用过卡巴斯基的朋友都知道，卡巴斯基的进程是无法杀掉的，在任务管理器中杀卡巴进程的话，会弹出一个消息框提示拒绝访问！那么这是怎么实现的呢？很简单，就是使用了HOOK API的方法。

我用delphi来写程序好了，先写个dll。

const 
PRG_NAME = 'ddos.exe';

var TerminateProcessNext : function (processHandle, exitCode: dword) : bool; stdcall; 
NtTerminateProcessNext : function (processHandle, exitCode: dword) : dword; stdcall; 


{$R *.res}
function ThisIsOurProcess(processHandle: dword) : boolean; 
var pid : dword; 
arrCh : array [0..MAX_PATH] of char; 
begin 
pid := ProcessHandleToId(processHandle); 
result := (pid <> 0) and ProcessIdToFileName(pid, arrCh) and 
(PosText(PRG_NAME, arrCh) > 0); 
end; 

function TerminateProcessCallback(processHandle, exitCode: dword) : bool; stdcall; 
begin 
if ThisIsOurProcess(processHandle) then 
begin 
result := false; 
SetLastError(ERROR_ACCESS_DENIED); 
end 
else 
result := TerminateProcessNext(processHandle, exitCode); 

end; 

function NtTerminateProcessCallback(processHandle, exitCode: dword) : dword; stdcall; 
const STATUS_ACCESS_DENIED = $C0000022; 
begin 
if ThisIsOurProcess(processHandle) then 
begin 
result := STATUS_ACCESS_DENIED 
end 
else 
result := NtTerminateProcessNext(processHandle, exitCode); 
end; 

begin
if GetVersion and $80000000 = 0 then 
HookAPI( 'ntdll.dll', 'NtTerminateProcess', @NtTerminateProcessCallback, @NtTerminateProcessNext) 
else HookAPI('kernel32.dll', 'TerminateProcess', @TerminateProcessCallback, @TerminateProcessNext); 
end.

再写个exe调用这个dll，把这个dll插入到系统进程中去。

procedure inject; 
begin 
try 
if not InjectLibrary((CURRENT_SESSION or CURRENT_PROCESS), 'hook.dll') then 
begin
ExitProcess(0); //如果没有把hook.dll插入到进程中去，那么程序就自动关闭
end; 
except 
// 
end; 
end;


procedure uninject; //把hook.dll从插入的进程中卸载掉
begin 
try 
UninjectLibrary((CURRENT_SESSION or CURRENT_PROCESS), 'hook.dll');
except 
end; 
end; 


procedure TForm1.FormCreate(Sender: TObject);
begin
inject; //程序一启动就插入dll
end;

procedure TForm1.FormDestroy(Sender: TObject);
begin
uninject; //程序退出把dll从进程中卸载，保护进程功能也就失效了。
end;