原理：利用 PEB 结构，将模块从加载器链表中摘除。注意该方法只适用于 R3（用户态），R0（内核态）还是有办法看到的。
代码 注意：代码为 64 位，32 位道理一样，但需要稍微修改；之前的代码记不清是否支持 32 位了。
// HideDll.h
//
// Hand-declared copies of undocumented ntdll/loader structures used by
// HideModule64 (HideDll.cpp). The ULONGLONG/UINT64 members and the explicit
// PaddingN[4] members fix a 64-bit layout.
// NOTE(review): these layouts are undocumented and build-specific (see the
// Vergilius Project reference on the page). The fields HideDll.cpp actually
// touches are _PEB::Ldr, _PEB_LDR_DATA::InLoadOrderModuleList and, in
// _LDR_DATA_TABLE_ENTRY, the three *Links members plus DllBase; everything
// else appears to exist only to keep those members at the right offsets, so
// any build where the preceding fields differ in size silently breaks this.
#pragma once
#include <Windows.h>

// Mirrors ntdef.h: NTSTATUS values >= 0 are success or informational.
#define NT_SUCCESS(x) ((x) >= 0)
// Native ProcessBasicInformation is information class 0. The Win32
// PROCESS_INFORMATION_CLASS enum type is reused here only so the constant
// matches the parameter type of the typedef below; just the value matters.
#define ProcessBasicInformation (PROCESS_INFORMATION_CLASS)0

// Resolved at runtime from ntdll via GetProcAddress in HideDll.cpp.
typedef NTSTATUS (NTAPI* PFN_NtQueryInformationProcess) (
    IN HANDLE ProcessHandle,
    IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength);

// Resolved by HideModule64 but never called there (the PEB is read directly
// because the target is the current process).
typedef NTSTATUS (NTAPI* PFN_NtReadVirtualMemory) (
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesReaded OPTIONAL);

// Counted UTF-16 string; Length/MaximumLength are in bytes.
struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    WCHAR* Buffer;
};

// Loader data reachable from _PEB::Ldr. The three lists are doubly linked
// rings of _LDR_DATA_TABLE_ENTRY; HideModule64 walks InLoadOrderModuleList.
struct _PEB_LDR_DATA {
    ULONG Length;
    UCHAR Initialized;
    VOID* SsHandle;
    struct _LIST_ENTRY InLoadOrderModuleList;
    struct _LIST_ENTRY InMemoryOrderModuleList;
    struct _LIST_ENTRY InInitializationOrderModuleList;
    VOID* EntryInProgress;
    UCHAR ShutdownInProgress;
    VOID* ShutdownThreadId;
};

// 64-bit Process Environment Block. Only Ldr is read by HideDll.cpp; the
// remaining members reproduce the native layout up to Ldr and beyond.
struct _PEB {
    UCHAR InheritedAddressSpace;
    UCHAR ReadImageFileExecOptions;
    UCHAR BeingDebugged;
    union {
        UCHAR BitField;
        struct {
            UCHAR ImageUsesLargePages : 1;
            UCHAR IsProtectedProcess : 1;
            UCHAR IsImageDynamicallyRelocated : 1;
            UCHAR SkipPatchingUser32Forwarders : 1;
            UCHAR IsPackagedProcess : 1;
            UCHAR IsAppContainer : 1;
            UCHAR IsProtectedProcessLight : 1;
            UCHAR IsLongPathAwareProcess : 1;
        };
    };
    UCHAR Padding0[4];
    VOID* Mutant;
    VOID* ImageBaseAddress;
    struct _PEB_LDR_DATA * Ldr;   // -> loader lists (see _PEB_LDR_DATA)
    struct _RTL_USER_PROCESS_PARAMETERS * ProcessParameters;
    VOID* SubSystemData;
    VOID* ProcessHeap;
    struct _RTL_CRITICAL_SECTION * FastPebLock;
    union _SLIST_HEADER * volatile AtlThunkSListPtr;
    VOID* IFEOKey;
    union {
        ULONG CrossProcessFlags;
        struct {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ProcessPreviouslyThrottled : 1;
            ULONG ProcessCurrentlyThrottled : 1;
            ULONG ProcessImagesHotPatched : 1;
            ULONG ReservedBits0 : 24;
        };
    };
    UCHAR Padding1[4];
    union {
        VOID* KernelCallbackTable;
        VOID* UserSharedInfoPtr;
    };
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    VOID* ApiSetMap;
    ULONG TlsExpansionCounter;
    UCHAR Padding2[4];
    VOID* TlsBitmap;
    ULONG TlsBitmapBits[2];
    VOID* ReadOnlySharedMemoryBase;
    VOID* SharedData;
    VOID** ReadOnlyStaticServerData;
    VOID* AnsiCodePageData;
    VOID* OemCodePageData;
    VOID* UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    union _LARGE_INTEGER CriticalSectionTimeout;
    ULONGLONG HeapSegmentReserve;
    ULONGLONG HeapSegmentCommit;
    ULONGLONG HeapDeCommitTotalFreeThreshold;
    ULONGLONG HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    VOID** ProcessHeaps;
    VOID* GdiSharedHandleTable;
    VOID* ProcessStarterHelper;
    ULONG GdiDCAttributeList;
    UCHAR Padding3[4];
    struct _RTL_CRITICAL_SECTION * LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    UCHAR Padding4[4];
    ULONGLONG ActiveProcessAffinityMask;
    ULONG GdiHandleBuffer[60];
    VOID (*PostProcessInitRoutine)();
    VOID* TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];
    ULONG SessionId;
    UCHAR Padding5[4];
    union _ULARGE_INTEGER AppCompatFlags;
    union _ULARGE_INTEGER AppCompatFlagsUser;
    VOID* pShimData;
    VOID* AppCompatInfo;
    struct _UNICODE_STRING CSDVersion;
    struct _ACTIVATION_CONTEXT_DATA * ActivationContextData;
    struct _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap;
    struct _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData;
    struct _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap;
    ULONGLONG MinimumStackCommit;
    VOID* SparePointers[4];
    ULONG SpareUlongs[5];
    VOID* WerRegistrationData;
    VOID* WerShipAssertPtr;
    VOID* pUnused;
    VOID* pImageHeaderHash;
    union {
        ULONG TracingFlags;
        struct {
            ULONG HeapTracingEnabled : 1;
            ULONG CritSecTracingEnabled : 1;
            ULONG LibLoaderTracingEnabled : 1;
            ULONG SpareTracingBits : 29;
        };
    };
    UCHAR Padding6[4];
    ULONGLONG CsrServerReadOnlySharedMemoryBase;
    ULONGLONG TppWorkerpListLock;
    struct _LIST_ENTRY TppWorkerpList;
    VOID* WaitOnAddressHashTable[128];
    VOID* TelemetryCoverageHeader;
    ULONG CloudFileFlags;
    ULONG CloudFileDiagFlags;
    CHAR PlaceholderCompatibilityMode;
    CHAR PlaceholderCompatibilityModeReserved[7];
    struct _LEAP_SECOND_DATA * LeapSecondData;
    union {
        ULONG LeapSecondFlags;
        struct {
            ULONG SixtySecondEnabled : 1;
            ULONG Reserved : 31;
        };
    };
    ULONG NtGlobalFlag2;
};

// Red-black tree node embedded in _LDR_DATA_TABLE_ENTRY; present only for
// layout, not touched by HideDll.cpp.
struct _RTL_BALANCED_NODE {
    union {
        struct _RTL_BALANCED_NODE * Children[2];
        struct {
            struct _RTL_BALANCED_NODE * Left;
            struct _RTL_BALANCED_NODE * Right;
        };
    };
    union {
        struct {
            UCHAR Red : 1;
            UCHAR Balance : 2;
        };
        ULONG ParentValue;
    };
};

// One loaded module as the loader records it. An entry is linked into the
// three _PEB_LDR_DATA lists through the three *Links members below; those
// links and DllBase (compared against the HMODULE) are all HideModule64 uses.
struct _LDR_DATA_TABLE_ENTRY {
    struct _LIST_ENTRY InLoadOrderLinks;
    struct _LIST_ENTRY InMemoryOrderLinks;
    struct _LIST_ENTRY InInitializationOrderLinks;
    VOID* DllBase;
    VOID* EntryPoint;
    ULONG SizeOfImage;
    struct _UNICODE_STRING FullDllName;
    struct _UNICODE_STRING BaseDllName;
    union {
        UCHAR FlagGroup[4];
        ULONG Flags;
        struct {
            ULONG PackagedBinary : 1;
            ULONG MarkedForRemoval : 1;
            ULONG ImageDll : 1;
            ULONG LoadNotificationsSent : 1;
            ULONG TelemetryEntryProcessed : 1;
            ULONG ProcessStaticImport : 1;
            ULONG InLegacyLists : 1;
            ULONG InIndexes : 1;
            ULONG ShimDll : 1;
            ULONG InExceptionTable : 1;
            ULONG ReservedFlags1 : 2;
            ULONG LoadInProgress : 1;
            ULONG LoadConfigProcessed : 1;
            ULONG EntryProcessed : 1;
            ULONG ProtectDelayLoad : 1;
            ULONG ReservedFlags3 : 2;
            ULONG DontCallForThreads : 1;
            ULONG ProcessAttachCalled : 1;
            ULONG ProcessAttachFailed : 1;
            ULONG CorDeferredValidate : 1;
            ULONG CorImage : 1;
            ULONG DontRelocate : 1;
            ULONG CorILOnly : 1;
            ULONG ChpeImage : 1;
            ULONG ReservedFlags5 : 2;
            ULONG Redirected : 1;
            ULONG ReservedFlags6 : 2;
            ULONG CompatDatabaseProcessed : 1;
        };
    };
    USHORT ObsoleteLoadCount;
    USHORT TlsIndex;
    struct _LIST_ENTRY HashLinks;
    ULONG TimeDateStamp;
    struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
    VOID* Lock;
    struct _LDR_DDAG_NODE * DdagNode;
    struct _LIST_ENTRY NodeModuleLink;
    struct _LDRP_LOAD_CONTEXT * LoadContext;
    VOID* ParentDllBase;
    VOID* SwitchBackContext;
    struct _RTL_BALANCED_NODE BaseAddressIndexNode;
    struct _RTL_BALANCED_NODE MappingInfoIndexNode;
    ULONG OriginalBase;
    union _LARGE_INTEGER LoadTime;
    ULONG BaseNameHashValue;
    enum _LDR_DLL_LOAD_REASON LoadReason;
    ULONG ImplicitPathOptions;
    ULONG ReferenceCount;
    ULONG DependentLoadFlags;
    UCHAR SigningLevel;
};

// 64-bit layout of the buffer filled for information class 0. Only
// PebBaseAddress is read by HideModule64.
typedef struct _PROCESS_BASIC_INFORMATION64 {
    NTSTATUS ExitStatus;
    UINT32 Reserved0;
    UINT64 PebBaseAddress;
    UINT64 AffinityMask;
    UINT32 BasePriority;
    UINT32 Reserved1;
    UINT64 UniqueProcessId;
    UINT64 InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION64;

/**
 * Removes the loader entry of the module named szModule from the three PEB
 * module lists of the current process (implementation in HideDll.cpp).
 *
 * @param szModule  ANSI module name as accepted by GetModuleHandle.
 * @return TRUE if a matching entry was found and unlinked; FALSE if ntdll,
 *         the module or either native export cannot be resolved, if the
 *         process query fails, or if no entry's DllBase matched.
 */
BOOL HideModule64 (const char * szModule) ;
// HideDll.cpp
#include "HideDll.h"

/**
 * Unlinks the _LDR_DATA_TABLE_ENTRY whose DllBase equals the HMODULE of
 * szModule from the current process's InLoadOrder, InInitializationOrder and
 * InMemoryOrder module lists.
 *
 * Defender note: only six list pointers (the neighbours' Flink/Blink) are
 * rewritten. The image stays mapped, its PE headers stay in place, and the
 * entry structure itself is not freed or cleared, so anything that
 * enumerates mappings independently of the PEB lists (the kernel-side view
 * the page mentions) is unaffected. An entry whose own Flink/Blink still
 * point at list neighbours that no longer point back is itself an
 * inconsistency a memory scanner can look for.
 *
 * @param szModule  ANSI module name; passed straight to GetModuleHandle.
 * @return TRUE once a matching entry has been unlinked, FALSE otherwise
 *         (no entry matched, a lookup failed, or the process query failed).
 */
BOOL HideModule64 (const char * szModule) {
    BOOL isSuccess = FALSE;
    // NOTE(review): the six DWORD* locals below are never referenced.
    DWORD* PEB = NULL;
    DWORD* Ldr = NULL;
    DWORD* Flink = NULL;
    DWORD* p = NULL;
    DWORD* BaseAddress = NULL;
    DWORD* FullDllName = NULL;
    // NOTE(review): GetModuleHandle is the TCHAR macro; these const char*
    // arguments only compile when UNICODE is not defined (GetModuleHandleA is
    // the explicit ANSI form).
    HMODULE hNtdllModule = GetModuleHandle ("ntdll.dll" );
    if (hNtdllModule == NULL) { return isSuccess; }
    // HMODULE is the module's base address, which is what DllBase holds.
    HMODULE hCurrentModule = GetModuleHandle (szModule);
    if (hCurrentModule == NULL) { return isSuccess; }
    PFN_NtQueryInformationProcess NtQueryInformationProcess = (PFN_NtQueryInformationProcess)GetProcAddress (hNtdllModule, "NtQueryInformationProcess" );
    if (NtQueryInformationProcess == NULL) { return isSuccess; }
    // Resolved and required to exist, but not used anywhere below.
    PFN_NtReadVirtualMemory NtReadVirtualMemory = (PFN_NtReadVirtualMemory)GetProcAddress (hNtdllModule, "NtReadVirtualMemory" );
    if (NtReadVirtualMemory == NULL) { return isSuccess; }
    PROCESS_BASIC_INFORMATION64 pbi = { 0 };
    ULONG unReturnLength = 0;
    // Class 0 (ProcessBasicInformation) on the current process; only
    // pbi.PebBaseAddress is consumed.
    NTSTATUS Status = NtQueryInformationProcess (GetCurrentProcess (), ProcessBasicInformation, &pbi, (UINT32)sizeof (pbi), &unReturnLength);
    if (NT_SUCCESS (Status)) {
        // The PEB is in this process, so the 64-bit address is usable as-is.
        _PEB* peb = (_PEB*)pbi.PebBaseAddress;
        if (peb == nullptr) { return isSuccess; }
        // Walk the load-order ring starting at the first real entry; the
        // list head is embedded in _PEB_LDR_DATA, not in an entry.
        PLIST_ENTRY head = &peb->Ldr->InLoadOrderModuleList;
        PLIST_ENTRY current = head->Flink;
        // do/while reads the first node before checking for wrap-around, so
        // an empty ring (head->Flink == head) would treat the head as an
        // entry; a live process always has at least the main image listed.
        do {
            _LDR_DATA_TABLE_ENTRY* tableEntry = CONTAINING_RECORD (current, _LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
            if (hCurrentModule == tableEntry->DllBase) {
                isSuccess = TRUE;
                // Standard doubly-linked unlink on each of the three rings:
                // predecessor skips forward over us, successor skips back.
                // The entry's own Flink/Blink are left untouched.
                tableEntry->InLoadOrderLinks.Blink->Flink = tableEntry->InLoadOrderLinks.Flink;
                tableEntry->InLoadOrderLinks.Flink->Blink = tableEntry->InLoadOrderLinks.Blink;
                tableEntry->InInitializationOrderLinks.Blink->Flink = tableEntry->InInitializationOrderLinks.Flink;
                tableEntry->InInitializationOrderLinks.Flink->Blink = tableEntry->InInitializationOrderLinks.Blink;
                tableEntry->InMemoryOrderLinks.Blink->Flink = tableEntry->InMemoryOrderLinks.Flink;
                tableEntry->InMemoryOrderLinks.Flink->Blink = tableEntry->InMemoryOrderLinks.Blink;
                break;
            }
            current = current->Flink;
        } while (head != current);
    }
    // A failed query falls through here with isSuccess still FALSE.
    return isSuccess;
}
微软未公开结构体查询网站：Vergilius Project Home
NTAPI Undocumented Functions (ntinternals.net)