unit UHideModule;
interface
uses
windows;
type
// Hand-declared copies of the Windows loader bookkeeping records that
// HideModule walks. Every address-sized field is a Cardinal (32 bits), so
// these declarations only fit a 32-bit process.

// NOTE(review): the native UNICODE_STRING has two 16-bit fields (Length,
// MaximumLength) followed by the buffer pointer. Both are declared as
// Cardinal here, so this record is wider than the native one and the
// LDR_MODULE fields from FullDllName onward will not line up with the
// native layout. HideModule only touches fields declared before
// FullDllName, so it does not depend on this.
UNICODE_STRING = packed record
Len:Cardinal;
Max:Cardinal;
Buffer:PWideChar
end;
// Doubly linked list node: FLink = next entry, BLink = previous entry.
PLIST_ENTRY = ^LIST_ENTRY;
LIST_ENTRY = Packed record
FLink:PLIST_ENTRY;
BLink:PLIST_ENTRY;
end;
// Loader data block reached from the PEB; it holds the heads of the three
// module lists (load order, memory order, initialization order).
PPEB_LDR_DATA =^PEB_LDR_DATA;
PEB_LDR_DATA = packed record
Len:Cardinal;
Initialized:Bool;
SsHandle:PPointer;
InLoadOrderModuleList:LIST_ENTRY;
InMemoryOrderModuleList:LIST_ENTRY;
InInitializationOrderModuleList:LIST_ENTRY;
end;
// One entry per loaded module. The three LIST_ENTRY fields come first, so a
// pointer to an entry's InLoadOrderModuleList node is also a pointer to the
// start of the record.
PLDR_MODULE = ^LDR_MODULE;
LDR_MODULE = packed Record
InLoadOrderModuleList:LIST_ENTRY;
InMemoryOrderModuleList:LIST_ENTRY;
InInitializationOrderModuleList:LIST_ENTRY;
// Compared against the hModule argument in HideModule.
BaseAddress:Cardinal;
EntryPoint:Cardinal;
SizeOfImage:Cardinal;
FullDllName:UNICODE_STRING;
BaseDllName:UNICODE_STRING;
Flags:Cardinal;
LoadCount:Word;
TlsIndex:Word;
SectionHandle:Cardinal;
CheckSum:Cardinal;
TimeDateStamp:Cardinal;
End;
Procedure HideModule(hModule:Cardinal);
implementation
// Unlinks the loader entry whose BaseAddress equals hModule from the three
// module lists kept in the current process's PEB_LDR_DATA (load order,
// initialization order, memory order). If no entry matches, nothing is
// changed.
//
// Parameters:
//   hModule - base address of the module to look for, as a 32-bit value.
//
// Scope of the change: only FLink/BLink pointers of neighbouring list
// entries are rewritten. The matched entry itself and the module image are
// not modified or unmapped by this procedure.
//
// NOTE(review), defensive context: removing an entry this way only affects
// enumeration that walks these three lists. Because nothing here touches the
// mapping itself, comparing the loader lists against the process's mapped
// image regions is the usual way such a discrepancy is detected - general
// guidance, not something this file demonstrates.
Procedure HideModule(hModule:Cardinal);
var
Head,Cur:PLIST_ENTRY;
ldr:PPEB_LDR_DATA;
ldm:PLDR_MODULE;
// Lp is declared but never used in this procedure.
Lp:PChar;
begin
// 32-bit only: read the PEB pointer through the FS segment, then load the
// loader-data pointer stored at offset $0c of the PEB into ldr.
asm
mov eax , fs:[$30]
mov ecx , [eax + $0c] //Ldr
mov ldr , ecx
end;
// Head is the list head stored inside PEB_LDR_DATA; Cur starts at the first
// real entry.
Head:= @ldr.InLoadOrderModuleList;
Cur := Head.Flink;
repeat
// The address of Cur's first field is Cur itself, and the load-order links
// are the first field of LDR_MODULE, so this reinterprets the list node as
// the module record that contains it.
ldm := @Cur.FLink;
if ldm.BaseAddress =hModule then
begin
// For each of the three lists, point the previous entry's FLink and the
// next entry's BLink at each other, bypassing this entry.
ldm.InLoadOrderModuleList.BLink.FLink:= ldm.InLoadOrderModuleList.FLink;
ldm.InLoadOrderModuleList.FLink.BLink :=ldm.InLoadOrderModuleList.BLink;
ldm.InInitializationOrderModuleList.BLink.FLink:=ldm.InInitializationOrderModuleList.FLink;
ldm.InInitializationOrderModuleList.FLink.BLink:=ldm.InInitializationOrderModuleList.BLink;
ldm.InMemoryOrderModuleList.BLink.FLink:=ldm.InMemoryOrderModuleList.FLink;
ldm.InMemoryOrderModuleList.FLink.BLink:=ldm.InMemoryOrderModuleList.BLink;
// Stop after the first match.
break;
end;
Cur:=Cur.FLink;
// The walk ends when it wraps around to the list head.
until (Head = Cur);
end;
end.
delphi LDR断链 隐藏DLL