先来推广一下QQ群:61618925。欢迎各位爱好编程的加入。
在外挂或者病毒中,经常需要隐藏掉自己注入的DLL,以免被发现。下面就是一个隐藏DLL的通用模块,用的时候只需要加入到相关模块中即可。
详细代码如下:
#include <iostream> using namespace std; void HideModule(char *szModule)
{
DWORD *PEB = NULL;
DWORD *Ldr = NULL;
DWORD *Flink = NULL;
DWORD *p = NULL;
DWORD *BaseAddress = NULL;
DWORD *FullDllName = NULL; //定位PEB
__asm
{
//fs位置保存着teb
//fs:[0x30]位置保存着peb
mov eax,fs:[0x30]
mov PEB,eax
} HMODULE hMod = GetModuleHandleA(szModule); //得到LDR
Ldr = *((DWORD **)((unsigned char *)PEB + 0x0c));
//第二条链表
Flink = *((DWORD **)((unsigned char *)Ldr + 0x0c));
p = Flink; do
{
BaseAddress = *((DWORD **)((unsigned char *)p + 0x18));
FullDllName = *((DWORD **)((unsigned char *)p + 0x28)); if ((DWORD*)hMod == BaseAddress)
{
**((DWORD **)(p + )) = (DWORD)*((DWORD **)p);
*(*((DWORD **)p) + ) = (DWORD)*((DWORD **)(p + ));
break;
} p = *((DWORD **)p);
} while (Flink != p); Flink = *((DWORD **)((unsigned char *)Ldr + 0x14));
p = Flink;
do
{
BaseAddress = *((DWORD **)((unsigned char *)p + 0x10));
FullDllName = *((DWORD **)((unsigned char *)p + 0x20));
if (BaseAddress == (DWORD *)hMod)
{
**((DWORD **)(p + )) = (DWORD)*((DWORD **)p);
*(*((DWORD **)p) + ) = (DWORD)*((DWORD **)(p + ));
break;
}
p = *((DWORD **)p);
} while (Flink != p); Flink = *((DWORD **)((unsigned char *)Ldr + 0x1c));
p = Flink;
do
{
BaseAddress = *((DWORD **)((unsigned char *)p + 0x8));
FullDllName = *((DWORD **)((unsigned char *)p + 0x18));
if (BaseAddress == (DWORD *)hMod)
{
**((DWORD **)(p + )) = (DWORD)*((DWORD **)p);
*(*((DWORD **)p) + ) = (DWORD)*((DWORD **)(p + ));
break;
}
p = *((DWORD **)p);
} while (Flink != p);
} int main(int argc, char **argv)
{
HideModule("kernel32.dll");
HideModule("ntdll.dll");
HideModule("MSVCR90.dll");
HideModule("KERNELBASE.dll");
getchar();
return ;
}
用我之前博客中的进程管理器查看本进程的DLL,可以发现找不到相应的DLL。