先来推广一下QQ群:61618925。欢迎各位爱好编程的加入。
在外挂或者病毒中,经常需要隐藏掉自己注入的DLL,以免被发现。下面就是一个隐藏DLL的通用模块,用的时候只需要加入到相关模块中即可。
详细代码如下:
#include
{DWORD *PEB = NULL;DWORD *Ldr = NULL;DWORD *Flink = NULL;DWORD *p = NULL;DWORD *BaseAddress = NULL;DWORD *FullDllName = NULL;//定位PEB
__asm{//fs位置保存着teb//fs:[0x30]位置保存着pebmov eax,fs:[0x30]mov PEB,eax}HMODULE hMod = GetModuleHandleA(szModule);//得到LDRLdr = *((DWORD **)((unsigned char *)PEB + 0x0c));//第二条链表Flink = *((DWORD **)((unsigned char *)Ldr + 0x0c));p = Flink;do {BaseAddress = *((DWORD **)((unsigned char *)p + 0x18));FullDllName = *((DWORD **)((unsigned char *)p + 0x28));if ((DWORD*)hMod == BaseAddress){**((DWORD **)(p + 1)) = (DWORD)*((DWORD **)p);*(*((DWORD **)p) + 1) = (DWORD)*((DWORD **)(p + 1));break;}p = *((DWORD **)p);} while (Flink != p);Flink = *((DWORD **)((unsigned char *)Ldr + 0x14));p = Flink;do {BaseAddress = *((DWORD **)((unsigned char *)p + 0x10));FullDllName = *((DWORD **)((unsigned char *)p + 0x20));if (BaseAddress == (DWORD *)hMod){**((DWORD **)(p + 1)) = (DWORD)*((DWORD **)p);*(*((DWORD **)p) + 1) = (DWORD)*((DWORD **)(p + 1));break;}p = *((DWORD **)p);} while (Flink != p);Flink = *((DWORD **)((unsigned char *)Ldr + 0x1c));p = Flink;do {BaseAddress = *((DWORD **)((unsigned char *)p + 0x8));FullDllName = *((DWORD **)((unsigned char *)p + 0x18));if (BaseAddress == (DWORD *)hMod){**((DWORD **)(p + 1)) = (DWORD)*((DWORD **)p);*(*((DWORD **)p) + 1) = (DWORD)*((DWORD **)(p + 1));break;}p = *((DWORD **)p);} while (Flink != p);
}int main(int argc, char **argv)
{HideModule("kernel32.dll");HideModule("ntdll.dll");HideModule("MSVCR90.dll");HideModule("KERNELBASE.dll");getchar();return 0;
}
用我之前博客中的进程管理器查看本进程的DLL,可以发现找不到相应的DLL。
![[c++基础]STL](https://img.php1.cn/3c972/1edc8/c5a/a04ecc977fd8ed28.jpeg)
京公网安备 11010802041100号