2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article shows how to implement module hiding in C++ from the R3 (user mode) layer by breaking the loader's linked lists. The editor thinks it is very practical, so it is shared here as a reference; follow along to have a look.
I. The implementation principle of module hiding
How an ordinary API locates a module: in R3 it reads the TEB (Thread Environment Block) to reach the PEB (Process Environment Block), which holds a doubly linked list of loaded modules, and it finds every module by traversing that list and reading a member (the module name string) of each entry.
The idea behind module hiding: in the R3 layer, all we need to do is break the chain, that is, remove one module's entry from the doubly linked list, so that the module is no longer found when the traditional API is called.
II. Detailed introduction of the structure members
TEB structure (memory address fs:[0])
Use WinDbg's "dt _TEB" command to view the TEB structure:
kd> dt _TEB
ntdll!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x01c EnvironmentPointer : Ptr32 Void
   +0x020 ClientId         : _CLIENT_ID
   +0x028 ActiveRpcHandle  : Ptr32 Void
   +0x02c ThreadLocalStoragePointer : Ptr32 Void
   +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
   +0x034 LastErrorValue   : Uint4B
1. Attribute introduction
1.1) _NT_TIB: two key attributes, the top of the stack and the stack size.
http://www.nirsoft.net/kernel_struct/vista/NT_TIB.html
1.2) _CLIENT_ID: stores the process ID and the current main thread ID.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsts/a11e7129-685b-4535-8d37-21d4596ac057?redirectedfrom=MSDN
1.3) _PEB: the process environment block; remember that its pointer sits at TEB offset 0x30.
2. View the structure through OllyDbg
2.1) Open any process, find fs:[0] in the register window, and note its memory address.
2.2) In the memory window, use the command "db 5E7000" to jump to that memory and display it in long-address format.
PEB structure (memory address fs:[0x30])
Use the WinDbg command "dt _PEB" to view the PEB structure, focusing on the last member shown: the pointer to the process loader information table.
kd> dt _PEB
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsLegacyProcess  : Pos 2, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
   +0x003 SpareBits        : Pos 5, 3 Bits
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA   // PEB_LOADER_DATA, the process loader information table
1. View the _PEB_LDR_DATA structure (the process loader information table)
1.1) Focus on the pointer at PEB offset 0x00c, which points to the _PEB_LDR_DATA structure. Inside it, the members at 0x00c, 0x014 and 0x01c are the lists in module load order, in memory order after loading, and in module initialization order, respectively.
kd> dt _PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr32 Void
   +0x00c InLoadOrderModuleList : _LIST_ENTRY           // module load order
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY         // order in memory after loading
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY // module initialization order
   +0x024 EntryInProgress  : Ptr32 Void
   +0x028 ShutdownInProgress : UChar
   +0x02c ShutdownThreadId : Ptr32 Void
1.2) Note the order of these three members: each points to the matching one of the first three members of a _LDR_DATA_TABLE_ENTRY element, and _LDR_DATA_TABLE_ENTRY is where the module information (such as the module name) is stored.
kd> dt _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x008 InMemoryOrderLinks : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY
   +0x018 DllBase          : Ptr32 Void        // module base address
   +0x01c EntryPoint       : Ptr32 Void        // entry function (valid for exe modules)
   +0x020 SizeOfImage      : Uint4B            // module size
   +0x024 FullDllName      : _UNICODE_STRING   // full module name (with path)
   +0x02c BaseDllName      : _UNICODE_STRING   // module name
   +0x034 Flags            : Uint4B
2. Use OllyDbg to find the name of the first loaded module (TEB -> PEB -> InLoadOrderModuleList -> BaseDllName)
2.1) In the TEB contents from before, find the PEB location at fs:[0x30].
2.2) Follow the Ldr pointer at offset 0x00c; at offset 0x00c of the table it points to is the InLoadOrderModuleList member, which points to a _LDR_DATA_TABLE_ENTRY structure.
2.3) Starting at 0x0c there are three _LIST_ENTRY structures in turn, and each doubly linked list node stores two addresses (the next and previous entries).
2.4) Select the first entry; its name string can be read at offset 0x02c (the UNICODE_STRING structure occupies four words).
2.5) Starting from the _LIST_ENTRY structure you can traverse to the contents of the previous module and of the next module.
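As an added example (not the article's code), the following portable C models the loader walk described in sections I and II on constructed data: a LIST_ENTRY chain embedded in module records, walked with CONTAINING_RECORD to reach each BaseDllName, plus the check a defender would add, comparing the list against module bases known from an independent source, because a clean unlink leaves the list internally consistent. The LIST_ENTRY/MODULE definitions, the module names and the base addresses are constructed stand-ins, not real process data.

```c
/* Added example, not the article's code: a portable model of the loader list walk
 * from sections I and II. Constructed data, no Windows headers, builds anywhere. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
/* Stand-in for _LDR_DATA_TABLE_ENTRY: links first, then DllBase and BaseDllName. */
typedef struct { LIST_ENTRY InLoadOrderLinks; uintptr_t DllBase; const char *BaseDllName; } MODULE;

static void list_append(LIST_ENTRY *head, LIST_ENTRY *e) { /* insert before the sentinel */
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}

/* Walk the way the traditional API does: every node reachable from the PEB sentinel,
 * resolved to its record with CONTAINING_RECORD. Also checks Flink/Blink symmetry;
 * a clean unlink rewrites both pointers, so a consistent list proves nothing.
 * Returns the entry count, or -1 if the chain is inconsistent. */
int walk_load_order(const LIST_ENTRY *head, const char **names, int max) {
    int n = 0;
    for (const LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink, n++) {
        if (cur->Flink->Blink != cur || cur->Blink->Flink != cur) return -1;
        if (n < max) names[n] = CONTAINING_RECORD(cur, MODULE, InLoadOrderLinks)->BaseDllName;
    }
    return n;
}

static int in_list(const LIST_ENTRY *head, uintptr_t base) {
    for (const LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink)
        if (CONTAINING_RECORD(cur, MODULE, InLoadOrderLinks)->DllBase == base) return 1;
    return 0;
}
/* Defender cross-check: bases known from an independent source (in a live process,
 * e.g. a scan of mapped regions for PE images) but absent from the PEB list. */
int missing_from_list(const LIST_ENTRY *head, const uintptr_t *known, int n) {
    int missing = 0;
    for (int i = 0; i < n; i++) missing += !in_list(head, known[i]);
    return missing;
}

/* Constructed sample: four "known" modules, only three linked; the fourth stands
 * in for a module that has been unlinked from the load-order list. */
static MODULE mods[4] = { {{0,0}, 0x00400000, "sample.exe"},   {{0,0}, 0x77000000, "ntdll.dll"},
                          {{0,0}, 0x76000000, "kernel32.dll"}, {{0,0}, 0x10000000, "unlinked.dll"} };
static const uintptr_t known_bases[4] = { 0x00400000, 0x77000000, 0x76000000, 0x10000000 };
static LIST_ENTRY sample_head;
const LIST_ENTRY *build_sample(void) {          /* (re)build the three-entry list */
    sample_head.Flink = sample_head.Blink = &sample_head;
    for (int i = 0; i < 3; i++) list_append(&sample_head, &mods[i].InLoadOrderLinks);
    return &sample_head;
}
```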
III. Use a C++ chain break to implement module hiding
If you have followed the analysis above, the source code is easy to understand.
// Hidden module.cpp: this file contains the "main" function. Program execution begins and ends here.
//
#include "pch.h"
#include <windows.h>
#include <stdio.h>

/*
  Structures:
  1. _LDR_DATA_TABLE_ENTRY: the module record that each linked-list node belongs to
  2. _PEB_LDR_DATA: the loader data table pointed to by PEB+0x0c
  3. _LIST_ENTRY: the pointer pair (Flink/Blink) that links the list
*/
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    DWORD      Length;                          // +0x00
    bool       Initialized;                     // +0x04
    PVOID      SsHandle;                        // +0x08
    LIST_ENTRY InLoadOrderModuleList;           // +0x0c
    LIST_ENTRY InMemoryOrderModuleList;         // +0x14
    LIST_ENTRY InInitializationOrderModuleList; // +0x1c
} PEB_LDR_DATA, *PPEB_LDR_DATA;                 // +0x24

typedef struct _LDR_MODULE {
    LIST_ENTRY     InLoadOrderModuleList;
    LIST_ENTRY     InMemoryOrderModuleList;
    LIST_ENTRY     InInitializationOrderModuleList;
    void*          BaseAddress;
    void*          EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG          Flags;
    SHORT          LoadCount;
    SHORT          TlsIndex;
    HANDLE         SectionHandle;
    ULONG          CheckSum;
    ULONG          TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

// The so-called module handle is simply the module's base (entry) address
void hide_module(char* szDllName)
{
    HMODULE       hMod = GetModuleHandleA(szDllName);
    PLIST_ENTRY   Head, Cur;
    PPEB_LDR_DATA ldr;
    PLDR_MODULE   ldm;

    __asm {
        mov eax, fs:[0x30]      // PEB
        mov ecx, [eax + 0x0c]   // Ldr
        mov ldr, ecx
    }
    Head = &(ldr->InLoadOrderModuleList);
    Cur  = Head->Flink;
    do {
        ldm = CONTAINING_RECORD(Cur, LDR_MODULE, InLoadOrderModuleList);
        if (hMod == ldm->BaseAddress) {
            // break all three linked lists at the same time
            ldm->InLoadOrderModuleList.Blink->Flink = ldm->InLoadOrderModuleList.Flink;
            ldm->InLoadOrderModuleList.Flink->Blink = ldm->InLoadOrderModuleList.Blink;
            //
            ldm->InInitializationOrderModuleList.Blink->Flink = ldm->InInitializationOrderModuleList.Flink;
            ldm->InInitializationOrderModuleList.Flink->Blink = ldm->InInitializationOrderModuleList.Blink;
            //
            ldm->InMemoryOrderModuleList.Blink->Flink = ldm->InMemoryOrderModuleList.Flink;
            ldm->InMemoryOrderModuleList.Flink->Blink = ldm->InMemoryOrderModuleList.Blink;
            break;
        }
        Cur = Cur->Flink;
    } while (Head != Cur);
}

int main()
{
    // get the module handle
    printf("*** press any key to hide the module ***");
    getchar();
    hide_module((char*)"kernel32.dll");
    printf("*** module hiding complete ***");
    getchar();
    getchar();
}
Thank you for reading! This article on "how to use a C++ R3-layer chain break to implement module hiding" ends here. I hope the above content has been of some help to you and lets you learn more; if you think the article is good, please share it so more people can see it!
Welcome to subscribe to "Shulou Technology Information" to get the latest news, interesting things and hot topics in the IT industry, and to keep up with the hottest and latest Internet news, technology news and IT industry trends.
© 2024 shulou.com SLNews company. All rights reserved.