;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 服务程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none
include /masm32/include/windows.inc
include /masm32/include/user32.inc
includelib /masm32/lib/user32.lib
include /masm32/include/kernel32.inc
includelib /masm32/lib/kernel32.lib
include /masm32/include/AdvApi32.inc
includelib /masm32/lib/AdvApi32.lib
;--------------------------------------------------------------------
; Uninitialised globals shared between the service thread, the control
; handler and the hook callback. Syntax: MASM, flat model, stdcall.
;--------------------------------------------------------------------
.data?
stSS SERVICE_STATUS <> ;service status block reported to the SCM
hSS dd ? ;service status handle from RegisterServiceCtrlHandler
dwOption dd ? ;bit flags polled by _ServiceMain; only F_STOP is used
F_STOP equ 0001h ;stop the service
dwAKServiceID dd ? ;this process's id (written in _SearchProcess, never read in this file)
dwTaskmgrID dd ? ;process id of the matched taskmgr.exe
hHook dd ? ;WH_JOURNALRECORD hook handle, 0 if SetWindowsHookEx failed
hInstance dd ? ;module handle of this executable
hProcess dd ? ;handle of the target process opened in _RemoteThread
lpLoadLibrary dd ? ;address of LoadLibraryA resolved in this process
lpDllBase dd ? ;buffer allocated inside the target process for the DLL path
szMyDllFull db MAX_PATH dup (?) ;full DLL path = current directory + szMyDll
.const
szDllKernel db 'Kernel32.dll',0
szLoadLibrary db 'LoadLibraryA',0
szMyDll db '\HookAPI.dll',0
szTaskmgr db 'taskmgr.exe',0
include <Define.inc> ;presumably supplies szServiceName used below -- confirm
.code
_RemoteThread proc
;-----------------------------------------------------------------------
; void _RemoteThread(void)
; Loads HookAPI.dll into the process whose id is in dwTaskmgrID: allocates
; a buffer there, writes the DLL path into it and starts a remote thread
; at LoadLibraryA with that buffer as its argument.
; In:   dwTaskmgrID (global)
; Never returns: ends in ExitProcess, which terminates this whole service
; process (including the hook callback chain that called it).
; NOTE(review): GetProcAddress, WriteProcessMemory and CreateRemoteThread
; results are not checked; a 0 from GetProcAddress is passed on as the
; remote thread start address. The remote buffer is never freed.
; NOTE(review): VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
; into a foreign process is the remote-thread pattern endpoint monitoring
; keys on; expect this routine to be what telemetry flags.
;-----------------------------------------------------------------------
;********************************************************************
; Setup: build the DLL's full path from the process's current directory
; (not the executable's location) and resolve LoadLibraryA here; the
; code assumes it has the same address in the target process.
;********************************************************************
invoke GetCurrentDirectory,MAX_PATH,addr szMyDllFull
invoke lstrcat,addr szMyDllFull,addr szMyDll
invoke GetModuleHandle,addr szDllKernel
invoke GetProcAddress,eax,offset szLoadLibrary ;eax = kernel32 base from the previous call
mov lpLoadLibrary,eax
;********************************************************************
; Open the target process with just the rights the calls below need
;********************************************************************
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or \
PROCESS_VM_WRITE or PROCESS_VM_READ,FALSE,dwTaskmgrID
.if eax
mov hProcess,eax
;********************************************************************
; Allocate MAX_PATH bytes in the target, copy the DLL path there, then
; start a thread at LoadLibraryA(lpDllBase); its handle is closed at once
;********************************************************************
invoke VirtualAllocEx,hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE
.if eax
mov lpDllBase,eax
invoke WriteProcessMemory,hProcess,\
eax,offset szMyDllFull,MAX_PATH,NULL
invoke CreateRemoteThread,hProcess,NULL,0,lpLoadLibrary,\
lpDllBase,0,NULL
invoke CloseHandle,eax ;eax = remote thread handle (0 if the call failed)
.endif
invoke CloseHandle,hProcess
.endif
invoke ExitProcess,NULL ;terminates the service process; control never returns to the caller
_RemoteThread endp
_SearchProcess proc
;-----------------------------------------------------------------------
; void _SearchProcess(void)
; Walks a Toolhelp process snapshot looking for an executable name equal
; (case-sensitive lstrcmp) to szTaskmgr; on the first match stores its
; process id in dwTaskmgrID and calls _RemoteThread. Also stores this
; process's own id in dwAKServiceID (not read anywhere in this file).
; NOTE(review): there is no `ret` before `endp`; after CloseHandle
; execution falls through into _RecHookProc. In the match case that point
; is never reached because _RemoteThread ends in ExitProcess, which also
; means the .break and the CloseHandle on the snapshot never run.
;-----------------------------------------------------------------------
local @stProcess:PROCESSENTRY32
local @hSnapShot
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
mov @stProcess.dwSize,sizeof @stProcess ;Toolhelp requires dwSize before the first call
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapShot,eax ;not checked for INVALID_HANDLE_VALUE
invoke GetCurrentProcessId
mov dwAKServiceID,eax
invoke Process32First,@hSnapShot,addr @stProcess
.while eax
lea eax,@stProcess.szExeFile
mov edx,eax
invoke lstrcmp,edx,addr szTaskmgr
.if eax==0
mov eax,@stProcess.th32ProcessID ;taskmgr found
mov dwTaskmgrID,eax
invoke _RemoteThread ;create a remote thread in the taskmgr process (does not return)
.break
.endif
invoke Process32Next,@hSnapShot,addr @stProcess
.endw
invoke CloseHandle,@hSnapShot
_SearchProcess endp
_RecHookProc proc _dwCode,_wParam,_lParam
;-----------------------------------------------------------------------
; LRESULT CALLBACK _RecHookProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_JOURNALRECORD callback installed by _ServiceMain. When _dwCode is
; HC_ACTION, _lParam is treated as an EVENTMSG*; if its message field is
; WM_CREATE the process scan (_SearchProcess) is run. The event is then
; passed down the chain with CallNextHookEx.
; NOTE(review): there is no `ret` before `endp`, so after popad execution
; falls through into _ProcHandler; popad also overwrites the
; CallNextHookEx result, so the caller sees whatever eax held on entry.
;-----------------------------------------------------------------------
pushad ;preserves every register for the hook caller (and hides the return value, see note)
.if _dwCode==HC_ACTION
mov ebx,_lParam
assume ebx:ptr EVENTMSG
.if [ebx].message==WM_CREATE
invoke _SearchProcess
.endif
assume ebx:nothing
.endif
invoke CallNextHookEx,hHook,_dwCode,_wParam,_lParam
popad
_RecHookProc endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 服务控制程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcHandler proc _dwControl
;-----------------------------------------------------------------------
; void WINAPI _ProcHandler(DWORD dwControl)
; Service control handler registered by _ServiceMain.
;   SERVICE_CONTROL_STOP        -> set F_STOP in dwOption, report STOPPED
;   SERVICE_CONTROL_INTERROGATE -> re-report the current stSS
;   anything else               -> ignored
; All registers are preserved (pushad/popad).
; NOTE(review): STOPPED is reported while _ServiceMain may still be inside
; its Sleep; the usual sequence is STOP_PENDING here and STOPPED from the
; service thread once its loop has exited.
;-----------------------------------------------------------------------
        pushad
        mov     eax,_dwControl
        cmp     eax,SERVICE_CONTROL_INTERROGATE
        je      @report                         ; just re-send stSS
        cmp     eax,SERVICE_CONTROL_STOP
        jne     @done                           ; unknown control: nothing to do
        or      dwOption,F_STOP                 ; _ServiceMain polls this flag
        mov     stSS.dwCurrentState,SERVICE_STOPPED
@report:
        invoke  SetServiceStatus,hSS,addr stSS
@done:
        popad
        ret
_ProcHandler endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 服务主程序
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
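_ServiceMain proc _dwArgc,_lpszArgv
;-----------------------------------------------------------------------
; void WINAPI _ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv)
; Service entry called by the SCM dispatcher (see _WinMain).
;   1. installs a WH_JOURNALRECORD hook whose callback is _RecHookProc
;   2. registers _ProcHandler and reports START_PENDING, then RUNNING
;   3. beeps once a second until _ProcHandler sets F_STOP in dwOption
;   4. removes the hook, if one was installed, and returns
; Globals written: hHook, hSS, stSS. Registers preserved (pushad/popad).
; Changed from the original: the unused local @dwThreadID was dropped and
; the hook is removed on the way out instead of living until ExitProcess.
; NOTE(review): RegisterServiceCtrlHandler's result is stored unchecked;
; if it is 0 every SetServiceStatus below fails silently.
; NOTE(review): the service is declared SERVICE_INTERACTIVE_PROCESS; on
; Vista and later services run in session 0, so a global hook installed
; here is not expected to observe the interactive desktop -- confirm on
; the target platform.
;-----------------------------------------------------------------------
        pushad
        ; Global journal hook; hHook stays 0 when installation fails.
        invoke  SetWindowsHookEx,WH_JOURNALRECORD,addr _RecHookProc,hInstance,NULL
        .if eax
                mov     hHook,eax
        .endif
        invoke  RegisterServiceCtrlHandler,addr szServiceName,offset _ProcHandler
        mov     hSS,eax
        mov     stSS.dwServiceType,SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
        mov     stSS.dwCurrentState,SERVICE_START_PENDING
        mov     stSS.dwControlsAccepted,SERVICE_ACCEPT_STOP
        mov     stSS.dwWin32ExitCode,NO_ERROR
        invoke  SetServiceStatus,hSS,addr stSS
        mov     stSS.dwCurrentState,SERVICE_RUNNING
        invoke  SetServiceStatus,hSS,addr stSS
        ;--------------------------------------------------------------
        ; Service body: beep every second until the stop flag is set.
        ; Stop latency is therefore up to one Sleep period.
        ;--------------------------------------------------------------
        .repeat
                invoke  MessageBeep,-1
                invoke  Sleep,1000
        .until dwOption & F_STOP
        ; Tear the hook down on the same thread that installed it.
        .if hHook != NULL
                invoke  UnhookWindowsHookEx,hHook
                mov     hHook,NULL
        .endif
        popad
        ret
_ServiceMain endp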
_WinMain proc
;-----------------------------------------------------------------------
; void _WinMain(void)
; Hands this process to the service control dispatcher with a one-entry
; service table (szServiceName -> _ServiceMain). The table is zeroed
; first so entry [1] is the all-NULL terminator the dispatcher looks for.
; StartServiceCtrlDispatcher returns only when all services have stopped
; (or immediately, on failure -- its result is not checked here).
;-----------------------------------------------------------------------
        local   @stSTE[2]:SERVICE_TABLE_ENTRY
        invoke  RtlZeroMemory,addr @stSTE,sizeof @stSTE
        mov     eax,offset szServiceName
        mov     @stSTE[0].lpServiceName,eax
        mov     eax,offset _ServiceMain
        mov     @stSTE[0].lpServiceProc,eax
        invoke  StartServiceCtrlDispatcher,addr @stSTE
        ret
_WinMain endp
start:
;-----------------------------------------------------------------------
; Process entry point. Records the module handle (used by _ServiceMain for
; SetWindowsHookEx) before anything else, connects to the SCM through
; _WinMain -- which returns only once the dispatcher is done -- and then
; exits with code 0.
;-----------------------------------------------------------------------
invoke GetModuleHandle,NULL
mov hInstance,eax
invoke _WinMain
invoke ExitProcess,NULL
end start