// HideDll: removes the LDR_MODULE entry for "MyHook.dll" from the three
// module lists reachable from PEB->Ldr (InLoadOrderModuleList,
// InInitializationOrderModuleList, InMemoryOrderModuleList). User-mode
// enumerators that walk these lists will no longer report the module;
// nothing here unmaps or frees the image, so the mapped DLL itself and
// its memory regions are unchanged — that is what a defender can still
// look for (any module/section enumeration that does not go through
// these PEB lists is unaffected by this function).
// x86-only: relies on 32-bit MSVC inline asm (fs:[0x30]) and a hard-coded
// PEB field offset; it does not apply to 64-bit builds as written.
// Returns nothing. If the DLL is not loaded, or the entry is not found,
// the function silently does nothing.
void HideDll()
{
    // Base address of the module to hide. GetModuleHandle returns NULL if
    // the DLL is not loaded; that case is not checked — a NULL hMod just
    // never matches an entry's BaseAddress below.
    HMODULE hMod = ::GetModuleHandle("MyHook.dll");
    PLIST_ENTRY Head,Cur;
    PPEB_LDR_DATA ldr;
    PLDR_MODULE ldm;
    // On 32-bit Windows fs:[0x30] holds the TEB's pointer to the PEB;
    // the field at +0x0c is PEB.Ldr (the loader data, see the comment
    // in the asm). The raw offset is undocumented and version-sensitive.
    __asm
    {
    mov eax , fs:[0x30]
    mov ecx , [eax + 0x0c] //Ldr
    mov ldr , ecx
    }
    // Walk InLoadOrderModuleList, starting with the first real entry
    // after the list head.
    // NOTE(review): no loader lock is acquired here; if another thread
    // is loading or unloading a module at the same time, these lists can
    // change underneath this walk.
    Head = &(ldr->InLoadOrderModuleList);
    Cur = Head->Flink;
    do
    {
    // Recover the enclosing LDR_MODULE from its InLoadOrderModuleList link.
    ldm = CONTAINING_RECORD( Cur, LDR_MODULE, InLoadOrderModuleList);
    //printf("EntryPoint [0x%X]\n",ldm->BaseAddress);
    if( hMod == ldm->BaseAddress)
    {
    // Splice this entry out of each list by pointing its two neighbours
    // at each other. The entry's own Flink/Blink are left as they were,
    // so they now point at entries that no longer point back at it;
    // presumably later loader operations on this entry (e.g. unload)
    // would see that stale state — confirm before relying on it.
    ldm->InLoadOrderModuleList.Blink->Flink =
    ldm->InLoadOrderModuleList.Flink;
    ldm->InLoadOrderModuleList.Flink->Blink =
    ldm->InLoadOrderModuleList.Blink;
    ldm->InInitializationOrderModuleList.Blink->Flink =
    ldm->InInitializationOrderModuleList.Flink;
    ldm->InInitializationOrderModuleList.Flink->Blink =
    ldm->InInitializationOrderModuleList.Blink;
    ldm->InMemoryOrderModuleList.Blink->Flink =
    ldm->InMemoryOrderModuleList.Flink;
    ldm->InMemoryOrderModuleList.Flink->Blink =
    ldm->InMemoryOrderModuleList.Blink;
    // Only the first matching entry is unlinked.
    break;
    }
    Cur= Cur->Flink;
    }while(Head != Cur);   // the list is circular: stop when back at the head
}