[CODE]typedef struct _UNICODE_STRING
{
USHORT Length;        // byte length of the string held in Buffer
USHORT MaximumLength; // byte capacity of Buffer
PWSTR Buffer;
} UNICODE_STRING,*PUNICODE_STRING;
// Local mirror of the native UNICODE_STRING. It exists only so that
// LDR_MODULE below has the correct size/layout; HideDll never reads
// FullDllName/BaseDllName.
// Local mirror of the loader's PEB_LDR_DATA. HideDll reaches it through
// the hard-coded 32-bit PEB->Ldr offset (0x0c) and uses the address of
// InLoadOrderModuleList as the list head it walks, so the field order and
// sizes here must match the 32-bit layout of the OS the code runs on.
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;           // head of the list HideDll enumerates
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// Truncated 32-bit mirror of the loader's per-module entry. HideDll only
// touches the three LIST_ENTRY links and BaseAddress; every other field is
// layout padding from its point of view.
// NOTE(review): the real loader entry carries more members than listed
// here (further link fields in particular); anything past TimeDateStamp is
// left untouched by HideDll, so unlinking these three lists is not a
// complete removal of the module from loader-visible state.
typedef struct _LDR_MODULE
{
LIST_ENTRY InLoadOrderModuleList; //+0x00
LIST_ENTRY InMemoryOrderModuleList; //+0x08
LIST_ENTRY InInitializationOrderModuleList; //+0x10
void* BaseAddress; //+0x18  compared against GetModuleHandle() in HideDll
void* EntryPoint; //+0x1c
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
HANDLE SectionHandle;
ULONG CheckSum;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
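// Removes `e` from its doubly linked list and then turns it into a
// self-loop. The self-loop is the important part: if the loader later runs
// its own RemoveEntryList on this entry (e.g. on DLL unload), it rewrites
// only `e` itself instead of following stale Flink/Blink into neighbour
// entries that may have been freed in the meantime.
// Entries that are not actually linked into a given list may carry NULL
// links (presumably e.g. before initialization has run); those are skipped
// rather than dereferenced.
static void UnlinkAndIsolate ( PLIST_ENTRY e )
{
    if ( e -> Flink == NULL || e -> Blink == NULL )
        return;
    e -> Blink -> Flink = e -> Flink ;
    e -> Flink -> Blink = e -> Blink ;
    e -> Flink = e ;
    e -> Blink = e ;
}

// Unlinks this DLL's loader entry from the three PEB_LDR_DATA module lists
// so that enumeration through the PEB no longer reports it. The module is
// located by the hard-coded name "i.dll"; if it is loaded under another
// name nothing is hidden.
//
// Changes versus the previous version (same observable result on the
// normal path):
//   * early return when GetModuleHandle fails instead of scanning the
//     list for a NULL base address;
//   * the unlinked entry is isolated (self-linked) instead of being left
//     with dangling Flink/Blink pointers.
//
// Limitations a caller must know about:
//   * x86 only: fs:[0x30] is the 32-bit TEB->PEB slot and 0x0c the 32-bit
//     PEB->Ldr offset; the struct layouts above are 32-bit as well.
//   * The loader lock is not taken here. Another thread inside
//     LoadLibrary/FreeLibrary walks the very same lists, so run this
//     before other threads are active or serialize it yourself.
//   * Only the three list links are cut. The mapped image stays where it
//     is and the remainder of the loader entry is untouched, so anything
//     that does not enumerate via these lists (memory scanners using
//     VirtualQuery/GetMappedFileName, or lookups through other loader
//     structures) can still see the module.
//     NOTE(review): that difference in *how* an observer enumerates is the
//     likely explanation for the module reappearing once a window is
//     shown; confirm against the specific tool being used.
void HideDll ()
{
    HMODULE hMod = :: GetModuleHandle ( "i.dll" );
    if ( hMod == NULL )
        return;                      // not loaded under that name: nothing to hide

    PPEB_LDR_DATA ldr ;
    __asm
    {
        mov eax , fs :[ 0x30 ]       // TEB->ProcessEnvironmentBlock (x86)
        mov ecx , [ eax + 0x0c ]     // PEB->Ldr (x86)
        mov ldr , ecx
    }

    PLIST_ENTRY Head = &( ldr -> InLoadOrderModuleList );
    for ( PLIST_ENTRY Cur = Head -> Flink ; Cur != Head ; Cur = Cur -> Flink )
    {
        PLDR_MODULE ldm = CONTAINING_RECORD ( Cur , LDR_MODULE , InLoadOrderModuleList );
        if ( ldm -> BaseAddress != hMod )
            continue;

        UnlinkAndIsolate ( &ldm -> InLoadOrderModuleList );
        UnlinkAndIsolate ( &ldm -> InInitializationOrderModuleList );
        UnlinkAndIsolate ( &ldm -> InMemoryOrderModuleList );
        break ;
    }
}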
// MFC application start-up. Once socket support is initialised the module
// hides itself, brings up the main dialog (created on first use) and hides
// itself a second time after the window is shown. Always reports success.
BOOL CIApp::InitInstance()
{
    if (!AfxSocketInit())
        return TRUE;

    HideDll();

    if (mainform == NULL)
    {
        mainform = new CWGForm;
        mainform->Create(IDD_DLG_MAIN);
    }
    mainform->ShowWindow(true);   // show the main window

    HideDll();                    // hide again once the window is up

    return TRUE;
}
为什么把显示窗口的代码注释掉后，注入的 DLL 模块是隐藏的，但如果显示窗口，却能看到注入的 DLL 模块？
怎样才能在显示窗口的同时，让 DLL 模块仍然保持隐藏？