// by Hellspawn
// just4fun
// Returns 1 when a process with the given PID is present in a Toolhelp
// process snapshot, 0 otherwise (also 0 when the snapshot cannot be taken).
// Note: a process that is hidden from Toolhelp enumeration is reported as 0,
// which is exactly what the caller relies on to spot hidden processes.
function CheckProcess(PID: dword): dword;
var
snap : THandle;
entry : tagPROCESSENTRY32;
more : Boolean;
begin
Result := 0;
snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if snap = INVALID_HANDLE_VALUE then
Exit;
// dwSize must be initialised before the first Process32First call
entry.dwSize := SizeOf(TProcessEntry32);
more := Process32First(snap, entry);
while more do
begin
if entry.th32ProcessID = PID then
begin
Result := 1;
Break;
end;
more := Process32Next(snap, entry);
end;
// the snapshot handle is released whether or not the PID was found
CloseHandle(snap);
end;
// Scans thread IDs 1..$FFFF, and for every thread whose owning process is
// neither the current process nor visible in a Toolhelp snapshot
// (CheckProcess = 0) and cannot be opened because access is denied, logs the
// owning PID and forces that thread to exit by pointing its Eip at
// kernel32!ExitThread. This is a destructive cross-process action: it is
// performed from outside the target process, is easily observable
// (OpenThread/OpenProcess/SetThreadContext on foreign threads), and does not
// report success or failure to its caller.
// Uses the x86 CONTEXT record (Eip), so it is 32-bit only.
procedure KillStongOD();
var
ThreadID : dword;
hProcess : dword;
hThread : dword;
dwTmp : dword;
dwRes : dword;
pBuf : THREAD_BASIC_INFORMATION;
Cont : TContext;
begin
For ThreadID := 1 to $FFFF do
begin
// query + get/set-context rights are needed for the context hijack below
hThread := OpenThread(THREAD_QUERY_INFORMATION or THREAD_GET_CONTEXT or THREAD_SET_CONTEXT,FALSE,ThreadID);
If (hThread <> 0) then
begin
// information class 0 = ThreadBasicInformation; yields the owning process ID in ClientId.UniqueProcess
dwRes := ZwQueryInformationThread(hThread,0,@pBuf,SizeOf(THREAD_BASIC_INFORMATION),@dwTmp);
If (dwRes = 0) then
begin
// only threads whose owner is not us and is absent from the process snapshot are examined
If (pBuf.ClientId.UniqueProcess<>GetCurrentProcessId) and (CheckProcess(pBuf.ClientId.UniqueProcess)=0)
then begin
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pBuf.ClientId.UniqueProcess);
If (hProcess <> 0) then
begin
// owner can be opened normally: nothing is done with it
CloseHandle(hProcess);
end else
begin
// GetLastError must be read immediately after the failed OpenProcess; 5 = ERROR_ACCESS_DENIED
If (GetLastError() = 5) then
begin
log('Hiden thread detected - Process ID: ' + IntToHex(pBuf.ClientId.UniqueProcess,8));
// only the control registers (including Eip) are fetched and rewritten
Cont.ContextFlags := CONTEXT_CONTROL;
If GetThreadContext(hThread,cont) then
begin
cont.Eip := DWORD(GetProcAddress(GetModuleHandle('kernel32'),'ExitThread'));
// NOTE(review): the SetThreadContext result is discarded, so a failed hijack is silently ignored
SetThreadContext(hThread,cont)
end;
end;
end;
end;
end;
// the thread handle is released on every path once opened
CloseHandle(hThread);
end;
end;
end;