进程模块枚举与隐藏
这附图是我见过关于利用PEB查看模块信息最准确的一幅。
获取TEB
lkd> !teb
TEB at 7ffdd000
    ExceptionList:        00c2976c
    StackBase:            00c30000
    StackLimit:           00c23000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdd000
    EnvironmentPointer:   00000000
    ClientId:             00000238 . 000003b8
    RpcHandle:            00000000
    Tls Storage:          00000000
    PEB Address:          7ffdf000   ***
    LastErrorValue:       0
    LastStatusValue:      c0000139
    Count Owned Locks:    0
    HardErrorMode:        0
查看PEB
lkd> dt _peb 7ffdf000
nt!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x01000000 Void
   +0x00c Ldr              : 0x00191e90 _PEB_LDR_DATA   ***
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null)
   +0x018 ProcessHeap      : 0x00090000 Void
   +0x01c FastPebLock      : 0x7c99d600 _RTL_CRITICAL_SECTION
   +0x020 FastPebLockRoutine : 0x7c921000 Void
   +0x024 FastPebUnlockRoutine : 0x7c9210e0 Void
   +0x028 EnvironmentUpdateCount : 1
   +0x02c KernelCallbackTable : 0x77d12970 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 FreeList         : (null)
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x7c99d5c0 Void
   +0x044 TlsBitmapBits    : [2] 0x3ffffff
查看ldr(类似头结点)
lkd> dt _peb_ldr_data 191e90 -r1
nt!_PEB_LDR_DATA
   +0x000 Length           : 0x28
   +0x004 Initialized      : 0x1 ''
   +0x008 SsHandle         : (null)
   +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x191ec0 - 0x194120 ]
      +0x000 Flink            : 0x00191ec0 _LIST_ENTRY [ 0x191f18 - 0x191e9c ]
      +0x004 Blink            : 0x00194120 _LIST_ENTRY [ 0x191e9c - 0x194030 ]
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x191ec8 - 0x194128 ]
      +0x000 Flink            : 0x00191ec8 _LIST_ENTRY [ 0x191f20 - 0x191ea4 ]   ***
      +0x004 Blink            : 0x00194128 _LIST_ENTRY [ 0x191ea4 - 0x194038 ]
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x191f28 - 0x194130 ]
      +0x000 Flink            : 0x00191f28 _LIST_ENTRY [ 0x191fd0 - 0x191eac ]
      +0x004 Blink            : 0x00194130 _LIST_ENTRY [ 0x191eac - 0x194040 ]
   +0x024 EntryInProgress  : (null)
查看模块结点（注意：上面 InMemoryOrderModuleList.Flink = 0x191ec8 指向的是第一个条目内嵌的 InMemoryOrderLinks（条目内偏移 +0x008），条目本身起始于 0x191ec0。下面直接拿 0x191ec8 做 dt，所有字段都整体偏移了 8 字节：例如 +0x010 处出现的 0x01000000 其实是 +0x018 的 DllBase，+0x024 处显示的 "windbg.exe" 其实是 +0x02c 的 BaseDllName。正确命令应为 dt _ldr_data_table_entry 191ec0 -r1；代码里也要像 CONTAINING_RECORD 那样先减去链表成员在结构体中的偏移。）
lkd> dt _ldr_data_table_entry 191ec8 -r1
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x191f20 - 0x191ea4 ]
      +0x000 Flink            : 0x00191f20 _LIST_ENTRY [ 0x191fc8 - 0x191ec8 ]
      +0x004 Blink            : 0x00191ea4 _LIST_ENTRY [ 0x191ec8 - 0x194248 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
      +0x000 Flink            : (null)
      +0x004 Blink            : (null)
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x1000000 - 0x1058c77 ]
      +0x000 Flink            : 0x01000000 _LIST_ENTRY [ 0x905a4d - 0x3 ]
      +0x004 Blink            : 0x01058c77 _LIST_ENTRY [ 0x896e8 - 0xfdc3e900 ]
   +0x018 DllBase          : 0x00097000 Void
   +0x01c EntryPoint       : 0x007c007a Void
   +0x020 SizeOfImage      : 0x2060c
   +0x024 FullDllName      : _UNICODE_STRING "windbg.exe"
      +0x000 Length           : 0x14
      +0x002 MaximumLength    : 0x16
      +0x004 Buffer           : 0x00020672  "windbg.exe"
   +0x02c BaseDllName      : _UNICODE_STRING "--- memory read error at address 0x0000ffff ---"
      +0x000 Length           : 0x5000
      +0x002 MaximumLength    : 0
      +0x004 Buffer           : 0x0000ffff  "--- memory read error at address 0x0000ffff ---"
   +0x034 Flags            : 0x192fcc
   +0x038 LoadCount        : 0xb310
   +0x03a TlsIndex         : 0x7c99
   +0x03c HashLinks        : _LIST_ENTRY [ 0x4b6734c3 - 0x0 ]
      +0x000 Flink            : 0x4b6734c3 _LIST_ENTRY
      +0x004 Blink            : (null)
   +0x03c SectionPointer   : 0x4b6734c3 Void
   +0x040 CheckSum         : 0
   +0x044 TimeDateStamp    : 0
   +0x044 LoadedImports    : (null)
   +0x048 EntryPointActivationContext : 0x000b000b Void
   +0x04c PatchInformation : 0x00080158 Void
demo（说明：下面的代码只适用于 32 位 x86 进程，所有偏移量都取自上面的结构体转储，getPEB 用的是 MSVC 内联汇编读 fs:[0x30]。把模块从 PEB 的三条链表中摘除，只能骗过通过这几条链表枚举模块的代码：模块映像仍然映射在进程地址空间里，用 VirtualQuery/NtQueryVirtualMemory 遍历内存依然能找到它，而且条目的 HashLinks 并未处理。）
#include <stdio.h>#include <windows.h>DWORD* __cdecl getPEB (){ __asm{ mov eax,fs:[0x30] }}void EnumModule(){DWORD *PEB = NULL, *ldr = NULL, *Flink =NULL, *p = NULL, *BaseAddr= NULL, *FULLDllName= NULL; PEB = getPEB(); ldr =(DWORD*) (*(DWORD *) (PEB+0x3)); Flink=*(DWORD**)((unsigned char *)ldr+0x14); p = Flink; //header p=*((DWORD **)p); while (p !=Flink) //end when p-> first { BaseAddr = *( (DWORD **) ( (unsigned char *) p+0x18-0x8)); FULLDllName= *((DWORD **)( (unsigned char *) p+0x28-0x8)); if (BaseAddr == NULL) { break; } printf("ImageBase=%08x \t\t ModuleName= %S \r\n",BaseAddr,FULLDllName); p=*((DWORD **)p); }}BOOL deleteNode(DWORD * node){ **( (DWORD **)(node + 1) ) = (DWORD*)(*node); //*(*(*node)+1)=node+1; *(*(DWORD **)node +1) =*(*(DWORD **)node +1); return TRUE;}void HideModule(const char * ModuleName){ DWORD* ldr,flink,p,peb,baseaddr; HMODULE hMod=GetModuleHandle(ModuleName); peb = getPEB(); ldr= *(DWORD **)((unsigned char *)peb+0xc); flink = *(DWORD**)((unsigned char*)ldr+0xc); p = flink; do { baseaddr = (DWORD *) (*(DWORD*)((unsigned char *)p + 0x18 )); if (baseaddr ==(DWORD *) hMod) { deleteNode(p); break; } // p=(DWORD*) (*p); p =*((DWORD **)p); } while (p !=flink); //flink =(DWORD *)((unsigned char *)*ldr +0x14); flink = *(DWORD**)((unsigned char *)ldr +0x14); p = flink; do { // baseaddr =(DWORD *)(*((DWORD*)((unsigned char *)p+0x20))); baseaddr =*(DWORD **)((unsigned char *)p +0x10); if (baseaddr == (DWORD*) hMod) { deleteNode(p); break; } p =*(DWORD **)p; } while (p !=flink); //flink = (DWORD*) ((unsigned char *) *ldr +0x1c); flink = *(DWORD**)((unsigned char *)ldr +0x1c); p = flink; do { baseaddr=(DWORD *) *(DWORD*)((unsigned char *)p+0x8); if (baseaddr == (DWORD*) hMod) { deleteNode(p); break; } p=*(DWORD **)p; } while ( p !=flink);}int main(){ EnumModule(); HideModule("kernel32.dll"); EnumModule(); return 0;}