通过PEB隐藏进程中dll的模块
通过PEB隐藏进程中dll的模块
通过PEB隐藏进程中dll的模块,及一些结构定义
对通过Toolhelp枚举进程内模块的方法有效
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include masm32.inc
includelib kernel32.lib
includelib user32.lib
includelib masm32.lib
; 32-bit widths only: the file is assembled for x86-32 (.386 / flat), so a
; pointer is a DWORD. These aliases let the structures below read like the
; SDK definitions while keeping the offsets they document.
PVOID typedef DWORD
USHORT typedef WORD
PWSTR typedef DWORD
; Bit field overlaying the DWORD at PEB+34h. A MASM RECORD lists fields
; most-significant first, so SpareBits is the high 30 bits and
; ExecuteOptions the low 2 bits -- matching the per-field comments.
PEB_BITS RECORD \
SpareBits:30, ; bits 2-31
ExecuteOptions:2 ; bits 0-1
; 64-bit unsigned value. The anonymous struct exposes .LowPart/.HighPart
; directly, the named struct exposes the same pair as .u.LowPart/.u.HighPart,
; and .QuadPart covers all 8 bytes.
; NOTE(review): windows.inc may already declare ULARGE_INTEGER -- confirm
; this local copy does not collide with it.
ULARGE_INTEGER UNION
struct
LowPart DWORD ?
HighPart DWORD ?
ends
struct u
LowPart DWORD ?
HighPart DWORD ?
ends
QuadPart QWORD ?
ULARGE_INTEGER ENDS
; Counted UTF-16 string as used by the loader (8 bytes). Both lengths are in
; bytes, not characters. The first field is spelled _Length because LENGTH
; is a MASM operator.
UNICODE_STRING STRUCT
_Length WORD ? ; len of string in bytes (not chars)
MaximumLength WORD ? ; len of Buffer in bytes (not chars)
Buffer PWSTR ? ; pointer to string
UNICODE_STRING ENDS
; Process Environment Block, 32-bit layout (sizeof = 0230h).
; Only Ldr (000Ch) is read by HideModuleFromPEB; every other field is listed
; so that offset comes out right, and each must keep its exact size/position
; (the offset comments add up to 0230h).
; NOTE(review): this layout corresponds to one particular Windows release;
; confirm it against the target OS before relying on any field past Ldr.
PEB STRUCT ; sizeof = 0230h
InheritedAddressSpace BYTE ? ; 0000h
ReadImageFileExecOptions BYTE ? ; 0001h
BeingDebugged BYTE ? ; 0002h
SpareBool BYTE ? ; 0003h
Mutant PVOID ? ; 0004h
ImageBaseAddress PVOID ? ; 0008h
Ldr PVOID ? ; 000Ch PTR PEB_LDR_DATA -- the only field this file reads
ProcessParameters PVOID ? ; 0010h PTR RTL_USER_PROCESS_PARAMETERS
SubSystemData PVOID ? ; 0014h
ProcessHeap PVOID ? ; 0018h
FastPebLock PVOID ? ; 001Ch PTR RTL_CRITICAL_SECTION
SparePtr1 PVOID ? ; 0020h
SparePtr2 PVOID ? ; 0024h
EnvironmentUpdateCount DWORD ? ; 0028h
KernelCallbackTable PVOID ? ; 002Ch
SystemReserved DWORD 1 dup(?) ; 0030h
PebBits PEB_BITS <> ; 0034h named by me
FreeList PVOID ? ; 0038h PTR PEB_FREE_BLOCK
TlsExpansionCounter DWORD ? ; 003Ch
TlsBitmap PVOID ? ; 0040h
TlsBitmapBits DWORD 2 dup(?) ; 0044h
ReadOnlySharedMemoryBase PVOID ? ; 004Ch
ReadOnlySharedMemoryHeap PVOID ? ; 0050h
ReadOnlyStaticServerData PVOID ? ; 0054h
AnsiCodePageData PVOID ? ; 0058h
OemCodePageData PVOID ? ; 005Ch
UnicodeCaseTableData PVOID ? ; 0060h
NumberOfProcessors DWORD ? ; 0064h
NtGlobalFlag DWORD ? ; 0068h
DWORD ? ; 006Ch padding (unnamed) so CriticalSectionTimeout lands on 0070h
CriticalSectionTimeout LARGE_INTEGER <> ; 0070h
HeapSegmentReserve DWORD ? ; 0078h
HeapSegmentCommit DWORD ? ; 007Ch
HeapDeCommitTotalFreeThreshold DWORD ? ; 0080h
HeapDeCommitFreeBlockThreshold DWORD ? ; 0084h
NumberOfHeaps DWORD ? ; 0088h
MaximumNumberOfHeaps DWORD ? ; 008Ch
ProcessHeaps PVOID ? ; 0090h
GdiSharedHandleTable PVOID ? ; 0094h
ProcessStarterHelper PVOID ? ; 0098h
GdiDCAttributeList DWORD ? ; 009Ch
LoaderLock PVOID ? ; 00A0h PTR RTL_CRITICAL_SECTION
OSMajorVersion DWORD ? ; 00A4h
OSMinorVersion DWORD ? ; 00A8h
OSBuildNumber WORD ? ; 00ACh
OSCSDVersion WORD ? ; 00AEh
OSPlatformId DWORD ? ; 00B0h
ImageSubsystem DWORD ? ; 00B4h
ImageSubsystemMajorVersion DWORD ? ; 00B8h
ImageSubsystemMinorVersion DWORD ? ; 00BCh
ImageProcessAffinityMask DWORD ? ; 00C0h
GdiHandleBuffer DWORD 34 dup(?) ; 00C4h (34*4 = 88h bytes)
PostProcessInitRoutine PVOID ? ; 014Ch
TlsExpansionBitmap PVOID ? ; 0150h
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0154h (32*4 = 80h bytes)
SessionId DWORD ? ; 01D4h
AppCompatFlags ULARGE_INTEGER <> ; 01D8h
AppCompatFlagsUser ULARGE_INTEGER <> ; 01E0h
pShimData PVOID ? ; 01E8h
AppCompatInfo PVOID ? ; 01ECh
CSDVersion UNICODE_STRING <> ; 01F0h
ActivationContextData PVOID ? ; 01F8h PTR ACTIVATION_CONTEXT_DATA
ProcessAssemblyStorageMap PVOID ? ; 01FCh PTR ASSEMBLY_STORAGE_MAP
SystemDefaultActivationContextData PVOID ? ; 0200h PTR ACTIVATION_CONTEXT_DATA
SystemAssemblyStorageMap PVOID ? ; 0204h PTR ASSEMBLY_STORAGE_MAP
MinimumStackCommit DWORD ? ; 0208h
FlsCallback PVOID ? ; 020Ch
FlsListHead LIST_ENTRY <> ; 0210h
FlsBitmap PVOID ? ; 0218h
FlsBitmapBits DWORD 4 dup(?) ; 021Ch
FlsHighIndex DWORD ? ; 022Ch
PEB ENDS
; Loader data pointed to by PEB.Ldr (sizeof = 24h). The three LIST_ENTRY
; fields are the heads of circular doubly-linked lists of LDR_MODULE entries.
; HideModuleFromPEB starts its walk at InLoadOrderModuleList (0Ch); because
; the list is circular, a walk that gets back to the head's own address has
; visited every entry.
PEB_LDR_DATA STRUCT ; sizeof = 24h
_Length DWORD ? ; original name Length (LENGTH is a MASM operator)
Initialized BYTE ? ; 04h
db 3 dup(?) ; padding to 08h
SsHandle PVOID ? ; 08h
InLoadOrderModuleList LIST_ENTRY <> ; 0Ch
InMemoryOrderModuleList LIST_ENTRY <> ; 14h
InInitializationOrderModuleList LIST_ENTRY <> ; 1Ch
PEB_LDR_DATA ENDS
; One loaded module as the loader tracks it (sizeof = 48h). The three
; LIST_ENTRY fields link the same entry into the three PEB_LDR_DATA lists.
; InLoadOrderModuleList sits at offset 0, so a pointer obtained from that
; list's Flink is also the LDR_MODULE pointer -- HideModuleFromPEB relies on
; this when it reads BaseAddress straight off the list pointer.
LDR_MODULE STRUCT
InLoadOrderModuleList LIST_ENTRY <> ; 00h
InMemoryOrderModuleList LIST_ENTRY <> ; 08h
InInitializationOrderModuleList LIST_ENTRY <> ; 10h
BaseAddress dd ? ; 18h  compared against hInstDLL
EntryPoint dd ? ; 1Ch
SizeOfImage dd ? ; 20h
FullDllName UNICODE_STRING <> ; 24h
BaseDllName UNICODE_STRING <> ; 2Ch
Flags dd ? ; 34h
LoadCount USHORT ? ; 38h
TlsIndex USHORT ? ; 3Ah
SectionHandle dd ? ; 3Ch
CheckSum dd ? ; 40h
TimeDateStamp dd ? ; 44h
LDR_MODULE ENDS
.code
; Name of the DLL the demo loads and then unlinks. It lives in .code, which
; is not writable, so it must stay a constant.
szUserDll db "lpk.dll",0
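;-----------------------------------------------------------------------
; HideModuleFromPEB(hInstDLL:DWORD)            stdcall, x86-32
; Walks PEB.Ldr->InLoadOrderModuleList for the LDR_MODULE whose
; BaseAddress == hInstDLL and splices that entry out of the
; InLoadOrderModuleList and InMemoryOrderModuleList chains.
; Only those two lists are touched: the InInitializationOrderModuleList
; links, the LDR_MODULE allocation and the mapped image itself are left
; as they are, so a cross-check of the three lists (or a walk of the
; mapped image regions) still shows the module. Per the file header this
; is aimed at Toolhelp-style enumeration, which reads these lists.
; In:    hInstDLL = module base address (as returned by LoadLibrary)
; Out:   eax = 0 if no entry with that base address exists (nothing was
;        modified); otherwise non-zero (points into the unlinked entry).
; Clobb: edx, flags. esi/ebx are callee-saved under stdcall and are now
;        preserved by USES (the original overwrote them without saving).
; NOTE(review): the lists are read and modified without any
;        synchronisation with the loader; a load/unload on another thread
;        during this walk would race it.
;-----------------------------------------------------------------------
HideModuleFromPEB proc uses esi ebx hInstDLL:DWORD
        assume  fs:nothing
        mov     esi,hInstDLL                  ; esi = base address to look for
        ; mov eax,fs:[eax].TEB.Peb            ; TEB.Peb is the DWORD at fs:[30h]
        mov     eax,fs:[30h]                  ; eax = PEB
        assume  eax:ptr PEB
        mov     eax,[eax].PEB.Ldr             ; eax = PEB_LDR_DATA
        assume  eax:ptr PEB_LDR_DATA
        lea     edx,[eax].PEB_LDR_DATA.InLoadOrderModuleList
        mov     eax,edx                       ; edx = list head (sentinel), eax = cursor
        assume  eax:ptr LDR_MODULE
@@:
        ; InLoadOrderModuleList is at offset 0 of LDR_MODULE, so the cursor is
        ; both the LIST_ENTRY pointer and the LDR_MODULE pointer.
        mov     eax,[eax].LDR_MODULE.InLoadOrderModuleList.Flink
        cmp     eax,edx                       ; back at the head: list exhausted
        jz      not_found                     ; (the original looped forever here)
        cmp     esi,[eax].LDR_MODULE.BaseAddress
        jnz     @B
        ; eax = matching entry. Splice it out of InLoadOrderModuleList:
        ;   Blink->Flink = Flink ; Flink->Blink = Blink
        assume  eax:ptr LIST_ENTRY
        assume  ebx:ptr LIST_ENTRY
        mov     esi,[eax].LIST_ENTRY.Flink
        mov     ebx,[eax].LIST_ENTRY.Blink
        mov     [ebx].LIST_ENTRY.Flink,esi
        mov     esi,[eax].LIST_ENTRY.Blink
        mov     ebx,[eax].LIST_ENTRY.Flink
        mov     [ebx].LIST_ENTRY.Blink,esi
        ; Same splice for the entry's InMemoryOrderModuleList links (offset 8).
        assume  eax:ptr LDR_MODULE
        lea     eax,[eax].LDR_MODULE.InMemoryOrderModuleList
        assume  eax:ptr LIST_ENTRY
        mov     esi,[eax].LIST_ENTRY.Flink
        mov     ebx,[eax].LIST_ENTRY.Blink
        mov     [ebx].LIST_ENTRY.Flink,esi
        mov     esi,[eax].LIST_ENTRY.Blink
        mov     ebx,[eax].LIST_ENTRY.Flink
        mov     [ebx].LIST_ENTRY.Blink,esi
        assume  eax:nothing
        assume  ebx:nothing
        ret                                   ; eax != 0: an entry was unlinked
not_found:
        xor     eax,eax                       ; eax = 0: nothing matched, nothing changed
        ret
HideModuleFromPEB endp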
;-----------------------------------------------------------------------
; myDebugShow2(tdebugEdx:DWORD)                stdcall
; Debug helper: formats tdebugEdx with "%x" into a stack buffer and shows
; it in a MessageBox captioned debugWin2.
; In:    tdebugEdx = value to display
; Out:   eax = MessageBox return value
; Clobb: eax, flags; esi/edi/ebx/ecx/edx are saved by USES.
; Stack: 100-byte local buffer (a DWORD in %x is at most 8 characters).
;-----------------------------------------------------------------------
myDebugShow2 proc uses esi edi ebx ecx edx tdebugEdx:DWORD
        local   hexText[100]:BYTE
        invoke  wsprintf,addr hexText,addr debugFmt2,tdebugEdx
        invoke  MessageBox,0,addr hexText,addr debugWin2,0
        ret
debugFmt2 db "%x",0                           ; wsprintf format
debugWin2 db "测试",0                          ; MessageBox caption
myDebugShow2 endp
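; Entry point of the demo: load lpk.dll, show its base address, unlink its
; loader entry, show "1", then block on an empty MessageBox (presumably so
; the process can be examined with a module enumerator) before exiting.
start:
        invoke  LoadLibrary,addr szUserDll
        test    eax,eax                       ; LoadLibrary returns 0 on failure
        jz      @F                            ; no base address -> skip the unlink
        push    eax                           ; keep the base across the debug call
        invoke  myDebugShow2,eax              ; show the module base
        pop     eax
        invoke  HideModuleFromPEB,eax
        invoke  myDebugShow2,1                ; second box: "1" after the unlink
@@:
        invoke  MessageBox,0,0,0,0            ; pause until the user closes it
        invoke  ExitProcess,0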
end start