Einzelnen Beitrag anzeigen

nat

Registriert seit: 10. Nov 2005
216 Beiträge
 
RAD-Studio 2009 Pro
 
#35

Re: bestimmte Tasten Sperren.

  Alt 15. Mai 2006, 19:07
ich glaube strg+alt+entf (und auch alt+tab) kann man nicht so einfach sperren.
vll hilft es dir aber ja, wenn du dein programm aus der liste im taskmanager
entfernst. mit folgendem code kannste das bewerkstelligen (habe ich nicht selber
geschrieben, sondern ma irgendwo gefunden - funzt aber).
is wieder ne dll.


Delphi-Quellcode:
library HideProcessNT;

uses
  Windows,tlhelp32,ImageHlp,SysUtils;

var
  hmap: THandle;
  hFirstMapHandle:THandle;

type
  SYSTEM_INFORMATION_CLASS = (SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation,
    SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation, SystemCallCounts,
    SystemConfigurationInformation, SystemProcessorTimes, SystemGlobalFlag, SystemNotImplemented2, SystemModuleInformation,
    SystemLockInformation, SystemNotImplemented3, SystemNotImplemented4, SystemNotImplemented5,
    SystemHandleInformation, SystemObjectInformation, SystemPagefileInformation,
    SystemInstructionEmulationCounts, SystemInvalidInfoClass1, SystemCacheInformation,
    SystemPoolTagInformation, SystemProcessorStatistics, SystemDpcInformation,
    SystemNotImplemented6, SystemLoadImage, SystemUnloadImage, SystemTimeAdjustment,
    SystemNotImplemented7, SystemNotImplemented8, SystemNotImplemented9,
    SystemCrashDumpInformation, SystemExceptionInformation, SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation,
    SystemLoadAndCallImage, SystemPrioritySeparation, SystemNotImplemented10, SystemNotImplemented11,
    SystemInvalidInfoClass2, SystemInvalidInfoClass3, SystemTimeZoneInformation,
    SystemLookasideInformation, SystemSetTimeSlipEvent, SystemCreateSession, SystemDeleteSession, SystemInvalidInfoClass4,
    SystemRangeStartInformation, SystemVerifierInformation, SystemAddVerifier, SystemSessionProcessesInformation
  );
  PFARPROC = ^FARPROC;
  _IMAGE_IMPORT_DESCRIPTOR = packed record
    case Integer of
      0:(Characteristics: DWORD);
      1:(OriginalFirstThunk: DWORD; TimeDateStamp: DWORD; ForwarderChain: DWORD; Name: DWORD; FirstThunk: DWORD);
  end;
  IMAGE_IMPORT_DESCRIPTOR = _IMAGE_IMPORT_DESCRIPTOR;
  PIMAGE_IMPORT_DESCRIPTOR = ^IMAGE_IMPORT_DESCRIPTOR;

procedure RedirectIAT(pszCallerModName: Pchar; pfnCurrent: FarProc; pfnNew: FARPROC; hmodCaller: hModule);
var
  ulSize: ULONG;
  pImportDesc: PIMAGE_IMPORT_DESCRIPTOR;
  pszModName: PChar;
  pThunk: PDWORD;
  ppfn:PFARPROC;
  ffound: LongBool;
  written: DWORD;
begin
  pImportDesc:= ImageDirectoryEntryToData(Pointer(hmodCaller), TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT, ulSize);
  if pImportDesc = nil then exit;
  while pImportDesc.Name<>0 do
  begin
    pszModName := PChar(hmodCaller + pImportDesc.Name);
    if (lstrcmpiA(pszModName, pszCallerModName) = 0) then break;
    Inc(pImportDesc);
  end;
  if (pImportDesc.Name = 0) then exit;
  pThunk := PDWORD(hmodCaller + pImportDesc.FirstThunk);
  while pThunk^<>0 do
  begin
    ppfn := PFARPROC(pThunk);
    fFound := (ppfn^ = pfnCurrent);
    if (fFound) then
    begin
      VirtualProtectEx(GetCurrentProcess,ppfn,4,PAGE_EXECUTE_READWRITE,written);
      WriteProcessMemory(GetCurrentProcess, ppfn, @pfnNew, sizeof(pfnNew), Written);
      exit;
    end;
    Inc(pThunk);
  end;
end;

var
  addr_NtQuerySystemInformation: Pointer;
  mypid: DWORD;
  fname: PCHAR;
  mapaddr: PDWORD;
  hideOnlyTaskMan: PBOOL;

function myNtQuerySystemInfo(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: Pointer;
  SystemInformationLength:ULONG; ReturnLength:PULONG):LongInt; stdcall;
label lop, nextpid, exit, fillzero;
asm
  push ReturnLength
  push SystemInformationLength
  push SystemInformation
  push dword ptr SystemInformationClass
  call dword ptr [addr_NtQuerySystemInformation]
  or eax,eax
  jl exit
  cmp SystemInformationClass, SystemProcessesAndThreadsInformation
  jne exit
lop:
  mov esi, SystemInformation
nextpid:
  mov ebx, esi
  cmp dword ptr [esi],0
  je exit
  add esi, [esi]
  mov ecx, [esi+44h]
  cmp ecx, mypid
  jne nextpid
  mov edx, [esi]
  test edx, edx
  je fillzero
  add [ebx], edx
  jmp lop
fillzero:
  and [ebx], edx
  jmp lop
exit:
  mov Result, eax
end;

procedure FuncIncept;
var
  hSnapShot: THandle;
  me32: MODULEENTRY32;
begin
  addr_NtQuerySystemInformation := GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');
  hSnapShot := CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);
  if hSnapshot = INVALID_HANDLE_VALUE then exit;
  try
    ZeroMemory(@me32,sizeof(MODULEENTRY32));
    me32.dwSize:=sizeof(MODULEENTRY32);
    Module32First(hSnapShot,me32);
    repeat
      RedirectIAT('ntdll.dll',addr_NtQuerySystemInformation,@MyNtQuerySystemInfo,me32.hModule);
    until not Module32Next(hSnapShot,me32);
  finally
    CloseHandle(hSnapShot);
  end;
end;

procedure FreeFunc;
var
  hSnapShot: THandle;
  me32: MODULEENTRY32;
begin
  addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');
  hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);
  if hSnapshot=INVALID_HANDLE_VALUE then exit;
  try
    ZeroMemory(@me32,sizeof(MODULEENTRY32));
    me32.dwSize:=sizeof(MODULEENTRY32);
    Module32First(hSnapShot,me32);
    repeat
      RedirectIAT('ntdll.dll',@MyNtQuerySystemInfo,addr_NtQuerySystemInformation,me32.hModule);
    until not Module32Next(hSnapShot,me32);
  finally
    CloseHandle(hSnapShot);
  end;
end;


var
  HookHandle: THandle;

function CbtProc(code: integer; wparam: integer; lparam: integer):Integer; stdcall;
begin
  Result:=0;
end;

procedure AttachHook; stdcall;
begin
  HookHandle := SetWindowsHookEx(WH_CBT, @CbtProc, HInstance, 0);
end;

procedure LibraryProc(Reason: Integer);
begin
  if Reason = DLL_PROCESS_DETACH then
    if mypid > 0 then
      FreeFunc()
    else
      CloseHandle(hFirstMapHandle);
end;

function HideNtProcess(pid:DWORD):BOOL; stdcall;
var
  addrMap: PDWORD;
  ptr2: PBOOL;
  OnlyBlindTaskmgr: BOOL;
begin
  mypid:=0;
  result:=false;
  OnlyBlindTaskmgr:=False;
  hFirstMapHandle:=CreateFileMapping($FFFFFFFF,nil,PAGE_READWRITE,0,8,'NtHideFileMapping');
  if hFirstMapHandle=0 then exit;
  addrMap:=MapViewOfFile(hFirstMapHandle,FILE_MAP_WRITE,0,0,8);
  if addrMap=nil then
  begin
    CloseHandle(hFirstMapHandle);
    exit;
  end;
  addrMap^:=pid;
  ptr2:=PBOOL(DWORD(addrMap)+4);
  ptr2^:=OnlyBlindTaskmgr;
  UnmapViewOfFile(addrMap);
  AttachHook;
  result:=true;
end;

exports
  HideNtProcess;

begin
  hmap:=OpenFileMapping(FILE_MAP_READ,false,'NtHideFileMapping');
  if hmap=0 then exit;
  try
    mapaddr:=MapViewOfFile(hmap,FILE_MAP_READ,0,0,0);
    if mapaddr=nil then exit;
    mypid:=mapaddr^;
    hideOnlyTaskMan:=PBOOL(DWORD(mapaddr)+4);
    if hideOnlyTaskMan^ then
    begin
      fname:=allocMem(MAX_PATH+1);
      GetModuleFileName(GetModuleHandle(nil),fname,MAX_PATH+1);
      if not (ExtractFileName(fname)='taskmgr.exe') then exit;
    end;
    FuncIncept;
  finally
    UnmapViewOfFile(mapaddr);
    CloseHandle(Hmap);
    DLLProc:=@LibraryProc;
  end;
end.

so bindeste das ein
function HideNtProcess(pid:DWORD):BOOL; stdcall; external 'HideProcessNT.dll'; und aufrufen kannste das dann so
HideNtProcess(GetCurrentProcessId);
  Mit Zitat antworten Zitat