/*
 * Demonstration program: walks the current process's PEB loader lists and
 * tampers with the in-memory data of one loaded system module.
 *
 * Flow:
 *   1. Read the PEB pointer from the TEB (fs:[30h], 32-bit Windows; MSVC
 *      _asm is x86-only), then print every entry of InMemoryOrderModuleList.
 *   2. For the entry whose full path equals one hard-coded msvcrt.dll path,
 *      open a handle to *this* process and write into that module's image
 *      base with VirtualProtect + WriteProcessMemory.
 *   3. Walk the list a second time and print the names again.
 *
 * argc/argv are unused; always returns 0.
 *
 * PPEB, PPEB_LDR_DATA, PLDR_MODULE and RMTDATA are declared outside this
 * listing (presumably a project header carrying the undocumented loader
 * structures); their layout assumptions are noted inline below.
 *
 * Defender's note: the only mutation here is a self-directed
 * WriteProcessMemory into a loaded system module's header region after a
 * VirtualProtect to PAGE_READWRITE — a sequence that API-level monitoring of
 * those two calls can observe, and that leaves the module's on-disk image
 * and its in-memory header disagreeing.
 */
int main(int argc, char* argv[])
{
// Local prototype only; EnableDebugPrivilege is never called in this block.
BOOL EnableDebugPrivilege() ;
// Load one extra DLL so it shows up in the lists printed below; released at the end.
HMODULE hm = ::LoadLibrary( L"dll3.dll");
PPEB pPEB;
char str[200];
TCHAR strr1[200];  // unused
PPEB_LDR_DATA pLdr;
PLIST_ENTRY pListEntry;
PLDR_MODULE pModule;
char DllName[300];
// Zero-filled; used only as the source buffer of the second WriteProcessMemory below.
RMTDATA stRmtData = {0};
// TEB+0x30 holds the PEB pointer on 32-bit Windows; eax is preserved around the read.
_asm{
push eax
mov eax,fs:[30h]
mov pPEB, eax
pop eax
}
pLdr = pPEB->LoaderData;
// Effectively dead: overwritten just below whenever InMemoryOrderModuleList.Flink is non-null.
pListEntry = pLdr->InLoadOrderModuleList.Flink;
HANDLE hcid;
if (pLdr->InMemoryOrderModuleList.Flink)
{
// Iterate InMemoryOrderModuleList until the link returns to the list head.
pListEntry = pLdr->InMemoryOrderModuleList.Flink;
while(pListEntry != &pLdr->InMemoryOrderModuleList)
{
// Recover the owning LDR_MODULE from its InMemoryOrder link: subtracting one LIST_ENTRY
// assumes InMemoryOrderModuleList is the second LIST_ENTRY of LDR_MODULE, right after
// InLoadOrderModuleList (layout taken from the project's own declaration).
pModule = (PLDR_MODULE)(pListEntry - 1);
// NOTE(review): UNICODE_STRING.Length is a byte count but is passed as the wide-char count,
// so the conversion runs past the end of the name; and with an explicit input length
// WideCharToMultiByte does not append a NUL, so DllName may be unterminated when printed.
WideCharToMultiByte(CP_ACP, 0, pModule->FullDllName.Buffer, pModule->FullDllName.Length, DllName, 300, NULL, FALSE);
printf("模块名 :%s\n", DllName);
// %08X of a pointer and a size: assumes both are 32 bits wide (consistent with the x86-only asm above).
sprintf(str, "BaseAddress: 0x%08X sizeofImage: 0x%08X", pModule->BaseAddress, pModule->SizeOfImage);
printf("地址 :%s\n", str);
// Case-sensitive match against one hard-coded path; on any other layout this branch never runs.
if(strcmp(DllName, "C:\\WINDOWS\\system32\\msvcrt.dll") == 0)
{
// Handle to the current process (own PID), full access, inheritable.
hcid = OpenProcess(PROCESS_ALL_ACCESS|PROCESS_VM_WRITE | PROCESS_VM_OPERATION , TRUE, GetCurrentProcessId());
if(hcid != NULL){
int tme = 97;  // unused
// Receives the old protection from VirtualProtect, then is reused as the bytes-written output below.
DWORD dwNumberOfBytesRead;
// Makes the start of the module's image writable; the region size passed is the name's byte length,
// not an image or page size.
VirtualProtect(pModule->BaseAddress,pModule->FullDllName.Length,PAGE_READWRITE,&dwNumberOfBytesRead);
// Writes exactly 1 byte of the literal at the module's image base (the first byte of its DOS header).
// The destination is not FullDllName.Buffer, so the name fields are untouched by this call.
if(!WriteProcessMemory(hcid, pModule->BaseAddress , "C:\\eWINDOWS\\sysem32\\ffwww.dll", 1, &dwNumberOfBytesRead))
{
printf("%d\n", GetLastError());
}else
{
// These "after change" labels re-read the same name fields, which nothing above modified.
WideCharToMultiByte(CP_ACP, 0, pModule->FullDllName.Buffer, pModule->FullDllName.Length, DllName, 300, NULL, FALSE);
printf("更改后的路径 :%s\n", DllName);
WideCharToMultiByte(CP_ACP, 0, pModule->BaseDllName.Buffer, pModule->BaseDllName.Length, DllName, 300, NULL, FALSE);
printf("更改后的名称:%s\n", DllName);
}
// Overwrites FullDllName.Length bytes at the image base with zeros taken from stRmtData.
// NOTE(review): if sizeof(RMTDATA) is smaller than that length, the source read runs past stRmtData on the stack.
if(!WriteProcessMemory(hcid, pModule->BaseAddress , &stRmtData, pModule->FullDllName.Length, 0))
{
printf("%d\n", GetLastError());
}
}
// Reached even when OpenProcess returned NULL (the NULL check ends above).
::CloseHandle(hcid);
}
pListEntry = pListEntry->Flink;
}
}
// Visual separator between the two passes.
printf("%s\n\n", "--");
printf("************************** :%s\n", "***");
printf("%s\n\n", "--");
// Second pass: re-read the PEB pointer (pPEB already holds it) and print the lists again.
_asm{
push eax
mov eax,fs:[30h]
mov pPEB, eax
pop eax
}
pLdr = pPEB->LoaderData;
// Same dead assignment as in the first pass.
pListEntry = pLdr->InLoadOrderModuleList.Flink;
if (pLdr->InMemoryOrderModuleList.Flink)
{
pListEntry = pLdr->InMemoryOrderModuleList.Flink;
while(pListEntry != &pLdr->InMemoryOrderModuleList)
{
// Same LIST_ENTRY-offset assumption and same Length/NUL caveats as in the first pass.
pModule = (PLDR_MODULE)(pListEntry - 1);
WideCharToMultiByte(CP_ACP, 0, pModule->FullDllName.Buffer, pModule->FullDllName.Length, DllName, 300, NULL, FALSE);
printf("模块名 :%s\n", DllName);
WideCharToMultiByte(CP_ACP, 0, pModule->BaseDllName.Buffer, pModule->BaseDllName.Length, DllName, 300, NULL, FALSE);
printf("模块名 :%s\n", DllName);
sprintf(str, "BaseAddress: 0x%08X sizeofImage: 0x%08X", pModule->BaseAddress, pModule->SizeOfImage);
printf("地址 :%s\n", str);
pListEntry = pListEntry->Flink;
}
}
// Release the DLL loaded at the top, then wait for a keypress before exiting.
::FreeLibrary(hm);
system("pause");
return 0;
}
// Caller-side excerpt; the enclosing function is not part of this listing.
// Info class 0 is ProcessBasicInformation: fetches the target's PEB address into PBI.
if(NtQueryInformationProcess(ProcessHandle, /*(PROCESSINFOCLASS)*/0,&PBI,sizeof(PROCESS_BASIC_INFORMATION),0))return;
// 4096 zeroed bytes on the *calling* process's local heap.
LPVOID pm = (LPVOID)LocalAlloc(LPTR, 4096);
// NOTE(review): pm is a local heap address, but CloakModule compares its second argument with
// BaseAddress values read from the remote loader list, so as pasted a match is unlikely and
// CloakModule returns after walking the list. Note also that hProcess here differs from the
// ProcessHandle used in the query above.
CloakModule( hProcess,pm);
// The buffer is then reinterpreted as an LDR_MODULE; the code that fills it is omitted from the post.
PLDR_MODULE pModule = (PLDR_MODULE)pm;
/* omitted */
LocalFree(pm);
/*
 * Unlink one module's LDR_MODULE entry from the target process's loader lists
 * (InLoadOrder, InInitializationOrder, InMemoryOrder and the hash-table link)
 * so it no longer appears in enumerations that walk the PEB.
 *
 * Only the Flink/Blink pointers of the entry's neighbours are rewritten; the
 * entry itself is left in place and nothing is unmapped or freed.
 *
 * @param ProcessHandle  handle to the target process; must allow
 *                       NtQueryInformationProcess and virtual-memory read/write.
 * @param BaseAddress    image base, in the target, of the module to unlink.
 * Returns silently when any Nt* call fails or no entry matches BaseAddress.
 *
 * Defender's note: the image stays mapped with its headers intact, so views
 * that do not depend on the PEB lists (mapped-section/VAD walks, scanning for
 * PE headers) still show it; a module visible there but absent from the PEB
 * lists is the inconsistency this technique leaves behind.
 */
void CloakModule(HANDLE ProcessHandle,void*BaseAddress)
{void*TargetAddr;PEB Peb;PEB_LDR_DATA Ldr;LDR_MODULE Dll;PROCESS_BASIC_INFORMATION PBI;
// Info class 0 is ProcessBasicInformation: yields the remote PEB address.
if(NtQueryInformationProcess(ProcessHandle,0,&PBI,sizeof(PROCESS_BASIC_INFORMATION),0))return;
// Copy the remote PEB and its loader data into local structs (layouts come from the project's own declarations).
if(NtReadVirtualMemory(ProcessHandle,PBI.PebBaseAddress,&Peb,sizeof(PEB),0))return;
if(NtReadVirtualMemory(ProcessHandle,Peb.Ldr,&Ldr,sizeof(PEB_LDR_DATA),0))return;
// First InLoadOrder entry. LDR_MODULE starts with that LIST_ENTRY, so a link address is also the entry address.
TargetAddr=(void*)Ldr.InLoadOrderModuleList.Flink;
do
{
// Read the whole entry, then advance. On loop exit Dll holds the entry whose BaseAddress matched.
if(NtReadVirtualMemory(ProcessHandle,TargetAddr,&Dll,sizeof(LDR_MODULE),0))return;
TargetAddr=(void*)Dll.InLoadOrderModuleList.Flink;
// Peb.Ldr is a remote pointer; &member is address arithmetic only, no dereference.
// Reaching the list head means "not found". Because this check precedes the loop condition,
// an entry that is last in load order is never compared.
if(TargetAddr==&Peb.Ldr->InLoadOrderModuleList)return;
}
while(Dll.BaseAddress!=BaseAddress);
// For each of the four lists: next->Blink = our Blink (Blink sits sizeof(void*) after Flink),
// then prev->Flink = our Flink (Blink points at prev's LIST_ENTRY, whose first field is Flink).
// Return statuses are not checked; a failure midway leaves the lists partially unlinked.
NtWriteVirtualMemory(ProcessHandle,(void*)((ULONG_PTR)Dll.InLoadOrderModuleList.Flink+sizeof(void*)),&Dll.InLoadOrderModuleList.Blink,sizeof(void*),0);
NtWriteVirtualMemory(ProcessHandle,(void*)(Dll.InLoadOrderModuleList.Blink),&Dll.InLoadOrderModuleList.Flink,sizeof(void*),0);
NtWriteVirtualMemory(ProcessHandle,(void*)((ULONG_PTR)Dll.InInitializationOrderModuleList.Flink+sizeof(void*)),&Dll.InInitializationOrderModuleList.Blink,sizeof(void*),0);
NtWriteVirtualMemory(ProcessHandle,(void*)(Dll.InInitializationOrderModuleList.Blink),&Dll.InInitializationOrderModuleList.Flink,sizeof(void*),0);
NtWriteVirtualMemory(ProcessHandle,(void*)((ULONG_PTR)Dll.InMemoryOrderModuleList.Flink+sizeof(void*)),&Dll.InMemoryOrderModuleList.Blink,sizeof(void*),0);
NtWriteVirtualMemory(ProcessHandle,(void*)(Dll.InMemoryOrderModuleList.Blink),&Dll.InMemoryOrderModuleList.Flink,sizeof(void*),0);
// HashTableEntry is this project's name for the hash-chain link; same unlink pattern.
NtWriteVirtualMemory(ProcessHandle,(void*)((ULONG_PTR)Dll.HashTableEntry.Flink+sizeof(void*)),&Dll.HashTableEntry.Blink,sizeof(void*),0);
NtWriteVirtualMemory(ProcessHandle,(void*)(Dll.HashTableEntry.Blink),&Dll.HashTableEntry.Flink,sizeof(void*),0);
}
// Fragment: obtain another process's PEB address via ProcessBasicInformation (info class 0).
// NOTE(review): as pasted, this line uses hProcess before the declaration below and duplicates
// the query that follows the OpenProcess call.
NtQueryInformationProcess(hProcess, 0, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL );
// Query-only access to a hard-coded PID: sufficient for NtQueryInformationProcess, but not for
// reading or writing the target's memory (those need the PROCESS_VM_* rights).
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION , FALSE, 6004/* PID of another process */);
// The NTSTATUS is not checked here (unlike the if(...)return; form used elsewhere on this page),
// so pbi may be left uninitialised if the call fails.
NtQueryInformationProcess(hProcess, 0, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL );
// Remote PEB address: valid only inside the other process, not dereferenceable locally.
pPEB = pbi.PebBaseAddress;