
Module Protection & Undetection

Jimster480

C++:
/**
 * HideMod (first revision): unlink the module `mod` from the three PEB loader
 * lists and zero its in-memory PE headers.
 *
 * What the code below does:
 *  - reads the TEB self-pointer from fs:[0x18] with MSVC inline asm (32-bit
 *    only) and takes PEB->LoaderData from it;
 *  - validates the DOS and NT signatures of the image at `mod`;
 *  - walks InMemoryOrder / InLoadOrder / InInitializationOrder and unlinks
 *    every entry whose BaseAddress and SizeOfImage equal the values in the
 *    image's own optional header;
 *  - makes the header pages writable and memset()s SizeOfHeaders bytes to 0.
 *
 * Returns 0 if a signature check fails, 1 if PEB->LoaderData is NULL, 3
 * otherwise.
 *
 * NOTE(review): the image stays mapped. Only user-mode enumerators that read
 * these PEB lists lose sight of it; a VirtualQuery / VAD walk still reports an
 * executable image region whose PE header has been zeroed, and that mismatch
 * between loader lists and actual mappings is itself a detection signal.
 */
DWORD HideMod(HMODULE mod) // Credits Jimster480, Thanks P47R1CK,Tabris,Tetsuo
{
    DWORD MBA;   // ImageBase read from the optional header
    DWORD MBS;   // SizeOfImage read from the optional header

    PTEB pTEB;
    PPEB_LDR_DATA pLDR;
    PLIST_ENTRY pM,pCM;   // pM: list head for the current pass, pCM: current entry
    PLDR_MODULE pMM;
    int M=0,L=0,I=0,temp=0;   // unused in this revision

    IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
    IMAGE_NT_HEADERS *NTH = NULL;
    DWORD OP;   // previous protection returned by VirtualProtect

    // fs:[0x18] holds the TEB self pointer on 32-bit Windows; MSVC-specific
    // inline asm, so this does not build for x64.
    __asm
    {
        xor eax, eax;
        mov eax, fs:[0x18];
        mov pTEB, eax;
    }
    pLDR = pTEB->Peb->LoaderData;

    if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return 0;

    NTH = ((PIMAGE_NT_HEADERS)((DWORD)(DOSH) + (DWORD)(DOSH->e_lfanew)));

    if(NTH->Signature != IMAGE_NT_SIGNATURE) return 0;

    MBS = NTH->OptionalHeader.SizeOfImage;
    // NOTE: this is the header's preferred base, not the address the image was
    // actually mapped at; the later revision on this page compares against
    // `mod` instead.
    MBA = NTH->OptionalHeader.ImageBase;



    if(!pLDR) return 1;
    // Three passes, one per loader list. `m` selects which LIST_ENTRY inside
    // LDR_MODULE the list is threaded through, so CONTAINING_RECORD below must
    // use the matching member.
    for(int m=0;m<=2;m++)
    {
        if(m == 0) pM = &(pLDR->InMemoryOrderModuleList);
        if(m == 1) pM = &(pLDR->InLoadOrderModuleList);
        if(m == 2) pM = &(pLDR->InInitializationOrderModuleList);
        for(pCM = pM->Flink; pCM != pM; pCM = pCM->Flink)
        {
            if(m == 0)    pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InMemoryOrderModuleList);
            if(m == 1)  pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InLoadOrderModuleList);
            if(m == 2)  pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InInitializationOrderModuleList);

            if((DWORD)pMM->BaseAddress == MBA && (DWORD)pMM->SizeOfImage == MBS)
            {
                // Unlink the entry from the doubly linked list. pCM's own
                // Flink/Blink are left untouched, so the loop step still works.
                pCM->Blink->Flink = pCM->Flink;
                pCM->Flink->Blink = pCM->Blink;
//                OM = pMM;
            }
        }
    }

    // Return value is not checked; OP receives the previous protection.
    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, PAGE_EXECUTE_READWRITE, &OP);

    // Zero the DOS/NT headers of the mapped image (SizeOfHeaders bytes).
    memset((LPVOID)DOSH, 0,NTH->OptionalHeader.SizeOfHeaders);

    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, OP, &OP );
    return 3;
}
 

Jimster480

yea if you know where to put it it can be used to vac proof stuff like my jmpdetour base. To revac proof it just move things around in the file or add some unnecessary shit that u never call just to change the structure of the file around.
 

Jimster480

New Version:
C++:
/**
 * HideMod (second revision): unlink the module `mod` from the three PEB
 * loader lists, scrub the fields of its LDR_MODULE entry, zero its PE headers
 * and finally zero the whole LDR_MODULE record.
 *
 * Differences from the first revision visible on this page: the match is on
 * BaseAddress == mod (the actual load address), the entry's identifying
 * fields are cleared, and the record itself is wiped at the end.
 *
 * Returns 0 if a signature check fails or PEB->LoaderData is NULL, 3
 * otherwise.
 *
 * NOTE(review): the image stays mapped; a VirtualQuery / VAD walk still finds
 * an executable image region whose header is zeroed, so this only blinds
 * enumerators that read the PEB lists.
 */
DWORD HideMod(HMODULE mod) // Credits Jimster480, Thanks P47R1CK,Tabris,Tetsuo
{
    PTEB pTEB;
    PPEB_LDR_DATA pLDR;
//    PLIST_ENTRY pM,pL,pI,pCL,pCM,pCI;
    PLIST_ENTRY pM,pCM;   // pM: list head for the current pass, pCM: current entry
    // pMM: record for the current entry; pMH: see the HashTableEntry note
    // below; pMF: the matched record, wiped at the end.
    PLDR_MODULE /*pLM,pIM,*/pMM,pMH,pMF;
    int M=0,L=0,I=0,temp=0;   // unused

    IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
    IMAGE_NT_HEADERS *NTH = NULL;
    DWORD OP;   // previous protection returned by VirtualProtect

    // fs:[0x18] holds the TEB self pointer on 32-bit Windows (MSVC inline asm).
    __asm
    {
        xor eax, eax;
        mov eax, fs:[0x18];
        mov pTEB, eax;
    }
    pLDR = pTEB->Peb->LoaderData;

    if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return 0;

    NTH = ((PIMAGE_NT_HEADERS)(((DWORD)DOSH) + ((DWORD)DOSH->e_lfanew)));

    if(NTH->Signature != IMAGE_NT_SIGNATURE) return 0;

    if(!pLDR) return 0;
    // One pass per loader list; `m` selects the LIST_ENTRY member the list is
    // threaded through.
    for(int m=0;m<3;m++)
    {
        if(m == 0) pM = &(pLDR->InMemoryOrderModuleList);
        else if(m == 1) pM = &(pLDR->InLoadOrderModuleList);
        else if(m == 2) pM = &(pLDR->InInitializationOrderModuleList);
        for(pCM = pM->Flink; pCM != pM; pCM = pCM->Flink)
        {
            if(m == 0)    pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InMemoryOrderModuleList);
            else if(m == 1)  pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InLoadOrderModuleList);
            else if(m == 2)  pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InInitializationOrderModuleList);
            // NOTE(review): pCM was taken from one of the three order lists,
            // not from the loader hash table, so applying the HashTableEntry
            // offset here yields a pointer that does not refer to this entry's
            // LDR_MODULE; the comparison further down reads through it anyway.
            pMH = CONTAINING_RECORD(pCM, LDR_MODULE, HashTableEntry);

            if((DWORD)pMM->BaseAddress == (DWORD)mod)
            {
                // Unlink the entry; pCM's own links are left intact so the
                // loop step still works.
                pCM->Blink->Flink = pCM->Flink;
                pCM->Flink->Blink = pCM->Blink;
                pMF = pMM;

                // Clear the fields that identify the module in this record.
                pMM->EntryPoint = NULL;
                pMM->SizeOfImage = NULL;
                pMM->TimeDateStamp = NULL;
                memset((void*)&pMM->BaseDllName,0,sizeof(_UNICODE_STRING));
                memset((void*)&pMM->FullDllName,0,sizeof(_UNICODE_STRING));
                pMM->LoadCount = NULL;
                pMM->Flags = NULL;
                // BaseAddress is cleared only on the last pass — presumably
                // because the same record is reached from all three lists and
                // the later passes still match on it.
                if(m == 2)
                {
                pMM->BaseAddress = NULL;
                }
            }
            if((DWORD)pMH->BaseAddress == (DWORD)mod)
            {
                pCM->Blink->Flink = pCM->Flink;
                pCM->Flink->Blink = pCM->Blink;
            }
        }
    }

    // Return values of both VirtualProtect calls are not checked.
    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, PAGE_EXECUTE_READWRITE, &OP);

    // Zero the DOS/NT headers of the mapped image.
    memset((LPVOID)DOSH, 0,NTH->OptionalHeader.SizeOfHeaders);

    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, OP, &OP );

    // pMF is assigned only inside the match branch above; it is
    // uninitialized when no list entry matched `mod`.
    memset((void*)pMF,0,sizeof(LDR_MODULE));
    return 3;
}
 


Great work Mr.Prod . :D

Is there an update for Windows 7 Ultimate ? :mrgreen: Thanks . :D

Hangs when I try it... (I don't mean anything by that...) But maybe it's just my error.

~~~~Edit~~~~~~~
Hmm, it seems the injection method you're using is a lot better than mine...
What's the right way to inject this, Mr. Prod?

//------------------------------------------------
C++:
/**
 * DLL entry point. On DLL_PROCESS_ATTACH it turns off thread attach/detach
 * notifications for this module and runs HideMod on the module's own
 * handle; every other reason is a no-op. Always returns TRUE.
 */
BOOL APIENTRY DllMain(HANDLE hModule,DWORD reason,LPVOID lpReserved)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        HMODULE self = (HMODULE)hModule;
        DisableThreadLibraryCalls(self);
        HideMod(self);
    }
    // DLL_PROCESS_DETACH and the thread notifications need no work here.
    return TRUE;
}
 


Here's how to make an injectable module hider for some of your old cheats that don't have module hide (ex: Furious SP).
Just include Nt_DDK.h in your project. Compile it as release and compress it with UPX. When it's all done, load your hack and then inject this afterwards.
It will perform Jimster's module hide on any DLL you want.

C++:
//=====================================================================================
#include <windows.h> //I use lots of includes...
#include <winuser.h>
#include <tlhelp32.h> 
#include <shlwapi.h> 
#include <MMsystem.h>
#include "detours.h"
#include <stdio.H>
#include <stdlib.H>
#include <math.H>
#include <conio.h> 
#include <memory.h>
#include <tchar.h> 
#include <atlbase.h> 
#include <atlstr.h> 
#include <winnt.h> 
#include <iostream>
#include <fstream>
#include <sys/stat.h>
#include"NT_DDK.h"

#pragma comment(lib, "user32.lib")
#pragma comment(lib, "winmm.lib")
#pragma comment(lib, "detours.lib")
#pragma comment(lib, "kernel32.lib") 
#pragma comment(lib, "shlwapi.lib") 
#pragma comment(lib, "psapi.lib")
DWORD HideMod(HMODULE mod); // defined further down in this file
HMODULE Mod;                // handle of the library loaded in DllMain and handed to HideMod
using namespace std;
//=====================================================================================
/**
 * DLL entry point of the helper module. On DLL_PROCESS_ATTACH it disables
 * thread notifications, loads the target library by name into the
 * file-scope `Mod`, runs HideMod on it and drops this module's own
 * reference. It returns FALSE for every reason, which makes the loader
 * unload this helper again after attach.
 */
BOOL WINAPI DllMain(HINSTANCE hinstModule, DWORD dwReason, LPVOID lpvReserved)
{
  switch (dwReason)
  {
  case DLL_PROCESS_ATTACH:
    DisableThreadLibraryCalls((HMODULE)hinstModule);
    // `Mod` is file-scope so the handle outlives this call.
    Mod = LoadLibraryA((LPCSTR)"YourDllName.dll");
    HideMod(Mod);
    FreeLibrary((HMODULE)hinstModule);
    break;
  default:
    break;
  }

  return FALSE;
}
//=====================================================================================
/**
 * HideMod: unlink the module `mod` from the three PEB loader lists, scrub the
 * fields of its LDR_MODULE entry, zero its PE headers and finally zero the
 * whole LDR_MODULE record. Same code as the "New Version" posted above, with
 * the indentation restored.
 *
 * Returns 0 if a signature check fails or PEB->LoaderData is NULL, 3
 * otherwise.
 *
 * NOTE(review): the image remains mapped; only enumerators that read the PEB
 * lists are affected. A VirtualQuery / VAD walk still finds an executable
 * image region with a zeroed header, which is itself a detection signal.
 */
DWORD HideMod(HMODULE mod) // Credits Jimster480, Thanks P47R1CK,Tabris,Tetsuo
{
    PTEB pTEB;
    PPEB_LDR_DATA pLDR;
    // PLIST_ENTRY pM,pL,pI,pCL,pCM,pCI;
    PLIST_ENTRY pM,pCM;   // pM: list head for the current pass, pCM: current entry
    // pMM: record for the current entry; pMH: see the HashTableEntry note
    // below; pMF: the matched record, wiped at the end.
    PLDR_MODULE /*pLM,pIM,*/pMM,pMH,pMF;
    int M=0,L=0,I=0,temp=0;   // unused

    IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
    IMAGE_NT_HEADERS *NTH = NULL;
    DWORD OP;   // previous protection returned by VirtualProtect

    // fs:[0x18] holds the TEB self pointer on 32-bit Windows (MSVC inline asm).
    __asm
    {
        xor eax, eax;
        mov eax, fs:[0x18];
        mov pTEB, eax;
    }
    pLDR = pTEB->Peb->LoaderData;

    if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return 0;

    NTH = ((PIMAGE_NT_HEADERS)(((DWORD)DOSH) + ((DWORD)DOSH->e_lfanew)));

    if(NTH->Signature != IMAGE_NT_SIGNATURE) return 0;

    if(!pLDR) return 0;
    // One pass per loader list; `m` selects the LIST_ENTRY member the list is
    // threaded through.
    for(int m=0;m<3;m++)
    {
        if(m == 0) pM = &(pLDR->InMemoryOrderModuleList);
        else if(m == 1) pM = &(pLDR->InLoadOrderModuleList);
        else if(m == 2) pM = &(pLDR->InInitializationOrderModuleList);
        for(pCM = pM->Flink; pCM != pM; pCM = pCM->Flink)
        {
            if(m == 0) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InMemoryOrderModuleList);
            else if(m == 1) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InLoadOrderModuleList);
            else if(m == 2) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InInitializationOrderModuleList);
            // NOTE(review): pCM comes from one of the order lists, not the
            // loader hash table, so the HashTableEntry offset does not yield
            // this entry's LDR_MODULE; the comparison below reads through it
            // anyway.
            pMH = CONTAINING_RECORD(pCM, LDR_MODULE, HashTableEntry);

            if((DWORD)pMM->BaseAddress == (DWORD)mod)
            {
                // Unlink the entry; pCM's own links stay intact for the loop step.
                pCM->Blink->Flink = pCM->Flink;
                pCM->Flink->Blink = pCM->Blink;
                pMF = pMM;

                // Clear the fields that identify the module in this record.
                pMM->EntryPoint = NULL;
                pMM->SizeOfImage = NULL;
                pMM->TimeDateStamp = NULL;
                memset((void*)&pMM->BaseDllName,0,sizeof(_UNICODE_STRING));
                memset((void*)&pMM->FullDllName,0,sizeof(_UNICODE_STRING));
                pMM->LoadCount = NULL;
                pMM->Flags = NULL;
                // BaseAddress is cleared only on the last pass — presumably
                // because the later passes still match on it.
                if(m == 2)
                {
                    pMM->BaseAddress = NULL;
                }
            }
            if((DWORD)pMH->BaseAddress == (DWORD)mod)
            {
                pCM->Blink->Flink = pCM->Flink;
                pCM->Flink->Blink = pCM->Blink;
            }
        }
    }

    // Return values of both VirtualProtect calls are not checked.
    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, PAGE_EXECUTE_READWRITE, &OP);

    // Zero the DOS/NT headers of the mapped image.
    memset((LPVOID)DOSH, 0,NTH->OptionalHeader.SizeOfHeaders);

    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, OP, &OP );

    // pMF is assigned only inside the match branch; it is uninitialized when
    // no list entry matched `mod`.
    memset((void*)pMF,0,sizeof(LDR_MODULE));
    return 3;
}
//---------------------------------------------------------------------------------------------------------------------------------
 


I added a few things to HideMod 8)

According to what I read, after the module-hide function has run there is still a pointer/buffer inside ntdll.dll that holds the DLL's base address.
The added code scans ntdll.dll for a pointer/buffer containing the base address of the DLL that HideMod was applied to and zeroes it.


C++:
#define _WIN32_WINNT 0x0400
#pragma once
#include <windows.h>
#include <psapi.h> 
#include "NT_DDK.h"
#pragma comment(lib, "psapi.lib")

/*-------------------------------------------------------*/

/**
 * HideMod (extended revision): the PEB-unlink / header-zeroing logic of the
 * earlier revisions, followed by a linear scan of ntdll.dll's mapped range
 * for the first DWORD equal to `mod`, which is then zeroed in place.
 *
 * Returns 0 if a signature check fails, PEB->LoaderData is NULL, or the scan
 * finds no matching DWORD; 3 otherwise.
 *
 * NOTE(review): the scan has no idea what the matching DWORD belongs to — it
 * overwrites whatever location in ntdll's range first holds the value, so it
 * may clobber unrelated loader state. The image also remains mapped, so a
 * VirtualQuery / VAD walk still reveals an executable image region with a
 * zeroed header.
 */
DWORD HideMod(HMODULE mod) // Credits Jimster480, Thanks P47R1CK,Tabris,Tetsuo
{
    PTEB pTEB;
    PPEB_LDR_DATA pLDR;
    //    PLIST_ENTRY pM,pL,pI,pCL,pCM,pCI;
    PLIST_ENTRY pM,pCM;   // pM: list head for the current pass, pCM: current entry
    // pMM: record for the current entry; pMH: see the HashTableEntry note
    // below; pMF: the matched record, wiped after the header is zeroed.
    PLDR_MODULE /*pLM,pIM,*/pMM,pMH,pMF;
    int M=0,L=0,I=0,temp=0;   // unused

    IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
    IMAGE_NT_HEADERS *NTH = NULL;
    DWORD OP;   // previous protection returned by VirtualProtect

    // Scan state for the ntdll pass. LoadLibraryA bumps ntdll's reference
    // count and nothing in this function releases it.
    HMODULE Base = LoadLibraryA("ntdll.dll");
    MEMORY_BASIC_INFORMATION meminfo;
    MODULEINFO modinfo;
    HANDLE hProc = GetCurrentProcess();
    unsigned int bytes;          // bytes read by ReadProcessMemory
    DWORD Addr = (DWORD)Base;    // start of the region currently being scanned
    DWORD Buff = NULL;           // DWORD read at Addr+i
    bool Found = false;
    DWORD OldPrt = NULL;
    int i = 0;                   // offset of the match inside the region

    // fs:[0x18] holds the TEB self pointer on 32-bit Windows (MSVC inline asm).
    __asm
    {
        xor eax, eax;
        mov eax, fs:[0x18];
        mov pTEB, eax;
    }
    pLDR = pTEB->Peb->LoaderData;

    if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return 0;

    NTH = ((PIMAGE_NT_HEADERS)(((DWORD)DOSH) + ((DWORD)DOSH->e_lfanew)));

    if(NTH->Signature != IMAGE_NT_SIGNATURE) return 0;

    if(!pLDR) return 0;
    // One pass per loader list; `m` selects the LIST_ENTRY member the list is
    // threaded through.
    for(int m=0;m<3;m++)
    {
        if(m == 0) pM = &(pLDR->InMemoryOrderModuleList);
        else if(m == 1) pM = &(pLDR->InLoadOrderModuleList);
        else if(m == 2) pM = &(pLDR->InInitializationOrderModuleList);
        for(pCM = pM->Flink; pCM != pM; pCM = pCM->Flink)
        {
            if(m == 0)    pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InMemoryOrderModuleList);
            else if(m == 1) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InLoadOrderModuleList);
            else if(m == 2) pMM = CONTAINING_RECORD(pCM, LDR_MODULE, InInitializationOrderModuleList);
            // NOTE(review): pCM comes from one of the order lists, not the
            // loader hash table, so the HashTableEntry offset does not yield
            // this entry's LDR_MODULE; the comparison below reads through it
            // anyway.
            pMH = CONTAINING_RECORD(pCM, LDR_MODULE, HashTableEntry);

            if((DWORD)pMM->BaseAddress == (DWORD)mod)
            {
                // Unlink the entry; pCM's own links stay intact for the loop step.
                pCM->Blink->Flink = pCM->Flink;
                pCM->Flink->Blink = pCM->Blink;
                pMF = pMM;

                // Clear the fields that identify the module in this record.
                pMM->EntryPoint = NULL;
                pMM->SizeOfImage = NULL;
                pMM->TimeDateStamp = NULL;
                memset((void*)&pMM->BaseDllName,0,sizeof(_UNICODE_STRING));
                memset((void*)&pMM->FullDllName,0,sizeof(_UNICODE_STRING));
                pMM->LoadCount = NULL;
                pMM->Flags = NULL;
                // BaseAddress is cleared only on the last pass — presumably
                // because the later passes still match on it.
                if(m == 2)
                {
                    pMM->BaseAddress = NULL;
                }
            }
            if((DWORD)pMH->BaseAddress == (DWORD)mod)
            {
                pCM->Blink->Flink = pCM->Flink;
                pCM->Flink->Blink = pCM->Blink;
            }
        }
    }

    // Zero the DOS/NT headers of the mapped image; VirtualProtect results are
    // not checked.
    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, PAGE_EXECUTE_READWRITE, &OP);
    memset((LPVOID)DOSH, 0,NTH->OptionalHeader.SizeOfHeaders);
    VirtualProtect((LPVOID)DOSH,NTH->OptionalHeader.SizeOfHeaders, OP, &OP );
    // pMF is assigned only inside the match branch; it is uninitialized when
    // no list entry matched `mod`.
    memset((void*)pMF,0,sizeof(LDR_MODULE));

    // Return value not checked; modinfo.SizeOfImage bounds the scan below.
    GetModuleInformation(hProc, Base, &modinfo, sizeof(MODULEINFO));

    // Walk ntdll's address range region by region (VirtualQuery), reading a
    // DWORD at every byte offset of each region and stopping at the first one
    // equal to `mod`. The inner loop runs to RegionSize-1, so the last reads
    // of a region extend past its end; a short read ends that region early.
    while(Addr <= (DWORD)Base + modinfo.SizeOfImage)
    {
        if(VirtualQuery((PVOID)Addr,&meminfo,sizeof(meminfo)) == 0) break;
        for(i = 0;i < (int)meminfo.RegionSize;i++)
        {
            ReadProcessMemory(hProc,(PVOID)(Addr+i),&Buff,sizeof(DWORD),(DWORD*)&bytes);
            if (bytes != sizeof(DWORD)) break;
            if(Buff == (DWORD)mod) {Found = true; break;}
        }
        if(Found) break;
        Addr+=(int)meminfo.RegionSize;
    }

    if(!Found) return 0;

    // Always true here — the function returned above when Found was false.
    if(Found)
    {
        // 0x40 is PAGE_EXECUTE_READWRITE; only the single matching DWORD at
        // Addr+i is zeroed.
        VirtualProtect((PVOID)(Addr+i),sizeof(DWORD),0x40,&OldPrt);
        memset((PVOID)(Addr+i),0,sizeof(DWORD));
        VirtualProtect((PVOID)(Addr+i),sizeof(DWORD),OldPrt,&OldPrt);
    }
    return 3;
}

/*-------------------------------------------------------*/

/**
 * DLL entry point. On DLL_PROCESS_ATTACH it disables thread attach/detach
 * notifications and applies HideMod to this module's own handle; on
 * DLL_PROCESS_DETACH (and every other reason) nothing happens.
 * Always returns TRUE.
 */
BOOL APIENTRY DllMain( HMODULE hModule, DWORD reason, LPVOID lpReserved)
{
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        HideMod( hModule );
        break;
    case DLL_PROCESS_DETACH:
        // nothing to undo on unload
        break;
    default:
        break;
    }
    return TRUE;
}

/*-------------------------------------------------------*/
 