VC++隐藏dll代码
/*----------------------------------------------------*
 * Function: HideDllFromPEB
 * Purpose:  unlink one module's LDR_DATA_TABLE_ENTRY from the PEB loader
 *           lists (InLoadOrder, InMemoryOrder, InInitializationOrder and
 *           HashLinks) so that list-based module enumeration no longer
 *           reports it.
 * Params:   szDllName : ANSI module name, compared against BaseDllName
 *           dwLength  : length of szDllName, not counting the terminator
 * Returns:  TRUE (found and unlinked), FALSE (not found / name too long)
 *
 * NOTE(review): this listing is extraction-damaged — several bracketed
 * expressions have lost their "[...]" (see inline notes), so it does not
 * compile as shown and is kept byte-for-byte as an artefact.
 * NOTE(review): from a defender's side this is a cross-view inconsistency:
 * the module is still mapped and still has a LDR_DATA_TABLE_ENTRY, only
 * the list links are cut, so comparing loader-list output with another
 * view of the process (memory regions, kernel-side module data) is the
 * usual way such hiding is detected.
 -----------------------------------------------------*/
BOOL HideDllFromPEB(CONST PCHAR szDllName,
                    DWORD dwLength)
{
    PPEB pPeb;
    PLIST_ENTRY entry;
    PLIST_ENTRY pTempEntry;
    DWORD dwTranLen;                 // chars written by WideCharToMultiByte
    PLDR_DATA_TABLE_ENTRY pLdrEntry;
    BOOL bRet;
    // NOTE(review): used below as a WideCharToMultiByte output buffer and as
    // a strcmp operand, so an array bound appears to have been dropped by
    // extraction; as written this is a single char.
    char DllName;
    // Reject names that would not fit in the MAX_PATH-1 conversion buffer.
    if(dwLength > MAX_PATH - 1)
    {
        return FALSE;
    }
    // Reads the PEB pointer out of the TEB via the FS segment (x86 only).
    // NOTE(review): both operands lost their "[...]" in extraction — the
    // source offset and the destination (pPeb) are incomplete here.
    __asm
    {
        mov eax, fs:
        mov , eax
    }
    // TODO (original author): EnterCriticalSection(pPeb->LoadLock).
    // NOTE(review): the lists are walked and relinked without the loader
    // lock, so a concurrent module load/unload races with this traversal.
    bRet = FALSE;
    // Pass 1: walk the in-load-order list.
    for(entry = pPeb->Ldr->InLoadOrderModuleList.Flink;
        entry != &pPeb->Ldr->InLoadOrderModuleList;
        entry = entry->Flink)
    {
        pLdrEntry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        // TryRread: helper not shown in this listing; presumably probes that
        // the name buffer is readable before it is dereferenced — confirm.
        if(TryRread(pLdrEntry->BaseDllName.Buffer, pLdrEntry->BaseDllName.Length))
        {
            // BaseDllName.Length is in bytes, hence the /2 for the WCHAR count.
            dwTranLen = WideCharToMultiByte(CP_ACP,
                                            0,
                                            pLdrEntry->BaseDllName.Buffer,
                                            pLdrEntry->BaseDllName.Length / 2,
                                            DllName,
                                            MAX_PATH - 1,
                                            NULL,
                                            NULL);
            if(dwTranLen * 2 == pLdrEntry->BaseDllName.Length)
            {
                // Source was not NUL-terminated, so no terminator was
                // converted; append one ourselves.
                // NOTE(review): the index on the left-hand side was lost in
                // extraction.
                DllName = '\0';
                dwTranLen++;
            }
            // Only proceed if the conversion consumed the whole name. If
            // WideCharToMultiByte failed (returned 0), dwTranLen - 1 wraps as a
            // DWORD and this comparison cannot match, so the entry is skipped.
            if((dwTranLen - 1) * 2 == pLdrEntry->BaseDllName.Length)
            {
                // strcmp is case-sensitive: the caller's name must match the
                // casing stored in BaseDllName exactly.
                if(strcmp(szDllName, DllName) == 0)
                {
                    // Found the module: splice this entry out of the list we
                    // are walking. entry->Flink is left intact, so the loop's
                    // increment still works after the splice.
                    entry->Flink->Blink = entry->Blink;
                    entry->Blink->Flink = entry->Flink;
                    // The other three lists this entry is linked into.
                    pTempEntry = &pLdrEntry->InMemoryOrderModuleList;
                    pTempEntry->Flink->Blink = pTempEntry->Blink;
                    pTempEntry->Blink->Flink = pTempEntry->Flink;
                    pTempEntry = &pLdrEntry->InInitializationOrderModuleList;
                    pTempEntry->Flink->Blink = pTempEntry->Blink;
                    pTempEntry->Blink->Flink = pTempEntry->Flink;
                    pTempEntry = &pLdrEntry->HashLinks;
                    // LdrpHashTable has several buckets (count lost in
                    // extraction), so an entry's HashLinks may be an empty list.
                    if(!IsListEmpty(pTempEntry))
                    {
                        pTempEntry->Flink->Blink = pTempEntry->Blink;
                        pTempEntry->Blink->Flink = pTempEntry->Flink;
                    }
                    bRet = TRUE;
                }
            }
        }
    }
    // To be safe, the remaining two lists are scanned as well (same logic,
    // different CONTAINING_RECORD anchor and a different set of "other" lists).
    // Pass 2: walk the in-memory-order list.
    for(entry = pPeb->Ldr->InMemoryOrderModuleList.Flink;
        entry != &pPeb->Ldr->InMemoryOrderModuleList;
        entry = entry->Flink)
    {
        pLdrEntry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InMemoryOrderModuleList);
        if(TryRread(pLdrEntry->BaseDllName.Buffer, pLdrEntry->BaseDllName.Length))
        {
            dwTranLen = WideCharToMultiByte(CP_ACP,
                                            0,
                                            pLdrEntry->BaseDllName.Buffer,
                                            pLdrEntry->BaseDllName.Length / 2,
                                            DllName,
                                            MAX_PATH - 1,
                                            NULL,
                                            NULL);
            if(dwTranLen * 2 == pLdrEntry->BaseDllName.Length)
            {
                // No terminator was converted; append one.
                // NOTE(review): index lost in extraction, as in pass 1.
                DllName = '\0';
                dwTranLen++;
            }
            if((dwTranLen - 1) * 2 == pLdrEntry->BaseDllName.Length)
            {
                if(strcmp(szDllName, DllName) == 0)
                {
                    // Found the module: splice it out of this list.
                    entry->Flink->Blink = entry->Blink;
                    entry->Blink->Flink = entry->Flink;
                    // The other three lists.
                    pTempEntry = &pLdrEntry->InLoadOrderLinks;
                    pTempEntry->Flink->Blink = pTempEntry->Blink;
                    pTempEntry->Blink->Flink = pTempEntry->Flink;
                    pTempEntry = &pLdrEntry->InInitializationOrderModuleList;
                    pTempEntry->Flink->Blink = pTempEntry->Blink;
                    pTempEntry->Blink->Flink = pTempEntry->Flink;
                    pTempEntry = &pLdrEntry->HashLinks;
                    if(!IsListEmpty(pTempEntry))
                    {
                        pTempEntry->Flink->Blink = pTempEntry->Blink;
                        pTempEntry->Blink->Flink = pTempEntry->Flink;
                    }
                    bRet = TRUE;
                }
            }
        }
    }
    // Pass 3: walk the in-initialization-order list.
    for(entry = pPeb->Ldr->InInitializationOrderModuleList.Flink;
        entry != &pPeb->Ldr->InInitializationOrderModuleList;
        entry = entry->Flink)
    {
        pLdrEntry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InInitializationOrderModuleList);
        if(TryRread(pLdrEntry->BaseDllName.Buffer, pLdrEntry->BaseDllName.Length))
        {
            dwTranLen = WideCharToMultiByte(CP_ACP,
                                            0,
                                            pLdrEntry->BaseDllName.Buffer,
                                            pLdrEntry->BaseDllName.Length / 2,
                                            DllName,
                                            MAX_PATH - 1,
                                            NULL,
                                            NULL);
            if(dwTranLen * 2 == pLdrEntry->BaseDllName.Length)
            {
                // No terminator was converted; append one.
                // NOTE(review): index lost in extraction, as in pass 1.
                DllName = '\0';
                dwTranLen++;
            }
            if((dwTranLen - 1) * 2 == pLdrEntry->BaseDllName.Length)
            {
                if(strcmp(szDllName, DllName) == 0)
                {
                    // Found the module: splice it out of this list.
                    entry->Flink->Blink = entry->Blink;
                    entry->Blink->Flink = entry->Flink;
                    // The other three lists.
                    pTempEntry = &pLdrEntry->InLoadOrderLinks;
                    pTempEntry->Flink->Blink = pTempEntry->Blink;
                    pTempEntry->Blink->Flink = pTempEntry->Flink;
                    pTempEntry = &pLdrEntry->InMemoryOrderModuleList;
                    pTempEntry->Flink->Blink = pTempEntry->Blink;
                    pTempEntry->Blink->Flink = pTempEntry->Flink;
                    pTempEntry = &pLdrEntry->HashLinks;
                    if(!IsListEmpty(pTempEntry))
                    {
                        pTempEntry->Flink->Blink = pTempEntry->Blink;
                        pTempEntry->Blink->Flink = pTempEntry->Flink;
                    }
                    bRet = TRUE;
                }
            }
        }
    }
    // TODO (original author): LeaveCriticalSection(pPeb->LoadLock).
    // LdrpHashTable is the awkward part (original author's remark).
    // The author's reading: if HideFromLdrpHashTable (not shown here) now
    // fails, the hash link was already cut by the passes above, which they
    // take as confirmation of success. The message below is printed only
    // when that failure coincides with GetModuleHandle no longer finding the
    // name and bRet being TRUE.
    if(!HideFromLdrpHashTable(szDllName, dwLength) &&
       0 == GetModuleHandle(szDllName) && bRet)
    {
        printf("HideDllFromPEB()->HideFromLdrpHashTable失败, 这标志着dll成功被隐藏\n");
    }
    return bRet;
}