
在Delphi中隐藏程序进程的方法.docx — "Hiding a program's process/window in Delphi" (reconstructed listing: system-wide keyboard-hook DLL plus a \Device\PhysicalMemory page-table walker; Windows 2000/XP era)

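{ ========================================================================
  How to hide a program's window / process in Delphi
  (在Delphi中隐藏程序进程的方法)

  NOTE(review): this listing was recovered from a document-to-text
  extraction that dropped the characters  < > ' { } \ ^ @ [ ]  and
  collapsed "//" to "/".  Comparison operators, string quotes, pointer
  dereferences (^) and address-of operators (@) below were reconstructed
  from context; verify any token you rely on against the original article
  before building.  Places where the reconstruction is uncertain are marked
  "NOTE(review)".

  Security / operational caveats, grounded in the code below:
    * Part 1 installs a SYSTEM-WIDE WH_KEYBOARD hook (thread id 0 in
      SetWindowsHookEx).  The DLL is mapped into every GUI process, so
      whatever KeyboardHookHandler does runs inside those processes; an
      unhandled exception there crashes the host process, not this program.
      This is also the mechanism keyloggers use; expect AV/EDR to flag it.
    * Part 2 (as far as this excerpt shows) does not hide a process yet: it
      opens \Device\PhysicalMemory, rewrites that section's DACL to grant
      itself SECTION_MAP_WRITE, and walks the kernel page directory from
      user mode.  That needs administrator rights (WRITE_DAC on the
      section), and user-mode access to \Device\PhysicalMemory was
      reportedly removed starting with Windows Server 2003 SP1, so on any
      current Windows the open fails.  The page-directory physical
      addresses $30000 / $39000 are hard-coded per OS build, and the walk
      assumes a non-PAE 32-bit kernel (4-byte entries, 10/10/12 split).
      Treat it as a historical rootkit technique, not something to ship.
  ======================================================================== }

{ Part 1 -- hiding a window and defining a hot key.

  Two problems have to be solved: hiding the window and defining a hot key.
  1. Hiding the window: the API GetActiveWindow returns the current window;
     ShowWindow(HWND, nCmdShow) hides it when nCmdShow = SW_HIDE and shows
     it again with SW_SHOW, e.g. ShowWindow(GetActiveWindow, SW_HIDE).
     The handle must be remembered so the window can be restored later.
  2. Keyboard monitoring: a keyboard hook is required.  Source follows.

  Step 1: build a dynamic link library. }

{ ---------------------------- HKHide.pas ----------------------------- }
unit HKHide; // unit inside the DLL

interface

uses
  Windows, Messages, SysUtils;

var
  hNextHookHide: HHook;   // handle from SetWindowsHookEx; 0 = hook not installed
  HideSaveExit: Pointer;  // previous ExitProc, restored by HideHookExit
  hbefore: LongInt;       // handle of the window we hid (see note in the handler)

function KeyboardHookHandler(iCode: Integer; wParam: WPARAM;
  lParam: LPARAM): LRESULT; stdcall; export;
function EnableHideHook: BOOL; export;
function DisableHideHook: BOOL; export;
procedure HideHookExit; far;

implementation

{ Hook callback.  On Ctrl+Alt+F12 (key-down only) toggles between hiding
  the active window and restoring the previously hidden one.  The hidden
  window's handle is persisted in c:\test.txt ("0" = nothing hidden).
  hbefore is an ordinary DLL global, i.e. one copy per process the hook DLL
  is mapped into, which is presumably why the state lives in a file instead.
  NOTE(review): c:\test.txt is a fixed, generally writable path read back
  by every hooked process; anyone who can write it chooses which window
  handle gets SW_SHOW / SW_HIDE. }
function KeyboardHookHandler(iCode: Integer; wParam: WPARAM;
  lParam: LPARAM): LRESULT; stdcall; export;
const
  _KeyPressMask = $80000000; // bit 31 of lParam: 0 = key pressed, 1 = released
var
  f: TextFile;
  temp: string;
begin
  Result := 0;
  if iCode < 0 then
  begin
    // Per the WH_KEYBOARD contract: do not process, pass along the chain.
    Result := CallNextHookEx(hNextHookHide, iCode, wParam, lParam);
    Exit;
  end;

  // Detect the Ctrl + Alt + F12 combination, on key-down only.
  if ((lParam and _KeyPressMask) = 0)
     and (GetKeyState(VK_CONTROL) < 0)
     and (GetKeyState(VK_MENU) < 0)
     and (wParam = VK_F12) then
  begin
    Result := 1; // swallow the key stroke
    if not FileExists('c:\test.txt') then
    begin
      // First use only seeds the state file with "0"; nothing is hidden
      // on this press (original behaviour, kept).
      AssignFile(f, 'c:\test.txt');
      Rewrite(f);
      Writeln(f, '0');
      CloseFile(f);
    end
    else
    begin
      AssignFile(f, 'c:\test.txt');
      Reset(f);
      try
        Readln(f, temp);
      finally
        CloseFile(f);
      end;
      // Fix: StrToIntDef instead of StrToInt.  This code runs inside every
      // GUI process and the file content is untrusted; a malformed line
      // must not raise an exception in a foreign process.
      hbefore := StrToIntDef(temp, 0);
      // NOTE(review): the condition of this "if" was lost in extraction;
      // "= 0" is the only reading consistent with the else branch, which
      // restores the window and writes "0" back.
      if hbefore = 0 then
      begin
        hbefore := GetActiveWindow;
        temp := IntToStr(hbefore);
        AssignFile(f, 'c:\test.txt');
        Rewrite(f);
        Writeln(f, temp);
        CloseFile(f);
        ShowWindow(hbefore, SW_HIDE);
      end
      else
      begin
        ShowWindow(hbefore, SW_SHOW);
        AssignFile(f, 'c:\test.txt');
        Rewrite(f);
        Writeln(f, '0');
        CloseFile(f);
      end;
    end; // end if FileExists(...)
  end; // end if Ctrl+Alt+F12
end;

{ Installs the keyboard hook.  Returns False if it is already installed or
  SetWindowsHookEx fails. }
function EnableHideHook: BOOL; export;
begin
  Result := False;
  if hNextHookHide <> 0 then Exit; // already hooked
  // Install a WH_KEYBOARD hook.  The returned handle must be kept so the
  // hook chain is not broken (CallNextHookEx needs it).  Thread id 0 makes
  // the hook system-wide: the DLL is loaded into every process with a
  // message loop.
  hNextHookHide := SetWindowsHookEx(WH_KEYBOARD, KeyboardHookHandler, HInstance, 0);
  Result := hNextHookHide <> 0;
end;

{ Removes the keyboard hook.  Returns False if no hook was installed. }
function DisableHideHook: BOOL; export;
begin
  if hNextHookHide <> 0 then
  begin
    Result := True;
    UnhookWindowsHookEx(hNextHookHide); // remove the keyboard hook
    hNextHookHide := 0;
  end
  else
    Result := False;
end;

{ Exit procedure: unhooks automatically if the caller forgot to, then
  chains to the ExitProc saved by the DLL initialisation code. }
procedure HideHookExit;
begin
  if hNextHookHide <> 0 then DisableHideHook;
  ExitProc := HideSaveExit;
end;

end.

{ ---------------------------- HKPHide.dpr ---------------------------- }
library HKPHide; // DLL project file

uses
  HKHide in 'HKHide.pas';

exports
  EnableHideHook, DisableHideHook;

begin
  hNextHookHide := 0;
  hbefore := 0;
  HideSaveExit := ExitProc;
  ExitProc := @HideHookExit;
end.

{ Once the files are in place, Build All to produce HKPHide.dll.

  Step 2: create a test project, TestPrj. }

{ ----------------------------- Unit1.pas ----------------------------- }
unit Unit1; // form unit of the test project

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.DFM}

// The DLL is referenced by bare name, so it is resolved through the normal
// DLL search order (application directory first).
function EnableHideHook: BOOL; external 'HKPHide.DLL';
function DisableHideHook: BOOL; external 'HKPHide.DLL';

procedure TForm1.Button1Click(Sender: TObject);
begin
  if EnableHideHook then ShowMessage('HotKey Testing.');
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  if DisableHideHook then ShowMessage('HotKey Testing., DONE!');
end;

end.

{ Part 2 -- hiding a process in pure Delphi (the author reports it tested
  on Windows XP).  The HideProcess unit follows.  Only the part up to
  LinearToPhys is in this excerpt; MyHideProcess (declared in the
  interface) and the rest of the unit are not shown here. }

{ --------------------------- HideProcess.pas ------------------------- }
unit HideProcess;

interface

function MyHideProcess: Boolean;

implementation

uses
  Windows, SysUtils, Variants, Classes, AclAPI, AccCtrl;

type
  NTSTATUS = LongInt;

const
  // NT_SUCCESS(Status) is ((NTSTATUS)(Status) >= 0)
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
  OBJ_INHERIT = $00000002;
  OBJ_PERMANENT = $00000010;
  OBJ_EXCLUSIVE = $00000020;
  OBJ_CASE_INSENSITIVE = $00000040;
  OBJ_OPENIF = $00000080;
  OBJ_OPENLINK = $00000100;
  OBJ_KERNEL_HANDLE = $00000200;
  OBJ_VALID_ATTRIBUTES = $000003F2;

type
  PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
  IO_STATUS_BLOCK = record
    Status: NTSTATUS;
    FObject: DWORD;
  end;

  PUNICODE_STRING = ^UNICODE_STRING;
  UNICODE_STRING = record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;

  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: DWORD;
    RootDirectory: Pointer;
    ObjectName: PUNICODE_STRING;
    Attributes: DWORD;
    SecurityDescriptor: Pointer;
    SecurityQualityOfService: Pointer;
  end;

  TZwOpenSection = function(SectionHandle: PHandle; DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
  TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
    SourceString: PWideChar); stdcall;

var
  RtlInitUnicodeString: TRTLINITUNICODESTRING = nil; // resolved from ntdll
  ZwOpenSection: TZwOpenSection = nil;               // resolved from ntdll
  g_hNtDLL: THandle = 0;
  g_pMapPhysicalMemory: Pointer = nil; // view of the page-directory page
  g_hMPM: THandle = 0;                 // handle to \Device\PhysicalMemory
  g_hMPM2: THandle = 0;
  g_osvi: OSVERSIONINFO;
  b_hide: Boolean = False;

{ Loads ntdll.dll and resolves the two undocumented entry points.
  Fix: the original never checked GetProcAddress; a nil function pointer
  would be called later.  Now returns False (and unloads) if either symbol
  is missing. }
function InitNTDLL: Boolean;
begin
  g_hNtDLL := LoadLibrary('ntdll.dll');
  if 0 = g_hNtDLL then
  begin
    Result := False;
    Exit;
  end;
  RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
  ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');
  Result := Assigned(RtlInitUnicodeString) and Assigned(ZwOpenSection);
  if not Result then
  begin
    FreeLibrary(g_hNtDLL);
    g_hNtDLL := 0;
  end;
end;

{ Releases ntdll.dll and forgets the resolved entry points. }
procedure CloseNTDLL;
begin
  if 0 <> g_hNtDLL then FreeLibrary(g_hNtDLL);
  g_hNtDLL := 0;
  RtlInitUnicodeString := nil;
  ZwOpenSection := nil;
end;

{ Grants the current user SECTION_MAP_WRITE on hSection by adding an ACE to
  its DACL.  Requires WRITE_DAC on the handle (in practice: administrator).
  Fix: the original freed its buffers on each error but then fell through
  and kept going with nil pointers, and never freed them on the success
  path; errors now Exit and cleanup happens once in a finally block.
  NOTE(review): the address-of operators on the GetSecurityInfo /
  SetEntriesInAcl arguments were lost in extraction and are not restored
  here; check against the AclAPI.pas declarations of your Delphi version. }
procedure SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
var
  pDacl: PACL;
  pSD: PPSECURITY_DESCRIPTOR;
  pNewDacl: PACL;
  dwRes: DWORD;
  ea: EXPLICIT_ACCESS;
begin
  pDacl := nil;
  pSD := nil;
  pNewDacl := nil;
  try
    dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT,
      DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);
    if ERROR_SUCCESS <> dwRes then Exit;

    ZeroMemory(@ea, SizeOf(EXPLICIT_ACCESS));
    ea.grfAccessPermissions := SECTION_MAP_WRITE;
    ea.grfAccessMode := GRANT_ACCESS;
    ea.grfInheritance := NO_INHERITANCE;
    ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
    ea.Trustee.ptstrName := 'CURRENT_USER'; // special trustee name = calling user
    dwRes := SetEntriesInAcl(1, ea, pDacl, pNewDacl);
    if ERROR_SUCCESS <> dwRes then Exit;

    SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
      nil, nil, pNewDacl, nil);
  finally
    if Assigned(pSD) then LocalFree(HLOCAL(pSD));
    if Assigned(pNewDacl) then LocalFree(HLOCAL(pNewDacl));
  end;
end;

{ Opens \Device\PhysicalMemory read/write and maps the page containing the
  kernel page directory into g_pMapPhysicalMemory.  Returns the section
  handle, or 0 on any failure.  Only Windows 2000 (5.0) and XP (5.1) are
  handled, with the page-directory physical address hard-coded per build.
  Fix: the WRITE_DAC reopen and the final MapViewOfFile failure now clean
  up the handle instead of leaving g_hMPM stale. }
function OpenPhysicalMemory: THandle;
var
  status: NTSTATUS;
  physmemString: UNICODE_STRING;
  attributes: OBJECT_ATTRIBUTES;
  PhyDirectory: DWORD;
begin
  g_osvi.dwOSVersionInfoSize := SizeOf(OSVERSIONINFO);
  GetVersionEx(g_osvi);
  if 5 <> g_osvi.dwMajorVersion then
  begin
    Result := 0;
    Exit;
  end;
  case g_osvi.dwMinorVersion of
    0: PhyDirectory := $30000; // Windows 2000
    1: PhyDirectory := $39000; // Windows XP
  else
    begin
      Result := 0;
      Exit;
    end;
  end;

  RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');
  attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
  attributes.RootDirectory := nil;
  attributes.ObjectName := @physmemString;
  attributes.Attributes := 0;
  attributes.SecurityDescriptor := nil;
  attributes.SecurityQualityOfService := nil;

  status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  if status = STATUS_ACCESS_DENIED then
  begin
    // Write access refused: reopen with WRITE_DAC, grant ourselves
    // SECTION_MAP_WRITE on the object's DACL, then retry the real open.
    if ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes) >= 0 then
    begin
      SetPhyscialMemorySectionCanBeWrited(g_hMPM);
      CloseHandle(g_hMPM);
      g_hMPM := 0;
    end;
    status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  end;
  if status < 0 then // not NT_SUCCESS
  begin
    g_hMPM := 0;
    Result := 0;
    Exit;
  end;

  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE,
    0, PhyDirectory, $1000);
  if g_pMapPhysicalMemory = nil then
  begin
    CloseHandle(g_hMPM);
    g_hMPM := 0;
    Result := 0;
    Exit;
  end;
  Result := g_hMPM;
end;

{ Translates the virtual address addr to a physical address by walking the
  page directory at BaseAddress (the view created by OpenPhysicalMemory)
  and, for 4 KB pages, the page table it points to via a temporary view of
  \Device\PhysicalMemory.  Returns nil if the PDE or PTE is not present.
  The walk is the 32-bit non-PAE two-level layout: 4-byte entries, bits
  31..22 index the directory, 21..12 the table, bit 7 of a PDE = 4 MB page.
  Fix: the page-table view was leaked on the "PTE not present" path, and a
  failed MapViewOfFile was dereferenced at address 0. }
function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
var
  VAddr, PGDE, PTE, PAddr, tmp: DWORD;
begin
  VAddr := DWORD(addr);
  // PGDE := BaseAddress[VAddr shr 22];
  PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // Modify by dot.
  if 0 = (PGDE and 1) then // present bit clear
  begin
    Result := nil;
    Exit;
  end;
  tmp := PGDE and $00000080; // PS bit: 4 MB page
  if 0 <> tmp then
  begin
    PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
  end
  else
  begin
    // Map the 4 KB page table this PDE points to (4 = FILE_MAP_READ).
    PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
    if PGDE = 0 then
    begin
      Result := nil;
      Exit;
    end;
    // PTE := PDWORD(PGDE)[(VAddr and $003FF000) shr 12];
    PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWORD))^; // Modify by dot.
    if 0 = (PTE and 1) then
    begin
      UnmapViewOfFile(Pointer(PGDE));
      Result := nil;
      Exit;
    end;
    PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
    UnmapViewOfFile(Pointer(PGDE));
  end;
  Result := Pointer(PAddr);
end;
// ---------------------------------------------------------------------
{ The HideProcess unit continues beyond this excerpt. }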
