首页 > 其他分享 >[Rootkit] 修改 peb 隐藏 dll(断链)

[Rootkit] 修改 peb 隐藏 dll(断链)

时间:2023-07-06 10:32:43浏览次数:37  
标签:ULONG Flink ldm dll LDR Rootkit ENTRY 断链 DATA

PEB 中有一个成员 Ldr:

typedef struct _PEB
{
     UCHAR InheritedAddressSpace;
     UCHAR ReadImageFileExecOptions;
     UCHAR BeingDebugged;
     UCHAR BitField;
     ULONG ImageUsesLargePages: 1;
     ULONG IsProtectedProcess: 1;
     ULONG IsLegacyProcess: 1;
     ULONG IsImageDynamicallyRelocated: 1;
     ULONG SpareBits: 4;
     PVOID Mutant;
     PVOID ImageBaseAddress;
     PPEB_LDR_DATA Ldr;						// <----------
     PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
     PVOID SubSystemData;
     PVOID ProcessHeap;
     PRTL_CRITICAL_SECTION FastPebLock;
     PVOID AtlThunkSListPtr;
     PVOID IFEOKey;
     ULONG CrossProcessFlags;
     ULONG ProcessInJob: 1;
     ULONG ProcessInitializing: 1;
     ULONG ReservedBits0: 30;
     union
     {
          PVOID KernelCallbackTable;
          PVOID UserSharedInfoPtr;
     };
     ULONG SystemReserved[1];
     ULONG SpareUlong;
     PPEB_FREE_BLOCK FreeList;
     ULONG TlsExpansionCounter;
     PVOID TlsBitmap;
     ULONG TlsBitmapBits[2];
     PVOID ReadOnlySharedMemoryBase;
     PVOID HotpatchInformation;
     VOID * * ReadOnlyStaticServerData;
     PVOID AnsiCodePageData;
     PVOID OemCodePageData;
     PVOID UnicodeCaseTableData;
     ULONG NumberOfProcessors;
     ULONG NtGlobalFlag;
     LARGE_INTEGER CriticalSectionTimeout;
     ULONG HeapSegmentReserve;
     ULONG HeapSegmentCommit;
     ULONG HeapDeCommitTotalFreeThreshold;
     ULONG HeapDeCommitFreeBlockThreshold;
     ULONG NumberOfHeaps;
     ULONG MaximumNumberOfHeaps;
     VOID * * ProcessHeaps;
     PVOID GdiSharedHandleTable;
     PVOID ProcessStarterHelper;
     ULONG GdiDCAttributeList;
     PRTL_CRITICAL_SECTION LoaderLock;
     ULONG OSMajorVersion;
     ULONG OSMinorVersion;
     WORD OSBuildNumber;
     WORD OSCSDVersion;
     ULONG OSPlatformId;
     ULONG ImageSubsystem;
     ULONG ImageSubsystemMajorVersion;
     ULONG ImageSubsystemMinorVersion;
     ULONG ImageProcessAffinityMask;
     ULONG GdiHandleBuffer[34];
     PVOID PostProcessInitRoutine;
     PVOID TlsExpansionBitmap;
     ULONG TlsExpansionBitmapBits[32];
     ULONG SessionId;
     ULARGE_INTEGER AppCompatFlags;
     ULARGE_INTEGER AppCompatFlagsUser;
     PVOID pShimData;
     PVOID AppCompatInfo;
     UNICODE_STRING CSDVersion;
     _ACTIVATION_CONTEXT_DATA * ActivationContextData;
     _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap;
     _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData;
     _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap;
     ULONG MinimumStackCommit;
     _FLS_CALLBACK_INFO * FlsCallback;
     LIST_ENTRY FlsListHead;
     PVOID FlsBitmap;
     ULONG FlsBitmapBits[4];
     ULONG FlsHighIndex;
     PVOID WerRegistrationData;
     PVOID WerShipAssertPtr;
} PEB, *PPEB;

这个 Ldr 的数据类型是 _PEB_LDR_DATA:

typedef struct _PEB_LDR_DATA
{
 ULONG Length;
 BOOLEAN Initialized; 
 PVOID SsHandle; 
 LIST_ENTRY InLoadOrderModuleList;				// <---------
 LIST_ENTRY InMemoryOrderModuleList; 
 LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA,*PPEB_LDR_DATA;

InLoadOrderModuleList 成员保存了模块信息,而模块信息的结构为 _LDR_DATA_TABLE_ENTRY。

typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID      DllBase;
PVOID      EntryPoint;
ULONG32    SizeOfImage;
UINT8      Unknow0[0x4];
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
}LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

所以 ,我们获取到了这个结构.因为是链表.可以遍历链表. 根据DllBase判断 你的模块基址跟这个模块基址是否一样.如果一样那么我们就断开链表,从而实现 dll 的隐藏。

代码参考来自:https://cloud.tencent.com/developer/article/1432475

#include <stdio.h>
#include <Windows.h>
#include <stdlib.h>

DWORD g_isHide = 0;
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    ULONG                   Length;
    BOOLEAN                 Initialized;
    PVOID                   SsHandle;
    LIST_ENTRY              InLoadOrderModuleList;
    LIST_ENTRY              InMemoryOrderModuleList;
    LIST_ENTRY              InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_MODULE
{
    LIST_ENTRY          InLoadOrderModuleList;   //+0x00
    LIST_ENTRY          InMemoryOrderModuleList; //+0x08  
    LIST_ENTRY          InInitializationOrderModuleList; //+0x10
    void*               BaseAddress;  //+0x18
    void*               EntryPoint;   //+0x1c
    ULONG               SizeOfImage;
    UNICODE_STRING      FullDllName;
    UNICODE_STRING      BaseDllName;
    ULONG               Flags;
    SHORT               LoadCount;
    SHORT               TlsIndex;
    HANDLE              SectionHandle;
    ULONG               CheckSum;
    ULONG               TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
void HideDll()                          //这个函数是主要的
{
    HMODULE hMod = ::GetModuleHandle("ntdll.dll");
    PLIST_ENTRY Head, Cur;
    PPEB_LDR_DATA ldr;
    PLDR_MODULE ldm;
    __asm
    {
        mov eax, fs:[0x30]                  //获取PEB结构
        mov ecx, [eax + 0x0c] //Ldr                     //获取_PEB_LDR_DATA结构
        mov ldr, ecx
    }
    Head = &(ldr->InLoadOrderModuleList);               //获取模块链表地址
    Cur = Head->Flink;                                  //获取指向的结点.
    do
    {
        ldm = CONTAINING_RECORD(Cur, LDR_MODULE, InLoadOrderModuleList); //获取 _LDR_DATA_TABLE_ENTRY结构体地址
        //printf("EntryPoint [0x%X]\n",ldm->BaseAddress);
        if (hMod == ldm->BaseAddress)                                    //判断要隐藏的DLL基址跟结构中的基址是否一样
        {
            g_isHide = 1;                                                //如果进入.则标志置为1,表示已经开始进行隐藏了.
            ldm->InLoadOrderModuleList.Blink->Flink =                    //双向链表. 断开链表
                ldm->InLoadOrderModuleList.Flink;
            ldm->InLoadOrderModuleList.Flink->Blink =
                ldm->InLoadOrderModuleList.Blink;
            ldm->InInitializationOrderModuleList.Blink->Flink =
                ldm->InInitializationOrderModuleList.Flink;
            ldm->InInitializationOrderModuleList.Flink->Blink =
                ldm->InInitializationOrderModuleList.Blink;
            ldm->InMemoryOrderModuleList.Blink->Flink =
                ldm->InMemoryOrderModuleList.Flink;
            ldm->InMemoryOrderModuleList.Flink->Blink =
                ldm->InMemoryOrderModuleList.Blink;
            break;
        }
        Cur = Cur->Flink;
    } while (Head != Cur);
}

int main()
{

    printf("按键开始隐藏\r\n");
    getchar();
    HideDll();

    if (g_isHide == 0)
    {
        printf("没有成功隐藏\r\n");
        system("pause");
        return 0;
    }

    printf("成功隐藏\r\n");
    system("pause");
    return 0;
}

标签:ULONG,Flink,ldm,dll,LDR,Rootkit,ENTRY,断链,DATA
From: https://blog.51cto.com/lyshark/6639263

相关文章

  • 关于调试gmsh源码过程中产生的gmsh.dll和gmsh.pdb文件无法匹配,进而导致无法载入pdb文
    省流版由于ALL_BUILD会将对应于gmsh.exe的调试文件gmsh.pdb附在对应于gmsh.dll的调试文件gmsh.pdb文件,进而导致gmsh.pdb无法和gmsh.dll文件进行版本匹配,进而导致无法载入,进而导致无法调试gmsh源码;解决办法:将对应于gmsh.exe的gmsh.pdb改为其他任意命名即可;或者仅仅生成gms......
  • 【转】python踩坑(FileNotFoundError: Could not find module '此处省略了一些路径win_
    1、报错(FileNotFoundError:Couldnotfindmodule'此处省略了一些路径\site-packages\scipy\.libs\libbanded5x.GL5FZ7Y77HIKQFNMZKUOMV5GID6YMX2V.gfortran-win_amd64.dll'(oroneofitsdependencies).Tryusingthefullpathwithconstructorsyntax.) 2、分析&a......
  • DLL-FILES.COM - 您的DLL问题解决方案!--九五小庞
    每个人都遇到过“无法找到****.dll文件...”的消息弹窗。各位,这个问题终于可以解决了!在这里你可以找到电脑上最常丢失或损坏的文件。自由下载,无任何费用! ......
  • C# WinForm开发,使用dnSpy-net-win32调试dll文件或.exe文件工具
     工具下载:https://download.csdn.net/download/haojuntu/87967457打开文件,加载需要调试文件 视图-》窗口-》模块断点,可以调试具体模块 找到要调试的模块,启动项目后,类似vs开发,可以一步步调试 ......
  • 驱动开发:内核远程线程实现DLL注入
    在笔者上一篇文章《内核RIP劫持实现DLL注入》介绍了通过劫持RIP指针控制程序执行流实现插入DLL的目的,本章将继续探索全新的注入方式,通过NtCreateThreadEx这个内核函数实现注入DLL的目的,需要注意的是该函数在微软系统中未被导出使用时需要首先得到该函数的入口地址,NtCreateThreadEx......
  • Dll基础
    DLL-基础Windows存在3个最重要的dll,分别如下kernel32.dll用来管理内存,进程、线程user32.dll用于处理用户界面相关的东西GDI32.dll用来绘制和显示文字使用dll有什么好处,可以参考官方说明初步使用创建动态的dll可以直接参考官方说明,或者DynamicExport1,......
  • Could not locate zlibwapi.dll. Please make sure it is in your library path
    再跑CNN程序的时候报了这个错2023-06-2321:11:52.069321:Itensorflow/core/platform/cpu_feature_guard.cc:151]ThisTensorFlowbinaryisoptimizedwithoneAPIDeepNeuralNetworkLibrary(oneDNN)tousethefollowingCPUinstructionsinperformance-criticalop......
  • 要将 shimgvw.dll 关联到图像文件的方式可以通过批处理来实现
    shimgvw.dll是一个系统文件,它为Windows提供了一个图像查看器程序。下面是如何使用shimgvw.dll打开图像的方法:打开运行对话框:按下Win+R组合键打开运行对话框。输入命令:在运行对话框中输入“rundll32.exeshimgvw.dll,ImageView_Fullscreen图片路径”,其中“图片路径”是要......
  • VS2019调用Matlab2019b生成的dll时初始化异常
    在VisualStudio中使用C++调用Matlab程序我目前在写一个用VS和Matlab混编的程序,由于之前的版本(VS2005+MATLAB2010b)太老了,现在想换用VS2019+MATLAB2019b的版本。我原本以为会很简单就能完成配置,没想到在运行时会出现下面的问题。(帧不在模块中。在加载的模块中未找到当前堆栈帧。无......
  • DisableThreadLibraryCalls与DLLMain死锁
    DisableThreadLibraryCalls与DLLMain死锁 1、首先写个简单的DLL,用来验证1234567891011121314151617181920212223242526272829303132BOOL APIENTRYDllMain( HMODULE hModule,                       ......