
Thread: How to hide process by vb6?

  1. #1

    Thread Starter
    PowerPoster
    Join Date
    Jan 2020
    Posts
    3,725

    How to hide process by vb6?

    https://blog.csdn.net/wjn1206/article/details/8084630
    This link is only a learning reference.
    There may be many other ways.
    1. How to prevent a process from being terminated: a password prompt pops up, and the process can only be terminated if the password is entered correctly.
    2. For example, delete a row from the process list in Task Manager:
    locate ABC.exe and delete that row's data from the ListView control.
    Both the 64-bit and 32-bit controls typically need to be handled.

    The article also needs to cite the source of the content, which is a matter of respect for the author.

    There is some Chinese that can be ignored completely, or Google Translate handles 100% of it without affecting readability.


    How do I convert this VC code into VB6 code, or compile it into a DLL?
    The code is too long, so I can only copy part of it.
    I wouldn't need to post this link if there were an existing VB6 solution.



    Code:
    #include "stdafx.h"
    #include <windows.h>
    #include <Accctrl.h>
    #include <Aclapi.h>
    #include "HideProcess.h"

    // ntdll status handling: NTSTATUS values >= 0 are success codes
    #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
    #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
    #define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022L)

    typedef LONG NTSTATUS;

    // Native (ntdll) structures that the public SDK headers of the time did not expose
    typedef struct _IO_STATUS_BLOCK
    {
        NTSTATUS Status;
        ULONG Information;
    } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

    typedef struct _UNICODE_STRING
    {
        USHORT Length;         // in bytes, not characters
        USHORT MaximumLength;  // in bytes
        PWSTR Buffer;
    } UNICODE_STRING, *PUNICODE_STRING;

    // OBJECT_ATTRIBUTES.Attributes flags
    #define OBJ_INHERIT             0x00000002L
    #define OBJ_PERMANENT           0x00000010L
    #define OBJ_EXCLUSIVE           0x00000020L
    #define OBJ_CASE_INSENSITIVE    0x00000040L
    #define OBJ_OPENIF              0x00000080L
    #define OBJ_OPENLINK            0x00000100L
    #define OBJ_KERNEL_HANDLE       0x00000200L
    #define OBJ_VALID_ATTRIBUTES    0x000003F2L

    typedef struct _OBJECT_ATTRIBUTES
    {
        ULONG Length;                  // sizeof(OBJECT_ATTRIBUTES)
        HANDLE RootDirectory;
        PUNICODE_STRING ObjectName;    // e.g. L"\\Device\\PhysicalMemory"
        ULONG Attributes;
        PVOID SecurityDescriptor;
        PVOID SecurityQualityOfService;
    } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

    // Prototypes of the ntdll exports resolved at run time (they are __stdcall, which is what NTAPI expands to)
    typedef NTSTATUS (NTAPI* ZWOPENSECTION)(
        OUT PHANDLE SectionHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes
        );

    typedef VOID (NTAPI* RTLINITUNICODESTRING)(
        IN OUT PUNICODE_STRING DestinationString,
        IN PCWSTR SourceString
        );

    RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
    ZWOPENSECTION ZwOpenSection = NULL;
    HMODULE g_hNtDLL = NULL;
    PVOID g_pMapPhysicalMemory = NULL;   // mapped view of the section, filled in later by the (omitted) code
    HANDLE g_hMPM = NULL;                // section handle returned by ZwOpenSection
    OSVERSIONINFO g_osvi;

    //---------------------------------------------------------------------------
    // Resolve the ntdll entry points. ntdll is already mapped into every process,
    // so GetModuleHandleA is enough (and, unlike LoadLibrary("..."), it also builds
    // correctly when UNICODE is defined).
    BOOL InitNTDLL()
    {
        g_hNtDLL = GetModuleHandleA("ntdll.dll");

        if (NULL == g_hNtDLL)
            return FALSE;

        RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
        ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");

        // Fail if either export could not be found rather than calling a NULL pointer later
        return (RtlInitUnicodeString != NULL && ZwOpenSection != NULL);
    }
    Last edited by xiaoyao; Nov 28th, 2023 at 01:10 PM.

  2. #2
    Member Dragokas's Avatar
    Join Date
    Aug 2015
    Location
    Ukraine
    Posts
    740

    Re: How to hide process by vb6?

    Only a driver can open physical memory directly.

    What are you hiding from?
    Malware analyst, VirusNet developer, HiJackThis+ author || my CodeBank works

  3. #3
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,905

    Re: How to hide process by vb6?

    What is the value of that link? For one thing, it is untranslated Chinese, so it has to be translated for anybody else. If there is a question in the post, it would also have to be translated. If there isn't a question in the post, then the thread doesn't belong here and will be moved.
    My usual boring signature: Nothing

  4. #4

    Thread Starter
    PowerPoster
    Join Date
    Jan 2020
    Posts
    3,725

    Re: How to hide process by vb6?

    Quote Originally Posted by Shaggy Hiker View Post
    What is the value of that link? For one thing, it is untranslated Chinese, so it has to be translated for anybody else. If there is a question in the post, it would also have to be translated. If there isn't a question in the post, then the thread doesn't belong here and will be moved.
    That's VC code (*.h); the code itself has nothing to do with the Chinese language.

    Some of the introduction can be translated by Google Translate 90% successfully without affecting readability at all.
    ChatGPT and Google Translate can solve these language problems 100% perfectly.

    For me, the biggest obstacle is IP blocking, such as not being able to open Google's website in China.
    Or when I visit your forum it's very, very slow, and it takes 10 to 20 seconds for a page to open.

    It doesn't matter if you don't look at the author's explanation in Chinese.

    Sometimes the forum administrator does not look carefully, which is also a headache.

    First of all, I raised a question. If there were already a 100% solution, then I would definitely not ask; I would publish it to the CodeBank.
    Last edited by xiaoyao; Nov 28th, 2023 at 01:13 PM.

  5. #5
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    I partially agree. It's an interesting link and the code itself uses english names and comments. The question seems to be how to translate to VB, since it's C++.

    The larger issue is hiding a process from task manager is malicious behavior I can't think of any good reason to do, and I'm normally the first to defend 'dual use' questions that have legitimate uses but are often abused.

    For protecting against termination, I'm actually writing a program for this right now. It is, and must be, a kernel mode driver. You cannot do this in VB6, but you can in twinBASIC.

    Preview with key technical points:

    Code:
            Public Function DriverEntry(ByRef DriverObject As DRIVER_OBJECT, ByRef RegistryPath As UNICODE_STRING) As Long
                InitUserIOCTLs
                InitStrings
                DbgPrint StrPtr(dbgsEntry)
                
                'The fast mutex guards the protected-PID list. It is initialised once here and
                'must stay valid for as long as the callback is registered.
                ExInitializeFastMutex LockData.Lock
                Dim ntStatus As Long
                
                'Register a pre-operation callback for process handle creation and duplication
                Dim operation As OB_OPERATION_REGISTRATION
                operation.ObjectType = PsProcessType()
                'CopyMemory operation.ObjectType, ByVal PsProcessType, LenB(Of LongPtr)
                operation.Operations = OB_OPERATION_HANDLE_CREATE Or OB_OPERATION_HANDLE_DUPLICATE
                operation.PreOperation = AddressOf OnPreOpenProcess
                operation.PostOperation = 0
                
                Dim reg As OB_CALLBACK_REGISTRATION
                reg.Version = OB_FLT_REGISTRATION_VERSION
                reg.OperationRegistrationCount = 1
                reg.Altitude = usAltitude
                reg.RegistrationContext = 0
                reg.OperationRegistration = VarPtr(operation)
                
                ntStatus = ObRegisterCallbacks(reg, LockData.RegHandle)
                If NT_SUCCESS(ntStatus) = False Then
                    DbgPrint1 StrPtr(dbgsRegFail), ntStatus
                    Return ntStatus
                End If
                '... device creation and DriverUnload (which calls ObUnRegisterCallbacks) are omitted from this preview
                Return ntStatus
            End Function
    
            Public Function OnPreOpenProcess(ByVal RegistrationContext As LongPtr, info As OB_PRE_OPERATION_INFORMATION) As OB_PREOP_CALLBACK_STATUS
                'Never touch kernel handles: stripping rights from them can bluescreen the system
                If info.KernelHandle Then Return OB_PREOP_SUCCESS
                    
                Dim process As LongPtr = info.Object
                Dim pidF As LongPtr = PsGetProcessId(process)
                Dim pid As Long
                CopyMemory pid, pidF, 4 'CLng would overflow on x64 if the value exceeds max signed Long; truncate instead
                
                ExAcquireFastMutex LockData.Lock
                If ProcessAdded(pid) Then
                    'Without unions and proper pointer support, we have to come at this a little differently than C/C++:
                    'create a temporary instance of the union member, copy the actual data in (info.Parameters is a
                    'pointer, hence ByVal), then copy it back, having removed the PROCESS_TERMINATE access right.
                    'Both union members (create and duplicate) begin with DesiredAccess, so this works for either operation.
                    Dim tempParam As OB_PRE_CREATE_HANDLE_INFORMATION
                    CopyMemory tempParam, ByVal info.Parameters, LenB(Of OB_PRE_CREATE_HANDLE_INFORMATION)
                    tempParam.DesiredAccess = tempParam.DesiredAccess And Not PROCESS_TERMINATE
                    CopyMemory ByVal info.Parameters, tempParam, LenB(Of OB_PRE_CREATE_HANDLE_INFORMATION)
                End If
                ExReleaseFastMutex LockData.Lock
                'Do not ZeroMemory the mutex here: zeroing a FAST_MUTEX after every release leaves it in the locked state
                Return OB_PREOP_SUCCESS
            End Function
    This is a port of an example in Pavel Yosifovich's book Windows Kernel Programming.

    Basically, you place a callback for process creation, then remove the PROCESS_TERMINATE access right from anything that's not in kernel mode itself (if you try that, it will just bluescreen, terminating your process anyway).
    Last edited by fafalone; Nov 28th, 2023 at 02:33 PM.
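The callback approach fafalone describes above, as an added example in C that is neither his code nor the book's: the decision logic (which rights to strip, for which target PID, and the kernel-handle and self-open exceptions) is plain C that compiles and runs in user mode, while the ObRegisterCallbacks/DriverEntry glue is compiled only when BUILD_AS_DRIVER is defined in a WDK project. BUILD_AS_DRIVER itself, the placeholder altitude "370000", the 16-entry PID table and the assumption that PIDs reach ProtectPid() through an IOCTL handler not shown here are all assumptions of this example. It goes beyond the post's code in one way: besides PROCESS_TERMINATE it also strips PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION and PROCESS_VM_WRITE, because a process that can inject into the protected one can still kill it from the inside.

```c
/* Added example: the handle-access policy behind ObRegisterCallbacks-based
 * process protection. The policy is plain C and runs in user mode; the kernel
 * glue compiles only in a WDK build with BUILD_AS_DRIVER (an assumed macro). */
#include <stdint.h>

#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
typedef BOOLEAN KERNEL_FLAG;
static FAST_MUTEX g_Lock;                 /* pre-op callbacks run at PASSIVE_LEVEL */
#define LOCK()   ExAcquireFastMutex(&g_Lock)
#define UNLOCK() ExReleaseFastMutex(&g_Lock)
#else
/* Host-side stand-ins for the kernel types and constants the policy touches. */
typedef uint32_t  ACCESS_MASK;
typedef uintptr_t HANDLE;                 /* PIDs are HANDLE-typed in the kernel API */
typedef int       KERNEL_FLAG;
#define PROCESS_TERMINATE         0x0001
#define PROCESS_CREATE_THREAD     0x0002
#define PROCESS_VM_OPERATION      0x0008
#define PROCESS_VM_WRITE          0x0020
#define PROCESS_QUERY_INFORMATION 0x0400
#define LOCK()   ((void)0)
#define UNLOCK() ((void)0)
#endif

/* Rights that let another process kill us directly, or inject code and kill from inside. */
#define PROTECTED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
                          PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

#define MAX_PROTECTED 16                  /* assumed table size; 0 marks an empty slot */
static HANDLE g_Protected[MAX_PROTECTED];

/* Add a PID to the protected set: 1 on success, 0 when the table is full. */
int ProtectPid(HANDLE pid)
{
    int i, ok = 0;
    if (pid == 0) return 0;               /* PID 0 is the empty-slot marker */
    LOCK();
    for (i = 0; i < MAX_PROTECTED && !ok; i++)
        if (g_Protected[i] == 0 || g_Protected[i] == pid) { g_Protected[i] = pid; ok = 1; }
    UNLOCK();
    return ok;
}

int IsProtected(HANDLE pid)
{
    int i, found = 0;
    if (pid == 0) return 0;
    LOCK();
    for (i = 0; i < MAX_PROTECTED && !found; i++)
        found = (g_Protected[i] == pid);
    UNLOCK();
    return found;
}

/* The policy: the DesiredAccess that survives the pre-operation callback. Kernel
 * handles are never touched (denying the kernel its own access can crash the
 * machine), a process may always open itself, unprotected targets pass through. */
ACCESS_MASK FilterDesiredAccess(ACCESS_MASK desired, HANDLE targetPid,
                                HANDLE callerPid, KERNEL_FLAG kernelHandle)
{
    if (kernelHandle || callerPid == targetPid || !IsProtected(targetPid))
        return desired;
    return desired & ~(ACCESS_MASK)PROTECTED_RIGHTS;
}

#ifdef BUILD_AS_DRIVER
static PVOID g_RegHandle;

static OB_PREOP_CALLBACK_STATUS OnPreOpenProcess(PVOID ctx, POB_PRE_OPERATION_INFORMATION info)
{
    /* Both union members start with DesiredAccess; select the matching one anyway. */
    PACCESS_MASK access = (info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &info->Parameters->CreateHandleInformation.DesiredAccess
        : &info->Parameters->DuplicateHandleInformation.DesiredAccess;
    UNREFERENCED_PARAMETER(ctx);
    *access = FilterDesiredAccess(*access, PsGetProcessId((PEPROCESS)info->Object),
                                  PsGetCurrentProcessId(), (BOOLEAN)info->KernelHandle);
    return OB_PREOP_SUCCESS;
}

static VOID DriverUnload(PDRIVER_OBJECT drv)
{
    UNREFERENCED_PARAMETER(drv);
    if (g_RegHandle) ObUnRegisterCallbacks(g_RegHandle);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING regPath)
{
    OB_OPERATION_REGISTRATION op = { 0 };
    OB_CALLBACK_REGISTRATION reg = { 0 };
    UNREFERENCED_PARAMETER(regPath);
    ExInitializeFastMutex(&g_Lock);
    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = OnPreOpenProcess;
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration = &op;
    RtlInitUnicodeString(&reg.Altitude, L"370000");   /* placeholder altitude, assumed */
    drv->DriverUnload = DriverUnload;
    /* PIDs to protect arrive via an IOCTL handler (not shown) that calls ProtectPid(). */
    return ObRegisterCallbacks(&reg, &g_RegHandle);
}
#endif
```

Two practical notes: the driver image must be linked with /INTEGRITYCHECK, otherwise ObRegisterCallbacks fails with STATUS_ACCESS_DENIED; and the policy fails open, so a PID that was never passed to ProtectPid() keeps full access rather than breaking anything. As fafalone says below, this only defends against user-mode callers: another kernel driver, or anyone able to unload this one, is outside its threat model.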

  6. #6
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    The APIs and UDTs for the original post's link you can mostly find in my tbShellLib project (specifically if you don't want to use tB to access it, here in the main API file), they're trivially converted to VB6, just a couple extra syntax conveniences from tB.

    This isn't in there yet:

    Code:
    Public Declare PtrSafe Function NtOpenSection Lib "ntdll" (SectionHandle As LongPtr, [ TypeHint (StandardAccessTypes, NTSectionAccessRights) ] ByVal DesiredAccess As Long, ObjectAttributes As OBJECT_ATTRIBUTES) As NTSTATUS
    or, plain and unembellished for VB6:
    Code:
    Public Declare Function NtOpenSection Lib "ntdll" (SectionHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As OBJECT_ATTRIBUTES) As Long

    The rest are in there.

    The code linked is not a driver. Or at least, it's not running in kernel mode, because it imports from advapi32.dll, which you cannot do in a kernel mode driver. Usermode drivers exist. So you should use Nt* apis, not Zw* apis. Though they are the same if you're not a KM driver.

  7. #7
    Member Dragokas's Avatar
    Join Date
    Aug 2015
    Location
    Ukraine
    Posts
    740

    Re: How to hide process by vb6?

    Quote Originally Posted by fafalone View Post
    The larger issue is hiding a process from task manager is malicious behavior I can't think of any good reason to do, and I'm normally the first to defend 'dual use' questions that have legitimate uses but are often abused.
    It is sometimes useful when you try to hide monitor software from malware.

    P.S. Cool to know, you're already coding drivers ))
    Malware analyst, VirusNet developer, HiJackThis+ author || my CodeBank works

  8. #8
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    Trying to make a useful one.

    I actually made a proof-of-concept 'Hello world' driver for both VB6 and tB (the VB6 version only works on 32bit Windows-- that's a hard limit of VB6. There's no WOW64 32bit emulation for kernel mode, so it's for all practical purposes impossible to make a driver for Windows 64bit, though you could write in VB6 and compile with tB for x64).

    https://github.com/fafalone/HelloWorldDriver

    Based on The trick's MemReader driver; he's the one who originally figured out how to make them in VB6 (who else, lol).

  9. #9
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,905

    Re: How to hide process by vb6?

    Quote Originally Posted by fafalone View Post
    You cannot do this in VB6, but you can in twinBASIC.
    Obligate TB plug is obligatory
    My usual boring signature: Nothing

  10. #10
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    It's really an unprecedented situation... it's just not the same as telling people to do something in VB.NET or C++, which is usually unhelpful. It's the same language and can (mostly, pending bugs, a few unimplemented features, and substituting internals hacks) compile unmodified VB6 code, and you can of course opt to refrain from using any new syntax to keep code compatible with both. The only change required for the code I went on to post is using the old 'funcname = returnvalue' instead of 'Return returnvalue' and using LenB(variablename) instead of LenB(Of typename). I don't feel that syntactic sugar renders the code unhelpful to those wishing to pursue it in VB6; who'd only need tB to compile it for 64bit Windows, in the same way posting VB.NET/C++/etc code would. (Though even that would be helpful when no VBx/tB code exists, like the original link in this thread-- it's enough information that any advanced VB6 user could port it).
    Last edited by fafalone; Nov 28th, 2023 at 11:39 PM.

  11. #11
    Lively Member
    Join Date
    Nov 2023
    Posts
    75

    Re: How to hide process by vb6?

    How to protect your process from deletion:

    Code:
    'Native API NtSetInformationProcess by SqUeEzEr
    'Marks the calling process as a "critical" process: if it is terminated, Windows bluescreens.
    'WARNING: only run this compiled. Inside the VB6 IDE, GetCurrentProcess is VB6.EXE itself,
    'so closing the IDE would crash the machine.
    Option Explicit
    Private Const ANYSIZE_ARRAY = 1
    Private Const TOKEN_ADJUST_PRIVILEGES = &H20
    Private Const TOKEN_QUERY = &H8
    Private Const SE_PRIVILEGE_ENABLED = &H2
    Private Const ERROR_NOT_ALL_ASSIGNED = 1300&
    
    Private Type LUID
        LowPart As Long
        HighPart As Long
    End Type
    Private Type LUID_AND_ATTRIBUTES
        pLuid As LUID
        Attributes As Long
    End Type
    Private Type TOKEN_PRIVILEGES
        PrivilegeCount As Long
        Privileges(0 To ANYSIZE_ARRAY - 1) As LUID_AND_ATTRIBUTES
    End Type
    
    Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
    Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLUID As LUID) As Long
    Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
    Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    
    'Only SeDebugPrivilege is needed for ProcessBreakOnTermination (the other SE_* names in the original were unused)
    Private Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
    
    'THE API we need! Every parameter is a 32-bit value, so declare them As Long
    '(the original used Integer, which truncates the handle and the returned NTSTATUS).
    Private Declare Function NtSetInformationProcess Lib "ntdll.dll" (ByVal hProcess As Long, ByVal ProcessInformationClass As Long, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Long) As Long
    Private Const ProcessBreakOnTermination As Long = 29
    
    'Set (Value = True) or clear (Value = False) the critical flag. Returns True on success.
    Private Function MakeCritical(ByVal Phandle As Long, ByVal Value As Boolean) As Boolean
        Dim ProcessInfo As Long     'ULONG BreakOnTermination: 1 = critical, 0 = normal (not the info class number)
        Dim ntStatus As Long
        
        If GetPrivilegs(SE_DEBUG_NAME) = 0 Then Exit Function   'requires SeDebugPrivilege, i.e. an elevated process
        
        If Value Then ProcessInfo = 1& Else ProcessInfo = 0&
        
        ntStatus = NtSetInformationProcess(Phandle, ProcessBreakOnTermination, VarPtr(ProcessInfo), LenB(ProcessInfo))
        MakeCritical = (ntStatus >= 0)   'NTSTATUS: negative values are failures
    End Function
    
    'Enable one privilege in the current process token. Returns nonzero on success.
    Private Function GetPrivilegs(ByVal privilegio As String) As Long
        Dim lpLUID As LUID
        Dim lpToken As TOKEN_PRIVILEGES
        Dim lpAntToken As TOKEN_PRIVILEGES
        Dim hToken As Long
        Dim res As Long
        Dim lngRet As Long
        
        res = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
        If res = 0 Then Exit Function
        
        res = LookupPrivilegeValue(vbNullString, privilegio, lpLUID)
        If res <> 0 Then
            With lpToken
                .PrivilegeCount = 1
                .Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
                .Privileges(0).pLuid = lpLUID
            End With
            res = AdjustTokenPrivileges(hToken, False, lpToken, LenB(lpToken), lpAntToken, lngRet)
            'AdjustTokenPrivileges returns success even when the token does not hold the privilege
            '(the non-elevated case), so the last error must be checked as well
            If res <> 0 Then
                If Err.LastDllError = ERROR_NOT_ALL_ASSIGNED Then res = 0
            End If
        End If
        CloseHandle hToken
        GetPrivilegs = res
    End Function
    
    Private Sub Form_Load()
        If Not MakeCritical(GetCurrentProcess(), True) Then
            MsgBox "Could not mark the process as critical (run elevated)."
        End If
    End Sub
    
    Private Sub Form_Unload(Cancel As Integer)
        'Clear the flag before a normal exit; otherwise closing the form also bluescreens the system
        MakeCritical GetCurrentProcess(), False
    End Sub

  12. #12
    Lively Member
    Join Date
    Nov 2023
    Posts
    75

    Re: How to hide process by vb6?

    And by the way, you can even make any other process critical too. I tried; any running program can be.

  13. #13

  14. #14
    Lively Member
    Join Date
    Nov 2023
    Posts
    75

    Re: How to hide process by vb6?

    Quote Originally Posted by wqweto View Post
    Two questions:

    1. Is this the same code from here: https://www.vbforums.com/showthread....itical-Process

    2. Who is "SqUeEzEr"?

    ChEeRs,
    </wqw>
    Well, I'm sorry then. Most likely I copied this code from there. I do not know who this person is.

  15. #15
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    Of course, any other elevated user mode process can remove that flag and terminate anyway.

    Driver protects from even SYSTEM processes; only other KM drivers and the kernel itself can terminate.


    Also, doesn't this just BSOD the system when it terminates? Rather than fail with access denied?


    Finally, 99% sure that code is wrong. The original post wqweto linked to was from someone having trouble with it. I know *why* it's wrong and how to make it work, but I'm not sure you all aren't trying to make malware though.
    Last edited by fafalone; Nov 29th, 2023 at 04:27 AM.

  16. #16

    Thread Starter
    PowerPoster
    Join Date
    Jan 2020
    Posts
    3,725

    Re: How to hide process by vb6?

    If you use VC++ to call a kernel-mode driver to achieve process protection, hiding, or prevention of being closed (closing requires entering a password), VB6 can just call the DLL and the DLL calls the SYS driver. In any case, this is not a simple thing, but there will always be many people who need it, and not for illegal purposes.

    I have been infected with ransomware; the source code of the software I was developing was eaten by it.

    If you write a file-monitoring program, and a large number of file names are changed or file contents are modified, it shuts down automatically.
    If the hacker's software tries to shut down my software, the system automatically blue-screens, which is also a good way.
    Last edited by xiaoyao; Nov 29th, 2023 at 05:33 AM.

  17. #17

    Thread Starter
    PowerPoster
    Join Date
    Jan 2020
    Posts
    3,725

    Re: How to hide process by vb6?

    Quote Originally Posted by HackerVlad View Post
    How to protect your process from deletion:

    Code:
    'Native api NtSetInformationProcess by SqUeEzEr
    Option Explicit
    Private Const ANYSIZE_ARRAY = 1
    Private Const TOKEN_ADJUST_PRIVILEGES = &H20
    Private Const TOKEN_QUERY = &H8
    Private Const SE_PRIVILEGE_ENABLED = &H2
    
    
    Private Sub Form_Load()
        MakeCritical GetCurrentProcess, True
    End Sub
    I tried it this way. It didn't hide the process when I clicked End. It asked me whether I wanted to save something, and I chose Ignore. Then it could be closed, and the result was a blue screen.

    To prevent malicious shutdown, it's good to give a warning of illegal operation and shut down automatically.

  18. #18
    Lively Member
    Join Date
    Nov 2023
    Posts
    75

    Re: How to hide process by vb6?

    In fact, it is impossible to hide the process at all. Even if you hide it from the usual task manager, there are always third-party programs for terminating tasks.

  19. #19
    Member Dragokas's Avatar
    Join Date
    Aug 2015
    Location
    Ukraine
    Posts
    740

    Re: How to hide process by vb6?

    Quote Originally Posted by fafalone View Post
    Finally, 99% sure that code is wrong. The original post wqweto linked to was from someone having trouble with it. I know *why* it's wrong and how to make it work, but I'm not sure you all aren't trying to make malware though.
    Yeah, the structure is incorrect, and a lot of software is aware of it and knows how to "unlock" it. There is also a bug abused on Win7 that makes an app non-killable, but it makes the app unstable when accessing external objects like WMI.
    Although, to avoid detection by malware, it is worth obfuscating your software instead of attempting to hide it. Recently I made such a polymorph of a monitor and its driver just by using WinHex, to hide from Themida.
    Generally, I think this topic can only be of interest to malware creators or anti-malware creators/reverse engineers (how many such people are here?). I can't think of any other possible good use.
    Malware analyst, VirusNet developer, HiJackThis+ author || my CodeBank works

  20. #20
    Lively Member
    Join Date
    Nov 2023
    Posts
    75

    Re: How to hide process by vb6?

    Quote Originally Posted by Dragokas View Post
    Yeah, the structure is incorrect, and a lot of software is aware of it and knows how to "unlock" it. There is also a bug abused on Win7 that makes an app non-killable, but it makes the app unstable when accessing external objects like WMI.
    Although, to avoid detection by malware, it is worth obfuscating your software instead of attempting to hide it. Recently I made such a polymorph of a monitor and its driver just by using WinHex, to hide from Themida.
    Generally, I think this topic can only be of interest to malware creators or anti-malware creators/reverse engineers (how many such people are here?). I can't think of any other possible good use.
    I don't want to defend anyone, but I will say that there are times when it would be good to hide your process from all eyes. For example, for a program that limits the time spent working at a computer with a timer (for computer clubs, for example), so that a person could not destroy this program.

    If you used to go to computer clubs, you should remember that the time spent at the computer there was limited by the number of hours you bought.

    However, their timer programs used two processes that monitored each other. Well, I saw this in one of the computer clubs.

    I think that for the computers you have at work, there could also be such utility programs developed by the system administrator of your company's network, for any restrictions on employees' actions (so that people are engaged in work and not games).

  21. #21
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    If I ran a computer club, the user accounts wouldn't have admin privileges. So there would be no need for techniques designed to keep admins from killing it. There's documented, easier ways to prevent e.g. usage timers from being killed by unprivileged users.

  22. #22
    Lively Member
    Join Date
    Nov 2023
    Posts
    75

    Re: How to hide process by vb6?

    But what if computer users still need administrator rights?

  23. #23
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    Then there's far bigger problems with how the business is operating their network.

  24. #24

    Thread Starter
    PowerPoster
    Join Date
    Jan 2020
    Posts
    3,725

    Re: How to hide process by vb6?

    Quote Originally Posted by HackerVlad View Post
    How to protect your process from deletion:

    Code:
    'Native api NtSetInformationProcess by SqUeEzEr
    Option Explicit
    Private Const ANYSIZE_ARRAY = 1
    Private Const TOKEN_ADJUST_PRIVILEGES = &H20
    Private Const TOKEN_QUERY = &H8
    Private Const SE_PRIVILEGE_ENABLED = &H2
    
    
    Private Sub Form_Load()
        MakeCritical GetCurrentProcess, True
    End Sub
    After I ran this code, the computer crashed with a blue screen, and now the system crashes often. After reinstalling the system, it still sometimes crashes once or twice a day; I don't know why.
    Is the hard drive corrupted? Or is there something wrong with the motherboard?

  25. #25
    PowerPoster
    Join Date
    Jul 2010
    Location
    NYC
    Posts
    5,562

    Re: How to hide process by vb6?

    The code you are running is causing the intended effect. When ProcessBreakOnTermination is set, the computer blue screen crashes when that process is terminated.

  26. #26
    Member Dragokas's Avatar
    Join Date
    Aug 2015
    Location
    Ukraine
    Posts
    740

    Re: How to hide process by vb6?

    xiaoyao, you can certainly damage a hard drive through unexpected system shutdowns. Run a disk check.
    Also, I wouldn't run low-level API code when two people have told you it is incorrect.
    Malware analyst, VirusNet developer, HiJackThis+ author || my CodeBank works
