C++:
/*
 * HideMod - unlinks a loaded module from the three PEB loader lists of the
 * current process and then zeroes the module's PE headers in memory.
 *
 * mod     Base address of the mapped image; it is read as an IMAGE_DOS_HEADER.
 *
 * Returns 0 when the DOS or NT signature check fails,
 *         1 when the PEB carries no loader data,
 *         3 after the list walk and the header wipe have run (the result of
 *           the VirtualProtect calls is not reflected in the return value).
 *
 * Platform: 32-bit x86 with MSVC only. The TEB is fetched through fs:[0x18]
 * in an inline __asm block and pointers are cast to DWORD.
 * PTEB->Peb->LoaderData and LDR_MODULE are not declared in this listing;
 * presumably they come from a project header - confirm the layout used.
 *
 * Defensive reading: after this runs, enumeration that walks the PEB loader
 * lists no longer reports the module. Only the neighbours' Flink/Blink
 * pointers and the header bytes are changed; the image mapping itself is not
 * touched here. Tools that list mapped image regions independently of the PEB
 * and compare them against the loader lists would therefore still be expected
 * to show the region. Two further indicators follow from the code below: an
 * image region whose first bytes are zero instead of an MZ/PE header, and a
 * header range whose protection was switched to PAGE_EXECUTE_READWRITE.
 */
DWORD HideMod(HMODULE mod) // Credits Jimster480, Thanks P47R1CK,Tabris,Tetsuo
{
DWORD MBA;
DWORD MBS;
PTEB pTEB;
PPEB_LDR_DATA pLDR;
PLIST_ENTRY pM,pCM;
PLDR_MODULE pMM;
// NOTE(review): M, L, I and temp are never used in this function.
int M=0,L=0,I=0,temp=0;
IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
IMAGE_NT_HEADERS *NTH = NULL;
DWORD OP;
// Load the TEB self pointer (offset 0x18 in the fs segment on 32-bit Windows)
// into pTEB. The xor is redundant because eax is overwritten by the next mov.
__asm
{
xor eax, eax;
mov eax, fs:[0x18];
mov pTEB, eax;
}
pLDR = pTEB->Peb->LoaderData;
// Validate that mod points at a PE image before any field is trusted.
if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return 0;
NTH = ((PIMAGE_NT_HEADERS)((DWORD)(DOSH) + (DWORD)(DOSH->e_lfanew)));
if(NTH->Signature != IMAGE_NT_SIGNATURE) return 0;
// The match key is taken from the in-memory optional header (ImageBase and
// SizeOfImage), not from the mod argument itself.
MBS = NTH->OptionalHeader.SizeOfImage;
MBA = NTH->OptionalHeader.ImageBase;
if(!pLDR) return 1;
// One pass per loader list: m selects the list head and, further down, the
// matching LIST_ENTRY member for CONTAINING_RECORD.
for(int m=0;m<=2;m++)
{
if(m == 0) pM = &(pLDR->InMemoryOrderModuleList);
if(m == 1) pM = &(pLDR->InLoadOrderModuleList);
if(m == 2) pM = &(pLDR->InInitializationOrderModuleList);
// Walk the circular list until the iterator returns to the list head.
for(pCM = pM->Flink; pCM != pM; pCM = pCM->Flink)
{
if(m == 0) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InMemoryOrderModuleList);
if(m == 1) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InLoadOrderModuleList);
if(m == 2) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InInitializationOrderModuleList);
if((DWORD)pMM->BaseAddress == MBA && (DWORD)pMM->SizeOfImage == MBS)
{
// Bypass the entry by pointing its neighbours at each other. The entry's own
// Flink/Blink are left as they were, which is why the loop can keep advancing
// through pCM->Flink; the walk does not stop after a match.
pCM->Blink->Flink = pCM->Flink;
pCM->Flink->Blink = pCM->Blink;
// OM = pMM;
}
}
}
// Make the header range writable, zero it, then attempt to restore the old
// protection. Neither VirtualProtect result is checked, so the memset runs
// even if the protection change failed.
VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, PAGE_EXECUTE_READWRITE, &OP);
memset((LPVOID)DOSH, 0,NTH->OptionalHeader.SizeOfHeaders);
// NOTE(review): SizeOfHeaders is re-read here after the memset. Assuming the
// NT headers lie inside the range just zeroed (as in a well-formed image),
// the size passed is 0, so this restore presumably does not take effect and
// the range stays PAGE_EXECUTE_READWRITE - confirm on a test system.
VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, OP, &OP );
return 3;
}