【转帖】隐藏DLL模块代码
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; 隐藏DLL模块代码
; E-mail & MSN:since18a31h@hotmail.com
; by since18a31h
; http://hi.baidu.com/since18a31h
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 该代码编译后是一个Dll文件,调用Dll文件的_Test函数后,在进程空间就无
; 法找到本DLL模块了,但是实际上该DLL还在用循环的方式弹出一个MessageBox。
; 很早以前的代码,byshell就用过了,这个是直接翻译的lzx的C++代码,
; 随便翻译的,也没针对汇编做任何代码优化,编译出的DLL比较大,4.5KB,
; 经测试,运行稳定。
; 用到的API都很常用,原理很简单,就不添加注释了,凑合看吧。
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 一个普通的Dll,就不再啰嗦MakeFile的内容了
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.586
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelibuser32.lib
include kernel32.inc
includelibkernel32.lib
include Psapi.inc
includelib Psapi.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
UNLOADLIB_CALLBACKstruct
lpDllBase dd?
lpNewDllBase dd?
pAddress dd?
lParamdd?
UNLOADLIB_CALLBACKends
MODULEINFOstruct
lpBaseOfDll dd?
SizeOfImage dd?
EntryPointdd?
MODULEINFOends
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
hInstance dd?
.data
szError db'error!',0
szEcho1 db'CreateThread HideWork Failed.',0
szSucess db'用一些软件查看下,找不到这个dll吧',0
szKernel32db'Kernel32.dll',0
szntdll db'ntdll.dll',0
szVirtualAllocdb'VirtualAlloc',0
szLoadLibrary db'LoadLibraryA',0
szCreateThreaddb'CreateThread',0
szHeapDestroy db'HeapDestroy',0
szmemcpy db'memcpy',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
incLibraryCount proc hMe
local hModsSnap
local stME32:MODULEENTRY32
invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE, 0
.if eax == INVALID_HANDLE_VALUE
xor eax,eax
ret
.endif
mov hModsSnap,eax
invoke RtlZeroMemory,addr stME32,sizeof stME32
mov stME32.dwSize,sizeof stME32
invoke Module32First,hModsSnap,addr stME32
.if !eax
invoke CloseHandle,hModsSnap
xor eax,eax
ret
.endif
.repeat
invoke LoadLibrary,addr stME32.szModule
.if eax == hMe
invoke FreeLibrary,eax
.endif
invoke Module32Next,hModsSnap,addr stME32
.until !eax
invoke CloseHandle,hModsSnap
mov eax,TRUE
ret
incLibraryCount endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
EnumAndSetThreadState proc lParam
local hThreadSnap,hThread,myThreadId,pid
local stTE32:THREADENTRY32
invoke RtlZeroMemory,addr stTE32,sizeof stTE32
mov stTE32.dwSize,sizeof stTE32
invoke CreateToolhelp32Snapshot,TH32CS_SNAPTHREAD,0
mov hThreadSnap,eax
invoke GetCurrentThreadId
mov myThreadId,eax
invoke GetCurrentProcessId
mov pid,eax
invoke Thread32First,hThreadSnap,addr stTE32
or eax,eax
jz _Ret
.repeat
mov eax,pid
.if eax == stTE32.th32OwnerProcessID
mov eax,myThreadId
.if eax != stTE32.th32ThreadID
invoke OpenThread,THREAD_SUSPEND_RESUME,\
FALSE,stTE32.th32ThreadID
.if eax
mov ebx,eax
.if lParam
invoke ResumeThread,ebx
.else
invoke SuspendThread,ebx
.endif
invoke CloseHandle,ebx
.endif
.endif
.endif
invoke Thread32Next,hThreadSnap,addr stTE32
.until !eax
_Ret:
invoke CloseHandle,hThreadSnap
ret
EnumAndSetThreadState endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
GotoCallBackAddr proc uses edi esi ebx, lParam
local dwThreadId,hThread
mov edi,lParam
assume edi:ptr UNLOADLIB_CALLBACK
.if [edi].pAddress
invoke CreateThread,0,0,[edi].pAddress,[edi].lParam,0,addr dwThreadId
.if eax
invoke CloseHandle,eax
.endif
.endif
invoke VirtualFree,[edi].lpNewDllBase,0,MEM_DECOMMIT
invoke VirtualFree,lParam,0,MEM_DECOMMIT
assume edi:nothing
xor eax,eax
ret
GotoCallBackAddr endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
UnLoadLibrary proc uses edi esi ebx, lParam
local stMI:MODULEINFO
local oldProtect,hDllInstance,hDll
local szDllPath:byte
local @lpVirtualAlloc,@lpLoadLibrary,@lpCreateThread,@lpmemcpy,@lpHeapDestroy
local HeapDestroy_HookCode_bak,HeapDestroy_HookCode
mov HeapDestroy_HookCode,000004C2h ;Retn 4
mov edi,lParam
assume edi:ptr UNLOADLIB_CALLBACK
push [edi].lpDllBase
pop hDllInstance
invoke GetModuleFileName,hDllInstance,addr szDllPath,\
MAX_PATH
invoke GetCurrentProcess
lea ebx,stMI
invoke GetModuleInformation,eax,hDllInstance,ebx,sizeof stMI
;给所有DLL增加使用计数(除了自身)
invoke incLibraryCount,hDllInstance
;保险起见,挂起其他线程,搞定后再恢复
invoke EnumAndSetThreadState,FALSE
invoke GetModuleHandle,addr szKernel32
.if eax
mov ebx,eax
invoke GetProcAddress,ebx,addr szVirtualAlloc
mov @lpVirtualAlloc,eax
invoke GetProcAddress,ebx,addr szLoadLibrary
mov @lpLoadLibrary,eax
invoke GetProcAddress,ebx,addr szCreateThread
mov @lpCreateThread,eax
invoke GetProcAddress,ebx,addr szHeapDestroy
mov @lpHeapDestroy,eax
invoke GetModuleHandle,addr szntdll
.if eax
mov ebx,eax
invoke GetProcAddress,ebx,addr szmemcpy
mov @lpmemcpy,eax
.else
ret
.endif
.else
ret
.endif
.if !@lpHeapDestroy || !@lpVirtualAlloc || !@lpLoadLibrary || !@lpCreateThread || !@lpmemcpy
xor eax,eax
ret
.endif
invoke VirtualProtect,@lpHeapDestroy,3,\
PAGE_EXECUTE_READWRITE,addr oldProtect
push 3
push @lpHeapDestroy
lea eax,HeapDestroy_HookCode_bak
push eax
call @lpmemcpy
push 3
lea eax,HeapDestroy_HookCode
push eax
push @lpHeapDestroy
call @lpmemcpy
invoke Sleep,100
invoke FreeLibrary,hDllInstance
push 3
lea eax,HeapDestroy_HookCode_bak
push eax
push @lpHeapDestroy
call @lpmemcpy
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT or MEM_RESERVE
push stMI.SizeOfImage
push hDllInstance
call @lpVirtualAlloc
.if !eax
lea eax,szDllPath
push eax
call @lpLoadLibrary
.if !eax
;assume edi:nothing
ret
.endif
mov hDll,eax
mov eax,[edi].pAddress
sub eax,hDllInstance
add eax,hDll
mov [edi].pAddress,eax
mov eax,offset EnumAndSetThreadState
sub eax,hDllInstance
add eax,hDll
push 0
push 0
push TRUE
push eax
push 0
push 0
call @lpCreateThread
.if [edi].pAddress
push 0
push 0
push [edi].lParam
push [edi].pAddress
push 0
push 0
call @lpCreateThread
.endif
xor eax,eax
;assume edi:nothing
ret
.endif
push stMI.SizeOfImage
push [edi].lpNewDllBase
push hDllInstance
call @lpmemcpy
invoke EnumAndSetThreadState,TRUE
push 0
push 0
push edi
push offset GotoCallBackAddr
push 0
push 0
call @lpCreateThread
xor eax,eax
assume edi:nothing
ret
UnLoadLibrary endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HideWork proc uses edi esi ebx, lParam
local stMI:MODULEINFO
local dwThreadId
mov edi,lParam
assume edi:ptr UNLOADLIB_CALLBACK
invoke GetCurrentProcess
lea ebx,stMI
invoke GetModuleInformation,eax,[edi].lpDllBase,ebx,sizeof stMI
invoke VirtualAlloc,NULL,stMI.SizeOfImage,\
MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
.if !eax
;assume edi:nothing
ret
.endif
mov [edi].lpNewDllBase,eax
invoke RtlMoveMemory,[edi].lpNewDllBase,stMI.lpBaseOfDll,stMI.SizeOfImage
mov eax,[edi].lpNewDllBase
add eax,offset UnLoadLibrary
sub eax,stMI.lpBaseOfDll
mov ebx,eax
invoke CreateThread,0,0,\
ebx,edi, CREATE_SUSPENDED,addr dwThreadId
.if !eax
invoke VirtualFree,[edi].lpNewDllBase,0,MEM_DECOMMIT
xor eax,eax
;assume edi:nothing
ret
.endif
push eax
invoke ResumeThread,eax
pop eax
invoke CloseHandle,eax
;assume edi:nothing
ret
HideWork endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HideLibrary proc hModule,pCallBackAddr,lParam
invoke VirtualAlloc,NULL,sizeof UNLOADLIB_CALLBACK,\
MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
.if !eax
ret
.endif
assume eax:ptr UNLOADLIB_CALLBACK
push hModule
pop [eax].lpDllBase
push NULL
pop [eax].lpNewDllBase
push pCallBackAddr
pop [eax].pAddress
push lParam
pop [eax].lParam
invoke CreateThread,0,0,offset HideWork,eax,0,NULL
.if !eax
invoke MessageBox,NULL,offset szEcho1,offset szError,NULL
ret
.endif
invoke CloseHandle,eax
ret
HideLibrary endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
testThreadproc uses edi esi ebx, lParam
.while TRUE
invoke MessageBox,NULL,lParam,lParam,NULL
.endw
ret
testThreadendp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Test proc
invoke HideLibrary,hInstance,offset testThread,addr szSucess
invoke Sleep,60 * 1000
ret
_Test endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DllEntryprochModule,_dwReason,_dwReserved
.if_dwReason == DLL_PROCESS_ATTACH
pushhModule
pophInstance
.endif
moveax,TRUE
ret
DllEntryEndp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
EndDllEntry 隐藏自己?
什么原理来的? 没看明白......... 这个用VB写就行了,何必用汇编呢?
我用汇编的原则是:性能极端敏感,代码极端简洁。 代码很漂亮 谢谢分享
页:
[1]