szWinTitle                 db         'Windows 任务管理器', 0
szProcName                 db         'taskmgr.exe', 0
stStartup                 STARTUPINFO     <>
stProcInfo                 PROCESS_INFORMATION     <>
_ZeroMemory         proc         _lpDest, _dwSize
     push     edi
     mov     edi, _lpDest
     mov     ecx, _dwSize
     xor     eax, eax
     cld
     rep     stosb
     pop     edi
     ret
_ZeroMemory         endp
_InstallHook         proc     uses esi
     local     @hProcess
     call     @F
     @@:
     pop     ebx
     sub     ebx, offset @B
     lea     edi, [ebx + offset stProcInfo]
     invoke     _ZeroMemory, edi, sizeof PROCESS_INFORMATION
     lea     edi, [ebx + offset stStartup]
     _invoke     [ebx + _lpGetStartupInfo], edi
     .while     TRUE
         lea     esi, [ebx + offset szProcName]
         lea     eax, [ebx + offset stStartup]
         lea     edi, [ebx + offset stProcInfo]
         _invoke     [ebx + _lpCreateProcess], NULL, esi, NULL, NULL, NULL, NORMAL_PRIORITY_CLASS, NULL, NULL, eax, edi
         .if     eax != 0
             assume     edi: ptr PROCESS_INFORMATION
             mov     eax, [edi].hProcess
             mov     @hProcess, eax


             _invoke     [ebx + _lpWaitForSingleObject], @hProcess, INFINITE
             _invoke     [ebx + _lpCloseHandle], @hProcess
             assume     edi: nothing
         .else
             ret
         .endif
     .endw
     xor     eax, eax
     ret
_InstallHook         endp
_RemoteThread             proc         uses edi esi ebx lParam
     local     @hModule
     call     @F
     @@:
     pop     ebx
     sub     ebx, offset @B
     _invoke     [ebx + _lpGetModuleHandle], NULL
     mov     [ebx + _hInstance], eax
     lea     eax, [ebx + offset _szDllUser]
     _invoke     [ebx + _lpGetModuleHandle], eax
     mov     @hModule, eax
     lea     esi, [ebx + offset _szDestroyWindow]
     lea     edi, [ebx + offset _lpDestroyWindow]
     ; 获取地址：所有用到的函数
     .while     TRUE
         _invoke     [ebx + _lpGetProcAddress], @hModule, esi
         mov     [edi], eax
         add     edi, 4
         ; add     esi, 4
         @@:
         lodsb
         or     al, al
         jnz     @B
         .break     .if     ! BYTE ptr [esi + 1]
     .endw
     call     _InstallHook
     ; call     _WinMain
     ret
_RemoteThread             endp
REMOTE_CODE_END         equ         this     BYTE
REMOTE_CODE_LENGTH     equ         offset REMOTE_CODE_END - offset REMOTE_CODE_START

; 第二部分，启动代码。
         .386
         .model flat, stdcall
         option casemap: none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include          windows.inc
include          user32.inc
includelib       user32.lib
include          kernel32.inc
includelib       kernel32.lib
include          Macro.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
         .data?
lpLoadLibrary             dd         ?
lpGetProcAddress         dd         ?
lpGetModuleHandle         dd         ?
lpWaitForSingleObject     dd         ?
lpCreateProcess             dd         ?
lpGetStartupInfo         dd         ?
lpCloseHandle             dd         ?
dwProcessID                 dd         ?
dwThreadID                 dd         ?


hProcess                 dd         ?
lpRemoteCode             dd         ?
dwTemp                     dd         ?
         .const
szErrOpen                 db         '无法打开远程线程!', 0
szDesktopClass             db         'Progman', 0
szDesktopWindow             db         'Program Manager', 0
szDllKernel                 db         'Kernel32.dll', 0
szLoadLibrary             db         'LoadLibraryA', 0
szGetProcAddress         db         'GetProcAddress', 0
szGetModuleHandle         db         'GetModuleHandleA', 0
szWaitForSingleObject     db         'WaitForSingleObject', 0
szCreateProcess             db         'CreateProcessA', 0
szGetStartupInfo         db         'GetStartupInfoA', 0
szCloseHandle             db         'CloseHandle', 0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                     .code
;**********************************************************************************
include             RemoteCode.asm
;***************************************************************************************
start:
     invoke     GetModuleHandle, addr szDllKernel
     mov     ebx,eax


     invoke     GetProcAddress, ebx, offset szLoadLibrary
     mov     lpLoadLibrary, eax
     invoke     GetProcAddress, ebx, offset szGetProcAddress
     mov     lpGetProcAddress, eax
     invoke     GetProcAddress, ebx, offset szGetModuleHandle
     mov     lpGetModuleHandle, eax
     invoke     GetProcAddress, ebx, offset szWaitForSingleObject
     mov     lpWaitForSingleObject, eax
     invoke     GetProcAddress, ebx, offset szCreateProcess
     mov     lpCreateProcess, eax
     invoke     GetProcAddress, ebx, offset szGetStartupInfo
     mov     lpGetStartupInfo, eax
     invoke     GetProcAddress, ebx, offset szCloseHandle
     mov     lpCloseHandle, eax
     ; 查找文件管理器窗口并获取进程ID，然后打开进程
     invoke     FindWindow, addr szDesktopClass, addr szDesktopWindow
     invoke     GetWindowThreadProcessId, eax, offset dwProcessID
     mov     dwThreadID,eax
     invoke     OpenProcess, PROCESS_CREATE_THREAD or PROCESS_VM_WRITE or \
                 PROCESS_VM_OPERATION, FALSE, dwProcessID
     .if     eax
         mov         hProcess, eax
         ; 在进程中分配空间并将执行代码拷贝过去，然后创建一个远程线程
         invoke     VirtualAllocEx, hProcess, NULL, REMOTE_CODE_LENGTH, MEM_COMMIT,\
                     PAGE_EXECUTE_READWRITE
         .if     eax
             mov     lpRemoteCode, eax
             ; 先入全部远程代码
             invoke     WriteProcessMemory, hProcess, lpRemoteCode, \
                         offset REMOTE_CODE_START, REMOTE_CODE_LENGTH, offset dwTemp


             ; 写入七个函数地址
             invoke     WriteProcessMemory, hProcess, lpRemoteCode, \
                         offset lpLoadLibrary, sizeof DWORD   * 7, offset dwTemp
             mov     eax, lpRemoteCode
             add     eax, offset _RemoteThread - offset REMOTE_CODE_START
             .if     eax == 0
                 invoke     MessageBox, 0, 0, 0, 0
             .endif
             invoke     CreateRemoteThread,   hProcess, NULL, 0, eax, 0, 0, NULL
             ; invoke     MessageBox, NULL, 0, 0, 0
             invoke     CloseHandle, eax
         .endif
         invoke     CloseHandle, hProcess
     .else
         invoke     MessageBox, NULL, addr szErrOpen, NULL, MB_OK or MB_ICONWARNING
     .endif
     invoke   ExitProcess,NULL
end      start


; 用到的模拟invoke的宏，虽然知道是怎么回事，但是不会写宏
reverseArgs      macro    arglist:VARARG
     local    txt,count
     txt      TEXTEQU <>
     count    = 0
     for      i,<arglist>
         count    = count + 1
                     txt      TEXTEQU @CatStr(i,<!,>,<%txt>)
             endm
             if       count GT 0
                     txt      SUBSTR   txt,1,@SizeStr(%txt)-1
             endif
             exitm    txt
endm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 建立一个类似于 invoke 的 Macro
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_invoke         macro    _Proc,     args:VARARG
     local    count
     count    = 0
%        for      i,< reverseArgs( args ) >
                     count    = count + 1
                     push         i
             endm
             call         DWORD   ptr _Proc    
endm


要想关掉任务管理器，杀死explorer先。
一下就被杀软杀了应该。