  • 隐藏DLL

    先来推广一下QQ群:61618925。欢迎各位爱好编程的加入。

    在外挂或者病毒中,经常需要隐藏掉自己注入的DLL,以免被发现。下面就是一个隐藏DLL的通用模块,用的时候只需要加入到相关模块中即可。

    详细代码如下:

    #include <iostream>
    
    using namespace std;
    
    // Unlinks the module named szModule from the process's loader (Ldr) module
    // lists, so tools that enumerate modules by walking those lists no longer
    // report it. Only the loader's bookkeeping is changed: the image stays mapped
    // at the same base address and the list entry itself is left in memory, so an
    // inspection that walks the address space (mapped sections / VADs) and compares
    // it with the loader lists still reveals the module — the standard detection
    // for this technique.
    //
    // szModule: module name passed straight to GetModuleHandleA. If the module is
    //           not loaded, hMod is NULL and the walk still runs, comparing each
    //           entry's base address against NULL.
    //
    // Assumes 32-bit Windows: the fs:[0x30] PEB access, the inline __asm and every
    // structure offset below are hard-coded for x86 and nothing is validated.
    // DWORD, HMODULE and GetModuleHandleA come from the Windows SDK headers, which
    // this listing does not include. No return value and no error reporting.
    void HideModule(char *szModule)
    {
        DWORD *PEB = NULL;
        DWORD *Ldr = NULL;
        DWORD *Flink = NULL;       // first entry of the list currently being walked
        DWORD *p = NULL;           // current entry; p[0] is its Flink, p[1] its Blink (LIST_ENTRY layout)
        DWORD *BaseAddress = NULL;
        DWORD *FullDllName = NULL; // read from every entry but never used below
    
        // Locate the PEB.
        __asm
        {
            // fs points at the TEB.
            // fs:[0x30] holds the PEB pointer.
            mov eax,fs:[0x30]
            mov PEB,eax
        }
    
        HMODULE hMod = GetModuleHandleA(szModule);
    
        // Get Ldr: PEB+0x0c holds the pointer to the loader data.
        Ldr = *((DWORD **)((unsigned char *)PEB + 0x0c));
        // "Second linked list" (author's label); its Flink lives at Ldr+0x0c.
        Flink = *((DWORD **)((unsigned char *)Ldr + 0x0c));
        p = Flink;
    
        do 
        {
            // Entry fields read at fixed x86 offsets from the list link.
            BaseAddress = *((DWORD **)((unsigned char *)p + 0x18));
            FullDllName = *((DWORD **)((unsigned char *)p + 0x28));
    
            if ((DWORD*)hMod == BaseAddress)
            {
                // Unlink p: Blink->Flink = p->Flink, then Flink->Blink = p->Blink.
                // The entry is bypassed, not erased.
                **((DWORD **)(p + 1)) = (DWORD)*((DWORD **)p);
                *(*((DWORD **)p) + 1) = (DWORD)*((DWORD **)(p + 1));
                break;
            }
    
            p = *((DWORD **)p);
        } while (Flink != p); // circular list: stop once the walk returns to where it started
    
        // Second list walked (Ldr+0x14). Same unlink; the field offsets are 8 bytes
        // smaller, consistent with this link being the next LIST_ENTRY in the same
        // module entry.
        Flink = *((DWORD **)((unsigned char *)Ldr + 0x14));
        p = Flink;
        do 
        {
            BaseAddress = *((DWORD **)((unsigned char *)p + 0x10));
            FullDllName = *((DWORD **)((unsigned char *)p + 0x20));
            if (BaseAddress == (DWORD *)hMod)
            {
                // Blink->Flink = p->Flink; Flink->Blink = p->Blink.
                **((DWORD **)(p + 1)) = (DWORD)*((DWORD **)p);
                *(*((DWORD **)p) + 1) = (DWORD)*((DWORD **)(p + 1));
                break;
            }
            p = *((DWORD **)p);
        } while (Flink != p);
    
        // Third list walked (Ldr+0x1c); field offsets shift by another 8 bytes.
        Flink = *((DWORD **)((unsigned char *)Ldr + 0x1c));
        p = Flink;
        do 
        {
            BaseAddress = *((DWORD **)((unsigned char *)p + 0x8));
            FullDllName = *((DWORD **)((unsigned char *)p + 0x18));
            if (BaseAddress == (DWORD *)hMod)
            {
                // Blink->Flink = p->Flink; Flink->Blink = p->Blink.
                **((DWORD **)(p + 1)) = (DWORD)*((DWORD **)p);
                *(*((DWORD **)p) + 1) = (DWORD)*((DWORD **)(p + 1));
                break;
            }
            p = *((DWORD **)p);
        } while (Flink != p);
    }
    
    
    // Demonstration driver: unlinks each listed module from this process's own
    // loader lists, then blocks on getchar() — presumably so the live process can
    // be inspected with an external module viewer while it is still running.
    // argc/argv are unused.
    int main(int argc, char **argv)
    {
        static const char *const kModules[] = {
            "kernel32.dll",
            "ntdll.dll",
            "MSVCR90.dll",
            "KERNELBASE.dll",
        };
    
        for (const char *const name : kModules)
        {
            // HideModule takes a non-const char* but the name is only handed to
            // GetModuleHandleA; the literal itself is never written.
            HideModule(const_cast<char *>(name));
        }
    
        getchar();
        return 0;
    }

    用我之前博客中的进程管理器查看本进程的DLL,可以发现找不到相应的DLL。

  • 原文地址:https://www.cnblogs.com/qiyueliuguang/p/3631957.html