法是看了关于研究变速齿轮的文章以后写的：先申请 2G 以上的空间，然后将 TerminateProcess 的前 7 个字节保存起来，再修改它，使其指向 2G 以上的空间，然后将驻留代码复制到该处。这样当调用 TerminateProcess 时就会调用我的代码，跳出 MESSAGEBOX 询问是否退出：NO 则置失败标志（EAX=0）直接返回；CANCEL 则先恢复原先的内容然后同 NO，这样就解除了 HOOK。
YES时先恢复原先的内容,然后压入TerminateProcess所需的参数,并压入返回的地址,即从API返回以后到我的代码中,然后再修改API,继续HOOK,并置成功标志(EAX=1)返回。
由于我所驻留的代码并不以任何进程形式存在,所以也不怕自己被TERMINATE掉,呵呵。
代码如下:
----------------------------------------------------------
;========================================
; WOWOCOCK 编写 ;
;========================================
.586
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
;-----------------------------------------
; ddd "text" -> expands to `addr name`, where name is a zero-terminated copy of
; text emitted into .data. The macro switches to .data for the string and back
; to .code afterwards, so it is only meant to be expanded from inside .code.
; Not referenced anywhere in this listing (the MessageBox calls use CTEXT).
ddd MACRO Text
local name
.data
name db Text,0
.code
EXITM <addr name>
ENDM
;define data in .data section
;This and other can be used as: ddd("My god!")
;isn't it cool?
;------------------------------------(上面的)--
; CTEXT text... -> expands to `offset sym`, where sym is a zero-terminated string
; placed in the CONST segment (read-only data, unlike ddd's .data copy).
; An empty argument list yields a single 0 byte, i.e. an empty string.
; Used by every MessageBox call in _Start.
CTEXT MACRO y:VARARG
LOCAL sym
CONST segment
IFIDNI <y>,<>
sym db 0 ; no text given: emit just the terminator
else
sym db y,0
endif
CONST ends
EXITM <offset sym>
ENDM
;This is a good macro
;------------------------------------(上面的)--
; m2m M1, M2 -> M1 = M2, routed through the stack (push M2 / pop M1) because a
; single mov cannot take two memory operands. Operand size is the push/pop size
; (32 bits in this flat model); flags are left untouched; a 4-byte temporary
; lives on the stack between the two instructions.
m2m MACRO M1, M2
push M2
pop M1
ENDM
;mov is too boring sometimes!
;------------------------------------(上面的)--
; Call32 Selector, Offsetv -> emits a far CALL (opcode 9Ah, ptr16:32 form) to
; Selector:Offsetv as raw bytes, since the assembler's call mnemonic is not
; used for this. Not referenced in the visible part of this listing; presumably
; ToRing0Code (not shown) uses it to reach MyProc, which returns with retf —
; TODO confirm against ToRing0Code.
Call32 macro Selector,Offsetv
db 09ah ; CALL ptr16:32
dd Offsetv ; 32-bit offset
dw Selector ; 16-bit code selector
endm
Arp_Mem equ 1000h ; bytes per VirtualAlloc request (4096, one x86 page); also the step _Start uses when probing for a free address above 2 GB
;用到的宏
;------------------------------------(上面的)--
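.data
; Strings and resolved addresses shared between _Start and MyProc.
; The page this was taken from had typographic quotes (U+2019) around the
; name strings below; MASM only accepts ' or " as string delimiters, so
; plain apostrophes are restored here. The byte contents are unchanged.
sztit db "Tested by Wowocock",0 ; caption of the MessageBox shown on success
aKernel32 db 'Kernel32.dll',0 ; module names passed to GetModuleHandle
aUser32 db 'User32.dll',0
AddrKernel32 dd ? ; HMODULE of kernel32
aTerminateProcess db 'TerminateProcess',0 ; export names passed to GetProcAddress
AddrTerminate dd ? ; address of TerminateProcess: the export whose first 7 bytes get patched
aMessageboxA db 'MessageBoxA',0
AddrMessage dd ? ; address of MessageBoxA; MyProc copies it into the resident stub
aExitProcess db 'ExitProcess',0
AddrExitProcess dd ? ; resolved but not referenced in this listing; presumably used by the resident code — TODO confirm
lpMappedObject dd ? ; address of the page above 2 GB that holds the resident stub; also the hook's jump target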
;;-----------------------------------------
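.code
;-----------------------------------------------------------------------
; _Start: program entry point.
; 1. Resolves the kernel32/user32 addresses the resident stub needs.
; 2. Refuses to run if TerminateProcess already carries this tool's stub.
; 3. Allocates one Arp_Mem-byte page above 2 GB.
; 4. Has MyProc (via ToRing0Code, not in this listing) patch the first
;    7 bytes of TerminateProcess to jump to that page.
; 5. Copies the resident code Addr0Proc (not in this listing) into the
;    page and exits; the stub stays behind in the shared page.
; Register use: eax = scratch / API results; ebx = VirtualAlloc result
; (clobbered — this is the process entry point, nobody expects it
; preserved); esi/edi/ecx = rep movsb operands.
; The invoke lines that the page had wrapped across several physical
; lines are rejoined here; MASM has no implicit line continuation.
;-----------------------------------------------------------------------
_Start:
invoke GetModuleHandle,addr aKernel32
mov AddrKernel32,eax
invoke GetProcAddress,eax,addr aTerminateProcess
test eax,eax ; a NULL result would be dereferenced by the check below
jz _ErrNoApi
mov AddrTerminate,eax
detect:
;---------------------------------------------
; Already hooked? MyProc writes "push imm32 / ret / nop" over the first
; 7 bytes of the export; the ret/nop pair lands at offset 5 as the word
; 90C3h. Only this tool's own stub is recognised here — any other inline
; patch of the export passes this check unnoticed.
cmp word ptr[eax+5],90c3h
jz _ErrHooked
;---------------------------------------------
invoke GetProcAddress,AddrKernel32,addr aExitProcess
mov AddrExitProcess,eax
invoke GetModuleHandle,addr aUser32
invoke GetProcAddress,eax,addr aMessageboxA
mov AddrMessage,eax ; NOTE(review): neither of these two results is NULL-checked; the resident stub depends on AddrMessage
;-----------------------------------------------
; Probe upward from 80000000h in Arp_Mem steps until VirtualAlloc accepts
; an address. The stub must live above 2 GB (see the introduction); the
; page is committed PAGE_EXECUTE_READWRITE, i.e. writable and executable
; at the same time.
mov eax,080000000h-Arp_Mem
Try_next:
add eax,Arp_Mem
cmp eax,(-1-Arp_Mem) ; top of the address space reached (unsigned compare)
jae _ErrCantAlloc
push eax ; keep the candidate address across the call
invoke VirtualAlloc,eax,Arp_Mem,MEM_COMMIT,PAGE_EXECUTE_READWRITE
test eax,eax ; ZF reflects the result; xchg and pop below do not touch flags
xchg eax,ebx
pop eax
je Try_next
mov lpMappedObject, eax ; stores the requested address, not VirtualAlloc's return value (left in ebx) — assumed equal here, TODO confirm
;---------------------------------------------
; Patch the export. ToRing0Code is not in this listing; MyProc returns
; with retf, so it is presumably reached by a far call from there.
push offset MyProc
call ToRing0Code
;---------------------------------------------
; Copy the resident code into the page above 2 GB. Addr0Proc and
; Addr0ProcLength are defined outside this listing; the +1 presumably
; compensates for how the length symbol is computed — TODO confirm.
cld
mov edi,lpMappedObject
mov esi,offset Addr0Proc
mov ecx,Addr0ProcLength+1
rep movsb
;---------------------------------------------
invoke MessageBox,0,CTEXT("TerminateProcess Probe..."),addr sztit,MB_ICONWARNING
jmp Exit
_ErrNoApi:
invoke MessageBox,0,CTEXT("Can't find TerminateProcess!"),CTEXT("ERROR"),0
jmp Exit
_ErrCantAlloc:
invoke MessageBox,0,CTEXT("Can’t Alloc Memory!"),CTEXT("ERROR"),0
jmp Exit
_ErrHooked:
invoke MessageBox,0,CTEXT("TerminateProcess is being hooked!"),CTEXT("ERROR"),MB_ICONWARNING
Exit:
invoke ExitProcess,0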
;-----------------------------------------
;-----------------------------------------------------------------------
; MyProc: installs the TerminateProcess patch.
; Entered through ToRing0Code (not in this listing) with a far call — it
; returns with retf, so it must never be reached by a near call.
; Presumably runs at ring 0, which would be why the write into
; kernel32's code page below succeeds without any VirtualProtect —
; TODO confirm against ToRing0Code.
; Preserves: esi, edi. Clobbers: eax, ecx, flags.
; Assumes DF = 0 (there is no cld here; movsd/rep movsb depend on it).
; Writes bAddrMessage, bTerminate, blpMappedObject and OldBytes, all
; defined outside this listing — presumably variables inside the
; resident block Addr0Proc that _Start copies above 2 GB afterwards.
;-----------------------------------------------------------------------
MyProc proc
push esi
push edi
; Copy the resolved addresses into the resident stub's own variables so
; the copy above 2 GB is self-contained.
lea esi,AddrMessage
lea edi,bAddrMessage
movsd
lea esi,AddrTerminate
lea edi,bTerminate
movsd
lea esi,lpMappedObject
lea edi,blpMappedObject
movsd
;----------------------------------------------
; Save the original first 7 bytes of TerminateProcess into OldBytes so
; the stub can restore them later. Nothing synchronises this with other
; threads: one that is executing inside those 7 bytes while they are
; rewritten below will run a torn instruction stream.
mov esi,AddrTerminate
lea edi,OldBytes
xor ecx,ecx
mov cl,7
rep movsb
;----------------------------------------------
; Overwrite the first 7 bytes of TerminateProcess with
;   push lpMappedObject   (68h imm32)
;   ret                   (C3h)
;   nop                   (90h)
; so every caller lands in the resident stub. The word 90C3h at offset 5
; is what _Start's "already hooked" check looks for. From a defender's
; side this is the textbook inline-patched export prologue that
; prologue-integrity scans flag.
mov eax,AddrTerminate
mov byte ptr[eax],68h
m2m dword ptr[eax+1],lpMappedObject
mov word ptr[eax+5],90c3h
pop edi
pop esi
retf
MyProc endp