[求助]求Delphi里同CONTAINING_RECORD的写法-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (6)
qihoocom 雪币： 635 活跃值： (101) 能力值： ( LV12，RANK：420 ) 在线值：发帖 49 回帖 1165 粉丝 23 关注私信	qihoocom 9 2 楼实际就是-field offset 看看宏实现就可以了~ 2008-12-14 02:31 0
veninson 雪币： 215 活跃值： (19) 能力值： ( LV2，RANK：10 ) 在线值：发帖 25 回帖 102 粉丝 0 关注私信	veninson 3 楼 procedure HideModuleFromPEB(dllName: string); var hMod : THandle; Head,Cur : PListEntry; ldr : PPEB_LDR_DATA; ldm : PLDR_MODULE; begin hMod := GetModuleHandle(PChar(dllName)); asm MOV EAX,FS:[$30] //得到PEB结构地址 MOV EAX,[EAX+$C] //得到PEB_LDR_DATA结构地址 MOV LDR, EAX end; Head := @ldr.InLoadOrderModuleList; Cur := Head.Flink; //运行到这里Head.Flink=0xE0000000，ldr=241EA0，应该不对吧，哪里错了啊？ repeat ldm := PLDR_MODULE(DWORD(@Cur.Flink)-DWORD(@Cur)); // ?????????? if DWORD(hMod)=DWORD(ldm.BaseAddress) then begin ldm.InLoadOrderModuleList.BLink.Flink := ldm.InLoadOrderModuleList.Flink; ldm.InLoadOrderModuleList.Flink.Blink := ldm.InLoadOrderModuleList.Blink; ldm.InInitializationOrderModuleList.BLink.Flink := ldm.InInitializationOrderModuleList.Flink; ldm.InInitializationOrderModuleList.Flink.Blink := ldm.InInitializationOrderModuleList.Blink; ldm.InMemoryOrderModuleList.BLink.Flink := ldm.InMemoryOrderModuleList.Flink; ldm.InMemoryOrderModuleList.Flink.Blink := ldm.InMemoryOrderModuleList.Blink; break; end; Cur := Cur.Flink; until Head<>Cur; end; 2008-12-14 03:02 0
achillis 雪币： 7651 活跃值： (523) 能力值： ( LV9，RANK：610 ) 在线值：发帖 32 回帖 2032 粉丝 47 关注私信	achillis 15 4 楼暴搜一下就出来了… 2008-12-14 20:52 0
ttds 雪币： 202 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 10 粉丝 0 关注私信	ttds 5 楼 ldm:=PLDR_MODULE(ULONG_PTR(Cur)-ULONG_PTR(@PLDR_MODULE(0)^.InLoadOrderModuleList)); 好像是这样，但是不知道为什么不对 2009-1-10 00:32 0
sabason 雪币： 1 活跃值： (543) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 30 粉丝 0 关注私信	sabason 6 楼错了这样来实现的 var stEntry:LDR_DATA_TABLE_ENTRY; begin pstEntry := pointer(DWORD(Current)-(DWORD(@stEntry.InLoadOrderLinks)-dword(@stEntry)));//实现DDK中的CONTAINING_RECORD宏做这个事情 2009-7-17 11:27 0
网络游侠雪币： 0 活跃值： (954) 能力值： ( LV3，RANK：30 ) 在线值：发帖 19 回帖 971 粉丝 14 关注私信	网络游侠 7 楼暴搜链表就出来了。。没什么用，贴段娱乐下 type _UNICODE_STRING = record Length: WORD{Ushort}; MaximumLength: WORD; Buffer: PWideChar; end {_UNICODE_STRING}; UNICODE_STRING = _UNICODE_STRING; PUNICODE_STRING = ^_UNICODE_STRING; //PEB中的一个结构 type _PEB_LDR_DATA = record Length: ULONG; Initialized: BOOLEAN; SsHandle: pointer;//PVOID; InLoadOrderModuleList: LIST_ENTRY; InMemoryOrderModuleList: LIST_ENTRY; InInitializationOrderModuleList: LIST_ENTRY; end {_PEB_LDR_DATA}; PEB_LDR_DATA = _PEB_LDR_DATA; PPEB_LDR_DATA = ^_PEB_LDR_DATA; //模块结构 (72) type _LDR_MODULE = record InLoadOrderModuleList: LIST_ENTRY; InMemoryOrderModuleList: LIST_ENTRY; InInitializationOrderModuleList: LIST_ENTRY; BaseAddress: pointer; EntryPoint: pointer; SizeOfImage: ULONG; FullDllName: UNICODE_STRING; BaseDllName: UNICODE_STRING; Flags: ULONG; LoadCount: SmallInt; TlsIndex: SmallInt; HashTableEntry: LIST_ENTRY; TimeDateStamp: ULONG; end {_LDR_MODULE}; LDR_MODULE = _LDR_MODULE; PLDR_MODULE = ^_LDR_MODULE; function HideDll(const dllname: PChar):HMODULE; var hMod: HMODULE; Head, Cur: PListEntry; ldr: PPEB_LDR_DATA; ldm: PLDR_MODULE; begin hMod := GetModuleHandle(dllname); if hMod <= 0 then begin exit; end; asm mov eax, fs:[30h] mov ecx, [eax + 0Ch] mov ldr, ecx end; Head := @ldr^.InLoadOrderModuleList; Cur := Head^.Flink; repeat ldm := PLDR_MODULE(Cur); ldm := PLDR_MODULE(DWORD(Cur) - DWORD(@PLDR_MODULE(0)^.InLoadOrderModuleList)); if (hMod = DWORD(ldm^.BaseAddress)) then begin ldm^.InLoadOrderModuleList.Blink^.Flink := ldm^.InLoadOrderModuleList.Flink; ldm^.InLoadOrderModuleList.Flink^.Blink := ldm^.InLoadOrderModuleList.Blink; ldm^.InInitializationOrderModuleList.Blink^.Flink := ldm^.InInitializationOrderModuleList.Flink; ldm^.InInitializationOrderModuleList.Flink^.Blink := ldm^.InInitializationOrderModuleList.Blink; ldm^.InMemoryOrderModuleList.Blink^.Flink := ldm^.InMemoryOrderModuleList.Flink; ldm^.InMemoryOrderModuleList.Flink^.Blink := ldm^.InMemoryOrderModuleList.Blink; Break; end; Cur := Cur^.Flink; until (Head = Cur); Result := hMod; end; 2009-7-17 15:10 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (6)
qihoocom 雪币： 635 活跃值： (101) 能力值： ( LV12，RANK：420 ) 在线值：发帖 49 回帖 1165 粉丝 23 关注私信	qihoocom 9 2 楼实际就是-field offset 看看宏实现就可以了~ 2008-12-14 02:31 0
veninson 雪币： 215 活跃值： (19) 能力值： ( LV2，RANK：10 ) 在线值：发帖 25 回帖 102 粉丝 0 关注私信	veninson 3 楼 procedure HideModuleFromPEB(dllName: string); var hMod : THandle; Head,Cur : PListEntry; ldr : PPEB_LDR_DATA; ldm : PLDR_MODULE; begin hMod := GetModuleHandle(PChar(dllName)); asm MOV EAX,FS:[$30] //得到PEB结构地址 MOV EAX,[EAX+$C] //得到PEB_LDR_DATA结构地址 MOV LDR, EAX end; Head := @ldr.InLoadOrderModuleList; Cur := Head.Flink; //运行到这里Head.Flink=0xE0000000，ldr=241EA0，应该不对吧，哪里错了啊？ repeat ldm := PLDR_MODULE(DWORD(@Cur.Flink)-DWORD(@Cur)); // ?????????? if DWORD(hMod)=DWORD(ldm.BaseAddress) then begin ldm.InLoadOrderModuleList.BLink.Flink := ldm.InLoadOrderModuleList.Flink; ldm.InLoadOrderModuleList.Flink.Blink := ldm.InLoadOrderModuleList.Blink; ldm.InInitializationOrderModuleList.BLink.Flink := ldm.InInitializationOrderModuleList.Flink; ldm.InInitializationOrderModuleList.Flink.Blink := ldm.InInitializationOrderModuleList.Blink; ldm.InMemoryOrderModuleList.BLink.Flink := ldm.InMemoryOrderModuleList.Flink; ldm.InMemoryOrderModuleList.Flink.Blink := ldm.InMemoryOrderModuleList.Blink; break; end; Cur := Cur.Flink; until Head<>Cur; end; 2008-12-14 03:02 0
achillis 雪币： 7651 活跃值： (523) 能力值： ( LV9，RANK：610 ) 在线值：发帖 32 回帖 2032 粉丝 47 关注私信	achillis 15 4 楼暴搜一下就出来了… 2008-12-14 20:52 0
ttds 雪币： 202 活跃值： (16) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 10 粉丝 0 关注私信	ttds 5 楼 ldm:=PLDR_MODULE(ULONG_PTR(Cur)-ULONG_PTR(@PLDR_MODULE(0)^.InLoadOrderModuleList)); 好像是这样，但是不知道为什么不对 2009-1-10 00:32 0
sabason 雪币： 1 活跃值： (543) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 30 粉丝 0 关注私信	sabason 6 楼错了这样来实现的 var stEntry:LDR_DATA_TABLE_ENTRY; begin pstEntry := pointer(DWORD(Current)-(DWORD(@stEntry.InLoadOrderLinks)-dword(@stEntry)));//实现DDK中的CONTAINING_RECORD宏做这个事情 2009-7-17 11:27 0
网络游侠雪币： 0 活跃值： (954) 能力值： ( LV3，RANK：30 ) 在线值：发帖 19 回帖 971 粉丝 14 关注私信	网络游侠 7 楼暴搜链表就出来了。。没什么用，贴段娱乐下 type _UNICODE_STRING = record Length: WORD{Ushort}; MaximumLength: WORD; Buffer: PWideChar; end {_UNICODE_STRING}; UNICODE_STRING = _UNICODE_STRING; PUNICODE_STRING = ^_UNICODE_STRING; //PEB中的一个结构 type _PEB_LDR_DATA = record Length: ULONG; Initialized: BOOLEAN; SsHandle: pointer;//PVOID; InLoadOrderModuleList: LIST_ENTRY; InMemoryOrderModuleList: LIST_ENTRY; InInitializationOrderModuleList: LIST_ENTRY; end {_PEB_LDR_DATA}; PEB_LDR_DATA = _PEB_LDR_DATA; PPEB_LDR_DATA = ^_PEB_LDR_DATA; //模块结构 (72) type _LDR_MODULE = record InLoadOrderModuleList: LIST_ENTRY; InMemoryOrderModuleList: LIST_ENTRY; InInitializationOrderModuleList: LIST_ENTRY; BaseAddress: pointer; EntryPoint: pointer; SizeOfImage: ULONG; FullDllName: UNICODE_STRING; BaseDllName: UNICODE_STRING; Flags: ULONG; LoadCount: SmallInt; TlsIndex: SmallInt; HashTableEntry: LIST_ENTRY; TimeDateStamp: ULONG; end {_LDR_MODULE}; LDR_MODULE = _LDR_MODULE; PLDR_MODULE = ^_LDR_MODULE; function HideDll(const dllname: PChar):HMODULE; var hMod: HMODULE; Head, Cur: PListEntry; ldr: PPEB_LDR_DATA; ldm: PLDR_MODULE; begin hMod := GetModuleHandle(dllname); if hMod <= 0 then begin exit; end; asm mov eax, fs:[30h] mov ecx, [eax + 0Ch] mov ldr, ecx end; Head := @ldr^.InLoadOrderModuleList; Cur := Head^.Flink; repeat ldm := PLDR_MODULE(Cur); ldm := PLDR_MODULE(DWORD(Cur) - DWORD(@PLDR_MODULE(0)^.InLoadOrderModuleList)); if (hMod = DWORD(ldm^.BaseAddress)) then begin ldm^.InLoadOrderModuleList.Blink^.Flink := ldm^.InLoadOrderModuleList.Flink; ldm^.InLoadOrderModuleList.Flink^.Blink := ldm^.InLoadOrderModuleList.Blink; ldm^.InInitializationOrderModuleList.Blink^.Flink := ldm^.InInitializationOrderModuleList.Flink; ldm^.InInitializationOrderModuleList.Flink^.Blink := ldm^.InInitializationOrderModuleList.Blink; ldm^.InMemoryOrderModuleList.Blink^.Flink := ldm^.InMemoryOrderModuleList.Flink; ldm^.InMemoryOrderModuleList.Flink^.Blink := ldm^.InMemoryOrderModuleList.Blink; Break; end; Cur := Cur^.Flink; until (Head = Cur); Result := hMod; end; 2009-7-17 15:10 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复