agopoe吧 关注:35,982贴子:549,280
NT_TEB* GetCurrentThreadTEB()
{
NT_TEB* pTeb = NULL;
_asm
{
mov eax, fs:[0x18]
mov pTeb, eax
}
return pTeb;
}
// 隐藏DLL,断链,抹掉PE头ImageBase
VOID DNF_DLL_Hide(HMODULE hMod)
{
NT_TEB* pTeb = GetCurrentThreadTEB();
NT_PEB* pPeb = pTeb->Peb;
PPEB_LDR_DATA pLdrData = pPeb->LoaderData;
PLDR_MODULE ListHead = (PLDR_MODULE)(&(pLdrData->InLoadOrderModuleList));//获取模块头部
PLDR_MODULE pFirstLdrModule = (PLDR_MODULE)pLdrData->InLoadOrderModuleList.Flink;
PLDR_MODULE pLdrModule = pFirstLdrModule;
while (pLdrModule != ListHead)
{
if (pLdrModule->BaseAddress == hMod)
{
pLdrModule->InLoadOrderModuleList.Flink->Blink = pLdrModule->InLoadOrderModuleList.Blink;
pLdrModule->InLoadOrderModuleList.Blink->Flink = pLdrModule->InLoadOrderModuleList.Flink;
pLdrModule->InMemoryOrderModuleList.Flink->Blink = pLdrModule->InMemoryOrderModuleList.Blink;
pLdrModule->InMemoryOrderModuleList.Blink->Flink = pLdrModule->InMemoryOrderModuleList.Flink;
pLdrModule->InInitializationOrderModuleList.Flink->Blink = pLdrModule->InInitializationOrderModuleList.Blink;
pLdrModule->InInitializationOrderModuleList.Blink->Flink = pLdrModule->InInitializationOrderModuleList.Flink;
}
pLdrModule = (PLDR_MODULE)pLdrModule->InLoadOrderModuleList.Flink;
}
//抹掉PE头信息
HMODULE hModule = hMod;
DWORD dwMemPro = NULL;
VirtualProtect((void*)hModule, 0x1000, PAGE_EXECUTE_READWRITE, &dwMemPro);
memset((void*)hModule, 0, 0x1000);//把DLL前面1000个字节全部填充为0
VirtualProtect((void*)hModule, 0x1000, dwMemPro, &dwMemPro);
}
这是由某位大神百度来的断链。
{
NT_TEB* pTeb = NULL;
_asm
{
mov eax, fs:[0x18]
mov pTeb, eax
}
return pTeb;
}
// 隐藏DLL,断链,抹掉PE头ImageBase
VOID DNF_DLL_Hide(HMODULE hMod)
{
NT_TEB* pTeb = GetCurrentThreadTEB();
NT_PEB* pPeb = pTeb->Peb;
PPEB_LDR_DATA pLdrData = pPeb->LoaderData;
PLDR_MODULE ListHead = (PLDR_MODULE)(&(pLdrData->InLoadOrderModuleList));//获取模块头部
PLDR_MODULE pFirstLdrModule = (PLDR_MODULE)pLdrData->InLoadOrderModuleList.Flink;
PLDR_MODULE pLdrModule = pFirstLdrModule;
while (pLdrModule != ListHead)
{
if (pLdrModule->BaseAddress == hMod)
{
pLdrModule->InLoadOrderModuleList.Flink->Blink = pLdrModule->InLoadOrderModuleList.Blink;
pLdrModule->InLoadOrderModuleList.Blink->Flink = pLdrModule->InLoadOrderModuleList.Flink;
pLdrModule->InMemoryOrderModuleList.Flink->Blink = pLdrModule->InMemoryOrderModuleList.Blink;
pLdrModule->InMemoryOrderModuleList.Blink->Flink = pLdrModule->InMemoryOrderModuleList.Flink;
pLdrModule->InInitializationOrderModuleList.Flink->Blink = pLdrModule->InInitializationOrderModuleList.Blink;
pLdrModule->InInitializationOrderModuleList.Blink->Flink = pLdrModule->InInitializationOrderModuleList.Flink;
}
pLdrModule = (PLDR_MODULE)pLdrModule->InLoadOrderModuleList.Flink;
}
//抹掉PE头信息
HMODULE hModule = hMod;
DWORD dwMemPro = NULL;
VirtualProtect((void*)hModule, 0x1000, PAGE_EXECUTE_READWRITE, &dwMemPro);
memset((void*)hModule, 0, 0x1000);//把DLL前面1000个字节全部填充为0
VirtualProtect((void*)hModule, 0x1000, dwMemPro, &dwMemPro);
}
这是由某位大神百度来的断链。
IP属地:广西
40楼2017-06-11 00:55
40楼2017-06-11 00:55收起回复
HMODULE hModule = GetModuleHandle(L"bx_Hide.dll");//DLL的名称
DNF_DLL_Hide(hModule)放到DLL入口函数
入口函数是:keyboardProc (PS:如果找不到,请搜这个函数即可)
DNF_DLL_Hide(hModule)放到DLL入口函数
入口函数是:keyboardProc (PS:如果找不到,请搜这个函数即可)
就有十个昵称币,如此反复即可刷上去。不谢连续十个表情 就有十个昵称币,如此反复即可刷上去。不谢
,你说你们
,为了个昵称币
,至于吗
,虽然给加经验
,但是我还是要谴责你们这种行为
,过分了啊
,太过分了
。啥?我
?我咋了扫二维码下载贴吧客户端
下载贴吧APP
看高清直播、视频!
看高清直播、视频!
贴吧热议榜
- 1美联储拒绝特朗普降息2909850
- 2中国出手反制美国关税2262464
- 3甲亢哥香港行节目效果垮掉1919232
- 4燕云十六声又一次五谷不分1355913
- 5NS2预购因老美关税推迟1149642
- 6饿殍制作人也出来为苏丹说话了1000850
- 7吧友遭Uzi老婆铁拳制裁997920
- 8老美自杀式关税把美股干崩了881452
- 9《我的世界》电影好看吗?741532
- 10韩国人请驻韩美军撑腰反被怼693357
