您的位置：首页 > 编程语言 > Delphi

delphi LDR断链隐藏DLL

2020-03-01 04:21 639 查看

unit UHideModule;

interface
uses
windows;
type
UNICODE_STRING = packed record
Len:Cardinal;
Max:Cardinal;
Buffer:PWideChar
end;
PLIST_ENTRY = ^LIST_ENTRY;
LIST_ENTRY = Packed record
FLink:PLIST_ENTRY;
BLink:PLIST_ENTRY;
end;

PPEB_LDR_DATA =^PEB_LDR_DATA;
PEB_LDR_DATA = packed record
Len:Cardinal;
Initialized:Bool;
SsHandle:PPointer;
InLoadOrderModuleList:LIST_ENTRY;
InMemoryOrderModuleList:LIST_ENTRY;
InInitializationOrderModuleList:LIST_ENTRY;
end;

PLDR_MODULE = ^LDR_MODULE;
LDR_MODULE = packed Record
InLoadOrderModuleList:LIST_ENTRY;
InMemoryOrderModuleList:LIST_ENTRY;
InInitializationOrderModuleList:LIST_ENTRY;
BaseAddress:Cardinal;
EntryPoint:Cardinal;
SizeOfImage:Cardinal;
FullDllName:UNICODE_STRING;
BaseDllName:UNICODE_STRING;
Flags:Cardinal;
LoadCount:Word;
TlsIndex:Word;
SectionHandle:Cardinal;
CheckSum:Cardinal;
TimeDateStamp:Cardinal;
End;

Procedure HideModule(hModule:Cardinal);

implementation

Procedure HideModule(hModule:Cardinal);
var
Head,Cur:PLIST_ENTRY;
ldr:PPEB_LDR_DATA;
ldm:PLDR_MODULE;
Lp:PChar;
begin
asm
mov eax , fs:[$30]
mov ecx , [eax + $0c] //Ldr
mov ldr , ecx
end;
Head:= @ldr.InLoadOrderModuleList;
Cur := Head.Flink;
repeat
ldm := @Cur.FLink;
if ldm.BaseAddress =hModule then
begin
ldm.InLoadOrderModuleList.BLink.FLink:= ldm.InLoadOrderModuleList.FLink;
ldm.InLoadOrderModuleList.FLink.BLink :=ldm.InLoadOrderModuleList.BLink;

ldm.InInitializationOrderModuleList.BLink.FLink:=ldm.InInitializationOrderModuleList.FLink;
ldm.InInitializationOrderModuleList.FLink.BLink:=ldm.InInitializationOrderModuleList.BLink;

ldm.InMemoryOrderModuleList.BLink.FLink:=ldm.InMemoryOrderModuleList.FLink;
ldm.InMemoryOrderModuleList.FLink.BLink:=ldm.InMemoryOrderModuleList.BLink;

break;
end;
Cur:=Cur.FLink;
until (Head = Cur);
end;
end.

点赞
收藏
分享
文章举报

Shirley068 发布了0 篇原创文章 · 获赞 0 · 访问量 1706 私信关注

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签：

相关文章推荐

新的分享

章节导航

delphi LDR断链 隐藏DLL

delphi LDR断链隐藏DLL