一個簡單的windows HOOK - 隱藏進程管理器中特定的進程
(適用平台:windows 2000 sp4,windows XP sp2)
屏蔽工作管理員中的進程名稱有很多種方法,可以在ring0級做文章:
修改核心進程鏈表,攔截核心API等。我這裡只給出win32下的實現,原
理是最普通的 windows 鉤子機制。實現語言 win32 彙編 (masm32):
0 在DllEntry中處理資源取得和產生"工作"線程:
mov eax,_hinstance
mov hinstance,eax
.if _dwreason == DLL_PROCESS_ATTACH
.if cutme == 0
mov cutme,1
.else
invoke CreateThread,NULL,0,addr CTProcEx,0,0,/
addr tid
.endif
.elseif _dwreason == DLL_PROCESS_DETACH
.if oldLVProc == 0
jmp quit
.endif
invoke SetWindowLong,hlv,GWL_WNDPROC,/
oldLVProc
.endif
1 鉤住WH_CALLWNDPROC後,改變list控制項預設訊息處理過
程,從而監視任何list插入訊息:
;*********************************************************************
NewLVProc proc uses esi edi ebx hwnd,umsg,wparam,lparam
local retbyte:dword
mov eax,umsg
.if eax == LVM_INSERTITEMW
assume esi:ptr LV_ITEM
mov esi,lparam
mov ebx,[esi].pszText
invoke WideCharToMultiByte,CP_ACP,0,/
ebx,-1,addr buf,/
sizeof buf,NULL,NULL
assume esi:nothing
invoke lstrcmp,addr buf,addr stxt
.if eax == 0
.else
invoke CallWindowProc,oldLVProc,/
hwnd,umsg,wparam,lparam
ret
.endif
.elseif eax == LVM_SETITEMW
assume esi:ptr LV_ITEM
mov esi,lparam
mov ebx,[esi].pszText
invoke WideCharToMultiByte,CP_ACP,0,/
ebx,-1,addr buf,/
sizeof buf,NULL,NULL
assume esi:nothing
invoke lstrcmp,addr buf,addr stxt
.if eax == 0
.else
invoke CallWindowProc,oldLVProc,/
hwnd,umsg,wparam,lparam
ret
.endif
.else
invoke CallWindowProc,oldLVProc,hwnd,umsg,/
wparam,lparam
ret
.endif
xor eax,eax
ret
NewLVProc endp
;*********************************************************************
CTProcEx proc uses esi edi ebx _pm
local ii:dword
local lvfi:LV_FINDINFO
mov lvfi.flags,LVFI_STRING
lea eax,stxt
mov lvfi.psz,eax
invoke SendMessage,hlv,LVM_FINDITEM,-1,addr lvfi
.if eax != 0ffffffffh
mov ii,eax
invoke SendMessage,hlv,LVM_DELETEITEM,ii,0
.endif
mov lvfi.flags,LVFI_STRING
lea eax,stxt2
mov lvfi.psz,eax
invoke SendMessage,hlv,LVM_FINDITEM,-1,addr lvfi
.if eax != 0ffffffffh
mov ii,eax
invoke SendMessage,hlv,LVM_DELETEITEM,ii,0
.endif
invoke SetWindowLong,hlv,GWL_WNDPROC,addr NewLVProc
mov oldLVProc,eax
quit:
ret
CTProcEx endp
;*********************************************************************
(注意:在windows xp sp2 可執行檔保護開啟時,退出時可能會有異常)
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
