
@Fonger
Last active September 6, 2024 15:43
Hide DLL ( 32bit and 64bit support)
#include "stdafx.h"
#include "HideModule.h"
// Records for every module this file has unlinked from the PEB loader lists,
// kept so RelinkModuleToPEB can restore them. File-scope and non-static; no
// locking around it is visible in this file.
std::vector<UNLINKED_MODULE> UnlinkedModules;
// Puts a module that UnlinkModuleFromPEB removed back into the three PEB
// loader lists and discards its bookkeeping record.
//
// hModule: handle of the module to restore. When no record for it exists in
// UnlinkedModules the function returns without touching anything.
//
// NOTE(review): the neighbours written to are whatever the entry's own
// Flink/Blink held at unlink time. Nothing here verifies that those neighbours
// are still loaded, and no lock is taken in this file, so a module load or
// unload in between can leave the lists inconsistent.
void RelinkModuleToPEB(HMODULE hModule)
{
    std::vector<UNLINKED_MODULE>::iterator record =
        std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));

    if (record != UnlinkedModules.end())
    {
        // Copy the record so it can be erased after the lists are repaired.
        UNLINKED_MODULE saved = *record;

        RELINK(saved.Entry->InLoadOrderModuleList, saved.RealInLoadOrderLinks);
        RELINK(saved.Entry->InInitializationOrderModuleList, saved.RealInInitializationOrderLinks);
        RELINK(saved.Entry->InMemoryOrderModuleList, saved.RealInMemoryOrderLinks);

        UnlinkedModules.erase(record);
        return;
    }

    //DBGOUT(TEXT("Module Not Unlinked Yet!"));
}
// Removes the loader entry for hModule from the three module lists reachable
// through PEB->Ldr in the current process, and stores what RelinkModuleToPEB
// needs to undo it. Returns without changes if hModule is already recorded in
// UnlinkedModules or if no list entry has a matching BaseAddress.
//
// Effect: code that enumerates modules by walking these lists no longer sees
// the entry. Only list links are edited; the image stays mapped.
//
// Defender note: because the mapping itself is untouched, comparing the loader
// lists against an independent view of the address space (memory-region
// enumeration, or a memory-forensics cross-view of loader lists versus mapped
// images) shows an executable image with no matching list entry.
//
// NOTE(review): the lists are walked and edited with no synchronisation
// visible here, and pPEB->Ldr is dereferenced without a NULL check.
void UnlinkModuleFromPEB(HMODULE hModule)
{
std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
if (it != UnlinkedModules.end())
{
//DBGOUT(TEXT("Module Already Unlinked!"));
return;
}
// Read the PEB pointer from the current thread's TEB: gs:[0x60] on x64,
// fs:[0x30] on x86.
#ifdef _WIN64
PPEB pPEB = (PPEB)__readgsqword(0x60);
#else
PPEB pPEB = (PPEB)__readfsdword(0x30);
#endif
// Walk the load-order list until it wraps back to the list head.
PLIST_ENTRY CurrentEntry = pPEB->Ldr->InLoadOrderModuleList.Flink;
PLDR_MODULE Current = NULL;
while (CurrentEntry != &pPEB->Ldr->InLoadOrderModuleList && CurrentEntry != NULL)
{
// InLoadOrderModuleList is the first member of LDR_MODULE, so this yields
// the start of the entry.
Current = CONTAINING_RECORD(CurrentEntry, LDR_MODULE, InLoadOrderModuleList);
if (Current->BaseAddress == hModule)
{
UNLINKED_MODULE CurrentModule = { 0 };
CurrentModule.hModule = hModule;
// Blink->Flink is the pointer the predecessor holds to this entry's
// LIST_ENTRY in each list; it is what RELINK writes back later.
CurrentModule.RealInLoadOrderLinks = Current->InLoadOrderModuleList.Blink->Flink;
CurrentModule.RealInInitializationOrderLinks = Current->InInitializationOrderModuleList.Blink->Flink;
CurrentModule.RealInMemoryOrderLinks = Current->InMemoryOrderModuleList.Blink->Flink;
CurrentModule.Entry = Current;
// Record first, then splice the entry out of each list. UNLINK leaves the
// entry's own Flink/Blink pointing at its former neighbours.
UnlinkedModules.push_back(CurrentModule);
UNLINK(Current->InLoadOrderModuleList);
UNLINK(Current->InInitializationOrderModuleList);
UNLINK(Current->InMemoryOrderModuleList);
break;
}
CurrentEntry = CurrentEntry->Flink;
}
}
// Overwrites the leading bytes of a loaded image with zeros.
//
// GetModuleBase is used as the image base address. If the NT signature found
// at e_lfanew does not match IMAGE_NT_SIGNATURE, or SizeOfOptionalHeader is 0,
// nothing is written. Otherwise SizeOfOptionalHeader bytes starting at the
// base are made writable, zeroed, and the previous protection is restored.
//
// Defender note: a mapped executable image whose first bytes are no longer a
// valid DOS header is itself an anomaly memory scanners can flag, and for a
// file-backed module the first page now differs from the file on disk.
//
// NOTE(review): e_magic is not checked before e_lfanew is used, and the
// VirtualProtect return values are ignored.
void RemovePeHeader(HANDLE GetModuleBase)
{
    void* const imageBase = (void*)GetModuleBase;
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)imageBase;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + (DWORD)dosHeader->e_lfanew);

    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
        return;

    const WORD wipeLength = ntHeaders->FileHeader.SizeOfOptionalHeader;
    if (wipeLength == 0)
        return;

    // Make the range writable, zero it, then restore the earlier protection.
    DWORD previousProtection;
    VirtualProtect(imageBase, wipeLength, PAGE_EXECUTE_READWRITE, &previousProtection);
    SecureZeroMemory(imageBase, wipeLength);
    VirtualProtect(imageBase, wipeLength, previousProtection, &previousProtection);
}
#pragma once
#include <vector>
#include <algorithm>
// Counted wide-character string used by the loader structures below. Declared
// locally; none of its fields are read in this file's code.
// NOTE(review): this will clash if a header that already defines
// UNICODE_STRING (for example winternl.h) is included in the same unit.
typedef struct _UNICODE_STRING {
USHORT Length; // current length of the string data
USHORT MaximumLength; // capacity of Buffer
PWCH Buffer; // pointer to the wide-character data
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
// Local declaration of the loader data block that PEB::Ldr points to. It holds
// the heads of the three circular module lists; every LDR_MODULE is linked
// into all three through its own LIST_ENTRY members.
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList; // head walked by UnlinkModuleFromPEB
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// Minimal view of the Process Environment Block: only Ldr is declared. The
// padding places Ldr at byte offset 24 on 64-bit builds and 12 on 32-bit
// builds; every other PEB field is skipped.
typedef struct _PEB {
#ifdef _WIN64
UINT8 _PADDING_[24];
#else
UINT8 _PADDING_[12];
#endif
PEB_LDR_DATA* Ldr; // loader data holding the module list heads
} PEB, *PPEB;
// Local declaration of the loader's per-module record. Only the three
// LIST_ENTRY members and BaseAddress are used by the code in this file.
// NOTE(review): this layout is hand-declared rather than taken from an SDK
// header; fields beyond the ones used here should be verified against the
// target Windows version before being relied on.
typedef struct _LDR_MODULE
{
LIST_ENTRY InLoadOrderModuleList; // first member: list pointer == entry pointer
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress; // compared against the HMODULE being searched for
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
// One bookkeeping record per unlinked module: the handle used as lookup key,
// the link pointer saved from each of the three lists, and the loader entry
// itself so it can be spliced back in.
typedef struct _UNLINKED_MODULE
{
HMODULE hModule; // key matched by FindModuleHandle
PLIST_ENTRY RealInLoadOrderLinks; // saved Blink->Flink of the load-order link
PLIST_ENTRY RealInMemoryOrderLinks; // saved Blink->Flink of the memory-order link
PLIST_ENTRY RealInInitializationOrderLinks; // saved Blink->Flink of the init-order link
PLDR_MODULE Entry; // the unlinked loader entry (same role as PLDR_DATA_TABLE_ENTRY)
} UNLINKED_MODULE;
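// Splices list node x out of its doubly linked list by pointing its two
// neighbours at each other. x's own Flink/Blink are left unchanged; RELINK
// relies on that to find the neighbours again.
//
// Wrapped in do { } while (0) so the macro expands to exactly one statement
// and stays correct under an unbraced if/else. x is evaluated more than once,
// so pass an expression without side effects.
#define UNLINK(x)                       \
    do {                                \
        (x).Flink->Blink = (x).Blink;   \
        (x).Blink->Flink = (x).Flink;   \
    } while (0)

// Re-inserts list node x between the neighbours still recorded in its own
// Flink/Blink. real is the pointer the neighbours should hold for this node;
// it is written into both neighbours and its own links are refreshed from x.
//
// Same single-statement wrapping and multiple-evaluation caveat as UNLINK.
#define RELINK(x, real)                 \
    do {                                \
        (x).Flink->Blink = (real);      \
        (x).Blink->Flink = (real);      \
        (real)->Blink = (x).Blink;      \
        (real)->Flink = (x).Flink;      \
    } while (0)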
// Predicate for std::find_if over UnlinkedModules: true for the record whose
// hModule equals the handle supplied at construction.
struct FindModuleHandle
{
    // Handle being searched for.
    HMODULE m_hModule;

    FindModuleHandle(HMODULE hModule)
        : m_hModule(hModule)
    {
    }

    // Compares one bookkeeping record against the stored handle.
    bool operator() (UNLINKED_MODULE const &Module) const
    {
        const bool sameHandle = (m_hModule == Module.hModule);
        return sameHandle;
    }
};
// Removes hModule's entry from the three PEB loader lists of the current
// process and records it so the change can be undone.
void UnlinkModuleFromPEB(HMODULE hModule);
// Restores an entry previously removed by UnlinkModuleFromPEB; no-op if
// hModule was never unlinked.
void RelinkModuleToPEB(HMODULE hModule);
// Zeroes the leading bytes of the image mapped at GetModuleBase.
void RemovePeHeader(HANDLE GetModuleBase);