JimmyLefevre · August 30, 2024 20:48
diff --git a/peb_trickery.c b/peb_trickery.c

 #include <windows.h>
 #include <stdio.h>

 typedef struct ldr_data_entry
 {
  LIST_ENTRY LinkedList;
  LIST_ENTRY UnusedList;
  PVOID BaseAddress;
  PVOID Reserved2[1];
  PVOID DllBase;
  PVOID EntryPoint;
  PVOID Reserved3;
  USHORT DllNameLength;
  USHORT DllNameMaximumLength;
  PWSTR  DllNameBuffer;
 } ldr_data_entry;

 typedef struct ldr_data {
  char Padding1[0x20];
  ldr_data_entry *LoaderDataEntry;
 } ldr_data;
 
 typedef struct peb
 {
  char Padding1[0x18];
  ldr_data *LoaderData;
 } peb;

 typedef struct teb
 {
  char Padding[0x60];
  peb *PEB;
 } teb;

 typedef int function_to_load(void);
 __declspec(dllexport) int FunctionToLoad(void) {
  return 3;
 }

 static int StringsAreEqualCaseInsensitive(wchar_t *A, size_t ALength, wchar_t *B, size_t BLength) {
  int Result = (ALength == BLength);

  if(Result) {
    for(size_t Index = 0; Index < ALength; ++Index) {
      wchar_t Ac = A[Index];
      wchar_t Bc = B[Index];

      if((Ac >= 'A') && (Ac <= 'Z')) {
        Ac += 'a' - 'A';
      }
      
      if((Bc >= 'A') && (Bc <= 'Z')) {
        Bc += 'a' - 'A';
      }

      if(Ac != Bc) {
        Result = 0;

        break;
      }
    }
  }

  return Result;
 }

 #define EXE_NAME L"peb_trickery.exe"

 int main(int ArgumentCount, char **Arguments) {
  wchar_t MyName[] = EXE_NAME;

  teb *Teb = (teb *)__readgsqword(0x30);
  peb *Peb = (peb *)(Teb + 0x60);
  ldr_data_entry *Entry = Teb->PEB->LoaderData->LoaderDataEntry;

  while(Entry->DllBase) {
    if(StringsAreEqualCaseInsensitive(Entry->DllNameBuffer, Entry->DllNameLength / 2, MyName, (sizeof(MyName) - 2) / 2)) {
      ZeroMemory(Entry->DllNameBuffer, Entry->DllNameLength);

      break;
    }

    Entry = (ldr_data_entry*)(Entry->LinkedList.Flink);
  }

  HMODULE Myself = LoadLibraryW(MyName);
  if(Myself) {
    function_to_load *Loaded = (function_to_load *)GetProcAddress(Myself, "FunctionToLoad");

    if(Loaded) {
      int Result = Loaded();

      printf("%d\n", Result);
    }
  }

  return 0;
 }

	#include <windows.h>
	#include <stdio.h>

	typedef struct ldr_data_entry
	{
	LIST_ENTRY LinkedList;
	LIST_ENTRY UnusedList;
	PVOID BaseAddress;
	PVOID Reserved2[1];
	PVOID DllBase;
	PVOID EntryPoint;
	PVOID Reserved3;
	USHORT DllNameLength;
	USHORT DllNameMaximumLength;
	PWSTR DllNameBuffer;
	} ldr_data_entry;

	typedef struct ldr_data {
	char Padding1[0x20];
	ldr_data_entry *LoaderDataEntry;
	} ldr_data;

	typedef struct peb
	{
	char Padding1[0x18];
	ldr_data *LoaderData;
	} peb;

	typedef struct teb
	{
	char Padding[0x60];
	peb *PEB;
	} teb;

	typedef int function_to_load(void);
	__declspec(dllexport) int FunctionToLoad(void) {
	return 3;
	}

	static int StringsAreEqualCaseInsensitive(wchar_t A, size_t ALength, wchar_t B, size_t BLength) {
	int Result = (ALength == BLength);

	if(Result) {
	for(size_t Index = 0; Index < ALength; ++Index) {
	wchar_t Ac = A[Index];
	wchar_t Bc = B[Index];

	if((Ac >= 'A') && (Ac <= 'Z')) {
	Ac += 'a' - 'A';
	}

	if((Bc >= 'A') && (Bc <= 'Z')) {
	Bc += 'a' - 'A';
	}

	if(Ac != Bc) {
	Result = 0;

	break;
	}
	}
	}

	return Result;
	}

	#define EXE_NAME L"peb_trickery.exe"

	int main(int ArgumentCount, char **Arguments) {
	wchar_t MyName[] = EXE_NAME;

	teb Teb = (teb )__readgsqword(0x30);
	peb Peb = (peb )(Teb + 0x60);
	ldr_data_entry *Entry = Teb->PEB->LoaderData->LoaderDataEntry;

	while(Entry->DllBase) {
	if(StringsAreEqualCaseInsensitive(Entry->DllNameBuffer, Entry->DllNameLength / 2, MyName, (sizeof(MyName) - 2) / 2)) {
	ZeroMemory(Entry->DllNameBuffer, Entry->DllNameLength);

	break;
	}

	Entry = (ldr_data_entry*)(Entry->LinkedList.Flink);
	}

	HMODULE Myself = LoadLibraryW(MyName);
	if(Myself) {
	function_to_load Loaded = (function_to_load )GetProcAddress(Myself, "FunctionToLoad");

	if(Loaded) {
	int Result = Loaded();

	printf("%d\n", Result);
	}
	}

	return 0;
	}