• 所有问题

    • 用VB实现隐藏进程

    网上隐藏模块在有杀毒软件下就不可用了,看看下面提示:

    需要通过写入注册表来启动隐藏程序的驱动的。隐藏成功后在进程管理器里是找不到挂的程序的,其它程序也无法读取挂的内存

    其它程序也无法读取挂的内存,这样隐藏是怎么实现的,高分相送
    不用VB也可以,原理讲清楚(用哪些API),代码可以我自己写。
    2楼在有杀毒软件下不可用
    不要线程插入技术。。。那个VB做不了,而且那样内存也是可以被读取

    举报该问题
    推荐答案   2008-05-06
    晕,二楼的代码怎么那么熟悉?似乎我去年发的。。
    隐藏进程现在常用的是进程插入技术,找一个进程:如Explorer.exe,将自身隐藏在这个进程之内

    不过这样的代码还是会被杀毒软件发现,代码就用现成的了:

    第一步,提升本进程的系统权限。
    因为我们要操作的是系统中的其他进程,没有足够的系统权限是无法读取甚至写入其他进程的内存地址的。提升进程权限可能用到以下的函数:
    1.函数OpenProcessToken(
    HANDLE ProcessHandle, // 进程的句柄
    DWORD DesiredAccess, // 对进程的访问描述
    PHANDLE TokenHandle // 打开进程令牌的句柄指针
    );
    这个函数的作用是打开进程令牌。

    2.函数LookupPrivilegeValue(
    LPCTSTR lpSystemName, //系统名称
    LPCTSTR lpName, // 特权名称
    PLUID lpLuid // 本地系统唯一的ID号
    );
    这个函数将会返回一个本地系统内独一无二的ID,来用于系统权限的更改,它的第1个参数是系统名,nil表示本系统。第2个参数是特权的名字。第3个参数用来接收函数返回的ID。

    3.函数AdjustTokenPrivileges(
    HANDLE TokenHandle, //更改权限的令牌环句柄
    BOOL DisableAllPrivileges, //是否修改所有权限的标志位
    PTOKEN_PRIVILEGES NewState, //新的系统权限信息
    DWORD BufferLength, //上一个参数的长度
    PTOKEN_PRIVILEGES PreviousState, // 返回更改系统特权以前的权限
    PDWORD ReturnLength //上一个参数的长度
    );
    这个函数用于更改进程的系统权限 ,第1个参数是要更改权限的令牌环句柄。第2个参数如果为true表示更改所有的系统权限 ,false表示更改部分。第3个参数是要更改的系统特权的值。第4个参数是第3个参数的大小。第5个参数返回更改系统特权以前的权限,我们不需要就设为nil。第6个参数是第5个参数的大小。
    把上面的东西合并起来写成一个函数,我们在其他代码中间直接调用PromoteDebugPrivilege就可以提升本进程的系统权限了。代码如下:
    ======================================================================
    function PromoteDebugPrivilege(const PromoteEnabled: Boolean): Boolean;
    var
    hToken: THandle;
    TokenPriv: TOKEN_PRIVILEGES;
    Length: DWORD;
    begin
    Result := False;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
    begin
    TokenPriv.PrivilegeCount := 1;
    LookupPrivilegeValue(nil, 'SeDebugPrivilege', TokenPriv.Privileges[0].Luid);
    if PromoteEnabled then
    TokenPriv.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
    TokenPriv.Privileges[0].Attributes := 0;
    Length := 0;
    AdjustTokenPrivileges(hToken, False, TokenPriv, SizeOf(TokenPriv), nil, Length);
    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hToken);
    end;
    end;
    第二步,进入宿主的内存空间
    在拥有了进入宿主程序内存的权限之后,我们所要做的是在其内存空间加入一些新的程序代码,或者是让其载入一个Dll文件里面的函数并运行起来。加入新的代码可以省掉一个dll文件,而加载dll文件可以安装一些系统级的钩子,如果我们的隐形程序是一个截获密码的程序,加载dll就是一个很好的选择。
    Kernel32.dll中的函数LoadLibraryW可以加载dll,它只需要dll文件的文件路径就可以完成操作,我们可以很容易的在程序代码中实现取出一个文件路径的操作。但是,我们希望在宿主程序中加载,而我们取出的dll文件路径并不存在于宿主程序的内存空间里面,所以我们需要把dll的文件路径写入宿主的内存空间。这些操作可能用到以下的函数:
    1.函数OpenProcess(
    DWORD dwDesiredAccess, //访问标志
    BOOL bInheritHandle, //继承句柄标志
    DWORD dwProcessId // 进程Id
    );
    这个函数用于修改我们宿主进程的一些属性,这些属性放在第一个参数里面,比如PROCESS_VM_OPERATION就是允许远程VM操作,即允许VirtualProtectEx和WriteProcessMemory函数操作本进程内存空间。PROCESS_CREATE_THREAD 就是允许远程创建线程。PROCESS_VM_WRITE就是允许远程VM写,即允许 WriteProcessMemory函数访问本进程的内存空间。第二个参数是一个标志参数,用来确定返回的句柄是否可以被新的进程继承。我们的程序中设为False。第三个参数需要操作的进程Id,也就是我们的宿主进程的Id。
    2.函数VirtualAllocEx(
    HANDLE hProcess, //要进行操作的进程句柄,当然是我们的宿主了
    LPVOID lpAddress, //分配空间的起始地址
    DWORD dwSize, //分配空间的大小
    DWORD flAllocationType, // 分配空间的类型
    DWORD flProtect // 访问保护类型
    );
    我们使用 VirtualAllocEx函数在宿主进程中开辟一块内存空间,用于存放dll的文件名。VirtualAllocEx的第1个参数是要操作的进程,第2个是起始地址,第3个是长度,第4,5个是操作参数。其中MEM_COMMIT表示本函数分配的是物理内存或者是内存的页面文件,PAGE_READWRITE表示分配的区域内允许读写。
    3.函数WriteProcessMemory (
    HANDLE hProcess, //所要操作进程的句柄
    LPVOID lpBaseAddress, //开始进行些操作的起始地址
    LPVOID lpBuffer, //要写入数据的缓冲区指针
    DWORD nSize, // 要写的bytes数
    LPDWORD lpNumberOfBytesWritten // 实际写入的bytes数
    );
    前面在宿主内存中创建好空间后,现在往里面写入dll的名称,而我们的WriteProcessMemory函数就可以胜任这一项工作。WriteProcessMemory函数的第一个参数 是需要往其内存里面写入dd的进程句柄,第二个参数是 “要进行写操作”的目标内存起始地址,第三个参数是 “需要被写入的数据”的地址,第四个参数是准备要写入的长度,第五个参数是实际操作中写的长度,这个参数是被函数输出的。到这里我们就已经能成功把dll的路径名称写进了宿主的内存空间。
    第三步,在宿主中启动新的线程!
    刚才我们已经在宿主程序中创建了一个用于存放一个dll文件路径的缓冲区,现在我们就要让这个dll在宿主的内存空间中运行起来。我们是用LoadLibraryW函数来加载的,而使用LoadLibraryW,又需要知道LoadLibraryW函数的入口地址。所以在加载dll之前,我们要用GetProcAddress来得到LoadLibraryW的入口地址。我们来看看这几个函数的使用方法:
    1.GetProcAddress(
    HMODULE hModule, //dll模块的句柄
    LPCSTR lpProcName // 函数名称
    );
    我们用这个函数主要想得到kernel32.dll中的函数LoadLibraryW的入口地址,所以
    GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW')就可以了,当然有些细节得符合程序编译器的要求,VC下使用就要改成
    GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW")的形式。
    2.CreateRemoteThread (
    HANDLE hProcess, //要进行操作的进程句柄,也就是我们的宿主句柄
    LPSECURITY_ATTRIBUTES lpThreadAttributes, //线程安全属性的指针
    DWORD dwStackSize, //初始化堆(stack)的大小
    LPTHREAD_START_ROUTINE lpStartAddress,//新建线程函数的指针,或叫做地址
    LPVOID lpParameter, //新建线程函数的参数
    DWORD dwCreationFlags, //标志位
    LPDWORD lpThreadId //线程返回值
    );
    这个函数就是本文的点睛之笔了,我们之前所做所有的一切,都是在为它做准备工作,它的功能就是在其他任何进程中创建新的线程,让其他的程序或进程附加执行我们的代码。
    温馨提示:答案为网友推荐,仅供参考
    其他回答
    第1个回答  2008-05-05
    找到一高手的答案呵

    在XP/2K系统中隐藏进程的VB代码
    Attribute VB_Name = "modHideProcess"

    '-------------------------------------------------------------------------------------
    '模块名称:modHideProcess.bas
    '
    '模块功能:在 XP/2K 任务管理器的进程列表中隐藏当前进程
    '
    '使用方法:直接调用 HideCurrentProcess()
    '
    '模块作者:检索自互联网,原作者不详。
    '
    '修改日期:2006/08/26
    '---------------------------------------------------------------------------------------

    Option Explicit

    Private Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
    Private Const STATUS_ACCESS_DENIED = &HC0000022
    Private Const STATUS_INVALID_HandLE = &HC0000008
    Private Const ERROR_SUCCESS = 0&
    Private Const SECTION_MAP_WRITE = &H2
    Private Const SECTION_MAP_READ = &H4
    Private Const READ_CONTROL = &H20000
    Private Const WRITE_DAC = &H40000
    Private Const NO_INHERITANCE = 0
    Private Const DACL_SECURITY_INFORMATION = &H4

    Private Type IO_STATUS_BLOCK
    Status As Long
    Information As Long
    End Type

    Private Type UNICODE_STRING
    Length As Integer
    MaximumLength As Integer
    Buffer As Long
    End Type

    Private Const OBJ_INHERIT = &H2
    Private Const OBJ_PERMANENT = &H10
    Private Const OBJ_EXCLUSIVE = &H20
    Private Const OBJ_CASE_INSENSITIVE = &H40
    Private Const OBJ_OPENIF = &H80
    Private Const OBJ_OPENLINK = &H100
    Private Const OBJ_KERNEL_HandLE = &H200
    Private Const OBJ_VALID_ATTRIBUTES = &H3F2

    Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDeor As Long
    SecurityQualityOfService As Long
    End Type

    Private Type ACL
    AclRevision As Byte
    Sbz1 As Byte
    AclSize As Integer
    AceCount As Integer
    Sbz2 As Integer
    End Type

    Private Enum ACCESS_MODE
    NOT_USED_ACCESS
    GRANT_ACCESS
    SET_ACCESS
    DENY_ACCESS
    REVOKE_ACCESS
    SET_AUDIT_SUCCESS
    SET_AUDIT_FAILURE
    End Enum

    Private Enum MULTIPLE_TRUSTEE_OPERATION
    NO_MULTIPLE_TRUSTEE
    TRUSTEE_IS_IMPERSONATE
    End Enum

    Private Enum TRUSTEE_FORM
    TRUSTEE_IS_SID
    TRUSTEE_IS_NAME
    End Enum

    Private Enum TRUSTEE_TYPE
    TRUSTEE_IS_UNKNOWN
    TRUSTEE_IS_USER
    TRUSTEE_IS_GROUP
    End Enum

    Private Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm As TRUSTEE_FORM
    TrusteeType As TRUSTEE_TYPE
    ptstrName As String
    End Type

    Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As ACCESS_MODE
    grfInheritance As Long
    TRUSTEE As TRUSTEE
    End Type

    Private Type AceArray
    List() As EXPLICIT_ACCESS
    End Type

    Private Enum SE_OBJECT_TYPE
    SE_UNKNOWN_OBJECT_TYPE = 0
    SE_FILE_OBJECT
    SE_SERVICE
    SE_PRINTER
    SE_REGISTRY_KEY
    SE_LMSHARE
    SE_KERNEL_OBJECT
    SE_WINDOW_OBJECT
    SE_DS_OBJECT
    SE_DS_OBJECT_ALL
    SE_PROVIDER_DEFINED_OBJECT
    SE_WMIGUID_OBJECT
    End Enum

    Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long,

    ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As

    Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
    Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long,

    ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As

    Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDeor As Long) As

    Long

    Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias

    "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries

    As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long
    Private Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias

    "BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, ByVal

    pTrusteeName As String, ByVal AccessPermissions As Long, ByVal AccessMode As

    ACCESS_MODE, ByVal Inheritance As Long)

    Private Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As

    UNICODE_STRING, ByVal SourceString As Long)
    Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long,

    ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long
    Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As

    Long
    Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As

    Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal

    dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
    Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As

    Long
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination

    As Any, Source As Any, ByVal Length As Long)
    Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA"

    (LpVersionInformation As OSVERSIONINFO) As Long

    Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
    End Type

    Private verinfo As OSVERSIONINFO

    Private g_hNtDLL As Long
    Private g_pMapPhysicalMemory As Long
    Private g_hMPM As Long
    Private aByte(3) As Byte

    Public Sub HideCurrentProcess()
    '在进程列表中隐藏当前应用程序进程

    Dim thread As Long, process As Long, fw As Long, bw As Long
    Dim lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long

    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
    If verinfo.dwPlatformId = 2 Then
    If verinfo.dwMajorVersion = 5 Then
    select Case verinfo.dwMinorVersion
    Case 0
    lOffsetFlink = &HA0
    lOffsetBlink = &HA4
    lOffsetPID = &H9C
    Case 1
    lOffsetFlink = &H88
    lOffsetBlink = &H8C
    lOffsetPID = &H84
    End select
    End If
    End If
    End If

    If OpenPhysicalMemory <> 0 Then
    thread = GetData(&HFFDFF124)
    process = GetData(thread + &H44)
    fw = GetData(process + lOffsetFlink)
    bw = GetData(process + lOffsetBlink)
    SetData fw + 4, bw
    SetData bw, fw
    CloseHandle g_hMPM
    End If
    End Sub

    Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
    Dim pDacl As Long
    Dim pNewDacl As Long
    Dim pSD As Long
    Dim dwRes As Long
    Dim ea As EXPLICIT_ACCESS

    GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0,

    pDacl, 0, pSD

    ea.grfAccessPermissions = SECTION_MAP_WRITE
    ea.grfAccessMode = GRANT_ACCESS
    ea.grfInheritance = NO_INHERITANCE
    ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
    ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
    ea.TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar

    SetEntriesInAcl 1, ea, pDacl, pNewDacl

    SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0,

    ByVal pNewDacl, 0

    CleanUp:
    LocalFree pSD
    LocalFree pNewDacl
    End Sub

    Private Function OpenPhysicalMemory() As Long
    Dim Status As Long
    Dim PhysmemString As UNICODE_STRING
    Dim Attributes As OBJECT_ATTRIBUTES

    RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")
    Attributes.Length = Len(Attributes)
    Attributes.RootDirectory = 0
    Attributes.ObjectName = VarPtr(PhysmemString)
    Attributes.Attributes = 0
    Attributes.SecurityDeor = 0
    Attributes.SecurityQualityOfService = 0

    Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE,

    Attributes)
    If Status = STATUS_ACCESS_DENIED Then
    Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
    SetPhyscialMemorySectionCanBeWrited g_hMPM
    CloseHandle g_hMPM
    Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE,

    Attributes)
    End If

    Dim lDirectoty As Long
    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
    If verinfo.dwPlatformId = 2 Then
    If verinfo.dwMajorVersion = 5 Then
    select Case verinfo.dwMinorVersion
    Case 0
    lDirectoty = &H30000
    Case 1
    lDirectoty = &H39000
    End select
    End If
    End If
    End If

    If Status = 0 Then
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectoty, &H1000)
    If g_pMapPhysicalMemory <> 0 Then OpenPhysicalMemory = g_hMPM
    End If
    End Function

    Private Function LinearToPhys(BaseAddress As Long, addr As Long) As Long
    Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
    Dim lTemp As Long

    VAddr = addr
    CopyMemory aByte(0), VAddr, 4
    lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))

    PGDE = BaseAddress + lTemp * 4
    CopyMemory PGDE, ByVal PGDE, 4

    If (PGDE and 1) <> 0 Then
    lTemp = PGDE and &H80
    If lTemp <> 0 Then
    PAddr = (PGDE and &HFFC00000) + (VAddr and &H3FFFFF)
    Else
    PGDE = MapViewOfFile(g_hMPM, 4, 0, PGDE and &HFFFFF000, &H1000)
    lTemp = (VAddr and &H3FF000) / (2 ^ 12)
    PTE = PGDE + lTemp * 4
    CopyMemory PTE, ByVal PTE, 4

    If (PTE and 1) <> 0 Then
    PAddr = (PTE and &HFFFFF000) + (VAddr and &HFFF)
    UnmapViewOfFile PGDE
    End If
    End If
    End If

    LinearToPhys = PAddr
    End Function

    Private Function GetData(addr As Long) As Long
    Dim phys As Long, tmp As Long, ret As Long

    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, 4, 0, phys and &HFFFFF000, &H1000)
    If tmp <> 0 Then
    ret = tmp + ((phys and &HFFF) / (2 ^ 2)) * 4
    CopyMemory ret, ByVal ret, 4

    UnmapViewOfFile tmp
    GetData = ret
    End If
    End Function

    Private Function SetData(ByVal addr As Long, ByVal data As Long) As Boolean
    Dim phys As Long, tmp As Long, x As Long

    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, phys and &HFFFFF000, &H1000)
    If tmp <> 0 Then
    x = tmp + ((phys and &HFFF) / (2 ^ 2)) * 4
    CopyMemory ByVal x, data, 4

    UnmapViewOfFile tmp
    SetData = True
    End If
    End Function

    Private Function ByteArrToLong(inByte() As Byte) As Double
    Dim I As Integer
    For I = 0 To 3
    ByteArrToLong = ByteArrToLong + inByte(I) * (&H100 ^ I)
    Next I
    End Function

    XP SP2 + VB6.0调试通过

    要在一个系统进程中修改或者杀死另一个进程,需要做以下步骤:
    1.提升进程自身身的权限,使之拥有高的特权级
    2.搜索宿主进程
    3.保存PCB
    3.修改进程
    4.如果出错,恢复PCB

    这样解释你清楚了吗?

    我想你可以把模块中的API的功能逐个了解一下,如果你不了解他们的作用,那么即使讲了也没有用,你可以去MSDN.microsoft上看一下相关的资料

    type的API资料可以在FoxApi中查到
    第2个回答  2008-05-05
    进程好像不可以隐藏吧
    如果能够隐藏那微软的那些系统进程怎么没有隐藏勒
    如果是有任务管理器里的用户程序隐藏还是可以的

    Private Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
    Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long

    Call ShowWindow(GetWindow(Me.hwnd, 4), 0)
    me.hwnd 是窗体的句柄

    就算你进程能够隐藏还是可能通过API 全部扫描到的
    包括扫描到你引用的第三方文件也能扫描到
    不过太长了
    这里不好发过来本回答被提问者采纳
    第3个回答  2008-05-05
    Private Sub Form_Load()
    App.TaskVisible = False
    End Sub
    虽然没有隐藏进程`但是可以隐藏在应用程序那里的显示``
    第4个回答  2008-05-06
    加油啦 OK!
    相似回答
    VB隐藏弹出窗口的进程?答:在模块中加入以下代码,在需要隐藏进程的窗体的load或Initialize事件中调用HideCurrentProcess即可。Option ExplicitPrivate Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004Private Const STATUS_ACCESS_DENIED = &HC0000022Private Const STATUS_INVALID_HandLE = &HC0000008Private Const ERROR_SUCCESS = 0&Private Const...
    大家正在搜
    进程隐藏怎么隐藏进程怎么显示被隐藏的进程隐藏进程软件安卓隐藏进程window隐藏进程手机隐藏进程如何隐藏进程不被检测手机隐藏运行进程工具