In early September I happened to try 360 Security Guard, and it felt very good.
In the past I had the idea of writing a small program myself to remove this hateful rogue software.
Now that I have seen 360 Security Guard and am comfortable with it, I applied to join their volunteer programmers.
And I am honored to be one of them.
The following is the test question they gave me and my answer; I hope it helps you with your own programming.
========================================================== ======================================
Write a program that launches a.exe and makes a.exe believe it was started by assumer.exe.
========================================================== ======================================
Suppose my program is named ddd.exe and uses the CreateProcess function to start a.exe. If CreateProcess is used directly to run a.exe without any further work, the parent process of the new program will be ddd.exe. On XP/NT the CreateProcess call proceeds as follows:
1: createprocessinternalw 2: ntcreateprocessex/ntcreateprocess 3: pspcreateprocess, where the parentprocess handle, a parameter of ntcreateprocessex/ntcreateprocess, specifies which process becomes the parent.
So what I need to do is intercept ntcreateprocessex/ntcreateprocess when the CreateProcess function calls it, and change the parentprocess parameter value passed by CreateProcess to the handle of assumer.exe. Step 1: use a hook to intercept the ntcreateprocess function. Step 2: get the handle of cmd.exe, replace the parentprocess parameter value, and continue into the original ntcreateprocess. Key code segment 1: get the handle of cmd.exe: handle hexplorer; // variable holding the cmd.exe handle
......
...... // Retrieve all System Processes
// Walks the snapshot taken earlier (Process32First/Process32Next) looking for
// a process whose image name is "assumer.exe" and opens it. The page names the
// target inconsistently (assumer.exe / cmd.exe / explorer.exe); the variable
// name hexplorer suggests explorer.exe is meant, but that cannot be confirmed
// from the visible code.
Bool status =
Process32first(Snapshot, & processinfo );
// Index into processid; the array's size is declared outside the visible
// code, so nothing here bounds m_nprocess against it.
Int m_nprocess = 0;
While (Status)
{
Cstring str1;
Str1.format ("% s", processinfo. szexefile );
Processid [m_nprocess] = processinfo. th32processid;
If (str1 = "assumer.exe") // found the target image name (original comment garbled)
{
// PROCESS_ALL_ACCESS is far more than a parent-process handle needs, and the
// handle is never closed in the visible code (nor is the snapshot). A
// cross-process OpenProcess on the shell from an unrelated binary is also
// exactly what ProcessAccess telemetry (e.g. Sysmon event 10) records, which
// is how defenders see this step.
Hexplorer = OpenProcess
(Process_all_access, false, processid [m_nprocess]); // Save the assumer.exe handle to hexplorer
Break; // jump out of while
}
Status = process32next (snapshot, & processinfo );
M_nprocess ++;
} // End while ......
... Key code segment 2: intercept the ntcreateprocess function; key code of the hook DLL (note: part of the code is omitted) // definition of the replacement function
// Replacement for ntdll!NtCreateProcess that the DllMain patch below redirects
// into. Every argument is forwarded unchanged except parentprocess, which is
// replaced by the handle saved in Hexplorer, so the kernel records that process
// as the parent of the one being created. The body is elided by the author
// ("......"); only the forwarding call is shown.
// NOTE(review): the CreateProcessInternalW -> NtCreateProcess(Ex) chain
// described on this page is the XP/2003-era path; later Windows versions
// create processes through NtCreateUserProcess, so this hook point is not
// reached there. The real creator remains visible to the kernel (process
// creation callbacks report the creating thread separately from the parent),
// so a parent-PID/creator mismatch is the detection signal for this technique.
Int _ stdcall hook_ntcreateprocess (phandle processhandle,
Access_mask desiredaccess,
Pobject_attributes objectattributes,
Handle parentprocess, // the parent the caller asked for; replaced by Hexplorer below
Boolean inherithandles,
Handle sectionhandle,
Handle debugport,
Handle exceptionport
)
{
......
... // Here is the key code Segment 1: Take the handle of mongoer.exe and save it
Hexplorer
......
// Forward to the original with the substituted parent. The visible lines do not
// return the forwarded call's NTSTATUS; the elided part presumably does.
Ntcreateprocess (processhandle, desiredaccess, objectattributes,
Hexplorer, // Hexplorer: the assumer.exe handle saved in key code segment 1
Inherithandles, sectionhandle, debugport, exceptionport );
......
......
......
} // Key code hmodule m_hntcp = in the dllmain Function
// Patch installed from DllMain (the "hmodule m_hntcp =" that begins this
// statement is fused into the comment on the line above): resolves
// ntcreateprocess in ntdll, reads its first two DWORDs (into g_dwoldbytes, going
// by the name — the cast is applied to g_dwoldbytes[0], so whether this does
// what the author intended cannot be confirmed here), then overwrites them with
// g_btnewbytes after storing the hook's address at offset 1 of that stub.
// g_btnewbytes and g_dwoldbytes are declared outside the visible code.
Loadlibrary("NTDLL. dll ");
G_pntcp = (DWORD)
Getprocaddress(M_hntcp, "ntcreateprocess ");
// INVALID_HANDLE_VALUE is (HANDLE)-1, the same value GetCurrentProcess()
// returns, so both calls below act on the caller's own address space. No
// return value is checked, so a failed read leaves the saved bytes undefined
// and a failed write leaves the hook silently uninstalled.
Readprocessmemory(Invalid_handle_value, (void *)
G_pntcp,
(Void *) g_dwoldbytes [0], sizeof (DWORD) * 2, null); // rewrite 00400000 to the address of our function
// Overwriting the prologue of an ntdll export in-process is the classic inline
// hook; userland hook-integrity checks (comparing loaded ntdll code against the
// on-disk image) and the kernel-side creator/parent mismatch noted above are
// how defenders detect it. The 32-bit DWORD target also ties this to x86 builds.
* (DWORD *)(
G_btnewbytes+ 1) = (DWORD) hook_ntcreateprocess;
Writeprocessmemory(Invalid_handle_value,
(Void *) g_pntcp,
(Void *)
G_btnewbytes, Sizeof (DWORD) * 2, null );