// moduleHide.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include <iostream>
#include "afxwin.h"
// Local mirror of the native UNICODE_STRING, declared here instead of pulling
// in <winternl.h>. Length and the maximum length are byte counts and Buffer is
// not guaranteed to be NUL-terminated. Nothing in this file reads these
// fields; the type only exists so LDR_DATA_TABLE_ENTRY below has the right size.
typedef struct _UNICODE_STRING
{
USHORT Length; // byte length of the string in Buffer
USHORT MaxInumLength; // presumably the native MaximumLength (byte capacity); name kept as written, no code uses it
PWSTR Buffer; // UTF-16 characters, not necessarily NUL-terminated
}UNICODE_STRING,*PUNICODE_STRING;
// Local mirror of the loader's PEB_LDR_DATA. The "Ptr32"/"Uint4B" annotations
// describe the 32-bit (x86) layout, which is also what the inline asm in
// HideModule below assumes when it fetches this structure from the PEB.
// The three LIST_ENTRY members are the heads of the circular module lists;
// each LDR_DATA_TABLE_ENTRY is linked into all three.
typedef struct _PEB_LDR_DATA
{
ULONG Length; // : Uint4B
BOOLEAN Initialized; // : UChar
PVOID SsHandle; // : Ptr32 Void
LIST_ENTRY InLoadOrderModuleList; //_LIST_ENTRY // head of the list of loaded modules in load order (walked by HideModule)
LIST_ENTRY InMemoryOrderModuleList;// _LIST_ENTRY // head of the same modules in memory order
LIST_ENTRY InInitializationOrderModuleList;// _LIST_ENTRY // head of the same modules in initialization order
PVOID EntryInProgress;// Ptr32 Void
}PEB_LDR_DATA,*PPEB_LDR_DATA;
// Local mirror of the loader's per-module LDR_DATA_TABLE_ENTRY. The first three
// members are this entry's links into the three lists headed in PEB_LDR_DATA;
// HideModule recovers the entry from its InLoadOrderModuleList link with
// CONTAINING_RECORD and compares DllBase against the HMODULE it is hiding.
// Fields after DllBase are not read anywhere in this file.
// NOTE(review): the layout past TlsIndex follows one particular loader
// version; verify against the target OS before relying on those members.
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderModuleList; //_LIST_ENTRY // link into the load-order list
LIST_ENTRY InMemoryOrderModuleList;// _LIST_ENTRY // link into the memory-order list
LIST_ENTRY InInitializationOrderModuleList;// _LIST_ENTRY // link into the initialization-order list
PVOID DllBase; // image base; this is what HideModule matches against GetModuleHandleA's result
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
ULONG LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
}LDR_DATA_TABLE_ENTRY,* PLDR_DATA_TABLE_ENTRY;
// Unlinks the loader-list entry of the module named szModuleName from the three
// module lists hanging off PEB_LDR_DATA (load order, initialization order,
// memory order). Only the list links are rewritten: the image stays mapped and
// its LDR_DATA_TABLE_ENTRY is neither freed nor zeroed, so only code that
// enumerates modules by walking these PEB lists stops seeing it; anything that
// inspects the mapped memory itself is unaffected.
// x86/MSVC only: __asm is not available on x64 MSVC, and fs:[0x30] / +0x0c are
// the 32-bit TEB->PEB and PEB->Ldr offsets.
//
// szModuleName: module name handed to GetModuleHandleA; not validated.
// NOTE(review): a failed lookup leaves hMod == NULL and the loop then compares
// every entry's DllBase against NULL instead of returning early.
// NOTE(review): no loader lock is held while the lists are spliced; presumably
// other threads may be loading DLLs and walking these lists concurrently -- confirm.
void HideModule(char* szModuleName)
{
HMODULE hMod = ::GetModuleHandleA(szModuleName); // HMODULE is the image base, the value DllBase holds
PLIST_ENTRY head, cur;
PPEB_LDR_DATA ldr;
PLDR_DATA_TABLE_ENTRY ldm;
__asm
{
mov eax, Fs: [0x30] // PEB: fetch the PEB base address from the 32-bit TEB
mov eax, [eax + 0x0c] // PEB->Ldr: fetch the PEB_LDR_DATA pointer
mov ldr,eax
}
head = &(ldr->InLoadOrderModuleList); // the list head lives inside PEB_LDR_DATA itself, not in an entry
cur = head->Flink;
do
{
// CONTAINING_RECORD recovers the address of the whole structure from the address of one of its members
ldm = CONTAINING_RECORD(cur,LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
if (hMod == ldm->DllBase) // found the module to hide: splice its entry out of the lists
{
ldm->InLoadOrderModuleList.Blink->Flink = ldm->InLoadOrderModuleList.Flink;
ldm->InLoadOrderModuleList.Flink->Blink = ldm->InLoadOrderModuleList.Blink;
ldm->InInitializationOrderModuleList.Blink->Flink = ldm->InInitializationOrderModuleList.Flink;
ldm->InInitializationOrderModuleList.Flink->Blink = ldm->InInitializationOrderModuleList.Blink;
// NOTE(review): unlike the two lists above, only Blink->Flink is repaired here; the
// successor's Blink still points at this entry, so the memory-order list is left
// inconsistent (a backward walk of that list reaches the unlinked entry again).
ldm->InMemoryOrderModuleList.Blink->Flink = ldm->InMemoryOrderModuleList.Flink;
break;
}
cur = cur->Flink;
} while (head!=cur); // stop once the walk wraps back to the head; head is never treated as an entry
}
// Entry point: waits for a keypress, then asks HideModule to unlink the
// hard-coded module name. argc/argv are unused. The closing message is printed
// unconditionally because HideModule returns void, so main cannot tell whether
// the module was actually found and unlinked.
int main(int argc, char* argv[])
{
    printf("********按任意键隐藏模块*********");
    static_cast<void>(getchar());
    // Non-const array on purpose: HideModule takes a char*, not a const char*.
    char target[] = "user32.dll";
    HideModule(target);
    printf("********隐藏模块成功*********");
    return 0;
}