[System Internals] [Original] Hiding DLL modules in a process

2008-2-20 17:28 93981
Hiding DLL modules in a process

cc682/NetRoc
http://netroc682.spaces.live.com/
        To keep one of your own DLL modules from being detected, you sometimes want it to stay undetected after you load a DLL yourself, or after you inject a DLL into another process. That means finding a way to wipe the module's information so that module-enumeration APIs such as Toolhelp and psapi can no longer enumerate it.
        Let's first take a brief look at how Windows enumerates the modules in a process:
        First there is BOOL EnumProcessModules( HANDLE hProcess, HMODULE* lphModule, DWORD cb, LPDWORD lpcbNeeded);
        EnumProcessModules actually calls EnumProcessModulesInternal to do the enumeration. Below is a fragment of the psapi code from Vista:
.text:514024B8                 push    ebx
.text:514024B9                 push    18h
.text:514024BB                 lea     eax, [ebp+stProcessBasicInfo]
.text:514024BE                 push    eax
.text:514024BF                 push    ebx        ;ebx=0
.text:514024C0                 push    [ebp+hProcess]
.text:514024C3                 call    ds:__imp__NtQueryInformationProcess@20 ; NtQueryInformationProcess(x,x,x,x,x)
.text:514024C9                 cmp     eax, ebx
.text:514024CB                 jge     short loc_514024E0
        It calls NtQueryInformationProcess for ProcessBasicInformation and takes the PEB address from the PROCESS_BASIC_INFORMATION structure, then reads data from the PEB of the specified process:
.text:514024E0 loc_514024E0:                           ; CODE XREF: EnumProcessModulesInternal(x,x,x,x,x)+24 j
.text:514024E0                 mov     eax, [ebp+stProcessBasicInfo.PebBaseAddress]
.text:514024E3                 cmp     eax, ebx
.text:514024E5                 jnz     short loc_514024EE
.text:514024E7                 push    8000000Dh
.text:514024EC                 jmp     short loc_514024CE
.text:514024EE ; ---------------------------------------------------------------------------
.text:514024EE
.text:514024EE loc_514024EE:                           ; CODE XREF: EnumProcessModulesInternal(x,x,x,x,x)+3E j
.text:514024EE                 push    ebx             ; lpNumberOfBytesRead
.text:514024EF                 push    4               ; nSize
.text:514024F1                 lea     ecx, [ebp+Ldr]
.text:514024F4                 push    ecx             ; lpBuffer
.text:514024F5                 add     eax, 0Ch
.text:514024F8                 push    eax             ; lpBaseAddress
.text:514024F9                 push    [ebp+hProcess]  ; hProcess
.text:514024FC                 mov     edi, ds:__imp__ReadProcessMemory@20 ; ReadProcessMemory(x,x,x,x,x)
.text:51402502                 call    edi ; ReadProcessMemory(x,x,x,x,x) ; ReadProcessMemory(x,x,x,x,x)
What is read here is the four bytes at PEB address + 0x0C.
With WinDbg we can look at the layout of nt!_PEB:
0: kd> dt nt!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 SpareBool        : UChar
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
...
At +0x0C is a pointer to a _PEB_LDR_DATA structure, which holds loader-related data; the process's module lists are stored in Ldr. Below is the layout of _PEB_LDR_DATA:
0: kd> dt nt!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr32 Void
   +0x00c InLoadOrderModuleList : _LIST_ENTRY
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY
   +0x024 EntryInProgress  : Ptr32 Void
Here InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList are the lists of the modules currently loaded in the process, just sorted in different ways. EnumProcessModules enumerates via InMemoryOrderModuleList, while according to the Win2k code the ToolHelp32 functions enumerate via InLoadOrderModuleList. All three _LIST_ENTRYs are members of one RTL_PROCESS_MODULE_INFORMATION structure. That structure is referenced in the 2k code but not precisely defined; below is the definition from ReactOS, though it appears the structure used by the PSAPI on my Vista has changed somewhat, so treat this as reference only.
//
// Loader Data Table Entry
//
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union
    {
        LIST_ENTRY HashLinks;
        PVOID SectionPointer;
    };
    ULONG CheckSum;
    union
    {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    };
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
At this point the method for hiding a module is clear: get the Ldr data through the PEB, take the three module lists, and unlink the module to be hidden from each of them. The main code is below:
// Added so the function compiles (not part of the original post): headers and the
// NtQueryInformationProcess prototype. PROCESS_BASIC_INFORMATION, PEB, PEB_LDR_DATA and
// LDR_DATA_TABLE_ENTRY must be declared with their full fields (for example the ReactOS
// definition above); the reduced versions in winternl.h have no InLoadOrderLinks.
// DebugOut/DebugOutW are the author's own debug-print helpers and are not shown here.
#include <windows.h>
#include <tchar.h>

typedef LONG (NTAPI *pfnNtQueryInformationProcess)( HANDLE, ULONG, PVOID, ULONG, PULONG);

BOOL HideMyself()
{
        HMODULE hMod = GetModuleHandle( _T( "ntdll.dll"));
        HMODULE hModMyself = GetModuleHandle( _T("dll.dll"));    // the module to hide
        pfnNtQueryInformationProcess p = (pfnNtQueryInformationProcess)::GetProcAddress( hMod, "NtQueryInformationProcess");
        if ( p == NULL || hModMyself == NULL)
                return FALSE;

        // ProcessBasicInformation (class 0) gives us the PEB address
        PROCESS_BASIC_INFORMATION stInfo = {0};
        DWORD dwRetnLen = 0;
        LONG status = p( GetCurrentProcess(), 0, &stInfo, sizeof(stInfo), &dwRetnLen);
        if ( status < 0)
                return FALSE;

        PPEB pPeb = stInfo.PebBaseAddress;
        PLIST_ENTRY ListHead, Current;
        PLDR_DATA_TABLE_ENTRY pstEntry = NULL;

        // 1. InLoadOrderModuleList: entries are linked through InLoadOrderLinks
        ListHead = &( pPeb->Ldr->InLoadOrderModuleList);
        Current = ListHead->Flink;
        while ( Current != ListHead)
        {
                pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
                //DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint);
                if ( pstEntry->DllBase == hModMyself)
                {
                        // unlink: the neighbours point past this entry; the entry itself is left intact
                        pstEntry->InLoadOrderLinks.Flink->Blink = pstEntry->InLoadOrderLinks.Blink;
                        pstEntry->InLoadOrderLinks.Blink->Flink = pstEntry->InLoadOrderLinks.Flink;
                        DebugOut( _T( "Hide injected dll."));
                        break;
                }
                Current = pstEntry->InLoadOrderLinks.Flink;
        }

        // 2. InMemoryOrderModuleList: the list EnumProcessModules walks
        ListHead = &( pPeb->Ldr->InMemoryOrderModuleList);
        Current = ListHead->Flink;
        while ( Current != ListHead)
        {
                pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InMemoryOrderModuleList);
                DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint);
                if ( pstEntry->DllBase == hModMyself)
                {
                        pstEntry->InMemoryOrderModuleList.Flink->Blink = pstEntry->InMemoryOrderModuleList.Blink;
                        pstEntry->InMemoryOrderModuleList.Blink->Flink = pstEntry->InMemoryOrderModuleList.Flink;
                        DebugOut( _T( "Hide injected dll."));
                        break;
                }
                Current = pstEntry->InMemoryOrderModuleList.Flink;
        }
        DebugOutW( L"\r\n");

        // 3. InInitializationOrderModuleList
        ListHead = &( pPeb->Ldr->InInitializationOrderModuleList);
        Current = ListHead->Flink;
        while ( Current != ListHead)
        {
                pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InInitializationOrderModuleList);
                DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint);
                if ( pstEntry->DllBase == hModMyself)
                {
                        pstEntry->InInitializationOrderModuleList.Flink->Blink = pstEntry->InInitializationOrderModuleList.Blink;
                        pstEntry->InInitializationOrderModuleList.Blink->Flink = pstEntry->InInitializationOrderModuleList.Flink;
                        DebugOut( _T( "Hide injected dll."));
                        break;
                }
                Current = pstEntry->InInitializationOrderModuleList.Flink;
        }
        //DebugOut( _T("Out HideMyself\r\n"));
        return TRUE;
}
        After this treatment the hidden module can no longer be enumerated by the conventional module-enumeration methods, and Process Explorer cannot enumerate it either. However, it can still be found by unconventional methods such as enumerating the process's memory space. To understand how the PSAPI and Toolhelp functions enumerate modules, reverse the Windows code or look for the code online.
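As an added example (not code from the article or its author), here is the cross-view check the last paragraph alludes to: walk the loader lists and compare them against the image bases a memory walk reports, so an entry that was unlinked shows up as a mapped image with no list entry. It uses constructed stand-ins for the Windows structures and a constructed four-module process so it builds and runs anywhere; the field layout and the sample bases are assumptions, not real offsets.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-ins for the Windows structures the article uses (constructed so this builds
   with any C compiler; field order follows the ReactOS LDR_DATA_TABLE_ENTRY above,
   the real layout varies between Windows versions). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _LDR_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;
    LIST_ENTRY  InMemoryOrderLinks;
    LIST_ENTRY  InInitializationOrderLinks;
    uintptr_t   DllBase;
    const char *BaseDllName;
} LDR_ENTRY;
typedef struct _PEB_LDR_DATA {
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
} PEB_LDR_DATA;

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* The unlink the article performs on each list: neighbours point past the entry. */
static void list_unlink(LIST_ENTRY *e) { e->Flink->Blink = e->Blink; e->Blink->Flink = e->Flink; }
/* Does the list headed by `h` (linked through the LIST_ENTRY at byte offset `off`
   inside LDR_ENTRY) contain an entry whose DllBase equals `base`? */
static int list_has_base(const LIST_ENTRY *h, size_t off, uintptr_t base)
{
    const LIST_ENTRY *c;
    for (c = h->Flink; c != h; c = c->Flink)
        if (((const LDR_ENTRY *)((const char *)c - off))->DllBase == base) return 1;
    return 0;
}
/* Cross-view check: every image base a memory walk (VirtualQueryEx + PE header check)
   reports must also be reachable from the load-order and memory-order lists. The
   initialization-order list is skipped because the main executable never appears on it.
   Returns the number of unlisted images; the first one's base goes to *first_hidden. */
static int find_unlisted_images(const PEB_LDR_DATA *ldr, const uintptr_t *image_bases,
                                size_t n, uintptr_t *first_hidden)
{
    int found = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        uintptr_t b = image_bases[i];
        if (!list_has_base(&ldr->InLoadOrderModuleList, offsetof(LDR_ENTRY, InLoadOrderLinks), b) ||
            !list_has_base(&ldr->InMemoryOrderModuleList, offsetof(LDR_ENTRY, InMemoryOrderLinks), b)) {
            if (found == 0 && first_hidden) *first_hidden = b;
            found++;
        }
    }
    return found;
}

/* Constructed scenario: four mapped images. With `hide` set, the dll.dll entry is
   unlinked from all three lists exactly as HideMyself() does, while its image stays
   mapped, so the (simulated) memory walk still reports its base. */
int demo_hidden_count(int hide, uintptr_t *first_hidden)
{
    LDR_ENTRY mods[4] = {
        { {0,0}, {0,0}, {0,0}, 0x00400000u, "host.exe"     },
        { {0,0}, {0,0}, {0,0}, 0x77000000u, "ntdll.dll"    },
        { {0,0}, {0,0}, {0,0}, 0x76000000u, "kernel32.dll" },
        { {0,0}, {0,0}, {0,0}, 0x10000000u, "dll.dll"      },   /* the injected module */
    };
    uintptr_t image_bases[4];
    PEB_LDR_DATA ldr;
    size_t i;

    list_init(&ldr.InLoadOrderModuleList);
    list_init(&ldr.InMemoryOrderModuleList);
    list_init(&ldr.InInitializationOrderModuleList);
    for (i = 0; i < 4; i++) {
        list_append(&ldr.InLoadOrderModuleList,   &mods[i].InLoadOrderLinks);
        list_append(&ldr.InMemoryOrderModuleList, &mods[i].InMemoryOrderLinks);
        if (i != 0)   /* the main image is not on the initialization-order list */
            list_append(&ldr.InInitializationOrderModuleList, &mods[i].InInitializationOrderLinks);
        image_bases[i] = mods[i].DllBase;   /* what the memory walk would report */
    }
    if (hide) {
        list_unlink(&mods[3].InLoadOrderLinks);
        list_unlink(&mods[3].InMemoryOrderLinks);
        list_unlink(&mods[3].InInitializationOrderLinks);
    }
    if (first_hidden) *first_hidden = 0;
    return find_unlisted_images(&ldr, image_bases, 4, first_hidden);
}

/* Convenience wrapper: base of the first unlisted image (0 if none). */
uintptr_t demo_hidden_base(int hide)
{
    uintptr_t b = 0;
    demo_hidden_count(hide, &b);
    return b;
}
```

On a live process the same comparison is done with the bases returned by VirtualQueryEx plus an "MZ" check, which is exactly the "unconventional" route the article says still finds the module.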


Latest replies (71)
#2 wyfe 2008-2-20 18:53
Such a good post and nobody's bumping it; that's just wrong.
#3 zhtjia 2008-2-20 19:15
Good post, bump.
#4 安摧 2 2008-2-20 19:20
Nice, bookmarked!!!
Thanks for the hard work, OP.
#5 Yukit 2008-2-20 19:46
Thanks OP, studying it.
#6 aki 2 2008-2-20 20:01
DLL file a erases itself. When exe file b loads file a, the result LoadLibrary returns is wrong...
#7 combojiang 26 2008-2-20 22:06
Grabbing a seat first, will enjoy it slowly.
#8 hnwujunabc 2008-2-20 22:11
Bump bump bump bump bump bump
#9 goodcode 2 2008-2-21 00:01
Bump, nice.
#10 forgot 26 2008-2-21 00:20
; Comments and the esi/ebx save/restore are added; otherwise as posted.
; Walks InLoadOrderModuleList until the entry whose BaseAddress equals hInstDLL
; is found (the loop assumes the module is present), then unlinks that entry
; from the load-order and memory-order lists.
HideModuleFromPEB proc hInstDLL:DWORD
        assume  fs:nothing
        push    esi
        push    ebx
        mov     esi,hInstDLL
        xor     eax,eax
        mov     eax,fs:[eax].TEB.Peb                      ; TEB -> PEB
        mov     eax,[eax].PEB.Ldr                         ; PEB -> Ldr
        lea     eax,[eax].PEB_LDR_DATA.InLoadOrderModuleList ; list head
        @@:
        mov     eax,[eax].LDR_MODULE.InLoadOrderModuleList.Flink ; next entry (links sit at offset 0)
        cmp     esi,[eax].LDR_MODULE.BaseAddress
        jnz     @B
        ; InLoadOrderModuleList: Blink->Flink = Flink, Flink->Blink = Blink
        mov     esi,[eax].LIST_ENTRY.Flink
        mov     ebx,[eax].LIST_ENTRY.Blink
        mov     [ebx].LIST_ENTRY.Flink,esi
        mov     esi,[eax].LIST_ENTRY.Blink
        mov     ebx,[eax].LIST_ENTRY.Flink
        mov     [ebx].LIST_ENTRY.Blink,esi
        ; InMemoryOrderModuleList: same fix-up on the second pair of links
        lea     eax,[eax].LDR_MODULE.InMemoryOrderModuleList
        mov     esi,[eax].LIST_ENTRY.Flink
        mov     ebx,[eax].LIST_ENTRY.Blink
        mov     [ebx].LIST_ENTRY.Flink,esi
        mov     esi,[eax].LIST_ENTRY.Blink
        mov     ebx,[eax].LIST_ENTRY.Flink
        mov     [ebx].LIST_ENTRY.Blink,esi
        pop     ebx
        pop     esi
        ret
HideModuleFromPEB endp
#11 Bughoho 8 2008-2-21 01:12
Here's a snippet of mine too, used for reserving memory; testdll is implicitly linked.

// Fragment as posted, wrapped in a function so it compiles (the wrapper, headers, the
// list-head check and the comments are added). UnicodeToAnsi and CO_SAFE_DELETE are
// the poster's own helpers. Offsets are the 32-bit LDR_MODULE layout given later in this thread.
#include <windows.h>
#include <string.h>

BOOL ReserveImageMemory()
{
        void *PEB = NULL;
        void *Ldr = NULL;
        _LIST_ENTRY *Flink = NULL;
        _LIST_ENTRY *Head = NULL;
        _LIST_ENTRY *p = NULL;
        BYTE        *BaseAddress = NULL;
        BYTE        *FullDllName = NULL;
        __asm
        {
                mov eax,fs:[0x30]       // TEB->Peb
                mov PEB,eax
        }
        Ldr = *( ( void ** )( ( unsigned char * )PEB+0x0c ) );                 // PEB+0x0c: Ldr
        Head = ( _LIST_ENTRY * )( ( unsigned char * )Ldr+ 0x0c );               // Ldr+0x0c: InLoadOrderModuleList head
        Flink = (_LIST_ENTRY*)*( ( void ** )( ( unsigned char * )Ldr+ 0x0c ) ); // head.Flink: first entry
        p = Flink;
        do
        {
                if ( p == Head )        // the head lives inside PEB_LDR_DATA and has no module fields
                {
                        p = p->Flink;
                        continue;
                }
                BaseAddress = *( ( BYTE ** )( ( unsigned char * )p+ 0x18 ) );   // LDR_MODULE.BaseAddress
                FullDllName = *( ( BYTE ** )( ( unsigned char * )p+ 0x28 ) );   // LDR_MODULE.FullDllName.Buffer
                LPSTR strFullDllName;
                UnicodeToAnsi((LPCOLESTR)FullDllName,&strFullDllName);
                if( strFullDllName )
                {
                        if( strstr(strFullDllName,"testdll") )
                        {
                                *(LPDWORD)((LPBYTE)p + 0x38) = 1;       // LoadCount = 1 (TlsIndex = 0) so one FreeLibrary unloads it
                        }
                }
                CO_SAFE_DELETE(strFullDllName);
                p = p->Flink;
        }
        while ( Flink != p );

        FreeLibrary(GetModuleHandle("testdll.dll"));

        // expects the freed image range to be handed back at 0x400000
        LPVOID lpdata = VirtualAlloc((LPVOID)NULL,1024*1024*6,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if( lpdata != (LPVOID)0x400000 )
        {
                return FALSE;
        }
        return TRUE;
}
#12 wynney 24 2008-2-21 10:01
Everyone's posting code snippets, so here's mine.

// Fragment as posted; the function wrapper, headers, the initialisation of `modulo`
// from the PEB (x86 fs:[0x30], as used elsewhere in this thread) and the comments are
// added so it compiles. LDR_MODULE/PEB_LDR_DATA as declared later in this thread.
#include <windows.h>
#include <intrin.h>

BOOL HideModule( ULONG_PTR DllHandle)
{
    LDR_MODULE *modulo, *prec, *next;
    PEB_LDR_DATA *ldr = *(PEB_LDR_DATA **)((BYTE *)__readfsdword(0x30) + 0x0c);   // PEB->Ldr
    modulo = (LDR_MODULE*)ldr->InLoadOrderModuleList.Flink;   // links sit at offset 0, so a link is an entry

    // Arriving back at the head reads PEB_LDR_DATA+0x24 as BaseAddress, which is normally 0: that ends the loop.
    while(modulo->BaseAddress != 0)
    {
        if( (ULONG_PTR)modulo->BaseAddress == DllHandle)
        {
            if(modulo->InInitializationOrderModuleList.Blink == NULL) return FALSE;

            // InInitializationOrderModuleList is at +0x10, hence -16 to get back to the entry
            prec = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo->InInitializationOrderModuleList.Blink - 16);
            next = (LDR_MODULE*)(ULONG_PTR)((ULONG_PTR)modulo->InInitializationOrderModuleList.Flink - 16);

            prec->InInitializationOrderModuleList.Flink = modulo->InInitializationOrderModuleList.Flink;
            next->InInitializationOrderModuleList.Blink = modulo->InInitializationOrderModuleList.Blink;

            prec = (LDR_MODULE*)modulo->InLoadOrderModuleList.Blink;
            next = (LDR_MODULE*)modulo->InLoadOrderModuleList.Flink;

            // memory-order links are patched via the load-order neighbours: assumes both lists share them
            prec->InLoadOrderModuleList.Flink = modulo->InLoadOrderModuleList.Flink;
            prec->InMemoryOrderModuleList.Flink = modulo->InMemoryOrderModuleList.Flink;

            next->InLoadOrderModuleList.Blink = modulo->InLoadOrderModuleList.Blink;
            next->InMemoryOrderModuleList.Blink = modulo->InMemoryOrderModuleList.Blink;

            return TRUE;
        }
        modulo = (LDR_MODULE*)modulo->InLoadOrderModuleList.Flink;
    }
    return FALSE;
}
#13 海风月影 17 2008-2-21 13:27
Brute-force search memory and dig it out by force.
#14 foxabu 13 2008-2-21 14:40
Brute force is coming, run!
#15 sucsor 2008-2-21 15:19
Use VirtualQueryEx to enumerate the virtual memory regions in the process, then locate the image base of each mapped image from the PE structure and the memory attributes. That pins down the following three values, which are stored contiguously:
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
Search memory for these three values and you can locate the LDR entry.
#16 kingasm 2008-2-21 15:41
IceSword can still find it.
#17 sjm 2008-6-19 20:10
(273) : error C2146: syntax error : missing ';' before identifier 'FullDllName'
(273) : error C2501: 'UNICODE_STRING' : missing storage-class or type specifiers
(273) : error C2501: 'FullDllName' : missing storage-class or type specifiers
(274) : error C2146: syntax error : missing ';' before identifier 'BaseDllName'
(274) : error C2501: 'UNICODE_STRING' : missing storage-class or type specifiers
(274) : error C2501: 'BaseDllName' : missing storage-class or type specifiers
(297) : error C2065: 'pfnNtQueryInformationProcess' : undeclared identifier

It doesn't compile; which header files are needed? VC6.0
#18 xPLK 3 2008-6-19 20:56
Here's one that compiles: http://hi.baidu.com/zoo_/blog/item/4b695c8737e7862fc75cc33c.html
Add these declarations at the top:
typedef struct _UNICODE_STRING
{
        USHORT Length;
        USHORT MaximumLength;
        PWSTR  Buffer;
} UNICODE_STRING,*PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
        ULONG                   Length;
        BOOLEAN                 Initialized;
        PVOID                   SsHandle;
        LIST_ENTRY              InLoadOrderModuleList;
        LIST_ENTRY              InMemoryOrderModuleList;
        LIST_ENTRY              InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_MODULE
{
        LIST_ENTRY          InLoadOrderModuleList;   //+0x00
        LIST_ENTRY          InMemoryOrderModuleList; //+0x08  
        LIST_ENTRY          InInitializationOrderModuleList; //+0x10
        void*               BaseAddress;  //+0x18
        void*               EntryPoint;   //+0x1c
        ULONG               SizeOfImage;
        UNICODE_STRING      FullDllName;
        UNICODE_STRING      BaseDllName;
        ULONG               Flags;
        SHORT               LoadCount;
        SHORT               TlsIndex;
        HANDLE              SectionHandle;
        ULONG               CheckSum;
        ULONG               TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
#19 cloudliu 2008-11-8 13:29
Great post, studying it.
#20 QIQI 1 2008-11-8 15:45
Totally useless.
#21 shoooo 16 2008-11-8 16:04
Thanks OP, I've been looking for this piece for a long time.
#22 ccccjf 2008-11-12 17:46
I compiled it in Microsoft Visual C++ 6.0 as you said and got the following result:
#23 ccccjf 2008-11-12 17:49
This is the .cpp file I put together following your instructions:
// added: USHORT, PWSTR, LIST_ENTRY, HMODULE and CONTAINING_RECORD are all declared here
#include <windows.h>

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING,*PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    ULONG                   Length;
    BOOLEAN                 Initialized;
    PVOID                   SsHandle;
    LIST_ENTRY              InLoadOrderModuleList;
    LIST_ENTRY              InMemoryOrderModuleList;
    LIST_ENTRY              InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_MODULE
{
    LIST_ENTRY          InLoadOrderModuleList;   //+0x00
    LIST_ENTRY          InMemoryOrderModuleList; //+0x08
    LIST_ENTRY          InInitializationOrderModuleList; //+0x10
    void*               BaseAddress;  //+0x18
    void*               EntryPoint;   //+0x1c
    ULONG               SizeOfImage;
    UNICODE_STRING      FullDllName;
    UNICODE_STRING      BaseDllName;
    ULONG               Flags;
    SHORT               LoadCount;
    SHORT               TlsIndex;
    HANDLE              SectionHandle;
    ULONG               CheckSum;
    ULONG               TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

void HideDll()
{
    HMODULE hMod = ::GetModuleHandle("mydll.dll");
    PLIST_ENTRY Head,Cur;
    PPEB_LDR_DATA ldr;
    PLDR_MODULE ldm;
    __asm
    {
        mov eax , fs:[0x30]         // TEB->Peb
        mov ecx , [eax + 0x0c]      // Ldr
        mov ldr , ecx
    }
    Head = &(ldr->InLoadOrderModuleList);
    Cur = Head->Flink;
    do
    {
        ldm = CONTAINING_RECORD( Cur, LDR_MODULE, InLoadOrderModuleList);
        //printf("EntryPoint [0x%X]\n",ldm->BaseAddress);
        if( hMod == ldm->BaseAddress)
        {
            // unlink from all three lists
            ldm->InLoadOrderModuleList.Blink->Flink =
                ldm->InLoadOrderModuleList.Flink;
            ldm->InLoadOrderModuleList.Flink->Blink =
                ldm->InLoadOrderModuleList.Blink;
            ldm->InInitializationOrderModuleList.Blink->Flink =
                ldm->InInitializationOrderModuleList.Flink;
            ldm->InInitializationOrderModuleList.Flink->Blink =
                ldm->InInitializationOrderModuleList.Blink;
            ldm->InMemoryOrderModuleList.Blink->Flink =
                ldm->InMemoryOrderModuleList.Flink;
            ldm->InMemoryOrderModuleList.Flink->Blink =
                ldm->InMemoryOrderModuleList.Blink;
            break;
        }
        Cur= Cur->Flink;
    }while(Head != Cur);
}
#24 雪的思念 2008-11-19 02:51
Grabbing a seat, will read it slowly.
#25 twoseconds 2008-12-2 18:55
Bump, and bump again,
#26 twoseconds 2008-12-13 15:45
Awesome.
Studying it..
#27 xbeggar 2008-12-21 20:12
My approach is to write my own loader and corrupt the PE header information after loading.
#28 yaolibing 2008-12-21 21:27
Good post, good post, bump.
#29 yachli 2008-12-22 17:00
All said and done, whose is the strongest? Whose hides the deepest?
#30 Ginzo 2008-12-23 01:48
Learned something; I'm really lacking in this area.
#31 xoojo 2008-12-23 13:26
I'm really lacking in knowledge in this area!
#32 xxyyzasabc 2009-1-14 21:42
Good article, enjoying it slowly.
#33 SafeNdis 3 2009-1-14 22:17
Your DLL hiding only fools specific functions; see my post "a DLL without a DLL".
#34 chhzh 2009-4-4 16:50
Bump bump bump
#35 圣新冰心 2009-5-5 21:30
Same idea as mine; I'll have to research a new method, since something once published is no longer a secret.
#36 kelthuzad 2009-5-31 01:26
Heh, grabbing a seat, will read it tomorrow.
#37 dibotiger 2010-3-13 18:13
Tried it out and achieved the goal of disappearing from the process's module list. But the problem that followed seems more serious:

After the DLL works normally for a while (anywhere from a few tens of seconds), the host process errors out, crashes and exits.

My initial suspicion was a conflict with some module, so I commented out the original worker threads one by one for debugging, keeping only the last essential worker thread, but it still errors out.

If the DLL manages to disappear from the process but causes the process to crash, that seems hardly worth it. Or is there a key issue I'm not yet aware of?

Any advice appreciated, thanks!
#38 sharenpk 2010-5-22 15:58
Where is that post? Couldn't find it....
#39 xianzq 2010-5-24 10:23
Personally I wonder whether it would be enough to just hook the functions that enumerate process threads and modules again....
#40 pengpzy 2010-5-25 10:03
Where is "a DLL without a DLL"?
#41 sinbreak 2010-6-18 11:57
Passing by, spectating!
#42 xiefei 2010-6-19 22:18
Thanks OP, studying it.
#43 小桃红 2010-6-20 01:53
Just write the injected code directly in assembly and do the relocation yourself; it's a hassle, but there's no DLL.
#44 名叫教主 2010-6-20 10:33
Personally I think this is good, but it seems to still be working at the API level. I remember some C code called MemoryModule that simulated the DLL loading process.
LdrLoadLibraryXX updates kernel data structures afterwards, but MemoryModule is lazy and doesn't update the kernel, so naturally the API can't see the DLL module. That method evades all current API-based detection.
#45 comemy 2010-6-20 15:53
Seen it, flying by!!!!!!!
#46 mudfan 2010-6-21 01:19
What about modifying the PE header?
#47 kindsjay 4 2010-6-21 15:54
Good stuff. But it looks like some functions weren't posted, right?!
#48 nogod 2010-8-11 21:25
//g_ldm->InLoadOrderModuleList.Flink->Blink = &g_ldm->InLoadOrderModuleList;
//g_ldm->InLoadOrderModuleList.Blink->Flink = &g_ldm->InLoadOrderModuleList;

//g_ldm->InInitializationOrderModuleList.Flink->Blink = &g_ldm->InInitializationOrderModuleList;
//g_ldm->InInitializationOrderModuleList.Blink->Flink = &g_ldm->InInitializationOrderModuleList;

//g_ldm->InMemoryOrderModuleList.Flink->Blink = &g_ldm->InMemoryOrderModuleList;
//g_ldm->InMemoryOrderModuleList.Blink->Flink = &g_ldm->InMemoryOrderModuleList;

After hiding, I tried to restore the hidden DLL with the code above, but it doesn't work. Could the experts advise how to restore it after hiding?
#50 jokersky 1 2010-10-28 06:28
Can't understand it~
Studying hard~
Hope one day I can understand it~
Thanks OP~