Dll隐藏

0x00 原理简述

• 利用fs寄存器，找到TEB的地址->PEB的地址。PEB的0xC偏移处为一个指向PEB_LDR_DATA结构体的指针Ldr，PEB_LDR_DATA的0xC的偏移处为一个指向LIST_ENTRY结构体的指针InLoadOrderModuleList，这是一个按加载顺序构成的双向模块链表。同时LIST_ENTRY的父结构体为LDR_DATA_TABLE_ENTRY，该结构体里有俩有用信息->0x18 DLLBase(模块基址), ->0x2c BaseDllName(指向UNICODE_STRING结构体 模块名字为unicode类型）.我们只需要获得当前进程想要隐藏的模块基址，再分别把它在InLoadOrderModuleList链，InMemoryOrderModuleList链，InInitializationOrderModuleList链中的模块节点摘掉，便可以隐藏dll。

0x01 代码实现

1, 定义UNICODE_STRING ， PEB_LDR_DATA ，LDR_DATA_TABLE_ENTRY结构体

typedef struct UNICODE_STRING
{
    USHORT _ength;
    USHORT MaximumLength;
    PWSTR Buffer;
}UNICODE_STRING,*PUNICODE_STRING;

typedef struct PEB_LDR_DATA{
    ULONG Length;
    BOOLEAN initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;

}PEB_LDR_DATA,*PPEB_LDR_DATA;

typedef struct LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    void* BaseAddress;
    void* EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    HANDLE SectionHandle;
    ULONG CheckSum;
    ULONG TimeDateStamp;
}LDR_MODULE,*PLDR_MODULE;

2,获取要隐藏模块基址，内联汇编，找到指向InLoadOrderModuleList头的指针pBeg，pPLD指向下一个模块。

HMODULE hMod=::GetModuleHandle(szModuleName);
LDR_MODULE *pPLD=NULL,*pBeg=NULL;    
__asm{

    mov eax,fs:[0x30]
        mov eax,[eax+0x0c]
        add eax,0x0c
        mov pBeg,eax
        mov eax,[eax]
        mov pPLD,eax 
}

3, 遍历，找到对应模块基址，3条链，摘链操作。

do
{
    if(hMod==pPLD->BaseAddress)
    {
        pPLD->InLoadOrderModuleList.Blink->Flink =
            pPLD->InLoadOrderModuleList.Flink;
        pPLD->InLoadOrderModuleList.Flink->Blink =
            pPLD->InLoadOrderModuleList.Blink;
        pPLD->InInitializationOrderModuleList.Blink->Flink =
            pPLD->InInitializationOrderModuleList.Flink;
        pPLD->InInitializationOrderModuleList.Flink->Blink =
            pPLD->InInitializationOrderModuleList.Blink;
        pPLD->InMemoryOrderModuleList.Blink->Flink =
            pPLD->InMemoryOrderModuleList.Flink;
        pPLD->InMemoryOrderModuleList.Flink->Blink =
            pPLD->InMemoryOrderModuleList.Blink;
        break;
    }
    pPLD=(LDR_MODULE*)pPLD->InLoadOrderModuleList.Flink;
}
while(pBeg!=pPLD);

0x02 完整代码

#include<stdio.h>
#include<windows.h>

typedef struct UNICODE_STRING
{
    USHORT _ength;
    USHORT MaximumLength;
    PWSTR Buffer;
}UNICODE_STRING,*PUNICODE_STRING;

typedef struct PEB_LDR_DATA{
    ULONG Length;
    BOOLEAN initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;

}PEB_LDR_DATA,*PPEB_LDR_DATA;

typedef struct LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    void* BaseAddress;
    void* EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    HANDLE SectionHandle;
    ULONG CheckSum;
    ULONG TimeDateStamp;
}LDR_MODULE,*PLDR_MODULE;

void HideModule(char *szModuleName)
{
    HMODULE hMod=::GetModuleHandle(szModuleName);
    LDR_MODULE *pPLD=NULL,*pBeg=NULL;    
    __asm{

        mov eax,fs:[0x30]
            mov eax,[eax+0x0c]
            add eax,0x0c
            mov pBeg,eax
            mov eax,[eax]
            mov pPLD,eax 
    }

    do
    {
        if(hMod==pPLD->BaseAddress)
        {
            pPLD->InLoadOrderModuleList.Blink->Flink =
                pPLD->InLoadOrderModuleList.Flink;
            pPLD->InLoadOrderModuleList.Flink->Blink =
                pPLD->InLoadOrderModuleList.Blink;
            pPLD->InInitializationOrderModuleList.Blink->Flink =
                pPLD->InInitializationOrderModuleList.Flink;
            pPLD->InInitializationOrderModuleList.Flink->Blink =
                pPLD->InInitializationOrderModuleList.Blink;
            pPLD->InMemoryOrderModuleList.Blink->Flink =
                pPLD->InMemoryOrderModuleList.Flink;
            pPLD->InMemoryOrderModuleList.Flink->Blink =
                pPLD->InMemoryOrderModuleList.Blink;
            break;
        }
        pPLD=(LDR_MODULE*)pPLD->InLoadOrderModuleList.Flink;
    }
    while(pBeg!=pPLD);

}

int main()
{
    HideModule("kernel32.dll");
    getchar();
    return 0;
}

0x03 运行结果

• 测试环境：win10 x64

• 测试工具：火绒剑

• 本次实验隐藏的是内核模块 kernel32.dll

• 运行程序后 发现找不到kernel32.dll这个模块