各位朋友,小弟想防止自己的程序被用户通过按Ctrl+Alt+Del而结束,下面的代码是在网上搜索的,但由于自己水平有限,虽然有了现成的代码,但具体的操作步骤却不知道,希望有朋友能将详细的步骤告知,假如自己新建了一个应用程序,接着怎样做,将下面的代码加入到自己的程序中,才能防止自己的程序被任务管理器结束呢?请各位大虾赐教,万分感谢!!!
自己程序中的一段代码,进程防杀。根据网上面流传的进程防杀的C++代码改编。 DLL部分:
// ---------------------------------------------------------------------------
// Process "anti-kill" DLL: patches the import address table (IAT) of the
// process it is loaded into so that kernel32!OpenProcess fails for one PID.
// Everything below assumes a 32-bit image (4-byte DWord fields, pointers cast
// to DWORD). The type keyword, the library/uses header and the global PID
// variable belong to parts of the unit that are not in this listing.
// ---------------------------------------------------------------------------
PIMAGE_IMPORT_DESCRIPTOR = ^_IMAGE_IMPORT_DESCRIPTOR;
PImageImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR;
// One entry of the image's import directory; the directory is walked until an
// entry whose Name is 0, the terminator.
_IMAGE_IMPORT_DESCRIPTOR = packed record
CharacteristicsOrOriginalFirstThunk: DWord;
TimeDateStamp: DWord;
ForwarderChain: DWord;
Name: DWord; // RVA of the imported module's name string
FirstThunk: DWord; // RVA of this module's IAT (array of _IMAGE_THUNK_DATA)
end;
PIMAGE_THUNK_DATA = ^_IMAGE_THUNK_DATA;
PImageThunkData = PIMAGE_THUNK_DATA;
// One IAT slot; the code below only reads and writes the Function_ view.
_IMAGE_THUNK_DATA = packed record
Case Integer of
0 : (ForwarderString: DWord);
1 : (Function_: DWord);
2 : (Ordinal: DWord);
3 : (AddressOfData: DWord);
end; { OriginalOpenProcess: the real OpenProcess entry point as found in the
  IAT; stays nil until HookAPIFunction has succeeded (see HookOpenProcess). } var OriginalOpenProcess : function (dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall; { HookAPIFunction
  Redirects one imported function of the module hFromModule: the IAT slot that
  currently holds pszFunctionModule!pszFunctionName is overwritten with
  pfnNewProc. Only that module's IAT, in the current process, is touched;
  code that resolves the function at run time with GetProcAddress is not
  affected. Returns the address the slot held before (the real function), or
  nil when the module does not import pszFunctionModule or no slot matched.
  Detection note: an IAT slot that points outside the exporting module, and
  the IAT page left writable (see the VirtualProtect call below), are the
  artefacts this leaves behind. } function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
pfnOriginalProc: Pointer;
pDosHeader: PImageDosHeader;
pNTHeader: PImageNtHeaders;
pImportDesc: PImageImportDescriptor;
pThunk: PImageThunkData;
dwProtectionFlags,dwScratch: DWORD;
pszModName: PAnsiChar;
begin
Result := nil;
// Address the IAT slot is expected to contain; the search below is an exact
// address match, so nothing is patched if the slot holds a different value.
pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),
pszFunctionName);
// DOS header -> NT headers (via _lfanew) -> import directory; all offsets are
// RVAs relative to the module base.
pDosHeader := PImageDosHeader(hFromModule);
pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^._lfanew));
pImportDesc := PImageImportDescriptor(DWORD(pDosHeader)+
DWORD(pNTHeader^.OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
VirtualAddress));
// Find the descriptor for pszFunctionModule (case-insensitive name compare).
while pImportDesc^.Name <> 0 do
begin
pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
Inc(pImportDesc);
end;
if pImportDesc^.Name = 0 then Exit; // module not imported: Result stays nil
// Walk that module's IAT until the zero terminator.
pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
while pThunk^.Function_ <> 0 do
begin
if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then
begin
// Make the slot writable. The return value is not checked and the previous
// protection (dwScratch) is never restored, so the page stays PAGE_READWRITE.
dwProtectionFlags := PAGE_READWRITE;
VirtualProtect(@pThunk^.Function_,4096,dwProtectionFlags,@dwScratch);
pThunk^.Function_ := DWORD(pfnNewProc);
Result := pfnOriginalProc ;
Break;
end;
Inc(pThunk);
end;
end; { OpenProcessHandler
  Replacement installed in place of kernel32!OpenProcess (same stdcall
  signature). The real OpenProcess is called first; when the requested
  process is the protected PID (and a PID is set) the handle is discarded and
  0 is returned, so the caller sees OpenProcess fail. PID is a global declared
  outside this listing; GetHookProcessID fills it. } function OpenProcessHandler(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
begin
Result := OriginalOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
// NOTE(review): the handle just obtained is dropped without CloseHandle.
if (dwProcessID = PID) and (PID <> 0) then Result := 0;
end; // PID of the protected process, read from the registry
{ GetHookProcessID
  Sets PID from the value HKLM\Software\Vssoft\ProcessID, or leaves it 0 when
  the key cannot be opened. The value is read straight into PID with
  Size := Sizeof(Integer), so PID is assumed to be 4 bytes wide. The result of
  RegQueryValueEx is not checked.
  Detection note: the protected PID is published in HKLM, a persistent and
  easily inspected artefact.
  NOTE(review): the string literals on the two Reg* lines are delimited with
  typographic quotes (’), not the Pascal apostrophe; as pasted this does not
  compile. }
procedure GetHookProcessID;
var
TempKey: HKEY;
DataType,Size: Integer;
begin
PID := 0;
Size := Sizeof(Integer);
if RegOpenKeyEx(HKEY_LOCAL_MACHINE,’Software\Vssoft’, 0,KEY_READ,
TempKey) = ERROR_SUCCESS then
begin
RegQueryValueEx(TempKey,’ProcessID’,nil,@DataType,PByte(@PID),@Size);
RegCloseKey(TempKey);
end;
end; { HookOpenProcess
  Exported entry point with the Windows hook-procedure signature
  (nCode, wParam, lParam); presumably registered by the host application with
  SetWindowsHookEx (not shown here) so that this DLL is mapped into other
  processes. On every invocation it re-reads PID and, while
  OriginalOpenProcess is still nil, tries to patch the calling process's own
  OpenProcess import (GetModuleHandle(nil) is the main executable); a failed
  patch (nil result) is retried on the next call. nCode/wParam/lParam are
  ignored, CallNextHookEx is not invoked, and the result is always 0.
  NOTE(review): the two string literals below also use typographic quotes. } function HookOpenProcess(nCode: Integer;wParam: WPARAM;lParam: LPARAM): LRESULT;stdcall;
begin
GetHookProcessID;
if not Assigned(OriginalOpenProcess) then
OriginalOpenProcess := HookAPIFunction(GetModuleHandle(nil),
’KERNEL32.DLL’,’OpenProcess’,@OpenProcessHandler);
Result := 0;
end; exports
HookOpenProcess // NOTE(review): the exports clause as pasted has no closing ';'
自己程序中的一段代码,进程防杀。根据网上面流传的进程防杀的C++代码改编。 DLL部分:
// ---------------------------------------------------------------------------
// Process "anti-kill" DLL: patches the import address table (IAT) of the
// process it is loaded into so that kernel32!OpenProcess fails for one PID.
// Everything below assumes a 32-bit image (4-byte DWord fields, pointers cast
// to DWORD). The type keyword, the library/uses header and the global PID
// variable belong to parts of the unit that are not in this listing.
// ---------------------------------------------------------------------------
PIMAGE_IMPORT_DESCRIPTOR = ^_IMAGE_IMPORT_DESCRIPTOR;
PImageImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR;
// One entry of the image's import directory; the directory is walked until an
// entry whose Name is 0, the terminator.
_IMAGE_IMPORT_DESCRIPTOR = packed record
CharacteristicsOrOriginalFirstThunk: DWord;
TimeDateStamp: DWord;
ForwarderChain: DWord;
Name: DWord; // RVA of the imported module's name string
FirstThunk: DWord; // RVA of this module's IAT (array of _IMAGE_THUNK_DATA)
end;
PIMAGE_THUNK_DATA = ^_IMAGE_THUNK_DATA;
PImageThunkData = PIMAGE_THUNK_DATA;
// One IAT slot; the code below only reads and writes the Function_ view.
_IMAGE_THUNK_DATA = packed record
Case Integer of
0 : (ForwarderString: DWord);
1 : (Function_: DWord);
2 : (Ordinal: DWord);
3 : (AddressOfData: DWord);
end; { OriginalOpenProcess: the real OpenProcess entry point as found in the
  IAT; stays nil until HookAPIFunction has succeeded (see HookOpenProcess). } var OriginalOpenProcess : function (dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall; { HookAPIFunction
  Redirects one imported function of the module hFromModule: the IAT slot that
  currently holds pszFunctionModule!pszFunctionName is overwritten with
  pfnNewProc. Only that module's IAT, in the current process, is touched;
  code that resolves the function at run time with GetProcAddress is not
  affected. Returns the address the slot held before (the real function), or
  nil when the module does not import pszFunctionModule or no slot matched.
  Detection note: an IAT slot that points outside the exporting module, and
  the IAT page left writable (see the VirtualProtect call below), are the
  artefacts this leaves behind. } function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
pfnOriginalProc: Pointer;
pDosHeader: PImageDosHeader;
pNTHeader: PImageNtHeaders;
pImportDesc: PImageImportDescriptor;
pThunk: PImageThunkData;
dwProtectionFlags,dwScratch: DWORD;
pszModName: PAnsiChar;
begin
Result := nil;
// Address the IAT slot is expected to contain; the search below is an exact
// address match, so nothing is patched if the slot holds a different value.
pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),
pszFunctionName);
// DOS header -> NT headers (via _lfanew) -> import directory; all offsets are
// RVAs relative to the module base.
pDosHeader := PImageDosHeader(hFromModule);
pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^._lfanew));
pImportDesc := PImageImportDescriptor(DWORD(pDosHeader)+
DWORD(pNTHeader^.OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
VirtualAddress));
// Find the descriptor for pszFunctionModule (case-insensitive name compare).
while pImportDesc^.Name <> 0 do
begin
pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
Inc(pImportDesc);
end;
if pImportDesc^.Name = 0 then Exit; // module not imported: Result stays nil
// Walk that module's IAT until the zero terminator.
pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
while pThunk^.Function_ <> 0 do
begin
if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then
begin
// Make the slot writable. The return value is not checked and the previous
// protection (dwScratch) is never restored, so the page stays PAGE_READWRITE.
dwProtectionFlags := PAGE_READWRITE;
VirtualProtect(@pThunk^.Function_,4096,dwProtectionFlags,@dwScratch);
pThunk^.Function_ := DWORD(pfnNewProc);
Result := pfnOriginalProc ;
Break;
end;
Inc(pThunk);
end;
end; { OpenProcessHandler
  Replacement installed in place of kernel32!OpenProcess (same stdcall
  signature). The real OpenProcess is called first; when the requested
  process is the protected PID (and a PID is set) the handle is discarded and
  0 is returned, so the caller sees OpenProcess fail. PID is a global declared
  outside this listing; GetHookProcessID fills it. } function OpenProcessHandler(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
begin
Result := OriginalOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
// NOTE(review): the handle just obtained is dropped without CloseHandle.
if (dwProcessID = PID) and (PID <> 0) then Result := 0;
end; // PID of the protected process, read from the registry
{ GetHookProcessID
  Sets PID from the value HKLM\Software\Vssoft\ProcessID, or leaves it 0 when
  the key cannot be opened. The value is read straight into PID with
  Size := Sizeof(Integer), so PID is assumed to be 4 bytes wide. The result of
  RegQueryValueEx is not checked.
  Detection note: the protected PID is published in HKLM, a persistent and
  easily inspected artefact.
  NOTE(review): the string literals on the two Reg* lines are delimited with
  typographic quotes (’), not the Pascal apostrophe; as pasted this does not
  compile. }
procedure GetHookProcessID;
var
TempKey: HKEY;
DataType,Size: Integer;
begin
PID := 0;
Size := Sizeof(Integer);
if RegOpenKeyEx(HKEY_LOCAL_MACHINE,’Software\Vssoft’, 0,KEY_READ,
TempKey) = ERROR_SUCCESS then
begin
RegQueryValueEx(TempKey,’ProcessID’,nil,@DataType,PByte(@PID),@Size);
RegCloseKey(TempKey);
end;
end; { HookOpenProcess
  Exported entry point with the Windows hook-procedure signature
  (nCode, wParam, lParam); presumably registered by the host application with
  SetWindowsHookEx (not shown here) so that this DLL is mapped into other
  processes. On every invocation it re-reads PID and, while
  OriginalOpenProcess is still nil, tries to patch the calling process's own
  OpenProcess import (GetModuleHandle(nil) is the main executable); a failed
  patch (nil result) is retried on the next call. nCode/wParam/lParam are
  ignored, CallNextHookEx is not invoked, and the result is always 0.
  NOTE(review): the two string literals below also use typographic quotes. } function HookOpenProcess(nCode: Integer;wParam: WPARAM;lParam: LPARAM): LRESULT;stdcall;
begin
GetHookProcessID;
if not Assigned(OriginalOpenProcess) then
OriginalOpenProcess := HookAPIFunction(GetModuleHandle(nil),
’KERNEL32.DLL’,’OpenProcess’,@OpenProcessHandler);
Result := 0;
end; exports
HookOpenProcess // NOTE(review): the exports clause as pasted has no closing ';'
方法上网找去
function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer; //这个函数是用来替换原来的OpenProcess函数的,
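{ OpenProcessHandler: replacement installed in place of kernel32!OpenProcess
  (identical stdcall signature). Calls the real OpenProcess through the saved
  OriginalOpenProcess pointer, then returns 0 (an invalid handle) when the
  requested process is the protected PID. PID and OriginalOpenProcess are
  globals declared elsewhere in the DLL; PID = 0 means nothing is protected. }
function OpenProcessHandler(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
dwProcessId: DWORD): THandle; stdcall;
begin
// Call the original OpenProcess first
Result := OriginalOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
// If this is the process id that must not be opened, return an empty handle
// so the caller sees OpenProcess fail. Fixed: the pasted listing had "< >",
// which is not a Pascal operator; not-equal is "<>".
// NOTE(review): the handle obtained above is dropped without CloseHandle.
if (dwProcessID = PID) and (PID <> 0) then Result := 0;
end; // PID of the protected process, read from the registry — already explained above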
procedure GetHookProcessID; //调用HookAPIFunction开始Hook OpenProcess
function HookOpenProcess(nCode: Integer;wParam: WPARAM;lParam: LPARAM): LRESULT;stdcall; HookAPI就是截获对于API 的调用,使用新的函数替换掉。简单的举个例子,从A到B有一条公路,本来是很畅通的,突然某一天,有个路霸从中间C把路截断或者在这里建立一个收费站。因此,所有需要经过该路的人或车都需要先经过C,这样,如果路霸不想让你到B地去,那么他可以直接让你返回。或者,他先对你进行一番掠夺,然后放你到B。这个比喻就比较形象了吧?其实,许多杀毒软件就如同收费站,也进行API 截获,但是这些是正当的。许多病毒为了保护自己,也采取了这种方式,这些就是路霸了。
呵呵, 这下够清楚了吧....