;2015/1/7
;作用:简单的断去链表的方法 实用  也可以达到隐藏的效果 成功返回1失败返回0 
;失败原因:例如内存分配不成功等等 一般是在过程中出错
;esp+8传入 DLL的句柄
dll_CopycatAndHide proc   dllhandle:dword 
LOCAL SizeOfImage,lpBackMem,oldprotect,AddressOfEntryPoint,g_lpNewImage
pushad
mov eax,dword ptr [dllhandle]
mov eax,dword ptr [eax+IMAGE_DOS_HEADER.e_lfanew]
add eax,dword ptr [dllhandle]
lea eax,dword ptr [eax+IMAGE_NT_HEADERS.OptionalHeader]
mov ebx,dword ptr [eax+IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint];入口点
mov dword ptr [AddressOfEntryPoint],ebx;保存入口点
mov eax,dword ptr [eax+IMAGE_OPTIONAL_HEADER.SizeOfImage]
mov dword ptr [SizeOfImage],eax;保存SizeOfImage
invoke VirtualAlloc,0,eax,MEM_COMMIT or MEM_RESERVE ,PAGE_EXECUTE_READWRITE
mov dword ptr [lpBackMem],eax;保存内存开始地址
test eax,eax
je retf1;查看是否申请内存成功 失败就返回
invoke VirtualProtect,dllhandle,SizeOfImage,PAGE_EXECUTE_READWRITE,addr oldprotect
;下面开始复制DLL代码过去
mov esi,dword ptr [dllhandle];源开始地址
mov edi,dword ptr [lpBackMem];目标开始地址
mov ecx ,dword ptr [SizeOfImage];代码大小
cld;标志位正向
rep movsb;开始一个字节一个字节复制
invoke RtlZeroMemory,lpBackMem,200
mov eax,dword ptr[ AddressOfEntryPoint]
add eax,dword ptr [dllhandle];入口点位置
mov byte ptr [eax],0c3h ;ret
invoke FreeLibrary,dllhandle;释放
invoke VirtualAlloc,dllhandle,SizeOfImage,MEM_COMMIT or MEM_RESERVE ,PAGE_EXECUTE_READWRITE
mov dword ptr [g_lpNewImage],eax
cmp eax,dword ptr[dllhandle]
jnz retf1
mov esi,dword ptr [lpBackMem];源开始地址
mov edi,dword ptr [g_lpNewImage];目标开始地址
mov ecx ,dword ptr [SizeOfImage];代码大小
cld;标志位正向
rep movsb;开始一个字节一个字节复制
invoke VirtualFree,lpBackMem,0,MEM_RELEASE;释放
jmp retf2
retf1:
popad
mov eax,0 ;执行之间出错
ret 4
retf2:
popad
mov eax,1;执行成功

ret 4

dll_CopycatAndHide endp

下面是C++版的  我就是参考这份代码的
VOID LockAllModules()
{
  HANDLE hSnapshot = CreateToolhelp32Snapshot(  
    TH32CS_SNAPMODULE, GetCurrentProcessId()); 

  if (hSnapshot != INVALID_HANDLE_VALUE) { 

    MODULEENTRY32 me = {sizeof(me)};  
    BOOL fOk = Module32First(hSnapshot, &me);  
    for (fOk = Module32Next(hSnapshot, &me); fOk; fOk = Module32Next(hSnapshot, &me)){ //跳过第一个;
      LoadLibrary(me.szModule);
    }
  }
}

BOOL CopycatAndHide(HMODULE hDll)
{
  IMAGE_DOS_HEADER * pDosHeader;
  IMAGE_NT_HEADERS * pNtHeader;
  IMAGE_OPTIONAL_HEADER * pOptionalHeader;
  LPVOID lpBackMem = 0;
  DWORD dwOldProtect;
  DWORD dwCount = 30;

  pDosHeader = (IMAGE_DOS_HEADER *)hDll;
  pNtHeader = (IMAGE_NT_HEADERS *)(pDosHeader->e_lfanew + (DWORD)hDll);
  pOptionalHeader = (IMAGE_OPTIONAL_HEADER *)&pNtHeader->OptionalHeader;

  LockAllModules();

  lpBackMem = VirtualAlloc(0 ,pOptionalHeader->SizeOfImage ,MEM_COMMIT|MEM_RESERVE ,PAGE_EXECUTE_READWRITE);
  if(!lpBackMem)
    return FALSE;
  if(!VirtualProtect((LPVOID)hDll ,pOptionalHeader->SizeOfImage ,PAGE_EXECUTE_READWRITE ,&dwOldProtect))
    return FALSE;

  g_dwImageSize = pOptionalHeader->SizeOfImage;
  memcpy(lpBackMem ,(LPVOID)hDll ,g_dwImageSize );
  memset(lpBackMem , 0 ,0x200);
  *((PBYTE)hDll + pOptionalHeader->AddressOfEntryPoint) = (BYTE)0xc3;

  //  DWORD dwRet =0;
  do{
    dwCount --;
  }while(FreeLibrary(hDll) && dwCount);

  g_lpNewImage = VirtualAlloc((LPVOID)hDll ,g_dwImageSize ,MEM_COMMIT|MEM_RESERVE ,PAGE_EXECUTE_READWRITE);
  if(g_lpNewImage != (LPVOID)hDll)
    return FALSE;

  memcpy(g_lpNewImage , lpBackMem , g_dwImageSize);
  VirtualFree(lpBackMem , 0, MEM_RELEASE);

  return TRUE  ;
}

效果都是一样可以达到断链的

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据