Discussions of how to hide a process from VB have been going on for a long time, with mixed results; everyone has their own tricks. By chance I came across an article on planet-source about hiding a process, whose author says it uses a kernel mode driver. Purely as a technique, this is the strongest process-hiding method I have seen so far (my personal view, and I may well be a frog at the bottom of a well). In the hands of the righteous something like this is a weapon against wrongdoing; in the hands of the ill-intentioned, who knows. But a technique is a technique, and good work is still worth studying carefully.




The program in the original post has been updated; the updated version also provides a VB.Net 8 implementation.




http://www.1filesharing. com/download/ZF8AF3HZ/HideMyApp.rar
http://duc kload.com/download/187293/HideMyApp.rar




See the sample code for usage. Referencing the sample project directly reports the error "Class has not been initialized"; compile it as described above, remove the direct reference to the project, and then re-add the reference pointing at the generated DLL file.





    Since the DOS age, people have been trying to figure out ways to hide their
    processes from being detected. One can recall the Interrupt Hook method used
    in the early DOS days. With the introduction of the new operating system,
    Microsoft Windows 95, and its new security model, the old method simply didn't work.
    So, people had to find a new way, and they did indeed: they convinced the OS that
    their program was a service. That way, it didn't show up in the task manager.
    These tricks used to work well until Windows NT and its successors were released.
    Everything changed: the task manager now includes a list of all currently
    running processes (CRPs), which makes completely hiding a process almost impossible.

    As a result of many hours of hard work, and about 8 Blue Screens of Death, and a
    couple of unexpected reboots, I finally figured out how to completely hide
    a process from being listed in *ANY* program that lists CRPs.

How did I do it?

    The key to this problem is the Kernel-Mode Drivers' ability to do whatever they
    wish to the system; there are no restrictions, they simply run in Ring-0!
    So, I had to write a simple kernel mode driver that does the dirty job :)
    NOTE: To compile the driver's source (.c), you have to have the NTDDK.

    The CRPs list is formed by interlinking the "ActiveProcessLinks" member of
    the "EPROCESS" structure. The head of this list is stored in the internal
    global variable "PsActiveProcessHead". Unfortunately, the "PsActiveProcessHead"
    variable is not exported by "ntoskrnl.exe", but we can use the function
    "PsGetCurrentProcess", which returns a pointer to our own EPROCESS structure;
    since the list is circular, we can traverse the whole list from that entry.

    typedef struct _EPROCESS {
    /*000*/ KPROCESS            Pcb;
    /*06C*/ NTSTATUS            ExitStatus;
    /*070*/ KEVENT              LockEvent;
    /*080*/ DWORD               LockCount;
    /*084*/ DWORD               d084;
    /*088*/ LARGE_INTEGER       CreateTime;
    /*090*/ LARGE_INTEGER       ExitTime;
    /*098*/ PVOID               LockOwner;
    /*09C*/ DWORD               UniqueProcessId;
    /*0A0*/ LIST_ENTRY          ActiveProcessLinks;
            ...                 /* the list goes on... */
    } EPROCESS;

    As you can see from the above structure (EPROCESS), the offset of
    "ActiveProcessLinks" is +0xA0 (+160) and the offset of "UniqueProcessId",
    which holds the process id, is +0x9C (+156), both relative to the start of the
    EPROCESS structure. These offsets apply to Windows 2000, but using the kernel
    debugger we can easily obtain the corresponding offsets for Windows XP and NT.

    So, as these offsets depend mainly on the version of Windows currently running,
    they are passed to the driver by the user mode program. Currently, only
    Windows NT 4.0, 2000, XP, and 2003 Server are supported by the driver; earlier
    versions of Windows (9x/ME) are also supported, through the old method of
    convincing the operating system that the process is a service.

    Back to where we were! So, as I was saying, hiding a process is as simple as
    removing it from the CRPs chain! Take a look at the LIST_ENTRY structure:

    typedef struct _LIST_ENTRY {
        struct _LIST_ENTRY *Flink;
        struct _LIST_ENTRY *Blink;
    } LIST_ENTRY, *PLIST_ENTRY;

    As you can see, all CRPs are interlinked through that structure (by the
    "ActiveProcessLinks" member). So, by changing the Flink of the previous entry to
    point to the following entry, we can remove our entry from the chain.
    Not only that, we also need to change the Blink of the following entry to point
    back to the previous entry. Sounds confusing, doesn't it? Well, take a look
    at the following illustration:

    ==========          ==========          ==========
    |   1    |          |   2    |          |   3    |
    ==========          ==========          ==========
    | Flink  |--------->| Flink  |--------->| Flink  |
    |--------|          |--------|          |--------|
    | Blink  |<---------| Blink  |<---------| Blink  |
    |________|          |________|          |________|

    1, 2, and 3 represent three distinct processes; assume that our process
    is the middle one (2). Now the situation is:

    Blink of (2) points to Flink of (1), Flink of (1) points to Flink of (2), and
    Blink of (3) points to Flink of (2).

    So, by making Flink of (1) point to Flink of (3) and Blink of (3) point to
    Flink of (1), we can effectively remove our process from the CRPs chain!
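The unlink just described is what makes a cross-view check the standard countermeasure: the EPROCESS object still exists (its threads still get scheduled, its handles and memory are still there), only the ActiveProcessLinks chain stops referencing it, so any enumeration that uses a second, independent view finds the discrepancy. The following user-mode C program is an added example, not part of the ReadMe or its driver; it models the structures above with constructed, non-kernel layouts (the PROC struct, the pool array standing in for "every process object that exists", and the head variable standing in for PsActiveProcessHead are all assumptions for the simulation), removes the middle entry exactly as the illustration shows, and then reports which PIDs a list walk misses.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the kernel structures the ReadMe describes.
   Offsets and field order are NOT the real EPROCESS layout. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _PROC {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
} PROC;

/* Recover the enclosing PROC from a pointer to its ActiveProcessLinks member. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define MAX_PROCS 8

/* View 2: every process object that exists, independent of list membership.
   This stands in for a memory scan / per-PID probe in a real cross-view tool. */
static PROC pool[MAX_PROCS];
static int  pool_count = 0;
static LIST_ENTRY head;   /* plays the role of PsActiveProcessHead (circular list) */

void list_init(void) {
    head.Flink = head.Blink = &head;
    pool_count = 0;
}

static void list_insert_tail(LIST_ENTRY *e) {
    e->Flink = &head;
    e->Blink = head.Blink;
    head.Blink->Flink = e;
    head.Blink = e;
}

PROC *create_process(unsigned long pid) {
    if (pool_count >= MAX_PROCS) return NULL;
    PROC *p = &pool[pool_count++];
    p->UniqueProcessId = pid;
    list_insert_tail(&p->ActiveProcessLinks);
    return p;
}

/* The step from the ReadMe's illustration: previous->Flink = next,
   next->Blink = previous. The object itself is left in place. */
void unlink_from_active_list(PROC *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* View 1: what a Task Manager-style enumeration sees (walk the list from head). */
int count_listed(void) {
    int n = 0;
    for (LIST_ENTRY *e = head.Flink; e != &head; e = e->Flink) n++;
    return n;
}

static int pid_is_listed(unsigned long pid) {
    for (LIST_ENTRY *e = head.Flink; e != &head; e = e->Flink)
        if (CONTAINING_RECORD(e, PROC, ActiveProcessLinks)->UniqueProcessId == pid)
            return 1;
    return 0;
}

/* Cross-view check: any object in the pool that the list walk misses is hidden.
   Returns the number of hidden processes and writes their PIDs into out[]. */
int find_hidden(unsigned long *out, int max_out) {
    int hidden = 0;
    for (int i = 0; i < pool_count; i++) {
        unsigned long pid = pool[i].UniqueProcessId;
        if (!pid_is_listed(pid)) {
            if (hidden < max_out) out[hidden] = pid;
            hidden++;
        }
    }
    return hidden;
}

/* Scenario from the ReadMe: three processes, the middle one (2) is unlinked.
   Returns the PID the cross-view check flags, or -1 if exactly one is not found. */
int demo_hidden_pid(void) {
    unsigned long found[MAX_PROCS];
    list_init();
    create_process(1);
    PROC *two = create_process(2);
    create_process(3);
    unlink_from_active_list(two);
    if (find_hidden(found, MAX_PROCS) != 1) return -1;
    return (int)found[0];
}

int main(void) {
    int pid = demo_hidden_pid();
    printf("list walk sees %d processes, pool holds %d\n", count_listed(), pool_count);
    printf("cross-view check flags PID %d as hidden\n", pid);
    return 0;
}
```

The real-world equivalent of `find_hidden` is comparing a linked-list enumeration against a view that does not depend on the list, for example Volatility's `pslist` (walks ActiveProcessLinks) against `psscan` (scans memory for process objects); a PID present in the second view but absent from the first is the signal. Note that the unlinked node's own Flink and Blink still point at its former neighbours, which is a second inconsistency a detector can check: a listed entry's neighbour should point back to it.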

How to use it?

    See the included example. It's really easy!
    Just add a reference to the DLL (after it's compiled) and include the DLL file in your
    exe distribution package.

What's included?

    Included are the VB source code for the user mode test project, the source code
    for the kernel mode driver, this ReadMe, and the binaries of the driver compiled
    for Windows NT/2000 and XP, stored in the resource file (/Files/Project1.RES).

    Don't worry about extracting the binaries (.sys files) and putting them into your
    system32/drivers directory; the included example does everything for you.

    Just run the example and enjoy the show!


    I'm sure that this library won't be perfectly stable; on some systems it may
    cause the system to behave unpredictably. For example, the system may reboot,
    or even worse, might show the infamous BSoD (Blue Screen of Death).
    So, here is a small disclaimer:

    In no way will the author (Islam Adel) be held responsible for the
    actions or damages resulting from the use or misuse of the library (hideproc).

    Anyway, I hope you find this useful, and if you do, please vote for me at PSC.
    All constructive comments are welcome.










