这是一段隐藏dll的代码。
#include<windows.h> typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING,*PUNICODE_STRING; typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, *PPEB_LDR_DATA; typedef struct _LDR_MODULE { LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID BaseAddress; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; SHORT LoadCount; SHORT TlsIndex; LIST_ENTRY HashTableEntry; ULONG TimeDateStamp; } LDR_MODULE, *PLDR_MODULE; void HideDll2() { HMODULE hMod = ::GetModuleHandle("123.dll"); PLIST_ENTRY Head,Cur; PPEB_LDR_DATA ldr; PLDR_MODULE ldm; __asm { mov eax , fs:[0x30] mov ecx , [eax + 0x0c] //Ldr mov ldr , ecx } Head = &(ldr->InLoadOrderModuleList); Cur = Head->Flink; do { ldm = CONTAINING_RECORD( Cur, LDR_MODULE, InLoadOrderModuleList); //printf("EntryPoint [0x%X]/n",ldm->BaseAddress); if( hMod == ldm->BaseAddress) { ldm->InLoadOrderModuleList.Blink->Flink = ldm->InLoadOrderModuleList.Flink; ldm->InLoadOrderModuleList.Flink->Blink = ldm->InLoadOrderModuleList.Blink; ldm->InInitializationOrderModuleList.Blink->Flink = ldm->InInitializationOrderModuleList.Flink; ldm->InInitializationOrderModuleList.Flink->Blink = ldm->InInitializationOrderModuleList.Blink; ldm->InMemoryOrderModuleList.Blink->Flink = ldm->InMemoryOrderModuleList.Flink; ldm->InMemoryOrderModuleList.Flink->Blink = ldm->InMemoryOrderModuleList.Blink; break; } Cur= Cur->Flink; }while(Head != Cur); }
