[注意]Win8中另类链表检测 DLL-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)
红绡枫叶雪币： 1556 活跃值： (878) 能力值： ( LV9，RANK：320 ) 在线值：发帖 25 回帖 154 粉丝 9 关注私信	红绡枫叶 6 2 楼受教了..... 2014-4-25 20:57 0
cvcvxk 雪币： 8835 活跃值： (2404) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 234 关注私信	cvcvxk 10 3 楼还真没注意到~ 2014-4-25 22:42 0
bujin888 雪币： 193 活跃值： (26) 能力值： ( LV9，RANK：210 ) 在线值：发帖 74 回帖 365 粉丝 3 关注私信	bujin888 4 4 楼 win8 win8.1隐藏修改注意 ldm^.InLoadOrderModuleList.Blink^.Flink := ldm^.InLoadOrderModuleList.Flink; ldm^.InLoadOrderModuleList.Flink^.Blink := ldm^.InLoadOrderModuleList.Blink; ldm^.InInitializationOrderModuleList.Blink^.Flink := ldm^.InInitializationOrderModuleList.Flink; ldm^.InInitializationOrderModuleList.Flink^.Blink := ldm^.InInitializationOrderModuleList.Blink; ldm^.InMemoryOrderModuleList.Blink^.Flink := ldm^.InMemoryOrderModuleList.Flink; ldm^.InMemoryOrderModuleList.Flink^.Blink := ldm^.InMemoryOrderModuleList.Blink; //ldm^.BaseAddress:=nil; //如果设置nil loadlibrary会显示失败 if (Win32MajorVersion>=6) and (Win32MinorVersion>=2) then //win8 win8.1 begin // ldm+$68 为ldm^.BaseAddressIndexNode地址 hide_InNode(Pointer( DWORD(ldm)+$68 )); end; function GetLdrpModuleBaseAddressIndex:DWORD; var ntdll:THandle; I,curAdd:Cardinal; LdrDisableThreadCalloutsForDll, //LdrDisableThreadCalloutsForDll win8 win8.1都存在 LdrpFindLoadedDllByHandle:Cardinal; findAsmKey:TarrasmCodeKey; begin Result:=0; ntdll:=GetModuleHandle('ntdll.dll'); LdrpFindLoadedDllByHandle:=0; if ntdll<>0 then begin LdrDisableThreadCalloutsForDll:=Cardinal(GetProcAddress(ntdll,'LdrDisableThreadCalloutsForDll')); if LdrDisableThreadCalloutsForDll>0 then begin SetLength(findAsmKey,1); findAsmKey[0]:='call'; //硬编码 curAdd:=FindAsmCode(LdrDisableThreadCalloutsForDll,0,findAsmKey); if curAdd>0 then begin LdrpFindLoadedDllByHandle:=PULONG(curAdd+1)^+5+curAdd; end; end; if LdrpFindLoadedDllByHandle>0 then begin SetLength(findAsmKey,2); findAsmKey[0]:='mov eax,'; //硬编码 findAsmKey[1]:='test eax, eax'; //硬编码 curAdd:=FindAsmCode(LdrpFindLoadedDllByHandle,0,findAsmKey); if curAdd>0 then begin Result:=PULONG(curAdd+1)^; end; end; end; end; function hide_InNode(NeedDeleteNode:Pointer):Cardinal;stdcall; var LdrpModuleBaseAddressIndex:DWORD; RtlRbRemoveNode:Pointer; begin RtlRbRemoveNode:=GetProcAddress(GetModuleHandle('ntdll.dll'),'RtlRbRemoveNode'); if RtlRbRemoveNode<>nil then begin LdrpModuleBaseAddressIndex:=GetLdrpModuleBaseAddressIndex; if LdrpModuleBaseAddressIndex>0 then begin TRtlRbRemoveNode(RtlRbRemoveNode)(Pointer(LdrpModuleBaseAddressIndex),NeedDeleteNode); end; end; end; 2014-4-26 06:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (3)
红绡枫叶雪币： 1556 活跃值： (878) 能力值： ( LV9，RANK：320 ) 在线值：发帖 25 回帖 154 粉丝 9 关注私信	红绡枫叶 6 2 楼受教了..... 2014-4-25 20:57 0
cvcvxk 雪币： 8835 活跃值： (2404) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 234 关注私信	cvcvxk 10 3 楼还真没注意到~ 2014-4-25 22:42 0
bujin888 雪币： 193 活跃值： (26) 能力值： ( LV9，RANK：210 ) 在线值：发帖 74 回帖 365 粉丝 3 关注私信	bujin888 4 4 楼 win8 win8.1隐藏修改注意 ldm^.InLoadOrderModuleList.Blink^.Flink := ldm^.InLoadOrderModuleList.Flink; ldm^.InLoadOrderModuleList.Flink^.Blink := ldm^.InLoadOrderModuleList.Blink; ldm^.InInitializationOrderModuleList.Blink^.Flink := ldm^.InInitializationOrderModuleList.Flink; ldm^.InInitializationOrderModuleList.Flink^.Blink := ldm^.InInitializationOrderModuleList.Blink; ldm^.InMemoryOrderModuleList.Blink^.Flink := ldm^.InMemoryOrderModuleList.Flink; ldm^.InMemoryOrderModuleList.Flink^.Blink := ldm^.InMemoryOrderModuleList.Blink; //ldm^.BaseAddress:=nil; //如果设置nil loadlibrary会显示失败 if (Win32MajorVersion>=6) and (Win32MinorVersion>=2) then //win8 win8.1 begin // ldm+$68 为ldm^.BaseAddressIndexNode地址 hide_InNode(Pointer( DWORD(ldm)+$68 )); end; function GetLdrpModuleBaseAddressIndex:DWORD; var ntdll:THandle; I,curAdd:Cardinal; LdrDisableThreadCalloutsForDll, //LdrDisableThreadCalloutsForDll win8 win8.1都存在 LdrpFindLoadedDllByHandle:Cardinal; findAsmKey:TarrasmCodeKey; begin Result:=0; ntdll:=GetModuleHandle('ntdll.dll'); LdrpFindLoadedDllByHandle:=0; if ntdll<>0 then begin LdrDisableThreadCalloutsForDll:=Cardinal(GetProcAddress(ntdll,'LdrDisableThreadCalloutsForDll')); if LdrDisableThreadCalloutsForDll>0 then begin SetLength(findAsmKey,1); findAsmKey[0]:='call'; //硬编码 curAdd:=FindAsmCode(LdrDisableThreadCalloutsForDll,0,findAsmKey); if curAdd>0 then begin LdrpFindLoadedDllByHandle:=PULONG(curAdd+1)^+5+curAdd; end; end; if LdrpFindLoadedDllByHandle>0 then begin SetLength(findAsmKey,2); findAsmKey[0]:='mov eax,'; //硬编码 findAsmKey[1]:='test eax, eax'; //硬编码 curAdd:=FindAsmCode(LdrpFindLoadedDllByHandle,0,findAsmKey); if curAdd>0 then begin Result:=PULONG(curAdd+1)^; end; end; end; end; function hide_InNode(NeedDeleteNode:Pointer):Cardinal;stdcall; var LdrpModuleBaseAddressIndex:DWORD; RtlRbRemoveNode:Pointer; begin RtlRbRemoveNode:=GetProcAddress(GetModuleHandle('ntdll.dll'),'RtlRbRemoveNode'); if RtlRbRemoveNode<>nil then begin LdrpModuleBaseAddressIndex:=GetLdrpModuleBaseAddressIndex; if LdrpModuleBaseAddressIndex>0 then begin TRtlRbRemoveNode(RtlRbRemoveNode)(Pointer(LdrpModuleBaseAddressIndex),NeedDeleteNode); end; end; end; 2014-4-26 06:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[注意]Win8中 另类链表检测 DLL

[注意]Win8中另类链表检测 DLL