Only for Windows 2000 and later systems; don't ask me about anything older, I haven't used it for four years :)
There are generally four ways:
1) DLL method
Write the program as a DLL that is loaded into, and runs inside, Explorer.exe.
Benefits: no process of its own, so ordinary process viewers show nothing.
Disadvantages: someone can make Explorer.exe unload your DLL, heh; once Explorer is restarted you have to get your DLL loaded into it again.
Improvement: use debug privilege to attach to Winlogon instead, haha; the DLL is much safer there, but if Winlogon dies, you crash with it.
Lysoft homepage http://ly.activepower.net/projects/no ctrl alt del.ra is an example of the DLL method, modifying
2) API HOOK method
What does killing a process boil down to? The TerminateProcess API!
As long as you set Application.Title := '', the program doesn't appear on the first tab of Task Manager.
It will still appear on the second tab, but no worries: if I hook TerminateProcess I can guarantee it stays safe.
Can TerminateProcess be hooked? Yes, but hooking it is useless, because the handle passed in tells you nothing about which process it refers to.
So what you really hook is OpenProcess: if the target is my process, I refuse to open it.
Benefits: not afraid of being seen; you can see it, but you can't get at it.
Disadvantages: killing from the command line under cmd isn't caught by the hook.
Improvement: you could hook the system service call instead, but unfortunately that's hard, you need to write a driver.
Lysoft homepage http://ly.activepower.net/projects/api hook.rar is an example of the API hook method, which is available
3) NT kernel modification method
Modify the ActiveProcessLinks list hanging off the NT kernel object (PsLoadedModuleList) so that the process goes "missing" from the system. Implementing this normally needs driver support; the driver-less variant only works on XP/2003, because on NT 5.1 the ZwSystemDebugControl API gives access to kernel memory.
Benefits: the process can't be seen at all.
Disadvantages: very difficult, and kernel-level tools can still see it; many rootkit Trojans use this method.
Improvement: this is just about the ultimate technique; there is no better way.
Lysoft homepage http://ly.activepower.net/projects/ntlowlevel.exe is a demo.
The key code is as follows:
function HideProcess: Boolean;
var
  EProcess: DWORD;          // address of our own EPROCESS object
  FLink, BLink: Cardinal;   // our ActiveProcessLinks.Flink / .Blink
begin
  Result := False;
  // GetCurrentEProcess, ReadVirtualMemory and WriteVirtualMemory are the demo's
  // kernel-memory helpers (built on ZwSystemDebugControl, see above); they are not shown here.
  EProcess := GetCurrentEProcess;
  if EProcess < 1 then Exit;
  // ActiveProcessLinks lives at EPROCESS+$88 (Flink) and EPROCESS+$8C (Blink) on this kernel build
  if not ReadVirtualMemory(EProcess + $88, @FLink, 4) then Exit;
  if not ReadVirtualMemory(EProcess + $8C, @BLink, 4) then Exit;
  // unlink ourselves: next.Blink := our Blink; previous.Flink := our Flink
  if not WriteVirtualMemory(FLink + 4, @BLink, 4) then Exit;
  if not WriteVirtualMemory(BLink, @FLink, 4) then Exit;
  Result := True;
end;
Don't ask why; you need NTDDK knowledge to understand it :)
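As an added defender-side example (not code from this post or from Lysoft's demos), here is the cross-view check that exposes a process unlinked this way: the listing view (psapi EnumProcesses, which walks the same list) loses the process, but OpenProcess on its PID still succeeds, because PID lookup goes through the kernel's handle table rather than the linked list. The two Windows collectors are assumed helpers written with ctypes; the comparison function itself runs anywhere.

```python
# Cross-view hidden-process check (added example, not code from the post).
# A process unlinked from ActiveProcessLinks vanishes from listing APIs,
# but OpenProcess() on its PID still works, because the PID is resolved
# through the kernel's handle table, not the linked list.
import ctypes
from typing import Iterable, Set

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_INVALID_PARAMETER = 87   # OpenProcess error for a PID that does not exist
MAX_PID = 0x10000              # scan bound; Windows PIDs are multiples of 4

def find_hidden_pids(listed: Iterable[int], openable: Iterable[int]) -> Set[int]:
    """PIDs that can be opened but do not appear in the process listing."""
    return set(openable) - set(listed)

def listed_pids() -> Set[int]:
    """Listing view (Windows only): PIDs returned by psapi!EnumProcesses."""
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    buf = (ctypes.c_uint32 * 8192)()
    needed = ctypes.c_uint32()
    if not psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    return set(buf[: needed.value // ctypes.sizeof(ctypes.c_uint32)])

def openable_pids(max_pid: int = MAX_PID) -> Set[int]:
    """Low-level view (Windows only): PIDs for which OpenProcess succeeds, or
    fails with anything other than 'no such process' (e.g. access denied)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    found = set()
    for pid in range(4, max_pid, 4):
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if h:
            k32.CloseHandle(h)
            found.add(pid)
        elif ctypes.get_last_error() != ERROR_INVALID_PARAMETER:
            found.add(pid)   # exists, but we lack rights (protected/system process)
    return found

if __name__ == "__main__":
    hidden = find_hidden_pids(listed_pids(), openable_pids())
    print("hidden PIDs:", sorted(hidden) or "none")
```

A system-wide OpenProcess hook of the kind described in method 2 can blind this check, and PIDs 0 and 4 are skipped deliberately; a kernel-side view from a driver is the more robust comparison point, which is what the post means by kernel tools still seeing the process.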
4) Remote thread method
No entity, no process, no DLL, only code.
Write the code directly into the target process's address space with VirtualAllocEx and run it with CreateRemoteThread.
Benefits: no visible entity at all; the best concealment.
Disadvantages: only suits simple code; with complex code it's hard to guarantee reliability and stability. Viruses love this one the most.
Improvement: none needed?
No demo for this one, heh :)
Injecting into another process's address space involves a series of virus-style operations such as locating the APIs yourself and running inside the other party's process.
Simple code is fine; complex functionality is very unsuitable, and ordinary programs aren't suited to it at all, so this method isn't recommended unless you're writing a virus, because debugging it is hard.
Lysoft http://lysoft.7u7.net