;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 隐藏DLL模块代码
; E-mail & MSN:since18a31h@hotmail.com
; by since18a31h
; http://hi.baidu.com/since18a31h
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 该代码编译后是一个Dll文件,调用Dll文件的_Test函数后,在进程空间就无
; 法找到本DLL模块了,但是实际上该DLL还在用循环的方式弹出一个MessageBox。
; 很早以前的代码,byshell就用过了,这个是直接翻译的lzx的C++代码,
; 随便翻译的,也没针对汇编做任何代码优化,编译出的DLL比较大,4.5KB,
; 经测试,运行稳定。
; 用到的API都很常用,原理很简单,就不添加注释了,凑合看吧。
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 一个普通的Dll,就不再啰嗦MakeFile的内容了
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.586
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include Psapi.inc
includelib Psapi.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
UNLOADLIB_CALLBACK struct
lpDllBase dd ?
lpNewDllBase dd ?
pAddress dd ?
lParam dd ?
UNLOADLIB_CALLBACK ends
MODULEINFO struct
lpBaseOfDll dd ?
SizeOfImage dd ?
EntryPoint dd ?
MODULEINFO ends
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
hInstance dd ?
.data
szError db 'error!',0
szEcho1 db 'CreateThread HideWork Failed.',0
szSucess db '用一些软件查看下,找不到这个dll吧',0
szKernel32 db 'Kernel32.dll',0
szntdll db 'ntdll.dll',0
szVirtualAlloc db 'VirtualAlloc',0
szLoadLibrary db 'LoadLibraryA',0
szCreateThread db 'CreateThread',0
szHeapDestroy db 'HeapDestroy',0
szmemcpy db 'memcpy',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
incLibraryCount proc hMe
local hModsSnap
local stME32:MODULEENTRY32
invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE, 0
.if eax == INVALID_HANDLE_VALUE
xor eax,eax
ret
.endif
mov hModsSnap,eax
invoke RtlZeroMemory,addr stME32,sizeof stME32
mov stME32.dwSize,sizeof stME32
invoke Module32First,hModsSnap,addr stME32
.if !eax
invoke CloseHandle,hModsSnap
xor eax,eax
ret
.endif
.repeat
invoke LoadLibrary,addr stME32.szModule
.if eax == hMe
invoke FreeLibrary,eax
.endif
invoke Module32Next,hModsSnap,addr stME32
.until !eax
invoke CloseHandle,hModsSnap
mov eax,TRUE
ret
incLibraryCount endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
EnumAndSetThreadState proc lParam
local hThreadSnap,hThread,myThreadId,pid
local stTE32:THREADENTRY32
invoke RtlZeroMemory,addr stTE32,sizeof stTE32
mov stTE32.dwSize,sizeof stTE32
invoke CreateToolhelp32Snapshot,TH32CS_SNAPTHREAD,0
mov hThreadSnap,eax
invoke GetCurrentThreadId
mov myThreadId,eax
invoke GetCurrentProcessId
mov pid,eax
invoke Thread32First,hThreadSnap,addr stTE32
or eax,eax
jz _Ret
.repeat
mov eax,pid
.if eax == stTE32.th32OwnerProcessID
mov eax,myThreadId
.if eax != stTE32.th32ThreadID
invoke OpenThread,THREAD_SUSPEND_RESUME,\
FALSE,stTE32.th32ThreadID
.if eax
mov ebx,eax
.if lParam
invoke ResumeThread,ebx
.else
invoke SuspendThread,ebx
.endif
invoke CloseHandle,ebx
.endif
.endif
.endif
invoke Thread32Next,hThreadSnap,addr stTE32
.until !eax
_Ret:
invoke CloseHandle,hThreadSnap
ret
EnumAndSetThreadState endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
GotoCallBackAddr proc uses edi esi ebx, lParam
local dwThreadId,hThread
mov edi,lParam
assume edi:ptr UNLOADLIB_CALLBACK
.if [edi].pAddress
invoke CreateThread,0,0,[edi].pAddress,[edi].lParam,0,addr dwThreadId
.if eax
invoke CloseHandle,eax
.endif
.endif
invoke VirtualFree,[edi].lpNewDllBase,0,MEM_DECOMMIT
invoke VirtualFree,lParam,0,MEM_DECOMMIT
assume edi:nothing
xor eax,eax
ret
GotoCallBackAddr endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
UnLoadLibrary proc uses edi esi ebx, lParam
local stMI:MODULEINFO
local oldProtect,hDllInstance,hDll
local szDllPath[MAX_PATH]:byte
local @lpVirtualAlloc,@lpLoadLibrary,@lpCreateThread,@lpmemcpy,@lpHeapDestroy
local HeapDestroy_HookCode_bak,HeapDestroy_HookCode
mov HeapDestroy_HookCode,000004C2h ;Retn 4
mov edi,lParam
assume edi:ptr UNLOADLIB_CALLBACK
push [edi].lpDllBase
pop hDllInstance
invoke GetModuleFileName,hDllInstance,addr szDllPath,\
MAX_PATH
invoke GetCurrentProcess
lea ebx,stMI
invoke GetModuleInformation,eax,hDllInstance,ebx,sizeof stMI
;给所有DLL增加使用计数(除了自身)
invoke incLibraryCount,hDllInstance
;保险起见,挂起其他线程,搞定后再恢复
invoke EnumAndSetThreadState,FALSE
invoke GetModuleHandle,addr szKernel32
.if eax
mov ebx,eax
invoke GetProcAddress,ebx,addr szVirtualAlloc
mov @lpVirtualAlloc,eax
invoke GetProcAddress,ebx,addr szLoadLibrary
mov @lpLoadLibrary,eax
invoke GetProcAddress,ebx,addr szCreateThread
mov @lpCreateThread,eax
invoke GetProcAddress,ebx,addr szHeapDestroy
mov @lpHeapDestroy,eax
invoke GetModuleHandle,addr szntdll
.if eax
mov ebx,eax
invoke GetProcAddress,ebx,addr szmemcpy
mov @lpmemcpy,eax
.else
ret
.endif
.else
ret
.endif
.if !@lpHeapDestroy || !@lpVirtualAlloc || !@lpLoadLibrary || !@lpCreateThread || !@lpmemcpy
xor eax,eax
ret
.endif
invoke VirtualProtect,@lpHeapDestroy,3,\
PAGE_EXECUTE_READWRITE,addr oldProtect
push 3
push @lpHeapDestroy
lea eax,HeapDestroy_HookCode_bak
push eax
call @lpmemcpy
push 3
lea eax,HeapDestroy_HookCode
push eax
push @lpHeapDestroy
call @lpmemcpy
invoke Sleep,100
invoke FreeLibrary,hDllInstance
push 3
lea eax,HeapDestroy_HookCode_bak
push eax
push @lpHeapDestroy
call @lpmemcpy
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT or MEM_RESERVE
push stMI.SizeOfImage
push hDllInstance
call @lpVirtualAlloc
.if !eax
lea eax,szDllPath
push eax
call @lpLoadLibrary
.if !eax
;assume edi:nothing
ret
.endif
mov hDll,eax
mov eax,[edi].pAddress
sub eax,hDllInstance
add eax,hDll
mov [edi].pAddress,eax
mov eax,offset EnumAndSetThreadState
sub eax,hDllInstance
add eax,hDll
push 0
push 0
push TRUE
push eax
push 0
push 0
call @lpCreateThread
.if [edi].pAddress
push 0
push 0
push [edi].lParam
push [edi].pAddress
push 0
push 0
call @lpCreateThread
.endif
xor eax,eax
;assume edi:nothing
ret
.endif
push stMI.SizeOfImage
push [edi].lpNewDllBase
push hDllInstance
call @lpmemcpy
invoke EnumAndSetThreadState,TRUE
push 0
push 0
push edi
push offset GotoCallBackAddr
push 0
push 0
call @lpCreateThread
xor eax,eax
assume edi:nothing
ret
UnLoadLibrary endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HideWork proc uses edi esi ebx, lParam
local stMI:MODULEINFO
local dwThreadId
mov edi,lParam
assume edi:ptr UNLOADLIB_CALLBACK
invoke GetCurrentProcess
lea ebx,stMI
invoke GetModuleInformation,eax,[edi].lpDllBase,ebx,sizeof stMI
invoke VirtualAlloc,NULL,stMI.SizeOfImage,\
MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
.if !eax
;assume edi:nothing
ret
.endif
mov [edi].lpNewDllBase,eax
invoke RtlMoveMemory,[edi].lpNewDllBase,stMI.lpBaseOfDll,stMI.SizeOfImage
mov eax,[edi].lpNewDllBase
add eax,offset UnLoadLibrary
sub eax,stMI.lpBaseOfDll
mov ebx,eax
invoke CreateThread,0,0,\
ebx,edi, CREATE_SUSPENDED,addr dwThreadId
.if !eax
invoke VirtualFree,[edi].lpNewDllBase,0,MEM_DECOMMIT
xor eax,eax
;assume edi:nothing
ret
.endif
push eax
invoke ResumeThread,eax
pop eax
invoke CloseHandle,eax
;assume edi:nothing
ret
HideWork endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HideLibrary proc hModule,pCallBackAddr,lParam
invoke VirtualAlloc,NULL,sizeof UNLOADLIB_CALLBACK,\
MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
.if !eax
ret
.endif
assume eax:ptr UNLOADLIB_CALLBACK
push hModule
pop [eax].lpDllBase
push NULL
pop [eax].lpNewDllBase
push pCallBackAddr
pop [eax].pAddress
push lParam
pop [eax].lParam
invoke CreateThread,0,0,offset HideWork,eax,0,NULL
.if !eax
invoke MessageBox,NULL,offset szEcho1,offset szError,NULL
ret
.endif
invoke CloseHandle,eax
ret
HideLibrary endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
testThread proc uses edi esi ebx, lParam
.while TRUE
invoke MessageBox,NULL,lParam,lParam,NULL
.endw
ret
testThread endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Test proc
invoke HideLibrary,hInstance,offset testThread,addr szSucess
invoke Sleep,60 * 1000
ret
_Test endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DllEntry proc hModule,_dwReason,_dwReserved
.if _dwReason == DLL_PROCESS_ATTACH
push hModule
pop hInstance
.endif
mov eax,TRUE
ret
DllEntry Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
End DllEntry
[课程]Linux pwn 探索篇!
