- /*----------------------------------------------------
- * Function:  HideDllFromPEB
- * Purpose:   remove a module's LDR_DATA_TABLE_ENTRY from the PEB loader
- *            lists (InLoadOrder, InMemoryOrder, InInitializationOrder,
- *            HashLinks) so it is no longer enumerable through them.
- * Params:    szDllName : DLL name; must be NUL-terminated (compared with strcmp)
- *            dwLength  : length of szDllName in chars, excluding the terminator
- * Returns:   TRUE if at least one matching entry was unlinked, FALSE otherwise
- *            (name too long for the local buffer, or no entry matched).
- *
- * NOTE(review): only the four list links of the matching entry are rewritten.
- * The entry itself, the mapped image and its memory regions are not touched,
- * so other enumerations of loaded modules (memory-region walks, forensic
- * cross-references of these lists against the address space) can still see it.
- * 32-bit MSVC only: the PEB is fetched with x86 inline asm via fs:[0x30].
- * The loader lists are walked and mutated without the loader lock (see the
- * "fix code" comments the author left); a concurrent load/unload on another
- * thread could observe a partially unlinked list.
- -----------------------------------------------------*/
- BOOL HideDllFromPEB(CONST PCHAR szDllName,
- DWORD dwLength)
- {
- PPEB pPeb;
- PLIST_ENTRY entry;
- PLIST_ENTRY pTempEntry;
- DWORD dwTranLen;
- PLDR_DATA_TABLE_ENTRY pLdrEntry;
- BOOL bRet;
- char DllName[MAX_PATH]; // ANSI copy of the current entry's BaseDllName
- // Reject names that cannot fit in DllName together with a terminator.
- if(dwLength > MAX_PATH - 1)
- {
- return FALSE;
- }
- // x86 only: fs:[0x30] is the TEB's PEB pointer on 32-bit Windows.
- __asm
- {
- mov eax, fs:[0x30]
- mov [pPeb], eax
- }
- 
- // fix code: EnterCriticalSection(pPeb->LoadLock)
- // (left as a TODO by the author: the lists below are shared with the loader
- // and are modified here without any synchronisation)
- bRet = FALSE;
- // Pass 1: walk the load-order list.
- for(entry = pPeb->Ldr->InLoadOrderModuleList.Flink;
- entry != &pPeb->Ldr->InLoadOrderModuleList;
- entry = entry->Flink)
- {
- pLdrEntry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
- // TryRread is defined elsewhere; presumably probes that the name buffer is readable.
- if(TryRread(pLdrEntry->BaseDllName.Buffer, pLdrEntry->BaseDllName.Length))
- {
- // UNICODE_STRING.Length is in bytes, hence the /2 for the wchar count.
- // Returns the number of bytes written, 0 on failure.
- dwTranLen = WideCharToMultiByte(CP_ACP,
- 0,
- pLdrEntry->BaseDllName.Buffer,
- pLdrEntry->BaseDllName.Length / 2,
- DllName,
- MAX_PATH - 1,
- NULL,
- NULL);
- if(dwTranLen * 2 == pLdrEntry->BaseDllName.Length)
- {
- // Whole name converted but no terminator was converted: add one.
- DllName[dwTranLen] = '\0';
- dwTranLen++;
- }
- // Holds only after a complete conversion; on failure dwTranLen is 0 and
- // the unsigned wrap of (dwTranLen - 1) makes the comparison false.
- if((dwTranLen - 1) * 2 == pLdrEntry->BaseDllName.Length)
- {
- if(strcmp(szDllName, DllName) == 0)
- {
- // Module found: unlink it. The entry's own Flink/Blink are left
- // intact, so the loop's entry = entry->Flink still advances.
- entry->Flink->Blink = entry->Blink;
- entry->Blink->Flink = entry->Flink;
- // The other three lists
- pTempEntry = &pLdrEntry->InMemoryOrderModuleList;
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- pTempEntry = &pLdrEntry->InInitializationOrderModuleList;
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- pTempEntry = &pLdrEntry->HashLinks;
- if(!IsListEmpty(pTempEntry)) // LdrpHashTable has several buckets, so this link may be an empty list
- {
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- }
- bRet = TRUE;
- }
- }
- }
- }
- 
- // For safety, the remaining two lists are scanned as well. An entry unlinked
- // in pass 1 is no longer reachable from these heads, so these passes only
- // find something if it was linked into one list but not another.
- // Pass 2: walk the memory-order list.
- for(entry = pPeb->Ldr->InMemoryOrderModuleList.Flink;
- entry != &pPeb->Ldr->InMemoryOrderModuleList;
- entry = entry->Flink)
- {
- pLdrEntry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InMemoryOrderModuleList);
- if(TryRread(pLdrEntry->BaseDllName.Buffer, pLdrEntry->BaseDllName.Length))
- {
- // Same conversion as pass 1 (byte length / 2 = wchar count).
- dwTranLen = WideCharToMultiByte(CP_ACP,
- 0,
- pLdrEntry->BaseDllName.Buffer,
- pLdrEntry->BaseDllName.Length / 2,
- DllName,
- MAX_PATH - 1,
- NULL,
- NULL);
- if(dwTranLen * 2 == pLdrEntry->BaseDllName.Length)
- {
- // No terminator was converted: add one.
- DllName[dwTranLen] = '\0';
- dwTranLen++;
- }
- if((dwTranLen - 1) * 2 == pLdrEntry->BaseDllName.Length)
- {
- if(strcmp(szDllName, DllName) == 0)
- {
- // Module found: unlink it from this list.
- entry->Flink->Blink = entry->Blink;
- entry->Blink->Flink = entry->Flink;
- // The other three lists
- pTempEntry = &pLdrEntry->InLoadOrderLinks;
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- pTempEntry = &pLdrEntry->InInitializationOrderModuleList;
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- pTempEntry = &pLdrEntry->HashLinks;
- if(!IsListEmpty(pTempEntry))
- {
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- }
- bRet = TRUE;
- }
- }
- }
- }
- 
- // Pass 3: walk the initialization-order list.
- for(entry = pPeb->Ldr->InInitializationOrderModuleList.Flink;
- entry != &pPeb->Ldr->InInitializationOrderModuleList;
- entry = entry->Flink)
- {
- pLdrEntry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InInitializationOrderModuleList);
- if(TryRread(pLdrEntry->BaseDllName.Buffer, pLdrEntry->BaseDllName.Length))
- {
- // Same conversion as pass 1 (byte length / 2 = wchar count).
- dwTranLen = WideCharToMultiByte(CP_ACP,
- 0,
- pLdrEntry->BaseDllName.Buffer,
- pLdrEntry->BaseDllName.Length / 2,
- DllName,
- MAX_PATH - 1,
- NULL,
- NULL);
- if(dwTranLen * 2 == pLdrEntry->BaseDllName.Length)
- {
- // No terminator was converted: add one.
- DllName[dwTranLen] = '\0';
- dwTranLen++;
- }
- if((dwTranLen - 1) * 2 == pLdrEntry->BaseDllName.Length)
- {
- if(strcmp(szDllName, DllName) == 0)
- {
- // Module found: unlink it from this list.
- entry->Flink->Blink = entry->Blink;
- entry->Blink->Flink = entry->Flink;
- // The other three lists
- pTempEntry = &pLdrEntry->InLoadOrderLinks;
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- pTempEntry = &pLdrEntry->InMemoryOrderModuleList;
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- pTempEntry = &pLdrEntry->HashLinks;
- if(!IsListEmpty(pTempEntry))
- {
- pTempEntry->Flink->Blink = pTempEntry->Blink;
- pTempEntry->Blink->Flink = pTempEntry->Flink;
- }
- bRet = TRUE;
- }
- }
- }
- }
- // fix code: LeaveCriticalSection(pPeb->LoadLock)
- // LdrpHashTable is a pain...
- // HideFromLdrpHashTable is defined elsewhere. If it fails, the loops above
- // already removed the entry's HashLinks, which the author treats as success;
- // GetModuleHandle is a second check that the name no longer resolves. The
- // message is diagnostic only and does not affect the return value.
- if(!HideFromLdrpHashTable(szDllName, dwLength) && // failing here means the entry was already unlinked above
- 0 == GetModuleHandle(szDllName) && bRet)
- {
- printf("HideDllFromPEB()->HideFromLdrpHashTable失败, 这标志着dll成功被隐藏\n");
- }
- return bRet;
- }