
win32模块隐藏

作者: Fa1se003 | 来源:发表于2017-05-23 10:41 被阅读56次
    // 999.cpp : Defines the entry point for the console application.
    //
    
    #include "stdafx.h"
    #include <windows.h>  
    
    // Hand-declared copy of the native UNICODE_STRING: a counted wide string
    // (Length and MaximumLength are byte counts in the documented Windows
    // type). This program only reads Buffer, via printf("%ls") and wcsicmp,
    // both of which assume a NUL terminator that a counted string does not
    // itself guarantee.
    typedef struct _UNICODE_STRING {  
        USHORT  Length;         // bytes in use
        USHORT  MaximumLength;  // bytes allocated for Buffer
        PWSTR  Buffer;          // wide-char data; not necessarily NUL-terminated
    } UNICODE_STRING, *PUNICODE_STRING;  
    
    
    // Hand-declared PEB_LDR_DATA (the structure PEB.Ldr points to). main()
    // reads only the three LIST_ENTRY heads; the leading fields exist purely
    // to place those heads at their real offsets. Their names here are the
    // author's own and nothing below depends on their meaning.
    typedef struct _PEB_LDR_DATA 
    {  
        DWORD dwLength;                             // unused by this program
        DWORD dwInitialized;                        // unused by this program
        LPVOID lpSsHandle;                          // unused by this program
        LIST_ENTRY InLoadOrderModuleList;           // list head; walked and edited by main()
        LIST_ENTRY InMemoryOrderModuleList;         // list head; not touched in this listing
        LIST_ENTRY InInitializationOrderModuleList; // list head; not touched in this listing
        LPVOID lpEntryInProgress;                   // unused by this program
    } PEB_LDR_DATA, * PPEB_LDR_DATA;  
    
    
    // Hand-declared LDR_DATA_TABLE_ENTRY: one node per loaded module, linked
    // into all three PEB_LDR_DATA lists at once. main() casts a PLIST_ENTRY
    // taken from InLoadOrderModuleList directly to this type, which is only
    // valid because InLoadOrderLinks is the first member (offset 0).
    // NOTE(review): the fields after BaseDllName are never read by this
    // program; their layout is version-dependent, so confirm against the
    // target OS before relying on any of them.
    typedef struct _LDR_DATA_TABLE_ENTRY  
    {  
       LIST_ENTRY InLoadOrderLinks;            // offset 0: this node's link in InLoadOrderModuleList
       LIST_ENTRY InMemoryOrderLinks;          // this node's link in InMemoryOrderModuleList
       LIST_ENTRY InInitializationOrderLinks;  // this node's link in InInitializationOrderModuleList
       PVOID DllBase;  
       PVOID EntryPoint;  
       DWORD SizeOfImage;  
       UNICODE_STRING FullDllName;  
       UNICODE_STRING BaseDllName;  // module name; compared against L"kernel32.dll" and printed by main()
       DWORD Flags;  
       WORD LoadCount;  
       WORD TlsIndex;  
       LIST_ENTRY HashLinks;  
       PVOID SectionPointer;  
       DWORD CheckSum;  
       DWORD TimeDateStamp;  
       PVOID LoadedImports;  
       PVOID EntryPointActivationContext;  
       PVOID PatchInformation;  
    }LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;  
    
    /*
     * Walks the current process's in-load-order module list, prints each
     * module's base name, unlinks the entry named kernel32.dll from that one
     * list, then prints the list again so the removal is visible.
     * argc/argv are unused; returns 0 unconditionally.
     *
     * Review notes:
     *  - 32-bit only: MSVC `__asm` with eax and FS-relative addressing is not
     *    available when compiling for x64, and 0x30/0x0c are x86 offsets.
     *  - Only InLoadOrderModuleList is edited. InMemoryOrderModuleList and
     *    InInitializationOrderModuleList still reference the module, and the
     *    image itself stays mapped, so comparing the three lists with each
     *    other or with the mapped memory regions still reveals the entry.
     *  - The loader lock is not taken; a concurrent DLL load/unload on
     *    another thread while the links are rewritten can corrupt the list.
     */
    int main(int argc, char* argv[])
    {
        // Despite the name, this receives PEB.Ldr (a PEB_LDR_DATA*), not the PEB.
        PPEB_LDR_DATA peb ;
        // x86: FS:[0x30] is the TEB's pointer to the PEB; PEB+0x0c is PEB.Ldr.
        __asm
            {
                mov eax , FS:[0x30] //peb
                mov eax , [eax + 0x0c] //peb ldr data
                mov peb , eax
            }
        // The list head lives inside PEB_LDR_DATA itself and the list is
        // circular, so the walk ends when Flink returns to the head. The head
        // is never cast to an LDR entry, so its (non-existent) BaseDllName is
        // never dereferenced.
        PLIST_ENTRY pebStartAddress = &(peb->InLoadOrderModuleList);
        PLIST_ENTRY curEntry = peb->InLoadOrderModuleList.Flink; // first module
        do 
        {
            // Valid only because InLoadOrderLinks is the first member of
            // LDR_DATA_TABLE_ENTRY (offset 0).
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)curEntry;
            // NOTE(review): "%ls" assumes Buffer is NUL-terminated; UNICODE_STRING
            // is length-counted, so "%.*ls" with Length / sizeof(WCHAR) is safer.
            printf("%ls\n",ldr->BaseDllName.Buffer);
    
            wchar_t *ch=L"kernel32.dll";
            // Case-insensitive match on the base file name only (no path).
            if(wcsicmp(ch,ldr->BaseDllName.Buffer)==0)
            {
                // Splice this node out of the circular list by pointing its two
                // neighbours at each other. The node's own Flink/Blink are left
                // intact, which is what lets `curEntry = curEntry->Flink` below
                // keep walking immediately after the unlink.
                curEntry->Blink->Flink = curEntry->Flink;
                curEntry->Flink->Blink = curEntry->Blink;
            }
            else
            {
                // Not the target module; links are left untouched.
            }
    
    
            curEntry = curEntry->Flink;
        } while (curEntry != pebStartAddress);
    
        printf("--------------------------------------\n");
    
        // Second pass over the same list: the unlinked node no longer appears.
        curEntry = peb->InLoadOrderModuleList.Flink; // first module
        do 
        {
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)curEntry;
            printf("%ls\n",ldr->BaseDllName.Buffer);
            curEntry = curEntry->Flink;
        } while (curEntry != pebStartAddress);
        
        return 0;
    }
    
    

    三个链表都隐藏

    // HideDll.cpp : Defines the entry point for the console application.
    //
    #include "stdafx.h"
    #include <windows.h>
    // Hand-declared counted wide string (Length/MaximumLength are byte counts
    // in the documented Windows type). It is declared under the LSA name but
    // also typedef'd as UNICODE_STRING, so it would collide with the SDK's own
    // definition if winternl.h or ntsecapi.h were ever included. Only Buffer
    // is read below (printf "%ls" / wcsicmp), which assumes a NUL terminator.
    typedef struct _LSA_UNICODE_STRING {
        USHORT Length;        // bytes in use
        USHORT MaximumLength; // bytes allocated for Buffer
        PWSTR  Buffer;        // wide-char data; not necessarily NUL-terminated
    } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
    
    // Hand-declared PEB_LDR_DATA (the structure PEB.Ldr points to). main()
    // walks all three LIST_ENTRY heads; the leading fields exist only to put
    // those heads at their real offsets, and their names here are the
    // author's own — nothing below relies on their meaning.
    typedef struct _PEB_LDR_DATA 
    {  
        DWORD dwLength;                             // unused by this program
        DWORD dwInitialized;                        // unused by this program
        LPVOID lpSsHandle;                          // unused by this program
        LIST_ENTRY InLoadOrderModuleList;           // list head; nodes are LDR entries at offset 0
        LIST_ENTRY InMemoryOrderModuleList;         // list head; nodes are LDR entries at offset 8
        LIST_ENTRY InInitializationOrderModuleList; // list head; nodes are LDR entries at offset 16
        LPVOID lpEntryInProgress;                   // unused by this program
    } PEB_LDR_DATA, * PPEB_LDR_DATA;  
    
    // Hand-declared LDR_DATA_TABLE_ENTRY, truncated after BaseDllName — enough
    // for the fields main() reads. The three LIST_ENTRY members link the same
    // node into the three PEB_LDR_DATA lists; main() recovers the node from a
    // list pointer by subtracting the member's offset (0, 0x8, 0x8*2 on x86,
    // where a LIST_ENTRY is two 4-byte pointers).
    // The second and third members are named after the list heads here rather
    // than *Links as in the first listing; the layout is the same.
    typedef struct _LDR_DATA_TABLE_ENTRY
    {
        LIST_ENTRY InLoadOrderLinks;                // offset 0
        LIST_ENTRY InMemoryOrderModuleList;         // offset 0x8 on x86
        LIST_ENTRY InInitializationOrderModuleList; // offset 0x8*2 on x86
        PVOID DllBase;
        PVOID EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING FullDllName;
        UNICODE_STRING BaseDllName;                 // compared against L"kernel32.dll" and printed by main()
        
    } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
    
    /*
     * Prints the current process's module list three times (memory order,
     * load order, initialization order), unlinks the entry named kernel32.dll
     * from all three PEB_LDR_DATA lists, then prints each list again so the
     * removal is visible. argc/argv are unused; returns 0 unconditionally.
     *
     * Review notes:
     *  - 32-bit only: MSVC `__asm` with eax/FS-relative addressing and the
     *    (DWORD) pointer arithmetic below do not build for x64.
     *  - The literals 0x30, 0x0c, 0x8 and 0x8*2 are x86 offsets into
     *    TEB/PEB/LDR_DATA_TABLE_ENTRY; CONTAINING_RECORD from windows.h
     *    would express the entry recovery without hard-coded numbers.
     *  - The loader lock is not taken while the links are rewritten, so a
     *    concurrent DLL load/unload on another thread can corrupt the lists.
     *  - Only the list links change: the module's image stays mapped and its
     *    LDR entry stays allocated, so memory-region enumeration still shows
     *    it even though all three lists no longer do.
     */
    int main(int argc, char* argv[])
    {
        // Despite the name, this receives PEB.Ldr (a PEB_LDR_DATA*), not the PEB.
        PPEB_LDR_DATA peb = NULL;
        // x86: FS:[0x30] is the TEB's pointer to the PEB; PEB+0x0c is PEB.Ldr.
        __asm
        {
                mov eax , FS:[0x30] //peb
                mov eax , [eax + 0x0c] //peb ldr data
                mov peb , eax
        }
    
        printf("\n--------Memory----------\n");
    
        // Pass 1: memory-order list. A pointer from this list points at the
        // node's second LIST_ENTRY, 0x8 bytes into the entry, hence the
        // subtraction. Each list is circular and ends back at its head, which
        // is never itself treated as an LDR entry.
        PLIST_ENTRY header1 =  &(peb->InMemoryOrderModuleList);
        PLIST_ENTRY current1 = peb->InMemoryOrderModuleList.Flink;       
        do 
        {
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)((DWORD)current1 - 0x8);
            
            // NOTE(review): "%ls" assumes Buffer is NUL-terminated; UNICODE_STRING
            // is length-counted, so "%.*ls" with Length / sizeof(WCHAR) is safer.
            printf("%ls\n",ldr->BaseDllName.Buffer);
            
            current1 = current1->Flink;
        } while (current1 != header1);
        
        printf("\n--------Load----------\n");
        // Pass 2: load-order list. InLoadOrderLinks is the first member, so the
        // list pointer is already the entry pointer.
        PLIST_ENTRY header2 =  &(peb->InLoadOrderModuleList);
        PLIST_ENTRY current2 = peb->InLoadOrderModuleList.Flink;      
        do 
        {
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)current2;
            
            printf("%ls\n",ldr->BaseDllName.Buffer);
            
            current2 = current2->Flink;
        } while (current2 != header2);
        
        
        printf("\n--------Init----------\n");
        // Pass 3: initialization-order list; its LIST_ENTRY is the third
        // member, 0x8*2 bytes into the entry.
        PLIST_ENTRY header3 =  &(peb->InInitializationOrderModuleList);
        PLIST_ENTRY current3 = peb->InInitializationOrderModuleList.Flink;       
        do 
        {
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)((DWORD)current3 - 0x8*2);
            
            printf("%ls\n",ldr->BaseDllName.Buffer);
            
            current3 = current3->Flink;  
        } while (current3 != header3);
        
        
        printf("\n---------隐藏--------\n\n");
    
        // Walk the load-order list and, for the node whose base name matches
        // kernel32.dll (case-insensitive), splice it out of all three lists by
        // pointing each pair of neighbours at each other. The node's own link
        // fields are left unchanged, which is why `current = current->Flink`
        // still advances correctly right after the unlink.
        PLIST_ENTRY header =  &(peb->InLoadOrderModuleList);
        PLIST_ENTRY current = peb->InLoadOrderModuleList.Flink;        
        do 
        {
            PLDR_DATA_TABLE_ENTRY tmp = (PLDR_DATA_TABLE_ENTRY)current;
            
            wchar_t *ch = L"kernel32.dll";
            
            if(wcsicmp(ch,tmp->BaseDllName.Buffer)==0)
            {
                // load-order list
                tmp->InLoadOrderLinks.Flink->Blink = tmp->InLoadOrderLinks.Blink;
                tmp->InLoadOrderLinks.Blink->Flink = tmp->InLoadOrderLinks.Flink;
                
                // memory-order list
                tmp->InMemoryOrderModuleList.Flink->Blink = tmp->InMemoryOrderModuleList.Blink;
                tmp->InMemoryOrderModuleList.Blink->Flink = tmp->InMemoryOrderModuleList.Flink;
    
                // initialization-order list
                tmp->InInitializationOrderModuleList.Flink->Blink = tmp->InInitializationOrderModuleList.Blink;
                tmp->InInitializationOrderModuleList.Blink->Flink = tmp->InInitializationOrderModuleList.Flink;
            }
            current = current->Flink;
            
        } while (current != header);
        
        // Re-walk each list; the unlinked node should be absent from all three.
        printf("\n---------Hide Load--------\n");
        current = peb->InLoadOrderModuleList.Flink;
        do 
        {
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)current;
            printf("%ls\n",ldr->BaseDllName.Buffer);
            current = current->Flink;
        } while (current != header);
        
        
        printf("\n---------Hide Memory--------\n");
        current1 = peb->InMemoryOrderModuleList.Flink;       
        do 
        {
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)((DWORD)current1 - 0x8) ;
            
            printf("%ls\n",ldr->BaseDllName.Buffer);
            
            current1 = current1->Flink;
        } while (current1 != header1);
        
        printf("\n--------Hide Init----------\n");
        current3 = peb->InInitializationOrderModuleList.Flink;       
        do 
        {
            PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)((DWORD)current3 - 0x8*2);
            
            printf("%ls\n",ldr->BaseDllName.Buffer);
            
            current3 = current3->Flink;  
        } while (current3 != header3);
    
        
        // Pause so the console output can be read; the trailing printf is a
        // leftover from the project template.
        getchar();
        printf("Hello World!\n");
        return 0;
    }
    

    这个例子只隐藏3环当前进程中的模块,隐藏其他进程中的模块同理。


