SoFunction
Updated on 2025-04-12

Code for easy language NTAPI process manipulation

Functions implemented by this program:

  • Open process_Strong
  • Process pause
  • Take API function address
  • Process end
  • Process end_Strong
  • Process_NT memory clear
  • Process_Get own process ID
  • Process_Elevate permissions
  • Kill_Process

DLL command table

.Version 2
.DLL command Open process_, Integer type, "", "OpenProcess", public, Returns a handle to the process object
  .parameter Desired access, Integer type, , dwDesiredAccess
  .parameter Inherit handle, Integer type, , bInheritHandle
  .parameter Process identifier, Integer type, , dwProcessId
.DLL command ZwOpenProcess, Integer type, "", "ZwOpenProcess", public
  .parameter hProcess, Integer type, address
  .parameter DesiredAccess, Integer type
  .parameter ObjectAttributes, OBJECT_ATTRIBUTES
  .parameter ClientId, CLIENT_ID
.DLL command ZwQuerySystemInformation, Integer type, "", "ZwQuerySystemInformation"
  .parameter SystemInformationClass, Integer type, , SYSTEM_INFORMATION_CLASS enumeration value
  .parameter SystemInformation, Byte set, , any
  .parameter SystemInformationLength, Integer type
  .parameter ReturnLength, Integer type, address
.DLL command Take pointer_byte set, Integer type, "", "lstrcpyn", public, regular API
  .parameter Take its pointer, Byte set, pass address
  .parameter Take its pointer, Byte set, pass address
  .parameter Reserved, Integer type, , 0
.DLL command RtlMoveMemory3, Integer type, "", "RtlMoveMemory", public, regular API, reads an integer from an address
  .parameter dest, Integer type, address
  .parameter Source, Integer type
  .parameter len, , , 4
.DLL command RtlMoveMemory1, Integer type, "", "RtlMoveMemory", , regular API
  .parameter dest, SYSTEM_HANDLE_TABLE_ENTRY_INFO
  .parameter Source, Integer type
  .parameter len
.DLL command ZwDuplicateObject, Integer type, "", , public
  .parameter SourceProcessHandle, Integer type
  .parameter SourceHandle, Integer type
  .parameter TargetProcessHandle, Integer type
  .parameter TargetHandle, Integer type, address
  .parameter DesiredAccess, Integer type
  .parameter HandleAttributes, Integer type
  .parameter Options, Integer type
.DLL command ZwQueryInformationProcess, Integer type, "", "ZwQueryInformationProcess", , Parameter names follow the documented prototype (the original listing reused the ZwQuerySystemInformation names)
  .parameter ProcessHandle, Integer type
  .parameter ProcessInformationClass, Integer type, , 0 = ProcessBasicInformation
  .parameter ProcessInformation, PROCESS_BASIC_INFORMATION, , any
  .parameter ProcessInformationLength, Integer type
  .parameter ReturnLength, Integer type, address
.DLL command ZwClose, Integer type, "", "ZwClose", public, Closes a process handle
  .parameter handle
.DLL command Take function address_, Integer type, "kernel32", "GetProcAddress", , Returns the function address
  .parameter Module handle, Integer type
  .parameter Function name, Text type
.DLL command Take module handle_, Integer type, "kernel32", "GetModuleHandleA", , Gets the module handle of an application or dynamic-link library. On success the module handle is returned; zero indicates failure and GetLastError is set
  .parameter Module name, Text type, , Specifies the module name, which is usually the same as the module's file name. For example, the module file name of the program is called NOTEPAD;
.DLL command _Dynamic call subprogram, Integer type, "", "CallWindowProcA"
  .parameter Dynamic call code, Byte set, , Byte set code
  .parameter Subprogram, Integer type, , To integer (subprogram pointer)
  .parameter parameter, Integer type, Array, An integer array; parameter 1 is member 1, and so on; Text and Byte set (custom structure) values are passed as pointers
  .parameter parameter count, Integer type, , Must match the parameter array, otherwise an error occurs
  .parameter whether C call, Logical, , True = cdecl calling convention, False = stdcall calling convention (the standard WINAPI convention)
.DLL command ZwCreateJobObject, Integer type, "", , public
  .parameter JobHandle, Integer type, address
  .parameter DesiredAccess, Integer type
  .parameter ObjectAttributes, OBJECT_ATTRIBUTES
.DLL command Close kernel object_, Integer type, "", "CloseHandle", public, Non-zero means success, zero means failure
  .parameter Object handle, Integer type, , hObject, the handle of the object to be closed
.DLL command TerminateProcess_, Integer type, "kernel32", "TerminateProcess", , Ends a process. Non-zero means success, zero means failure. GetLastError is set
  .parameter hProcess, Integer type, , Handle of the process to be terminated
  .parameter uExitCode, Integer type, , Exit code for the process
.DLL command ZwAssignProcessToJobObject, Integer type, "", , public
  .parameter JobHandle, Integer type
  .parameter ProcessHandle, Integer type
.DLL command ZwTerminateJobObject, Integer type, "", , public
  .parameter JobHandle, Integer type
  .parameter ExitStatus, Integer type
.DLL command ZwTerminateProcess, Integer type, "", , public
  .parameter ProcessHandle, Integer type
  .parameter ExitStatus, Integer type
.DLL command ZwProtectVirtualMemory, Integer type, "", "ZwProtectVirtualMemory"
  .parameter ProcessHandle, Integer type
  .parameter BaseAddress, Integer type
  .parameter RegionSize, Integer type
  .parameter NewProtect, Integer type
  .parameter OldProtect, Integer type
.DLL command ZwWriteVirtualMemory, Integer type, "", "ZwWriteVirtualMemory"
  .parameter ProcessHandle, Integer type
  .parameter BaseAddress, Integer type
  .parameter pBuffer, Byte set
  .parameter NumberOfBytesToWrite, Integer type
  .parameter NumberOfBytesWritten, Integer type, address
.DLL command RtlAdjustPrivilegeA, Integer type, "", "RtlAdjustPrivilege"
  .parameter Privilege, Integer type
  .parameter Enable, Logical
  .parameter Client, Logical
  .parameter WasEnabled, Integer type, address
.DLL command API_CreateRemoteThread, Integer type, "kernel32", "CreateRemoteThread", , Creates a thread in another process
  .parameter hProcess, Integer type
  .parameter lpThreadAttributes, SECURITY_ATTRIBUTES
  .parameter dwStackSize, Integer type
  .parameter lpStartAddress, Integer type
  .parameter lpParameter, Integer type
  .parameter dwCreationFlags, Integer type
  .parameter lpThreadId, Integer type
.DLL command CreateToolhelp32Snapshot, Integer type, "", "CreateToolhelp32Snapshot"
  .parameter flags, Integer type
  .parameter id, Integer type
.DLL command Thread32First, Integer type, "kernel32", "Thread32First"
  .parameter hSnapshot, Integer type
  .parameter lppe, THREADENTRY32
.DLL command OpenThread, Integer type, "kernel32", "OpenThread"
  .parameter h, Integer type
  .parameter a, Logical
  .parameter b, Integer type
.DLL command TerminateThread, Integer type, "", "ZwTerminateThread"
  .parameter hThread, Integer type
  .parameter dwExitCode, Integer type
.DLL command Thread32Next, Integer type, "kernel32", "Thread32Next"
  .parameter hSnapshot, Integer type
  .parameter lppe, THREADENTRY32
.DLL command NtUnmapViewOfSection, Integer type, "", "NtUnmapViewOfSection"
  .parameter hProcess
  .parameter addr
.DLL command LoadLibrary, Integer type, "kernel32", "LoadLibraryA", public
  .parameter lpLibFileName, Text type
.DLL command DebugActiveProcess, Logical, "kernel32", "DebugActiveProcess"
  .parameter dwProcessId, Integer type

Custom data type table

.Version 2
.Data type CLIENT_ID, public, The CLIENT_ID structure holds the process and thread identifiers
  .member UniqueProcess, Integer type, , , Process identifier
  .member UniqueThread, Integer type, , , Thread identifier
.Data type OBJECT_ATTRIBUTES, public, The OBJECT_ATTRIBUTES structure specifies the attributes that routines which create objects and/or return handles to objects can apply to the object or handle
  .member Length, Integer type
  .member RootDirectory, Integer type
  .member ObjectName, Integer type
  .member Attributes, Integer type
  .member SecurityDescriptor, Integer type
  .member SecurityQualityOfService, Integer type
.Data type SECURITY_ATTRIBUTES, , Security attributes structure
  .member nLength, Integer type
  .member lpSecurityDescriptor, Integer type
  .member bInheritHandle, Integer type
.Data type PROCESS_BASIC_INFORMATION, public
  .member ExitStatus, Integer type
  .member PebBaseAddress, Integer type
  .member AffinityMask, Integer type
  .member BasePriority, Integer type
  .member UniqueProcessId, Integer type
  .member InheritedFromUniqueProcessId, Integer type
.Data type MEMORY_BASIC_INFORMATION, public
  .member BaseAddress, Integer type
  .member AllocationBase, Integer type
  .member AllocationProtect, Integer type
  .member RegionSize, Integer type
  .member State, Integer type
  .member Protect, Integer type
  .member Type, Integer type
.Data type SYSTEM_HANDLE_TABLE_ENTRY_INFO, public
  .member UniqueProcessId, Short integer type
  .member CreatorBackTraceIndex, Short integer type
  .member ObjectTypeIndex, Byte type
  .member HandleAttributes, Byte type
  .member HandleValue, Short integer type
  .member pObject, Integer type
  .member GrantedAccess, Integer type
.Data type THREADENTRY32
  .member dwsize, Integer type
  .member cntusage, Integer type
  .member th32threadID, Integer type
  .member th32OwnerProcessID, Integer type
  .member tpBasePri, Integer type
  .member tpDeltaPri, Integer type
  .member dwFlags, Integer type

Constant data table

.Version 2
.constant PROCESS_ALL_ACCESS, "2035711", public
.constant STATUS_INFO_LENGTH_MISMATCH, "-1073741820", public
.constant STATUS_SUCCESS, "0", public
.constant PROCESS_QUERY_INFORMATION, "1024", public
.constant STATUS_INVALID_PARAMETER, "-1073741811", public
.constant OBJ_INHERIT, "2", public
.constant DUPLICATE_CLOSE_SOURCE, "1", public
.constant DUPLICATE_SAME_ACCESS, "2", public
.constant DUPLICATE_SAME_ATTRIBUTES, "4", public
.constant OB_TYPE_PROCESS, "5", public
.constant ZwGetCurrentProcess, "-1", public
.constant PROCESS_DUP_HANDLE, "64", public
.constant PAGE_EXECUTE_READWRITE, "64"
.constant JOB_OBJECT_ALL_ACCESS, "2031647", public
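The constants above are the signed decimal values Easy Language stores; Windows documentation and security telemetry (for example the GrantedAccess field of a Sysmon Event ID 10 ProcessAccess record) show the same values as unsigned hex masks. The following Python helper is an added example, not part of the original program: it converts the table's values to 32-bit unsigned hex, names each bit of a PROCESS_* access mask, and applies the NT_SUCCESS convention (`st ≥ 0` on a signed 32-bit status) that the code below relies on.

```python
# Added example (not from the original Easy Language program): interpret the signed
# decimal constants of the table above as 32-bit access masks and NTSTATUS values.
from typing import List

# PROCESS_* specific rights (winnt.h), the standard rights and SYNCHRONIZE.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}


def to_u32(value: int) -> int:
    """Reinterpret a signed 32-bit constant (as Easy Language stores it) as unsigned."""
    return value & 0xFFFFFFFF


def nt_success(status: int) -> bool:
    """NT_SUCCESS: severity bits 00 (success) or 01 (informational), i.e. signed status >= 0."""
    return to_u32(status) < 0x80000000


def decode_process_access(mask: int) -> List[str]:
    """Name every bit set in a PROCESS_* access mask; unknown bits are reported as hex."""
    mask = to_u32(mask)
    names = []
    for bit in range(32):
        flag = 1 << bit
        if mask & flag:
            names.append(PROCESS_RIGHTS.get(flag, f"UNKNOWN_{flag:#010x}"))
    return names


if __name__ == "__main__":
    # The table's PROCESS_ALL_ACCESS (2035711 = 0x1F0FFF) is the pre-Vista definition:
    # twelve specific rights plus STANDARD_RIGHTS_REQUIRED and SYNCHRONIZE.
    print(f"{to_u32(2035711):#x}", decode_process_access(2035711))
    # STATUS_INFO_LENGTH_MISMATCH (-1073741820) is 0xC0000004, a failure status, which is
    # why the buffer-growing loop in Open process_Strong keeps doubling retlen.
    print(f"{to_u32(-1073741820):#x}", nt_success(-1073741820), nt_success(0))
```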

NTAPI process manipulation code

.Version 2
.Assembly Main assembly
.Subprogram _Startup subprogram, Integer type
Process_Elevate permissions ()
Information box (Process pause (3796, False), 0, , )  ' 3796 is a hard-coded example PID
return (0)
.Subprogram Open process_Strong, Integer type, public, Mainly NATIVE API
.parameter dwDesiredAccess, Integer type
.parameter bInhert, Logical
.parameter ProcessId, Integer type
.Local variable st, Integer type
.Local variable cid, CLIENT_ID, , , The CLIENT_ID structure holds the process and thread identifiers
.Local variable oa, OBJECT_ATTRIBUTES
.Local variable NumOfHandle, Integer type
.Local variable pbi, PROCESS_BASIC_INFORMATION
.Local variable i, Integer type
.Local variable hProcessToDup, Integer type
.Local variable hProcessCur, Integer type
.Local variable hProcessToRet, Integer type
.Local variable h_info, SYSTEM_HANDLE_TABLE_ENTRY_INFO
.Local variable retlen, Integer type
.Local variable a, Byte set
.Local variable b, Integer type
.Local variable c, Byte set
.Local variable ret, Integer type
.If true (ProcessId = 0)
  return (0)
.End if true
oa.Length = 24  ' sizeof(OBJECT_ATTRIBUTES) on 32-bit Windows
.If true (bInhert)
  oa.Attributes = bit or (oa.Attributes, #OBJ_INHERIT)
.End if true
cid.UniqueProcess = ProcessId + 1
' First try a direct open
st = ZwOpenProcess (hProcessToRet, dwDesiredAccess, oa, cid)
.If true (st ≥ 0)
  ret = hProcessToRet
  return (ret)
.End if true
' Otherwise query the system handle table (class 16 = SystemHandleInformation), doubling the buffer until it fits
retlen = 1
.Do-while begin ()
  a = Take blank byte set (retlen)
  ret = ZwQuerySystemInformation (16, a, retlen, 0)
  .If (ret = #STATUS_INFO_LENGTH_MISMATCH)
    retlen = retlen × 2
    a = Take blank byte set (retlen)
  .Else
    Break out of the loop ()
  .End if
.Do-while end (ret = #STATUS_INFO_LENGTH_MISMATCH)
b = Take pointer_byte set (a, a, 0)
RtlMoveMemory3 (NumOfHandle, b, 4)  ' the first ULONG of the buffer is the handle count
b = b + 4
.Counted loop begin (NumOfHandle, i)
  RtlMoveMemory1 (h_info, b, 16)  ' one 16-byte SYSTEM_HANDLE_TABLE_ENTRY_INFO entry
  .If true (h_info.ObjectTypeIndex = #OB_TYPE_PROCESS)
    cid.UniqueProcess = h_info.UniqueProcessId
    st = ZwOpenProcess (hProcessToDup, #PROCESS_DUP_HANDLE, oa, cid)
    .If true (st ≥ 0)
      st = ZwDuplicateObject (hProcessToDup, h_info.HandleValue, #ZwGetCurrentProcess, hProcessCur, #PROCESS_ALL_ACCESS, 0, #DUPLICATE_SAME_ATTRIBUTES)
      .If true (st ≥ 0)
        st = ZwQueryInformationProcess (hProcessCur, 0, pbi, 24, 0)  ' 0 = ProcessBasicInformation
        .If true (st ≥ 0)
          .If true (pbi.UniqueProcessId = ProcessId)
            st = ZwDuplicateObject (hProcessToDup, h_info.HandleValue, #ZwGetCurrentProcess, hProcessToRet, dwDesiredAccess, #OBJ_INHERIT, #DUPLICATE_SAME_ATTRIBUTES)
            .If true (st ≥ 0)
              ret = hProcessToRet
            .End if true
          .End if true
        .End if true
      .End if true
      st = ZwClose (hProcessCur)
    .End if true
    st = ZwClose (hProcessToDup)
  .End if true
  b = b + 16
.Counted loop end ()
return (ret)
.Subprogram Process pause, Logical, public, Pause or resume a process (returns True on success, False on failure)
.parameter PID, Integer type
.parameter state, Logical, Optional
.Local variable Process handle, Integer type
.Local variable a, Integer type
Process handle = Open process_ (2035711, 0, PID)
.If true (Process handle = 0)
  Process handle = Open process_Strong (2035711, False, PID)
.End if true
.If true (Process handle = 0)
  return (False)
.End if true
.If (state)
  a = API_ZwSuspendProcess (Process handle)
.Else
  a = API_ZwResumeProcess (Process handle)
.End if
Close kernel object_ (Process handle)
return (a = 0)
.Subprogram API_ZwSuspendProcess, Integer type, , , API_ZwSuspendProcess
.parameter Process handle, Integer type
.Local variable address, Integer type
.Local variable parameter, Integer type, , "1"
address = Take API function address (“”, “ZwSuspendProcess”)  ' address of ZwSuspendProcess in NTDLL
parameter [1] = Process handle  ' the argument to ZwSuspendProcess, the system's own suspend-process call; the author calls it dynamically to avoid hooks
return (_Dynamic call subprogram (#Dynamic call code, address, parameter, 1, False))  ' dynamic call
.Subprogram Take API function address, Integer type, public
.parameter dll file name, Text type
.parameter dll command name, Text type
return (Take function address_ (Take module handle_ (dll file name), dll command name))
.Subprogram API_ZwResumeProcess, Integer type, , , API_ZwResumeProcess
.parameter Process handle, Integer type
.Local variable address, Integer type
.Local variable parameter, Integer type, , "1"
address = Take API function address (“”, “ZwResumeProcess”)  ' address of ZwResumeProcess in NTDLL
parameter [1] = Process handle  ' the argument to ZwResumeProcess, the system's own resume-process call; called dynamically for the same reason
return (_Dynamic call subprogram (#Dynamic call code, address, parameter, 1, False))  ' dynamic call
.Subprogram Process end, Logical, public, Terminate a process (returns True on success, False on failure)
.parameter Process ID, Integer type, , ID of the process to end
.Local variable Process handle, Integer type
.Local variable a, Integer type
Process handle = Open process_ (Process ID)
a = TerminateProcess_ (Process handle, 0)
Close kernel object_ (Process handle)
return (a > 0)
.Subprogram Process end_Strong, Logical, public, Mainly NATIVE API
.parameter hProcess, Integer type
.parameter ExitStatus, Integer type, , 0
.Local variable st, Integer type
.Local variable hJob, Integer type
.Local variable oa, OBJECT_ATTRIBUTES
.Local variable ret, Logical
ret = False
oa.Length = 24
st = ZwCreateJobObject (hJob, #JOB_OBJECT_ALL_ACCESS, oa)
.If true (st ≥ 0)
  st = ZwAssignProcessToJobObject (hJob, hProcess)
  .If true (st ≥ 0)
    st = ZwTerminateJobObject (hJob, ExitStatus)
    .If true (st ≥ 0)
      ret = True
    .End if true
  .End if true
  ZwClose (hJob)
.End if true
.If true (ret = False)
  st = ZwTerminateProcess (hProcess, ExitStatus)
  .If true (st ≥ 0)
    ret = True
  .End if true
.End if true
return (ret)
.Subprogram Process_NT memory clear, Logical, public, Note: this command is very aggressive and wipes most of a process's remaining code and memory (it is slow and very CPU-intensive; use with caution!)
.parameter PID, Integer type
.Local variable hprocess, Integer type
.Local variable i, Integer type
.Local variable Memory filler, Byte set
hprocess = Open process_Strong (#PROCESS_ALL_ACCESS, False, PID)
Memory filler = Take blank byte set (255)
.For begin (0, 40960000, 4096, i)
  ZwProtectVirtualMemory (hprocess, i, 4096, #PAGE_EXECUTE_READWRITE, 0)
  ZwWriteVirtualMemory (hprocess, i, Memory filler, 4096, 0)
.For end ()
ZwClose (hprocess)
.Subprogram Process_Get own process ID, Integer type, public, Get this process's own PID; returns the process ID on success, -1 on failure
Put in code ({ 100, 139, 5, 32, 0, 0, 0, 201, 195 })  ' x86: mov eax, fs:[0x20] (TEB.ClientId.UniqueProcess); leave; ret
return (-1)
.Subprogram Process_Elevate permissions, Logical, public, NT strong privilege elevation, for the current process only
RtlAdjustPrivilegeA (20, True, False, 0)  ' 20 = SE_DEBUG_PRIVILEGE; Client = False adjusts this process's own token
return (True)
.Subprogram Kill_Process, Logical, public, Includes 8 ways to kill a process
.parameter PID, Integer type
.Local variable hJob, Integer type
.Local variable oa, OBJECT_ATTRIBUTES
.Local variable H, Integer type
.Local variable h_d, Integer type
.Local variable sa, SECURITY_ATTRIBUTES
.Local variable i, Integer type
H = Open process_ (PID)
.If true (H = 0)
  H = Open process_Strong (#PROCESS_ALL_ACCESS, False, PID)
.End if true
.If (H ≠ 0)
  .If true (ZwTerminateProcess (H, 1) ≥ 0)  ' NTSTATUS success is ≥ 0; the original tested ≥ 1, which never matches STATUS_SUCCESS = 0
    return (True)
  .End if true
  .If true (Process end (PID))
    return (True)
  .End if true
  .If true (Process end_Strong (H, 0))
    return (True)
  .End if true
  oa.Length = 24
  .If true (ZwCreateJobObject (hJob, 2031647, oa) ≥ 0)
    .If true (ZwAssignProcessToJobObject (hJob, H) ≥ 0 and ZwTerminateJobObject (hJob, 0) ≥ 0)
      ZwClose (H)
      ZwClose (hJob)
      return (True)
    .End if true
    ZwClose (hJob)
  .End if true
  h_d = Take API function address (“”, “ExitProcess”)
  API_CreateRemoteThread (H, sa, 0, h_d, 0, 0, 0)
  Close kernel object_ (H)
  .If true (KillAllThread (PID))
    return (True)
  .End if true
.Else
  H = Open process_ (8, 0, PID)
  .If true (H = 0)
    H = Open process_Strong (8, False, PID)
  .End if true
  i = NtUnmapViewOfSection (H, LoadLibrary (“”))  ' force unmap
  i = NtUnmapViewOfSection (H, LoadLibrary (“”))  ' force unmap
  i = NtUnmapViewOfSection (H, LoadLibrary (“”))  ' force unmap
  i = NtUnmapViewOfSection (H, LoadLibrary (“”))  ' force unmap
  i = NtUnmapViewOfSection (H, LoadLibrary (“”))  ' force unmap
  ZwClose (H)
  .If true (i ≥ 0)
    return (True)
  .End if true
  return (DebugActiveProcess (PID))
.End if
return (False)
.Subprogram KillAllThread, Logical
.parameter pid
.Local variable hSnapShot, Integer type
.Local variable End, Integer type
.Local variable buffer, THREADENTRY32
.Local variable tid, Integer type
.Local variable handle
tid = -1
hSnapShot = CreateToolhelp32Snapshot (4, 0)  ' 4 = TH32CS_SNAPTHREAD
buffer.dwsize = 28  ' sizeof(THREADENTRY32)
End = Thread32First (hSnapShot, buffer)
.While begin (End ≠ 0)
  .If true (buffer.th32OwnerProcessID = pid)
    tid = buffer.th32threadID
    handle = OpenThread (2032639, False, tid)  ' 2032639 = 0x1F03FF, THREAD_ALL_ACCESS
    .If true (TerminateThread (handle, 0) = 0)
      Close kernel object_ (handle)
      Close kernel object_ (hSnapShot)
      return (False)
    .End if true
    Close kernel object_ (handle)
    Break out of the loop ()
  .End if true
  End = Thread32Next (hSnapShot, buffer)
.While end ()
Close kernel object_ (hSnapShot)
return (True)
