Using what I call the DLL "royal" vulnerability in Windows, you can hide a process on Win9x, NT and W2K so deeply that pressing Ctrl+Alt+Del does not show it at all. This is my latest discovery and I want to discuss it with everyone. I have implemented this feature; the source is at http://njhhack.freehomepages.com/source/hideproc.zip
My OICQ: 10772919
E-mail: NJHHHHACK@21cn.com
HomePage: Hotsky.363.Net
-----------------
Oh, everyone, along with my Delphi source code let me explain how it works, but please don't use it to do bad things; I have never been a black hat, since I am a people's teacher. The principle is as follows: I wrote a launcher program, Winexec.exe, which loads install.dll, the installation library. A function in install.dll loads getKey.dll, the execution library, which contains my Trojan. getKey.dll is hooked into the address space of Explorer.exe; Winexec.exe and Install.dll are then automatically flushed from memory, but getKey.dll keeps running in memory (this is the DLL "royal" vulnerability). Since Winexec.exe no longer exists, pressing Ctrl+Alt+Del shows none of my processes running. This is the three-level process jump.

So, does everyone know how getKey.dll gets hooked into the address space of Explorer.exe, the system shell process? Listen to me slowly. In Windows there are many ways to enter another process; the most standard is the system-level hook function that Microsoft provides. When a hook is placed in a DLL it becomes a system-level hook, which means it can receive the messages transmitted in the system. When a message is sent or received, that DLL (INSTALL.DLL in my program) is forcibly mapped into the address space of the process (for example, my install.dll is mapped into the process space of Explorer.exe). install.dll then becomes a module called by the Explorer.exe process, and a thread created with the CreateThread function inside install.dll becomes a child thread of Explorer.exe's main thread. So we now have a legitimate place inside Explorer.exe. But this is only the start, because our goal is to hide our own process, so Winexec.exe has to be removed from memory, and that alone is not the result we want. Everyone thinks: install.dll is called by Winexec.exe, so once Winexec.exe dies, install.dll can't live either.

We would then have no place left in Explorer.exe. What to do? Huh, huh, listen to me. Here is the trick: once INSTALL.DLL is inside Explorer.exe, the thread we created is a child thread of Explorer.exe, so the DLL loaded from within install.dll (getKey.dll in our program) also becomes a submodule of Explorer.exe. By the DLL's peculiarity (that is, what I think of as the DLL "royal" vulnerability), after INSTALL.DLL is flushed from memory, the getKey.dll it loaded is still alive and well in memory. Huh, huh, Microsoft is really a good baby, giving us such a good chance to stay resident in memory. What I think happens is that a DLL cannot be the owner of another DLL; only an EXE can be the owner of a DLL, so Explorer.exe becomes the legal owner of getKey.dll. Huh, and because Explorer.exe is a fine Microsoft thing that lives forever in memory, our good warrior getKey.dll, leaning on this big tree, of course also lives on in memory,
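The defensive takeaway from the post is that the loader process disappearing does not matter: the payload DLL is still visible in the module list of the shell process it was mapped into. The following PowerShell check is an added example, not the author's code, and assumes a current Windows host (the Win9x/NT-era tooling in the post does not apply); it lists every DLL loaded in explorer.exe that either lives outside the Windows directory or lacks a valid Authenticode signature.

```powershell
# Added example (not from the original post): enumerate DLLs mapped into explorer.exe
# and flag those outside %SystemRoot% or without a valid Authenticode signature.
# Run from an elevated PowerShell whose bitness matches explorer.exe, otherwise the
# .Modules collection may be empty or throw.
$systemRoot = $env:SystemRoot

$findings = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    foreach ($mod in $proc.Modules) {
        $path = $mod.FileName
        if (-not $path) { continue }

        # A module loaded from outside the Windows directory is the first red flag.
        $inSystemRoot = $path.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)

        # Second check: is the file signed by a trusted publisher?
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $sigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }

        if (-not $inSystemRoot -or $sigStatus -ne 'Valid') {
            [pscustomobject]@{
                ProcessId    = $proc.Id
                Module       = $mod.ModuleName
                Path         = $path
                InSystemRoot = $inSystemRoot
                Signature    = $sigStatus
                Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# One row per distinct module path; an empty table means nothing was flagged.
$findings | Sort-Object Path -Unique | Format-Table -AutoSize
```

Legitimate third-party shell extensions also load into explorer.exe, so flagged entries are triage leads rather than verdicts; compare them against a known-good baseline of the same host.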