首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[原创]进程中dll模块的隐藏
发表于: 2008-2-20 17:28 102204

[原创]进程中dll模块的隐藏

NetRoc 活跃值
12
2008-2-20 17:28
102204

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 8
支持
分享
最新回复 (75)
wyfe
雪    币: 2575
活跃值: (502)
能力值: ( LV2,RANK:85 )
在线值:
发帖
回帖
粉丝
私信
2
这么好的帖没人顶,没天理了。
2008-2-20 18:53
0
zhtjia
雪    币: 248
活跃值: (42)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
好帖,顶一个
2008-2-20 19:15
0
安摧
雪    币: 247
活跃值: (10)
能力值: ( LV7,RANK:100 )
在线值:
发帖
回帖
粉丝
私信
4
不错,收藏!!!
lz辛苦哩
2008-2-20 19:20
0
Yukit
雪    币: 209
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
楼主辛苦了,学习ing
2008-2-20 19:46
0
aki
雪    币: 223
活跃值: (70)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
6
dll文件a里面抹掉自己。exe文件b载入a文件,loadlibrary返回的结果是错误的。。。
2008-2-20 20:01
0
combojiang
雪    币: 321
活跃值: (271)
能力值: ( LV13,RANK:1050 )
在线值:
发帖
回帖
粉丝
私信
7
先占座,再慢慢欣赏
2008-2-20 22:06
0
hnwujunabc
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
8
顶顶顶顶顶顶
2008-2-20 22:11
0
goodcode
雪    币: 67
活跃值: (66)
能力值: ( LV7,RANK:100 )
在线值:
发帖
回帖
粉丝
私信
9
顶一下 不错
2008-2-21 00:01
0
forgot
雪    币: 6075
活跃值: (2236)
能力值: (RANK:1060 )
在线值:
发帖
回帖
粉丝
私信
10
HideModuleFromPEB proc hInstDLL:DWORD
        assume  fs:nothing
        mov     esi,hInstDLL
        xor     eax,eax
        mov     eax,fs:[eax].TEB.Peb
        mov     eax,[eax].PEB.Ldr
        lea     eax,[eax].PEB_LDR_DATA.InLoadOrderModuleList
        @@:
        mov     eax,[eax].LDR_MODULE.InLoadOrderModuleList.Flink
        cmp     esi,[eax].LDR_MODULE.BaseAddress
        jnz     @B
        mov     esi,[eax].LIST_ENTRY.Flink
        mov     ebx,[eax].LIST_ENTRY.Blink
        mov     [ebx].LIST_ENTRY.Flink,esi
        mov     esi,[eax].LIST_ENTRY.Blink
        mov     ebx,[eax].LIST_ENTRY.Flink
        mov     [ebx].LIST_ENTRY.Blink,esi
        lea     eax,[eax].LDR_MODULE.InMemoryOrderModuleList
        mov     esi,[eax].LIST_ENTRY.Flink
        mov     ebx,[eax].LIST_ENTRY.Blink
        mov     [ebx].LIST_ENTRY.Flink,esi
        mov     esi,[eax].LIST_ENTRY.Blink
        mov     ebx,[eax].LIST_ENTRY.Flink
        mov     [ebx].LIST_ENTRY.Blink,esi
        ret
HideModuleFromPEB endp
2008-2-21 00:20
0
Bughoho
雪    币: 1946
活跃值: (248)
能力值: (RANK:330 )
在线值:
发帖
回帖
粉丝
私信
11
我也来段 占内存用的,其中testdll是隐式连接。

        void *PEB = NULL;
        void *Ldr = NULL;
        _LIST_ENTRY *Flink = NULL;
        _LIST_ENTRY *p = NULL;
        BYTE        *BaseAddress = NULL;
        BYTE        *FullDllName = NULL;
        __asm
        {
                mov eax,fs:[0x30]
                mov PEB,eax
        }
        Ldr = *( ( void ** )( ( unsigned char * )PEB+0x0c ) );
        Flink = (_LIST_ENTRY*)*( ( void ** )( ( unsigned char * )Ldr+ 0x0c ) );
        p = Flink;
        do
        {
                BaseAddress = *( ( BYTE ** )( ( unsigned char * )p+ 0x18 ) );
                FullDllName = *( ( BYTE ** )( ( unsigned char * )p+ 0x28 ) );
                LPSTR strFullDllName;
                UnicodeToAnsi((LPCOLESTR)FullDllName,&strFullDllName);
                if( strFullDllName )
                {
                        if( strstr(strFullDllName,"testdll") )
                        {
                                *(LPDWORD)((LPBYTE)p + 0x38) = 1;
                        }
                }
                CO_SAFE_DELETE(strFullDllName);
                p = p->Flink;
        }
        while ( Flink != p );

        FreeLibrary(GetModuleHandle("testdll.dll"));

        LPVOID lpdata = VirtualAlloc((LPVOID)NULL,1024*1024*6,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if( lpdata != (LPVOID)0x400000 )
        {
                return FALSE;
        }
2008-2-21 01:12
0
wynney
雪    币: 224
活跃值: (147)
能力值: ( LV9,RANK:970 )
在线值:
发帖
回帖
粉丝
私信
12
都发代码片段,我也来一个

    while(modulo->BaseAddress != 0)
        {
       if( (ULONG_PTR)modulo->BaseAddress == DllHandle)
           {
          if(modulo->InInitializationOrderModuleList.Blink == NULL) return FALSE;

          prec = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo->InInitializationOrderModuleList.Blink - 16);
          next = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo->InInitializationOrderModuleList.Flink - 16);

          prec->InInitializationOrderModuleList.Flink = modulo->InInitializationOrderModuleList.Flink;
          next->InInitializationOrderModuleList.Blink = modulo->InInitializationOrderModuleList.Blink;  

          prec = (LDR_MODULE*)modulo->InLoadOrderModuleList.Blink;
          next = (LDR_MODULE*)modulo->InLoadOrderModuleList.Flink;

          prec->InLoadOrderModuleList.Flink = modulo->InLoadOrderModuleList.Flink;
          prec->InMemoryOrderModuleList.Flink = modulo->InMemoryOrderModuleList.Flink;

          next->InLoadOrderModuleList.Blink = modulo->InLoadOrderModuleList.Blink;
          next->InMemoryOrderModuleList.Blink = modulo->InMemoryOrderModuleList.Blink;
         
          return TRUE;
           }
          modulo = (LDR_MODULE*)modulo->InLoadOrderModuleList.Flink;
        }
2008-2-21 10:01
0
海风月影
雪    币: 7309
活跃值: (3788)
能力值: (RANK:1130 )
在线值:
发帖
回帖
粉丝
私信
13
暴力搜索内存,强行找出来
2008-2-21 13:27
0
foxabu
雪    币: 325
活跃值: (97)
能力值: ( LV13,RANK:530 )
在线值:
发帖
回帖
粉丝
私信
14
暴力来了, 快跑
2008-2-21 14:40
0
sucsor
雪    币: 207
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
15
通过VirtualQueryEx函数列举出进程内虚拟内存的段,然后根据PE结构和内存属性来定位Image文件的映像基地址,即可确认以下三项数据,    该数据是连续的,
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
在内存中搜索这个三个数据,即可定位LDR。
2008-2-21 15:19
0
kingasm
雪    币: 202
活跃值: (15)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
16
iceswoard还是可以找出的。
2008-2-21 15:41
0
sjm
雪    币: 110
活跃值: (15)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
sjm
17
(273) : error C2146: syntax error : missing ';' before identifier 'FullDllName'
(273) : error C2501: 'UNICODE_STRING' : missing storage-class or type specifiers
(273) : error C2501: 'FullDllName' : missing storage-class or type specifiers
(274) : error C2146: syntax error : missing ';' before identifier 'BaseDllName'
(274) : error C2501: 'UNICODE_STRING' : missing storage-class or type specifiers
(274) : error C2501: 'BaseDllName' : missing storage-class or type specifiers
(297) : error C2065: 'pfnNtQueryInformationProcess' : undeclared identifier

编译不通过,用那些头文件?vc6.0
2008-6-19 20:10
0
xPLK
雪    币: 375
活跃值: (12)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
18
给你个可编译的:http://hi.baidu.com/zoo_/blog/item/4b695c8737e7862fc75cc33c.html
在前面加声明:
ypedef struct _UNICODE_STRING
{
        USHORT Length;
        USHORT MaximumLength;
        PWSTR  Buffer;
} UNICODE_STRING,*PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
        ULONG                   Length;
        BOOLEAN                 Initialized;
        PVOID                   SsHandle;
        LIST_ENTRY              InLoadOrderModuleList;
        LIST_ENTRY              InMemoryOrderModuleList;
        LIST_ENTRY              InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_MODULE
{
        LIST_ENTRY          InLoadOrderModuleList;   //+0x00
        LIST_ENTRY          InMemoryOrderModuleList; //+0x08  
        LIST_ENTRY          InInitializationOrderModuleList; //+0x10
        void*               BaseAddress;  //+0x18
        void*               EntryPoint;   //+0x1c
        ULONG               SizeOfImage;
        UNICODE_STRING      FullDllName;
        UNICODE_STRING      BaseDllName;
        ULONG               Flags;
        SHORT               LoadCount;
        SHORT               TlsIndex;
        HANDLE              SectionHandle;
        ULONG               CheckSum;
        ULONG               TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
2008-6-19 20:56
0
cloudliu
雪    币: 201
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
19
好帖啊,学习中
2008-11-8 13:29
0
QIQI
雪    币: 214
活跃值: (46)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
20
屁用没有
2008-11-8 15:45
0
shoooo
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
私信
21
楼主辛苦了,这个片子找了很久了
2008-11-8 16:04
0
ccccjf
雪    币: 202
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
22
-----------------------------------------------------------------

我按你说的,在 Microsoft Visual C++ 6.0 中编译,得到如下结果
Configuration: Cpp1 - Win32 Debug--------------------
Compiling...
Cpp1.cpp
c:\documents and settings\cjf\cpp1.cpp(3) : error C2146: syntax error : missing ';' before identifier 'Length'
c:\documents and settings\cjf\cpp1.cpp(3) : error C2501: 'USHORT' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(3) : error C2501: 'Length' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(4) : error C2146: syntax error : missing ';' before identifier 'MaximumLength'
c:\documents and settings\cjf\cpp1.cpp(4) : error C2501: 'USHORT' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(4) : error C2501: 'MaximumLength' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(5) : error C2146: syntax error : missing ';' before identifier 'Buffer'
c:\documents and settings\cjf\cpp1.cpp(5) : error C2501: 'PWSTR' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(5) : error C2501: 'Buffer' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(9) : error C2146: syntax error : missing ';' before identifier 'Length'
c:\documents and settings\cjf\cpp1.cpp(9) : error C2501: 'ULONG' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(9) : error C2501: 'Length' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(10) : error C2146: syntax error : missing ';' before identifier 'Initialized'
c:\documents and settings\cjf\cpp1.cpp(10) : error C2501: 'BOOLEAN' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(10) : error C2501: 'Initialized' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(11) : error C2146: syntax error : missing ';' before identifier 'SsHandle'
c:\documents and settings\cjf\cpp1.cpp(11) : error C2501: 'PVOID' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(11) : error C2501: 'SsHandle' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(12) : error C2146: syntax error : missing ';' before identifier 'InLoadOrderModuleList'
c:\documents and settings\cjf\cpp1.cpp(12) : error C2501: 'LIST_ENTRY' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(12) : error C2501: 'InLoadOrderModuleList' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(13) : error C2146: syntax error : missing ';' before identifier 'InMemoryOrderModuleList'
c:\documents and settings\cjf\cpp1.cpp(13) : error C2501: 'LIST_ENTRY' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(13) : error C2501: 'InMemoryOrderModuleList' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(14) : error C2146: syntax error : missing ';' before identifier 'InInitializationOrderModuleList'
c:\documents and settings\cjf\cpp1.cpp(14) : error C2501: 'LIST_ENTRY' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(14) : error C2501: 'InInitializationOrderModuleList' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(19) : error C2146: syntax error : missing ';' before identifier 'InLoadOrderModuleList'
c:\documents and settings\cjf\cpp1.cpp(19) : error C2501: 'LIST_ENTRY' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(19) : error C2501: 'InLoadOrderModuleList' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(20) : error C2146: syntax error : missing ';' before identifier 'InMemoryOrderModuleList'
c:\documents and settings\cjf\cpp1.cpp(20) : error C2501: 'LIST_ENTRY' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(20) : error C2501: 'InMemoryOrderModuleList' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(21) : error C2146: syntax error : missing ';' before identifier 'InInitializationOrderModuleList'
c:\documents and settings\cjf\cpp1.cpp(21) : error C2501: 'LIST_ENTRY' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(21) : error C2501: 'InInitializationOrderModuleList' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(24) : error C2146: syntax error : missing ';' before identifier 'SizeOfImage'
c:\documents and settings\cjf\cpp1.cpp(24) : error C2501: 'ULONG' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(24) : error C2501: 'SizeOfImage' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(27) : error C2146: syntax error : missing ';' before identifier 'Flags'
c:\documents and settings\cjf\cpp1.cpp(27) : error C2501: 'ULONG' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(27) : error C2501: 'Flags' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(28) : error C2146: syntax error : missing ';' before identifier 'LoadCount'
c:\documents and settings\cjf\cpp1.cpp(28) : error C2501: 'SHORT' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(28) : error C2501: 'LoadCount' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(29) : error C2146: syntax error : missing ';' before identifier 'TlsIndex'
c:\documents and settings\cjf\cpp1.cpp(29) : error C2501: 'SHORT' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(29) : error C2501: 'TlsIndex' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(30) : error C2146: syntax error : missing ';' before identifier 'SectionHandle'
c:\documents and settings\cjf\cpp1.cpp(30) : error C2501: 'HANDLE' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(30) : error C2501: 'SectionHandle' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(31) : error C2146: syntax error : missing ';' before identifier 'CheckSum'
c:\documents and settings\cjf\cpp1.cpp(31) : error C2501: 'ULONG' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(31) : error C2501: 'CheckSum' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(32) : error C2146: syntax error : missing ';' before identifier 'TimeDateStamp'
c:\documents and settings\cjf\cpp1.cpp(32) : error C2501: 'ULONG' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(32) : error C2501: 'TimeDateStamp' : missing storage-class or type specifiers
c:\documents and settings\cjf\cpp1.cpp(36) : error C2065: 'HMODULE' : undeclared identifier
c:\documents and settings\cjf\cpp1.cpp(36) : error C2146: syntax error : missing ';' before identifier 'hMod'
c:\documents and settings\cjf\cpp1.cpp(36) : error C2065: 'hMod' : undeclared identifier
c:\documents and settings\cjf\cpp1.cpp(36) : error C2039: 'GetModuleHandle' : is not a member of '`global namespace''
c:\documents and settings\cjf\cpp1.cpp(36) : error C2065: 'GetModuleHandle' : undeclared identifier
c:\documents and settings\cjf\cpp1.cpp(37) : error C2065: 'PLIST_ENTRY' : undeclared identifier
c:\documents and settings\cjf\cpp1.cpp(37) : error C2146: syntax error : missing ';' before identifier 'Head'
c:\documents and settings\cjf\cpp1.cpp(37) : error C2065: 'Head' : undeclared identifier
c:\documents and settings\cjf\cpp1.cpp(37) : error C2065: 'Cur' : undeclared identifier
c:\documents and settings\cjf\cpp1.cpp(46) : error C2039: 'InLoadOrderModuleList' : is not a member of '_PEB_LDR_DATA'
        c:\documents and settings\cjf\cpp1.cpp(8) : see declaration of '_PEB_LDR_DATA'
c:\documents and settings\cjf\cpp1.cpp(47) : error C2227: left of '->Flink' must point to class/struct/union
c:\documents and settings\cjf\cpp1.cpp(50) : error C2065: 'CONTAINING_RECORD' : undeclared identifier
c:\documents and settings\cjf\cpp1.cpp(50) : error C2275: 'LDR_MODULE' : illegal use of this type as an expression
        c:\documents and settings\cjf\cpp1.cpp(33) : see declaration of 'LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(50) : error C2440: '=' : cannot convert from 'int' to 'struct _LDR_MODULE *'
        Conversion from integral type to pointer type requires reinterpret_cast, C-style cast or function-style cast
c:\documents and settings\cjf\cpp1.cpp(52) : error C2446: '==' : no conversion from 'void *' to 'int'
        This conversion requires a reinterpret_cast, a C-style cast or function-style cast
c:\documents and settings\cjf\cpp1.cpp(52) : error C2040: '==' : 'int' differs in levels of indirection from 'void *'
c:\documents and settings\cjf\cpp1.cpp(54) : error C2039: 'InLoadOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(54) : error C2228: left of '.Blink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(54) : error C2227: left of '->Flink' must point to class/struct/union
c:\documents and settings\cjf\cpp1.cpp(55) : error C2039: 'InLoadOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(55) : error C2228: left of '.Flink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(56) : error C2039: 'InLoadOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(56) : error C2228: left of '.Flink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(56) : error C2227: left of '->Blink' must point to class/struct/union
c:\documents and settings\cjf\cpp1.cpp(57) : error C2039: 'InLoadOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(57) : error C2228: left of '.Blink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(58) : error C2039: 'InInitializationOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(58) : error C2228: left of '.Blink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(58) : error C2227: left of '->Flink' must point to class/struct/union
c:\documents and settings\cjf\cpp1.cpp(59) : error C2039: 'InInitializationOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(59) : error C2228: left of '.Flink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(60) : error C2039: 'InInitializationOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(60) : error C2228: left of '.Flink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(60) : error C2227: left of '->Blink' must point to class/struct/union
c:\documents and settings\cjf\cpp1.cpp(61) : error C2039: 'InInitializationOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(61) : error C2228: left of '.Blink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(62) : error C2039: 'InMemoryOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(62) : error C2228: left of '.Blink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(62) : error C2227: left of '->Flink' must point to class/struct/union
c:\documents and settings\cjf\cpp1.cpp(63) : error C2039: 'InMemoryOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(63) : error C2228: left of '.Flink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(64) : error C2039: 'InMemoryOrderModuleList' : is not a member of '_LDR_MODULE'
        c:\documents and settings\cjf\cpp1.cpp(18) : see declaration of '_LDR_MODULE'
c:\documents and settings\cjf\cpp1.cpp(64) : error C2228: left of '.Flink' must have class/struct/union type
c:\documents and settings\cjf\cpp1.cpp(64) : error C2227: left of '->Blink' must point to class/struct/union
c:\documents and settings\cjf\cpp1.cpp(64) : fatal error C1003: error count exceeds 100; stopping compilation
执行 cl.exe 时出错.

Cpp1.obj - 1 error(s), 0 warning(s)-------------------------------------
2008-11-12 17:46
0
ccccjf
雪    币: 202
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
23
这是按你说的,弄出的 .cpp 文件
typedef struct _UNICODE_STRING
{
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING,*PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
  ULONG                   Length;
  BOOLEAN                 Initialized;
  PVOID                   SsHandle;
  LIST_ENTRY              InLoadOrderModuleList;
  LIST_ENTRY              InMemoryOrderModuleList;
  LIST_ENTRY              InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_MODULE
{
  LIST_ENTRY          InLoadOrderModuleList;   //+0x00
  LIST_ENTRY          InMemoryOrderModuleList; //+0x08  
  LIST_ENTRY          InInitializationOrderModuleList; //+0x10
  void*               BaseAddress;  //+0x18
  void*               EntryPoint;   //+0x1c
  ULONG               SizeOfImage;
  UNICODE_STRING      FullDllName;
  UNICODE_STRING      BaseDllName;
  ULONG               Flags;
  SHORT               LoadCount;
  SHORT               TlsIndex;
  HANDLE              SectionHandle;
  ULONG               CheckSum;
  ULONG               TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
void HideDll()
{
    HMODULE hMod = ::GetModuleHandle("mydll.dll");
    PLIST_ENTRY Head,Cur;
    PPEB_LDR_DATA ldr;
    PLDR_MODULE ldm;
    __asm
    {
        mov eax , fs:[0x30]
        mov ecx , [eax + 0x0c] //Ldr
        mov ldr , ecx
    }
    Head = &(ldr->InLoadOrderModuleList);
    Cur = Head->Flink;
    do
    {
        ldm = CONTAINING_RECORD( Cur, LDR_MODULE, InLoadOrderModuleList);
        //printf("EntryPoint [0x%X]\n",ldm->BaseAddress);
        if( hMod == ldm->BaseAddress)
         {
            ldm->InLoadOrderModuleList.Blink->Flink =
                ldm->InLoadOrderModuleList.Flink;
            ldm->InLoadOrderModuleList.Flink->Blink =
                ldm->InLoadOrderModuleList.Blink;
            ldm->InInitializationOrderModuleList.Blink->Flink =
                ldm->InInitializationOrderModuleList.Flink;
            ldm->InInitializationOrderModuleList.Flink->Blink =
                ldm->InInitializationOrderModuleList.Blink;  
            ldm->InMemoryOrderModuleList.Blink->Flink =
                ldm->InMemoryOrderModuleList.Flink;
            ldm->InMemoryOrderModuleList.Flink->Blink =
                ldm->InMemoryOrderModuleList.Blink;  
            break;
         }
        Cur= Cur->Flink;
     }while(Head != Cur);
}
2008-11-12 17:49
0
雪的思念
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
24
占个位置坐着再慢慢看
2008-11-19 02:51
0
twoseconds
雪    币: 112
活跃值: (51)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
25
我顶,再顶,
2008-12-2 18:55
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//