在Delphi中隐藏程序进程的方法.docx
在Delphi中隐藏程序进程的方法
在Delphi中隐藏程序进程方法[1]
主要需要解决两个问题,即隐藏窗口和设定热键。
一.隐藏窗口
通过API函数GETACTIVEWINDOW获取当前窗口;函数ShowWindow(HWND,nCmdShow)的参数nCmdShow取SW_HIDE时将之隐藏,取SW_SHOW时将之显示。
例如:
showwindow(getactivewindow,sw_hide)。
隐藏好窗体后,须记住窗体句柄以便恢复。
二.键盘监控
为了实现键盘监控须用到钩子。
以下是程序的源文件:
一、创建一个动态链接库
unit HKHide; // Unit file inside the DLL: a WH_KEYBOARD hook that hides/shows a window on Ctrl+Alt+F12
interface
uses
  Windows, Messages, sysutils;
var
  // Handle returned by SetWindowsHookEx; doubles as the "hook is installed" flag (0 = not installed).
  hNextHookHide: HHook;
  // The ExitProc that was in place before this DLL chained HideHookExit in front of it.
  HideSaveExit: Pointer;
  // Handle of the window the hook last hid; ShowWindow(hbefore, SW_SHOW) brings it back.
  hbefore: longint;
// WH_KEYBOARD callback (implemented below).
function KeyboardHookHandler(iCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall; export;
// Installs the keyboard hook; True when a hook handle was obtained.
function EnableHideHook: BOOL; export;
// Removes the keyboard hook; True only if one was installed.
function DisableHideHook: BOOL; export;
// Exit-chain member that unhooks automatically if the caller forgot to.
procedure HideHookExit; far;
implementation
function KeyboardHookHandler(iCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall; export;
// WH_KEYBOARD callback. On a Ctrl+Alt+F12 key-down it records the active window's handle in
// c:\test.txt and hides that window. Returns 1 to swallow the hotkey; for iCode < 0 it returns
// whatever CallNextHookEx returns. Note that for iCode >= 0 the chain is never continued, so any
// hook installed after this one does not see those keystrokes.
const
  _KeyPressMask = $80000000; // bit 31 of lParam: 0 = key being pressed, 1 = key being released
var
  f: textfile;
  temp: string;
begin
  Result := 0;
  // WH_KEYBOARD contract: negative codes are passed on untouched.
  If iCode < 0 Then
  begin
    Result := CallNextHookEx(hNextHookHide, iCode, wParam, lParam);
    Exit;
  end;
  // Detect the Ctrl+Alt+F12 combination
  if ((lParam and _KeyPressMask) = 0) // only on key-down
    and (GetKeyState(vk_Control) < 0)
    and (getkeystate(vk_menu) < 0)
    and (wParam = vk_F12) then
  begin
    Result := 1;
    // Create the state file if it does not exist; its single line is the hidden window handle (0 = none).
    if not fileexists('c:\test.txt') then
    begin
      assignfile(f, 'c:\test.txt');
      rewrite(f);
      writeln(f, 0);
      closefile(f);
    end
    else
    begin
      assignfile(f, 'c:\test.txt');
      reset(f);
      readln(f, temp);
      hbefore := strtoint(temp);
      // NOTE(review): this bare `begin` reads like a lost `if hbefore = 0 then` in the listing;
      // as written the block runs unconditionally, and Rewrite(f) is called while f is still open
      // from Reset(f) with no CloseFile in between.
      begin
        hbefore := getactivewindow;
        temp := inttostr(hbefore);
        rewrite(f);
        writeln(f, temp);
        closefile(f);
        ShowWindow(hbefore, SW_HIDE);
      end;
    end; // end if FileExists(....)
  end
  else begin
    // NOTE(review): as listed this `else` belongs to the hotkey test, so every other keystroke
    // lands here: ShowWindow(hbefore, SW_SHOW) runs and Rewrite(f) is applied to a file variable
    // that AssignFile never initialised on this path. It was presumably meant to pair with the
    // lost `if hbefore = 0` above (second press restores the window and resets the saved handle).
    showwindow(hbefore, SW_SHOW);
    rewrite(f);
    writeln(f, 0);
    closefile(f);
  end; // end if Ctrl+Alt+F12 key
end;
function EnableHideHook: BOOL; export;
// Installs the WH_KEYBOARD hook once. Returns False when a hook is already installed or when
// SetWindowsHookEx fails, True otherwise. The handle is kept in hNextHookHide so that
// KeyboardHookHandler can forward to the rest of the chain through CallNextHookEx.
begin
  if hNextHookHide = 0 then
  begin
    // Thread id 0 makes this a system-wide hook: per the Win32 contract the DLL is loaded into
    // every process on the same desktop that has a message queue, which is also what makes such
    // hooks visible to endpoint monitoring.
    hNextHookHide := SetWindowsHookEx(WH_KEYBOARD, KeyboardHookHandler, HInstance, 0);
    Result := hNextHookHide <> 0;
  end
  else
    Result := False;
end;
function DisableHideHook: BOOL; export;
// Removes the keyboard hook installed by EnableHideHook and clears hNextHookHide.
// Returns False when no hook is installed, True after unhooking.
begin
  Result := hNextHookHide <> 0;
  if not Result then
    Exit;
  UnhookWindowshookEx(hNextHookHide); // release the KeyboardHook
  hNextHookHide := 0;
end;
procedure HideHookExit;
// ExitProc chain member: hands control back to the saved ExitProc and, if the hook is still
// installed at process exit, removes it so the hook chain is not left dangling.
begin
  ExitProc := HideSaveExit;
  // Unhook automatically if DisableHideHook was never called.
  if hNextHookHide <> 0 then
    DisableHideHook;
end;
end.
library HKPHide; // DLL project file
uses
  HKHide in 'HKHide.pas'; // quotes restored from the listing; Delphi requires a quoted file name here
exports
  EnableHideHook,
  DisableHideHook;
begin
  // DLL initialisation: no hook installed yet, no window hidden yet.
  hNextHookHide := 0;
  hbefore := 0;
  // Chain HideHookExit in front of the existing ExitProc so a forgotten DisableHideHook still runs.
  HideSaveExit := ExitProc;
  ExitProc := @HideHookExit;
end.
//文件制作好后先BuildAll编译成HKPHide.dll。
二、新建一个测试工程TestPrj
unit Unit1; // Form unit of the test project
interface
uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls;
type
  // Two-button test form: Button1 installs the hook exported by HKPHide.DLL, Button2 removes it.
  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var
  Form1: TForm1;
implementation
{$R *.DFM}
// Static imports of the two functions exported by the HKPHide library project.
function EnableHideHook: BOOL; external 'HKPHide.DLL';
function DisableHideHook: BOOL; external 'HKPHide.DLL';
procedure TForm1.Button1Click(Sender: TObject);
// Installs the hook from HKPHide.DLL and confirms with a message box when that succeeded.
begin
  if not EnableHideHook then
    Exit;
  ShowMessage('HotKeyTesting...');
end;
procedure TForm1.Button2Click(Sender: TObject);
// Removes the hook again and confirms with a message box when a hook was actually removed.
begin
  if not DisableHideHook then
    Exit;
  ShowMessage('HotKeyTesting...,DONE!'); // closing quote restored from the listing
end;
end.
DELPHI中隐藏程序进程,纯DELPHI代码方式,我在XP下通过测试。
下面是隐藏进程的unit HideProcess
unit HideProcess;
// Declarations for the XP-era technique of reaching kernel memory from user mode through the
// \Device\PhysicalMemory section. MyHideProcess is declared here; its body lies past the end of
// this listing, so only the helpers below are documented.
interface
// Exported entry point; returns True on success (implementation not visible in this listing).
function MyHideProcess: Boolean;
implementation
uses
  Windows, SysUtils, Variants, Classes, AclAPI, accCtrl;
type
  NTSTATUS = LongInt; // native status code; negative values are failures
const
  // NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
  // OBJECT_ATTRIBUTES.Attributes flags; OpenPhysicalMemory below passes 0, none of these are used there.
  OBJ_INHERIT = $00000002;
  OBJ_PERMANENT = $00000010;
  OBJ_EXCLUSIVE = $00000020;
  OBJ_CASE_INSENSITIVE = $00000040;
  OBJ_OPENIF = $00000080;
  OBJ_OPENLINK = $00000100;
  OBJ_KERNEL_HANDLE = $00000200;
  OBJ_VALID_ATTRIBUTES = $000003F2;
type
  // Not referenced by the visible helpers.
  PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
  IO_STATUS_BLOCK = record
    Status: NTSTATUS;
    FObject: DWORD;
  end;
  // Counted UTF-16 string used by the native API; filled by RtlInitUnicodeString.
  PUNICODE_STRING = ^UNICODE_STRING;
  UNICODE_STRING = record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;
  // Object-name descriptor handed to ZwOpenSection.
  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: DWORD;
    RootDirectory: Pointer;
    ObjectName: PUNICODE_STRING;
    Attributes: DWORD;
    SecurityDescriptor: Pointer;
    SecurityQualityOfService: Pointer;
  end;
  // Prototypes of the two ntdll exports resolved at run time by InitNTDLL.
  TZwOpenSection = function(SectionHandle: PHandle; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
  TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING; SourceString: PWideChar); stdcall;
var
  RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
  ZwOpenSection: TZwOpenSection = nil;
  g_hNtDLL: THandle = 0;               // module handle of ntdll.dll (InitNTDLL / CloseNTDLL)
  g_pMapPhysicalMemory: Pointer = nil; // view mapped by OpenPhysicalMemory
  g_hMPM: THandle = 0;                 // handle to the \Device\PhysicalMemory section
  g_hMPM2: THandle = 0;                // not used in the visible part of the listing
  g_osvi: OSVERSIONINFO;               // filled by GetVersionEx in OpenPhysicalMemory
  b_hide: Boolean = false;             // not used in the visible part of the listing
//---------------------------------------------------------------------------
function InitNTDLL: Boolean;
// Loads ntdll.dll into g_hNtDLL and resolves RtlInitUnicodeString and ZwOpenSection from it.
// Returns False only when LoadLibrary fails; the GetProcAddress results are stored unchecked.
begin
  g_hNtDLL := LoadLibrary('ntdll.dll');
  Result := g_hNtDLL <> 0;
  if not Result then
    Exit;
  RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
  ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');
end;
//---------------------------------------------------------------------------
procedure CloseNTDLL;
// Releases the ntdll.dll module loaded by InitNTDLL; g_hNtDLL is 0 afterwards either way.
begin
  if g_hNtDLL = 0 then
    Exit;
  FreeLibrary(g_hNtDLL);
  g_hNtDLL := 0;
end;
//---------------------------------------------------------------------------
procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
// Rewrites the DACL of the section object hSection so that the current user is granted
// SECTION_MAP_WRITE. OpenPhysicalMemory calls this on a \Device\PhysicalMemory handle opened with
// WRITE_DAC after a plain read/write open was refused. From a monitoring standpoint the DACL
// change on that section (SetSecurityInfo on a kernel object) is the observable step.
var
  pDacl: PACL;
  pSD: PPSECURITY_DESCRIPTOR;
  pNewDacl: PACL;
  dwRes: DWORD;
  ea: EXPLICIT_ACCESS;
begin
  pDacl := nil;
  pSD := nil;
  pNewDacl := nil;
  // Read the section's current DACL.
  dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);
  if ERROR_SUCCESS <> dwRes then
  begin
    // NOTE(review): as listed, none of the three error branches in this procedure Exit; execution
    // falls through to the next call with pDacl/pNewDacl still nil. pSD is initialised to nil and
    // passed by value, so unless the AclAPI declaration takes it by reference it stays nil and the
    // LocalFree(pSD^) branches never run — verify against the declaration in use.
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
  // Build one ACE: grant SECTION_MAP_WRITE to the trustee named 'CURRENT_USER'.
  ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions := SECTION_MAP_WRITE;
  ea.grfAccessMode := GRANT_ACCESS;
  ea.grfInheritance := NO_INHERITANCE;
  ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
  ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
  ea.Trustee.ptstrName := 'CURRENT_USER';
  // Merge the new ACE into the existing DACL.
  dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);
  if ERROR_SUCCESS <> dwRes then
  begin
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
  // Write the merged DACL back onto the section object.
  dwRes := SetSecurityInfo
    (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);
  if ERROR_SUCCESS <> dwRes then
  begin
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
  // NOTE(review): on the success path neither pNewDacl nor pSD is freed.
end;
//---------------------------------------------------------------------------
function OpenPhysicalMemory: THandle;
// Opens the \Device\PhysicalMemory section for read/write and maps one 4 KiB page of physical
// memory at PhyDirectory into g_pMapPhysicalMemory (presumably the kernel page directory, given
// how LinearToPhys indexes its BaseAddress argument). Returns the section handle, or 0 when the OS
// is not NT 5.0/5.1, the open fails, or the map fails. The physical address is hard-coded per OS
// version, so the function deliberately bails out on every other Windows release.
var
  status: NTSTATUS;
  physmemString: UNICODE_STRING;
  attributes: OBJECT_ATTRIBUTES;
  PhyDirectory: DWORD; // physical offset to map for the detected OS version
begin
  g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
  GetVersionEx(g_osvi);
  // Only the NT 5.x family is handled.
  if (5 <> g_osvi.dwMajorVersion) then
  begin
    Result := 0;
    Exit;
  end;
  case g_osvi.dwMinorVersion of
    0: PhyDirectory := $30000; // 5.0 (Windows 2000)
    1: PhyDirectory := $39000; // 5.1 (Windows XP)
  else
    begin
      Result := 0;
      Exit;
    end;
  end;
  // Native-API open of the section object by name.
  RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');
  attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
  attributes.RootDirectory := nil;
  attributes.ObjectName := @physmemString;
  attributes.Attributes := 0;
  attributes.SecurityDescriptor := nil;
  attributes.SecurityQualityOfService := nil;
  status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  if (status = STATUS_ACCESS_DENIED) then
  begin
    // Write access refused: reopen with WRITE_DAC, grant SECTION_MAP_WRITE on the object's DACL,
    // close, then retry the read/write open. The WRITE_DAC open's status is not checked as listed.
    // Together with the DACL change these are the events a monitoring product would observe.
    ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
    SetPhyscialMemorySectionCanBeWrited(g_hMPM);
    CloseHandle(g_hMPM);
    status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  end;
  // NT_SUCCESS: any negative status is a failure.
  if not (LongInt(status) >= 0) then
  begin
    Result := 0;
    Exit;
  end;
  // Map a single page of physical memory starting at PhyDirectory.
  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,
    FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);
  if (g_pMapPhysicalMemory = nil) then
  begin
    Result := 0;
    Exit;
  end;
  Result := g_hMPM;
end;
//---------------------------------------------------------------------------
function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
// Translates the virtual address addr to a physical address by walking 32-bit two-level page
// tables (10/10/12-bit split with 4-byte entries, i.e. the non-PAE layout) whose page directory
// is mapped at BaseAddress. Returns nil when the directory or table entry is not present.
// Large pages are recognised via the PS bit; for 4 KiB pages the page table is mapped temporarily
// from the g_hMPM section.
var
  VAddr, PGDE, PTE, PAddr, tmp: DWORD;
begin
  VAddr := DWORD(addr);
  // PGDE := BaseAddress[VAddr shr 22];
  PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // Modify by dot.
  // Bit 0: present.
  if 0 = (PGDE and 1) then
  begin
    Result := nil;
    Exit;
  end;
  // Bit 7 (PS): the directory entry maps a 4 MiB page directly.
  tmp := PGDE and $00000080;
  if (0 <> tmp) then
  begin
    PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
  end
  else
  begin
    // Map the 4 KiB page table whose frame is in bits 31..12 of the directory entry
    // (access value 4 is FILE_MAP_READ). The MapViewOfFile result is not checked as listed.
    PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
    // PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
    PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // Modify by dot.
    if (0 = (PTE and 1)) then
    begin
      // NOTE(review): the view mapped just above is not unmapped on this exit path.
      Result := nil;
      Exit;
    end;
    PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
    UnmapViewOfFile(Pointer(PGDE));
  end;
  Result := Pointer(PAddr);
end;
//---------------------------------