It is important for such joke programs that a normal user cannot find and stop them. With TCVirus hiding is simple: the method HideFromTaskManager removes the program's entry from the task manager, and the method Hide, called with the form's handle as parameter (Hide(Form1.Handle)), hides it from the screen and from the task list.

With the Win API this is harder. On Windows 9x/ME you can hide the program from the task manager by calling RegisterServiceProcess(GetCurrentProcessId, 1), but first you have to import the function. In Delphi you do this with the declaration

function RegisterServiceProcess(dwProcessId, dwType: DWORD): DWORD; stdcall; external 'KERNEL32.DLL';

However, once this line is in the program it no longer starts on anything newer than Windows ME: the kernel32.dll of the NT family does not export RegisterServiceProcess, so the loader cannot resolve the static import and refuses to start the executable. TCVirus does not have this problem because it loads the function dynamically with GetProcAddress and simply skips the call when the export is missing; how this works is explained in Assarbad's DLL Tutorial.

Another possibility, which also works only on Windows 9x, is to "remove" the program from the task manager by preventing the user from opening the task manager at all: pretending that a screen saver is running disables Ctrl+Alt+Del:

SystemParametersInfo(SPI_SCREENSAVERRUNNING, 1, nil, 0);

To re-enable the keys, call:

SystemParametersInfo(SPI_SCREENSAVERRUNNING, 0, nil, 0);

Achieving the same effect on NT systems is much more difficult; you would have to replace the GINA (Graphical Identification and Authentication DLL) or the keyboard driver. But most users do not know which processes run on their system, so if you name your program something like VeryImportantMouseDriver.exe they will not stop it.

Hiding the program from the task list (the taskbar) is much simpler: ShowWindow(Application.Handle, SW_HIDE). In Delphi, Application.Handle is the handle of the invisible application window that owns the taskbar button, not the handle of your main form; after the call the taskbar button disappears while the form itself is unaffected.
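The dynamic-loading approach described above, as an added example written for this page (it is not TCVirus code and not taken from Assarbad's tutorial): RegisterServiceProcess is resolved through GetProcAddress at run time, so the same executable loads on both Windows 9x and NT, and the function reports whether the call was possible instead of the loader refusing to start the program. The constant names RSP_SIMPLE_SERVICE and RSP_UNREGISTER_SERVICE and the helper names are this example's own; Windows, SysUtils and the VCL's Application.Handle are standard Delphi.

```delphi
program HideDemo;

{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

type
  // Signature of the Win9x-only export. It is resolved at run time instead
  // of being imported statically, so the executable still loads on NT.
  TRegisterServiceProcess = function(dwProcessId, dwType: DWORD): DWORD; stdcall;

const
  RSP_UNREGISTER_SERVICE = 0;   // example's own names for the dwType values
  RSP_SIMPLE_SERVICE     = 1;

// Tries to register (Hide = True) or unregister the current process as a
// "service process", which removes it from the Win9x task manager list.
// Returns True only if the export exists and the call succeeded; on the NT
// family GetProcAddress returns nil and the function reports False.
function TryHideFromTaskManager(Hide: Boolean): Boolean;
var
  Kernel32: HMODULE;
  RegisterServiceProcess: TRegisterServiceProcess;
  Mode: DWORD;
begin
  Result := False;
  // kernel32.dll is always mapped into the process, so GetModuleHandle is
  // enough and no LoadLibrary/FreeLibrary pair is needed.
  Kernel32 := GetModuleHandle('KERNEL32.DLL');
  if Kernel32 = 0 then
    Exit;
  @RegisterServiceProcess := GetProcAddress(Kernel32, 'RegisterServiceProcess');
  if not Assigned(RegisterServiceProcess) then
    Exit;                       // NT-based Windows: export is missing, do nothing
  if Hide then
    Mode := RSP_SIMPLE_SERVICE
  else
    Mode := RSP_UNREGISTER_SERVICE;
  Result := RegisterServiceProcess(GetCurrentProcessId, Mode) <> 0;
end;

// Hides the taskbar button of a VCL application. Call it with
// Application.Handle from a form-based program: that handle belongs to the
// hidden application window that owns the button, not to the main form.
procedure HideTaskbarButton(AppWindow: HWND);
begin
  ShowWindow(AppWindow, SW_HIDE);
end;

begin
  if Win32Platform = VER_PLATFORM_WIN32_WINDOWS then
    WriteLn('Windows 9x/ME: RegisterServiceProcess should be available')
  else
    WriteLn('Windows NT family: RegisterServiceProcess is not exported');

  if TryHideFromTaskManager(True) then
    WriteLn('process registered as service process (hidden from the Win9x task manager)')
  else
    WriteLn('RegisterServiceProcess unavailable or failed; nothing changed');
end.
```

The check `Assigned(RegisterServiceProcess)` is the whole point: a static `external 'KERNEL32.DLL'` import is resolved by the loader before any of your code runs, so there is no place to handle its absence, whereas a nil result from GetProcAddress can be handled like any other failed call.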
You can also change the LEDs on the keyboard. TCVirus has the method SetKeyBoardLEDs(numlock, caps, scroll) for this purpose; the parameters are Boolean values, True switches the LED on and False switches it off, and the order of the arguments is the order of the LEDs on the keyboard. With the Win API it works like this: first declare a variable of the keyboard-state array type (in Delphi TKeyboardState), then call GetKeyboardState with it to read the current keyboard state. Now set the state of the LEDs with keyState[LED code] := 0 or 1, where LED code is the virtual-key code of the LED (in keyboard order: VK_NUMLOCK, VK_CAPITAL and VK_SCROLL), and write the array back with SetKeyboardState. Note that SetKeyboardState only changes the keyboard state table of the calling thread; on Windows 9x this also switches the physical LEDs, but on NT-based systems it does not, and there you have to simulate a press of the corresponding key instead (keybd_event or SendInput).

Another very surprising effect is hiding the icons on the desktop. First you need the handle of the window that contains the icons. TCVirus returns it when you call GetIconDesktop. With the Win API you can write:

handle := FindWindowEx(FindWindowEx(FindWindow('Progman', nil), 0, 'SHELLDLL_DefView', nil), 0, 'SysListView32', nil);

This searches for the handle of the window "SysListView32" inside the window "SHELLDLL_DefView" inside the top-level window "Progman"; you can find these class names with tools such as APIV or Spy++. When you have the handle, hide the icons with:

EnableWindow(handle, False); SetWindowPos(handle, HWND_BOTTOM, 0, 0, 0, 0, SWP_NOMOVE or SWP_NOSIZE or SWP_HIDEWINDOW);

and show them again with:

EnableWindow(handle, True); SetWindowPos(handle, HWND_BOTTOM, 0, 0, 0, 0, SWP_NOMOVE or SWP_NOSIZE or SWP_SHOWWINDOW);

The EnableWindow call must be undone when the icons are shown again, otherwise they reappear but cannot be clicked; and without SWP_NOMOVE and SWP_NOSIZE, SetWindowPos would also move and resize the list view to the rectangle you pass (a 0x0 or 1x1 window), which is not what you want.

You can also have Windows start the program every time the computer boots, as long as you know the name and location of your program (ParamStr(0) gives you the full path). Write it into one of these registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The entry must be a string value whose data is the full path of the program (put it in quotes if the path contains spaces).
Delphi has registry classes (TRegistry in the Registry unit) that make this really simple; you can find more in the Delphi help. On an NT system you cannot write to the "local machine" key unless the user has administrator rights. An entry under "local machine", however, is run regardless of which user logs in, whereas an entry under "current user" runs only for the user who wrote it.
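The desktop-icon trick and the autostart entry from the two paragraphs above, combined into one added example written for this page (not TCVirus code). It walks the Progman window chain one step at a time so that a missing window yields 0 instead of being passed on as a parent, hides and shows the icons with the corrected flags, and writes the Run entry under HKLM first and falls back to HKCU when the user is not an administrator. The value name VeryImportantMouseDriver and the helper names are this example's own; Windows, SysUtils and Registry (TRegistry) are standard Delphi units. On later Windows versions SHELLDLL_DefView may sit under a WorkerW window instead of Progman, in which case the lookup returns 0 and the icon functions do nothing.

```delphi
program DesktopAndAutostart;

{$APPTYPE CONSOLE}

uses
  Windows, SysUtils, Registry;

// Progman -> SHELLDLL_DefView -> SysListView32, checked step by step.
function GetDesktopIconWindow: HWND;
var
  Progman, DefView: HWND;
begin
  Result := 0;
  Progman := FindWindow('Progman', nil);
  if Progman = 0 then Exit;
  DefView := FindWindowEx(Progman, 0, 'SHELLDLL_DefView', nil);
  if DefView = 0 then Exit;
  Result := FindWindowEx(DefView, 0, 'SysListView32', nil);
end;

// Hides or shows the desktop icons. SWP_NOMOVE/SWP_NOSIZE keep the list
// view's rectangle; without them SetWindowPos would resize it to the given
// size. EnableWindow is re-enabled on show so the icons are clickable again.
function SetDesktopIconsVisible(Visible: Boolean): Boolean;
var
  Icons: HWND;
  Flags: UINT;
begin
  Icons := GetDesktopIconWindow;
  Result := Icons <> 0;
  if not Result then Exit;
  if Visible then
    Flags := SWP_SHOWWINDOW
  else
    Flags := SWP_HIDEWINDOW;
  EnableWindow(Icons, Visible);
  SetWindowPos(Icons, HWND_BOTTOM, 0, 0, 0, 0,
    Flags or SWP_NOMOVE or SWP_NOSIZE or SWP_NOZORDER);
end;

// Registers the running executable under a Run key. HKLM (runs for every
// user) is tried first and fails for non-administrators on NT; then the entry
// goes under HKCU (runs only for the current user). Returns the root key
// actually used, or 0 if neither could be written.
function RegisterAutostart(const ValueName: string): HKEY;
const
  RunKey = '\Software\Microsoft\Windows\CurrentVersion\Run';
var
  Reg: TRegistry;
  Command: string;
begin
  Result := 0;
  Command := '"' + ParamStr(0) + '"';   // quoted in case the path has spaces
  Reg := TRegistry.Create(KEY_WRITE);   // ask only for what is needed
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    if Reg.OpenKey(RunKey, False) then  // False: the key always exists, never create it
    begin
      Reg.WriteString(ValueName, Command);
      Result := HKEY_LOCAL_MACHINE;
      Exit;
    end;
    Reg.RootKey := HKEY_CURRENT_USER;
    if Reg.OpenKey(RunKey, True) then
    begin
      Reg.WriteString(ValueName, Command);
      Result := HKEY_CURRENT_USER;
    end;
  finally
    Reg.Free;
  end;
end;

var
  Root: HKEY;
begin
  if SetDesktopIconsVisible(False) then
  begin
    WriteLn('desktop icons hidden, press Enter to show them again');
    ReadLn;
    SetDesktopIconsVisible(True);
  end
  else
    WriteLn('desktop icon window not found');

  Root := RegisterAutostart('VeryImportantMouseDriver');
  if Root = HKEY_LOCAL_MACHINE then
    WriteLn('autostart entry written for all users (HKLM)')
  else if Root = HKEY_CURRENT_USER then
    WriteLn('autostart entry written for the current user (HKCU)')
  else
    WriteLn('could not write an autostart entry');
end.
```

Opening the key with KEY_WRITE rather than the default KEY_ALL_ACCESS is what makes the HKLM attempt fail cleanly for a non-administrator: OpenKey returns False and the code moves on to HKCU instead of raising an exception from WriteString.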
Each entry in the kernel's process list (the ActiveProcessLinks field of the EPROCESS structure) has a Flink and a Blink pointer, which point to the next and previous process in the list. If you locate your target process, make the Flink and Blink of its two neighbours point to each other, and make the target's own Flink and Blink point back to itself, then everything that walks the list, such as Task Manager, Process Explorer and the other user-mode enumeration APIs, which all end up in NtQuerySystemInformation, simply skips over your process. This trick is called unlinking, or DKOM (direct kernel object manipulation). The self-pointing links are what keep the system stable afterwards: when the hidden process exits, the kernel's own unlink of the entry then rewrites only the entry's own two fields instead of corrupting its former neighbours. The process is invisible to the user and to list-based enumeration, but not to everything: a handle opened before the unlink still works, the process can still be opened by PID because that lookup goes through the PID handle table (PspCidTable) rather than the list, and its threads are still scheduled, which is why rootkit detectors compare several views of the system (list walk, PID table, scheduler thread lists) and flag a process that appears in one but not another. It is a very powerful rootkit technique, especially because it is difficult to recover from.
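To make the pointer manipulation concrete, here is an added example written for this page that simulates it in user mode with a doubly-linked list of the kernel's LIST_ENTRY shape (this is demonstration code, not a driver and not code from any rootkit). The record TDemoProcess, its field names and the PID values are constructed for the example; the list operations mirror the kernel's InsertTailList and RemoveEntryList. It shows three things the paragraph states: the list walk skips the unlinked entry, a pointer obtained before the unlink still reaches it, and a later RemoveEntryList on the self-linked entry leaves the list intact.

```delphi
program UnlinkDemo;

{$APPTYPE CONSOLE}

uses
  SysUtils;

type
  PListEntry = ^TListEntry;
  TListEntry = record
    Flink, Blink: PListEntry;
  end;

  // Stand-in for EPROCESS: the links are embedded in the middle of the
  // record, just as ActiveProcessLinks is in the real structure.
  PDemoProcess = ^TDemoProcess;
  TDemoProcess = record
    Pid: Cardinal;
    ImageName: string[15];
    ActiveProcessLinks: TListEntry;
  end;

// CONTAINING_RECORD: from the embedded links back to the owning record.
function ProcessFromLinks(Entry: PListEntry): PDemoProcess;
begin
  Result := PDemoProcess(PAnsiChar(Entry) -
    Integer(@PDemoProcess(nil)^.ActiveProcessLinks));
end;

procedure InitializeListHead(Head: PListEntry);
begin
  Head^.Flink := Head;
  Head^.Blink := Head;
end;

procedure InsertTailList(Head, Entry: PListEntry);
begin
  Entry^.Flink := Head;
  Entry^.Blink := Head^.Blink;
  Head^.Blink^.Flink := Entry;
  Head^.Blink := Entry;
end;

// What the kernel does to the entry when a process exits.
procedure RemoveEntryList(Entry: PListEntry);
begin
  Entry^.Blink^.Flink := Entry^.Flink;
  Entry^.Flink^.Blink := Entry^.Blink;
end;

// The rootkit trick: neighbours are joined around the target, and the target's
// own links point at itself so that RemoveEntryList on exit only rewrites the
// target's own fields and cannot corrupt the list it is no longer part of.
procedure UnlinkProcess(Proc: PDemoProcess);
var
  Links: PListEntry;
begin
  Links := @Proc^.ActiveProcessLinks;
  Links^.Blink^.Flink := Links^.Flink;
  Links^.Flink^.Blink := Links^.Blink;
  Links^.Flink := Links;
  Links^.Blink := Links;
end;

// The walk performed by process enumeration: follow Flink from the head
// until it comes back round to the head.
function EnumerateProcesses(Head: PListEntry): string;
var
  Entry: PListEntry;
  Proc: PDemoProcess;
begin
  Result := '';
  Entry := Head^.Flink;
  while Entry <> Head do
  begin
    Proc := ProcessFromLinks(Entry);
    Result := Result + Format('%d(%s) ', [Proc^.Pid, Proc^.ImageName]);
    Entry := Entry^.Flink;
  end;
  Result := Trim(Result);
end;

var
  ListHead: TListEntry;
  Procs: array[0..2] of TDemoProcess;   // constructed sample "processes"
  Hidden: PDemoProcess;
  I: Integer;
begin
  InitializeListHead(@ListHead);
  for I := 0 to 2 do
  begin
    Procs[I].Pid := 4 * (I + 1);
    Procs[I].ImageName := 'proc' + IntToStr(I);
    InsertTailList(@ListHead, @Procs[I].ActiveProcessLinks);
  end;
  WriteLn('before unlink: ', EnumerateProcesses(@ListHead));

  Hidden := @Procs[1];
  UnlinkProcess(Hidden);
  WriteLn('after unlink : ', EnumerateProcesses(@ListHead));

  // A pointer held from before the unlink still reaches the record, the
  // analogue of a handle opened earlier or a lookup through the PID table.
  WriteLn('direct access: ', Hidden^.Pid, ' ', Hidden^.ImageName);

  // Process exit: RemoveEntryList on the self-linked entry touches only
  // Hidden's own fields, and the remaining list is unchanged.
  RemoveEntryList(@Hidden^.ActiveProcessLinks);
  WriteLn('after exit   : ', EnumerateProcesses(@ListHead));
end.
```

Walk through UnlinkProcess with the middle process as the target and the three lines of output after the first are the whole argument: the walk no longer sees it, direct access still works, and exit does no damage. The same shape is why a cross-view check is the practical detector: the walk and the direct lookups disagree about which processes exist.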