我先说明一下,我不是写木马、病毒,我没有这么高的技术。
我写了一个文件备份软件,老板不想让员工能强制结束程式,怕丢了资料。谁有这方面的例子、代码,请指点一下,再次感谢
2楼: 可能都是只能隐藏进程吧。隐藏进程的帖子比较多。
3楼: (1)为了让程序用ALT+DEL+CTRL看不见(NT 下无效!!!!)
在implementation后添加声明:
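// Static import of RegisterServiceProcess from KERNEL32.DLL.
// This export exists only in the Windows 9x KERNEL32.DLL. Because the import
// is static, an executable built with this declaration fails to load on
// NT-family Windows (NT/2000/XP), where the thread itself notes the trick
// has no effect. The doubled quotes of the posted text are restored to a
// normal Pascal string literal.
function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer; stdcall; external 'KERNEL32.DLL';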
再在上面的窗口Create事件加上一句:RegisterServiceProcess(GetCurrentProcessID, 1);//隐藏
(2)procedure TForm1.FormCloseQuery(Sender: TObject; var CanClose: Boolean);
begin
// Veto an ordinary window close until the work is finished. The expression
// below is a placeholder in the original post ("has the work completed?"),
// not compilable code. This handler only governs a normal close request for
// the form; it does not stop the process from being terminated from outside.
CanClose := (工作是否已经完成);
end;
4楼: 你这个只能对付win9x,对win2000,winxp无效
5楼: ALT+DEL+CTRL不要禁用,要在2000、XP有效
6楼: 以前看过一篇文章,说用户在利用任务管理器强制结束程序时,系统会首先调用OpenProcess函数,所以我们可以Hook API OpenProcess,不做处理。
7楼: 作个监护服务程序
8楼: 找找进程插入方面的资料,将自己的进程插入到系统进程中,不就完事了吗?好多垃圾软件都使用这种方式
9楼: 简单一点的,写两个服务进程,互相监视,被kill掉一个,另一个进程马上把它重新启动。
10楼: 如果重新启动的那个进程先被kill呢?那怎么办?
11楼: 我想要个例子
12楼: 通过截获OpenProcess函数来禁止终止本进程
13楼: 帮顶!
14楼: 至少需要Hook NtTerminateProcess和TerminateProcess 函数
15楼: linfinder:你写的是C,我看不懂,不过谢谢了,我是用DELPHI
16楼: 等一下,我拿Delphi版的,前几天刚改的.
17楼: 下面就是了,比较完整.
18楼: linfinder,谢谢,
19楼: linfinder,想请教一个问题?
20楼: 问题已解决
21楼: 用静态加载.
// -----------------------------
// HOOKAPI - Matt Pietrek 1995
// -----------------------------
#include <windows.h>
#include <string.h>
#include "HookAPI.h"
// Macro for adding pointers/DWORDs together without C arithmetic interfering
// NOTE(review): both operands are cast to DWORD (32 bits) before the addition,
// so the result is only a valid address where pointers fit in 32 bits; a
// 64-bit build would truncate the base address here.
#define MakePtr(cast, ptr, addValue) (cast)((DWORD)(ptr)+(DWORD)(addValue))
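// HookAPIFunction - redirect one imported function of a loaded module by
// overwriting its slot in that module's import address table (IAT).
//
//   hFromModule        module whose import table is patched
//   pszFunctionModule  name of the DLL exporting the function ("KERNEL32.DLL")
//   pszFunctionName    name of the imported function
//   pfnNewProc         replacement; must have the original's signature and
//                      calling convention
//
// Returns the original function address (so the caller can chain to it), or
// 0 if an argument is invalid, hFromModule is not a PE image, the module does
// not import the function, or the table page cannot be made writable.
//
// Scope: only calls that go through hFromModule's own IAT slot are redirected.
// Other modules in the process, and code that resolves the function itself
// with GetProcAddress, still reach the original. A patched slot points outside
// the exporting DLL's image, which is what IAT integrity checks look for.
PROC HookAPIFunction(HMODULE hFromModule,
                     PSTR pszFunctionModule,
                     PSTR pszFunctionName,
                     PROC pfnNewProc)
{
    PROC pfnOriginalProc;
    HMODULE hFunctionModule;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;
    DWORD dwImportRVA;
    DWORD dwOldProtect;
    DWORD dwScratch;

    // Verify that a valid pfn was passed.
    // NOTE(review): IsBadCodePtr/IsBadReadPtr are documented by Microsoft as
    // obsolete; they are kept because the original relies on them.
    if (IsBadCodePtr(pfnNewProc)) return 0;

    // A NULL module name would make GetModuleHandle return the EXE itself and
    // would later be passed to stricmp, so reject NULL names up front.
    if (pszFunctionModule == NULL || pszFunctionName == NULL) return 0;

    // Verify that the module is loaded and really exports the function.
    hFunctionModule = GetModuleHandle(pszFunctionModule);
    if (!hFunctionModule) return 0;
    pfnOriginalProc = GetProcAddress(hFunctionModule, pszFunctionName);
    if (!pfnOriginalProc) return 0;

    pDosHeader = (PIMAGE_DOS_HEADER)hFromModule;

    // Make sure we are looking at a module image (the 'MZ' header).
    if (IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER))) return 0;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return 0;

    // The MZ header has a pointer to the PE header.
    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);

    // More tests to make sure we are looking at a "PE" image.
    if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS))) return 0;
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) return 0;

    // Bail out if the module has no import directory. The original compared
    // the computed pointer with pNTHeader, but an RVA of 0 yields pDosHeader,
    // so that test never fired and the DOS header would have been walked as
    // if it were an import descriptor array.
    dwImportRVA = pNTHeader->OptionalHeader.
                      DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
                      VirtualAddress;
    if (dwImportRVA == 0) return 0;
    pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader, dwImportRVA);

    // Find the import descriptor whose DLL name matches pszFunctionModule.
    // The array ends with an all-zero descriptor (Name == 0).
    while (pImportDesc->Name)
    {
        PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
        if (stricmp(pszModName, pszFunctionModule) == 0) break;
        pImportDesc++;
    }

    // Name is still zero here only if the loop ran off the end of the array.
    if (pImportDesc->Name == 0) return 0;

    // Get a pointer to the found module's import address table (IAT).
    pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);

    // Scan the table for the slot holding the address GetProcAddress returned.
    while (pThunk->u1.Function)
    {
        if (pThunk->u1.Function == (PDWORD)pfnOriginalProc)
        {
            // Unprotect only the slot being written and check the result.
            // The original asked for 4096 bytes starting at the slot, which
            // can reach into the following page and make the call fail, and
            // it ignored that failure, so the write below could fault.
            if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                                PAGE_READWRITE, &dwOldProtect))
                return 0;

            // Overwrite the original address with the interception function.
            pThunk->u1.Function = (PDWORD)pfnNewProc;

            // Put the previous protection back so the import table is not
            // left writable for the rest of the process lifetime.
            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                           dwOldProtect, &dwScratch);

            // Return the original address so the caller can chain on to it.
            return pfnOriginalProc;
        }
        pThunk++;
    }

    // Function not found in this module's imports.
    return 0;
}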
头文件:
#ifndef HOOKAPI_H
#define HOOKAPI_H
// Patches the import-table entry for pszFunctionName (exported by
// pszFunctionModule) inside hFromModule so that it points at pfnNewProc.
// Returns the original function address for chaining, or 0 on failure.
// The Windows types used here require <windows.h> to be included first.
PROC HookAPIFunction(HMODULE hFromModule,
PSTR pszFunctionModule,
PSTR pszFunctionName,
PROC pfnNewProc);
#endif
// ----------------------------------- //
// StickyApp32 v1.0 //
// Copyright 1997, 1998 Yariv Kaplan //
// WWW.INTERNALS.COM //
// ----------------------------------- //
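// The header name of the first include was lost when the page was rendered;
// the Windows types used below come from <windows.h>.
#include <windows.h>
#include "HookAPI.h"

// Signature of kernel32's OpenProcess, used to call the saved original.
typedef HANDLE (__stdcall *OPENPROCESS_PROC)(DWORD, BOOL, DWORD);

// Original OpenProcess address as returned by HookAPIFunction. It stays NULL
// until HookFunction has patched the import table in the current process.
OPENPROCESS_PROC pOpenProcess = NULL;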
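// Replacement for OpenProcess inside a process whose import table was patched
// by HookFunction. Requests for the process that owns the window with class
// "ThunderRT5Form" and title "StickyApp32" are refused; every other request is
// passed to the real OpenProcess.
//
// Returns NULL with last error ERROR_ACCESS_DENIED for the shielded process,
// otherwise whatever the real OpenProcess returns.
//
// NOTE(review): the shielded process is identified only by window class and
// title, so whichever process currently owns such a window is the one that
// gets shielded; this is not a trustworthy identity check.
HANDLE __stdcall OpenProcess_Handler(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    DWORD dwShieldedPid = 0;
    HWND hWnd = FindWindow("ThunderRT5Form", "StickyApp32");

    // The original called GetWindowThreadProcessId even when the window was
    // not found, then compared against an uninitialised process id.
    if (hWnd != NULL)
        GetWindowThreadProcessId(hWnd, &dwShieldedPid);

    if (hWnd != NULL && dwProcessId == dwShieldedPid)
    {
        // Give the caller a defined error instead of a stale last-error value.
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }

    // pOpenProcess is assigned only after HookAPIFunction has returned, so a
    // call arriving in between still finds it NULL. HookFunction patches the
    // table of GetModuleHandle(NULL), i.e. the host EXE, so this DLL's own
    // import of OpenProcess is presumably still the real one; use it then.
    if (pOpenProcess == NULL)
        return OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);

    return pOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}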
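// Exported hook procedure. The code that installs it is not shown on this
// page (presumably a SetWindowsHookEx call in the host application). On its
// first invocation in a process it patches that process's EXE import table so
// that OpenProcess resolves to OpenProcess_Handler, and remembers the original
// address in pOpenProcess.
//
// NOTE(review): the lazy initialisation is not synchronised; two threads can
// both see pOpenProcess == NULL and patch twice, in which case the second
// call finds no matching slot and stores 0. A DLL used as a system-wide hook
// is mapped into other applications' processes, so any fault in it affects
// those applications as well.
__declspec(dllexport) LRESULT CALLBACK HookFunction(int code, WPARAM wParam, LPARAM lParam)
{
    if (pOpenProcess == NULL)
        pOpenProcess = (OPENPROCESS_PROC)HookAPIFunction(GetModuleHandle(NULL), "KERNEL32.DLL", "OpenProcess", (PROC)OpenProcess_Handler);

    // Pass the event on. The original returned 0 without calling
    // CallNextHookEx, which cuts other installed hooks out of the chain.
    return CallNextHookEx(NULL, code, wParam, lParam);
}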
// DLL entry point. On process attach it turns off per-thread attach/detach
// notifications for this DLL; every notification reports success.
BOOL WINAPI DllMain(HANDLE hInst, ULONG dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // No per-thread state is kept, so thread notifications are not needed.
        DisableThreadLibraryCalls(hInst);
    }

    return TRUE;
}
def导出文件
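; Module-definition file for the hook DLL: exports the hook procedure by name.
; Unrelated text that had been appended to the export line is removed, since
; it is not part of the export list.
LIBRARY StickyApp32
EXPORTS
HookFunction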
http://www.moufersoft.com/blog/attachments/month_0602/85wb_OpenProcess.rar
这个只是简单地防止利用任务管理器强行终止进程。
ntsd 仍然可以终止进程。
我要让程式一启动就加载Hook.dll:
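// Form creation handler: loads Hook.dll and resolves its InstallHook export
// into the InstallHook procedural variable (declared outside this block).
procedure TfrmCannotKill.FormCreate(Sender: TObject);
var
  ModuleHandle: THandle;
begin
  // The DLL is named without a path, so LoadLibrary resolves it through the
  // DLL search order; a Hook.dll found earlier in that order would be loaded
  // instead. Loading by full path from the application directory avoids this.
  // (The doubled quotes of the posted text are restored to normal literals.)
  ModuleHandle := LoadLibrary('Hook.dll');
  if ModuleHandle = 0 then Exit;

  @InstallHook := GetProcAddress(ModuleHandle, 'InstallHook');

  // Do not keep a library loaded whose expected export is missing.
  if not Assigned(InstallHook) then
    FreeLibrary(ModuleHandle);

  // NOTE(review): this handler only stores the address; nothing in it calls
  // InstallHook. Its signature is not visible here. The DLL source shown
  // earlier on this page exports HookFunction only, so Hook.dll is presumably
  // a different build - confirm which exports it really has.
end;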
这样无效啊!!,应怎么改下