废话我就不说了，按图索骥：通过 fs:[0x18] 取得 TEB，由 TEB+0x30 取得 PEB，再由 PEB+0x0C 取得 PEB_LDR_DATA，最后找到其中三张三环（用户态）的模块链表（InLoadOrder / InMemoryOrder / InInitializationOrder）。在这里断链，是三环模块隐藏的基础——但要注意它只能躲过依赖这几张链表枚举模块的用户态 API，模块映像本身仍在进程地址空间中，直接扫描内存或从内核侧（VAD）枚举仍然能发现它。下面的偏移全部是 32 位（x86）进程的布局。附上源码
#include <windows.h>
#include <stdio.h>
// Loader bookkeeping block reached through PEB.Ldr (PEB offset 0x0c on x86).
// The field offsets noted below are the 32-bit layout this file relies on
// (the +0x0c / +0x14 / +0x1c constants used elsewhere to find the lists).
// The nodes on the three lists are loader module entries
// (LDR_DATA_TABLE_ENTRY records), not further PEB_LDR_DATA blocks; only the
// list heads live inside this structure.
typedef struct _PEB_LDR_DATA
{
ULONG Length;                                 // 0x00: size of this structure
BOOLEAN Initialized;                          // 0x04
PVOID SsHandle;                               // 0x08
LIST_ENTRY InLoadOrderModuleList;             // 0x0c: list head, load order
LIST_ENTRY InMemoryOrderModuleList;           // 0x14: list head, memory order
LIST_ENTRY InInitializationOrderModuleList;   // 0x1c: list head, initialization order
PVOID EntryInProgress;                        // 0x24
} PEB_LDR_DATA,*PPEB_LDR_DATA;
//获得teb的地址
//fs:[18] 获得teb地址
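// Return the address of the current thread's TEB (Thread Environment Block).
//
// On 32-bit Windows the FS segment base is the TEB, and the TEB starts with
// an NT_TIB whose Self member (offset 0x18) points back at the TEB itself,
// so a single read of fs:[0x18] yields the TEB address.
//
// This is strictly x86/MSVC: MSVC has no inline asm on x64, FS does not
// address the TEB there (GS does), and an int cannot carry a 64-bit pointer.
// Rather than silently returning a value the callers then dereference at
// fixed offsets, refuse to build for any other target.
//
// Returns: the TEB address as an int (this file's convention for addresses).
int GetTebAddres()
{
#if !defined(_M_IX86)
#error "GetTebAddres reads fs:[0x18] with MSVC inline asm and only supports 32-bit x86 builds"
#endif
    int tebAddress = 0;
    __asm {
        mov eax, fs:[0x18]      /* NT_TIB.Self */
        mov tebAddress, eax
    }
    return tebAddress;
}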
//获得peb地址
// Return the address of the current process's PEB (Process Environment Block).
//
// The PEB pointer is read directly from the TEB at offset 0x30, which is the
// 32-bit (x86) TEB layout; like GetTebAddres() this only matches 32-bit
// processes because the offset is hard-coded.
//
// Returns: the PEB address as an int (this file's convention for addresses).
int GetPebAddres()
{
    const int *pebSlot = (const int *)(GetTebAddres() + 0x30);
    return *pebSlot;
}
//获得 _PEB_LDR_DATA 的地址
// Return the address of this process's PEB_LDR_DATA block.
//
// Reads PEB.Ldr, which sits at offset 0x0c of the 32-bit PEB. As with the
// other helpers in this file the offset is hard-coded for x86 processes.
//
// Returns: the PEB_LDR_DATA address as an int.
int GetPebLdrAddres()
{
    const int *ldrSlot = (const int *)(GetPebAddres() + 0x00c);
    return *ldrSlot;
}
//获得载入模块链表
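// Walk PEB_LDR_DATA.InLoadOrderModuleList and print one record per loaded module.
//
// Every node on this list is the InLoadOrderLinks member of a loader module
// entry (LDR_DATA_TABLE_ENTRY), and that member is the first field of the
// entry, so the node pointer is the entry pointer. The previous version cast
// each node back to PEB_LDR_DATA (node - 0x0c), which is only meaningful for
// the list head: for real modules it printed the bytes in front of the heap
// allocation as "Length"/"SsHandle" and happened to print DllBase under the
// name "EntryInProgress". It also relied on those stray bytes being nonzero to
// skip the head. The head is now skipped explicitly by starting at head->Flink
// and stopping when the walk returns to the sentinel.
//
// The entry layout below is the 32-bit (x86) one, consistent with the TEB/PEB
// offsets hard-coded elsewhere in this file. The list is walked without an
// iteration bound, so a corrupted (e.g. deliberately unlinked) list could
// loop forever; that matches the original behaviour.
void GetInLoadOrderModuleList()
{
    /* Leading fields of the x86 LDR_DATA_TABLE_ENTRY; offsets in bytes. */
    struct ldr_entry_x86 {
        LIST_ENTRY InLoadOrderLinks;            /* 0x00 */
        LIST_ENTRY InMemoryOrderLinks;          /* 0x08 */
        LIST_ENTRY InInitializationOrderLinks;  /* 0x10 */
        PVOID DllBase;                          /* 0x18: image base, i.e. the HMODULE */
        PVOID EntryPoint;                       /* 0x1c */
        ULONG SizeOfImage;                      /* 0x20 */
        struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } FullDllName; /* 0x24 */
        struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } BaseDllName; /* 0x2c */
    };
    PPEB_LDR_DATA ldr = (PPEB_LDR_DATA)GetPebLdrAddres();
    PLIST_ENTRY head = &ldr->InLoadOrderModuleList;
    PLIST_ENTRY node;

    for (node = head->Flink; node != NULL && node != head; node = node->Flink) {
        const struct ldr_entry_x86 *entry = (const struct ldr_entry_x86 *)node;
        /* UNICODE_STRING.Length is a byte count and the buffer need not be NUL-terminated */
        const PWSTR baseName = entry->BaseDllName.Buffer ? entry->BaseDllName.Buffer : L"";
        const PWSTR fullName = entry->FullDllName.Buffer ? entry->FullDllName.Buffer : L"";

        printf("********************************************************\r\n");
        printf("DllBase     %p\r\n", entry->DllBase);
        printf("EntryPoint  %p\r\n", entry->EntryPoint);
        printf("SizeOfImage %08lx\r\n", (unsigned long)entry->SizeOfImage);
        printf("BaseDllName %.*ls\r\n", entry->BaseDllName.Length / 2, baseName);
        printf("FullDllName %.*ls\r\n", entry->FullDllName.Length / 2, fullName);
    }
}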
//获得载入内存链表
// Locate the head of PEB_LDR_DATA.InMemoryOrderModuleList (offset 0x14 on x86).
//
// This is a stub: it computes the list head and stops there, printing nothing
// and walking no entries. It is kept so the three list offsets are visible in
// one place.
void GetInMemoryModuleList()
{
    PLIST_ENTRY memoryOrderHead = (PLIST_ENTRY)(GetPebLdrAddres() + 0x14);
    (void)memoryOrderHead;   /* not walked yet */
}
//获得初始化链表
// Locate the head of PEB_LDR_DATA.InInitializationOrderModuleList (offset 0x1c on x86).
//
// Stub like GetInMemoryModuleList(): the head is computed but nothing is
// walked or printed.
void GetInInitializationModuleList()
{
    PLIST_ENTRY initOrderHead = (PLIST_ENTRY)(GetPebLdrAddres() + 0x1c);
    (void)initOrderHead;   /* not walked yet */
}
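// Entry point: dump this process's InLoadOrder module list, then block on a
// keypress so the console output stays visible.
//
// The TEB and PEB addresses used to be fetched into locals that nothing read;
// those dead reads are gone (the list walker derives them itself).
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    GetInLoadOrderModuleList();
    getchar();   /* keep the console window open */
    return 0;
}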