// Number of bytes ObliterateModuele wipes at a module's image base. The value
// is hard-coded instead of being read from GetSystemInfo(), so it is only the
// true page size on 4 KiB-page systems.
#define PAGE_SIZE 0x1000
// Signature of ntdll!NtQueryInformationProcess, which GetCurrentProcessPeb
// resolves at run time with GetProcAddress. ProcessInformationClass is taken
// as a DWORD here rather than the PROCESSINFOCLASS enum declared below; the
// enum value passed in converts implicitly.
// NOTE(review): lines up to the PROCESS_BASIC_INFORMATION typedef look like
// the contents of Header.h, which the .cpp part of this page includes -- confirm.
typedef NTSTATUS
(NTAPI *pfnNtQueryInformationProcess)(
HANDLE ProcessHandle,
DWORD ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
// Information classes accepted by NtQueryInformationProcess. Enumerators are
// numbered from 0 in declaration order, so ProcessBasicInformation == 0; that
// is the only class this file uses (see GetCurrentProcessPeb).
// NOTE(review): winternl.h declares an enum with this same tag and typedef
// name; if that header is also included in the translation unit the two
// definitions collide.
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers, // Note: this is kernel mode only
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
ProcessImageFileName,
ProcessLUIDDeviceMapsEnabled,
ProcessBreakOnTermination,
ProcessDebugObjectHandle,
ProcessDebugFlags,
ProcessHandleTracing,
ProcessIoPriority,
ProcessExecuteFlags,
ProcessResourceManagement,
ProcessCookie,
ProcessImageInformation,
MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum; it is a count, not a valid class
} PROCESSINFOCLASS;
// Counted wide string as used by the native API. Length and MaximumLength are
// byte counts, not character counts (this file fills them from
// wcslen() * sizeof(wchar_t)), and both are USHORT: any int assigned to them
// is truncated to 16 bits. Buffer need not be NUL-terminated.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWCH Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
// Current-directory record embedded in RTL_USER_PROCESS_PARAMETERS. Declared
// only so that the field offsets after it line up; nothing in this file
// reads or writes it.
typedef struct _CURDIR {
UNICODE_STRING DosPath;
HANDLE Handle;
} CURDIR, *PCURDIR;
// Process parameter block reached through PEB->ProcessParameters.
// ObliterateProcessImagePath rewrites ImagePathName, WindowTitle and
// CommandLine so that all three point at one heap buffer; every other field
// is untouched. The definition stops at RuntimeData (CurrentDirectores and
// anything after it are omitted), so sizeof() of this struct is not the size
// of a real parameter block and must not be used to allocate or copy one.
// Defender's note: these fields live in user-mode memory the process itself
// can change, so tools that read the image path or command line from the PEB
// display whatever is stored here; process-creation telemetry captured at
// start time and kernel-side records are the more trustworthy source.
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory; // ProcessParameters
UNICODE_STRING DllPath; // ProcessParameters
UNICODE_STRING ImagePathName; // ProcessParameters (rewritten by ObliterateProcessImagePath)
UNICODE_STRING CommandLine; // ProcessParameters (rewritten by ObliterateProcessImagePath)
PVOID Environment; // NtAllocateVirtualMemory
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle; // ProcessParameters (rewritten by ObliterateProcessImagePath)
UNICODE_STRING DesktopInfo; // ProcessParameters
UNICODE_STRING ShellInfo; // ProcessParameters
UNICODE_STRING RuntimeData; // ProcessParameters
// Trailing fields of the real structure are intentionally not declared:
//RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// Loader bookkeeping entry for one loaded module (the older name for what
// winternl.h exposes as LDR_DATA_TABLE_ENTRY -- confirm against the target
// SDK). The first three members are the links into the three PEB_LDR_DATA
// lists; InLoadOrderModuleList must stay the first member, because the list
// walkers in this file cast a LIST_ENTRY pointer straight to PLDR_MODULE.
// ObliterateModuele unlinks those three entries and clears BaseAddress,
// EntryPoint and SizeOfImage; ObliterateProcessImagePath redirects
// FullDllName and BaseDllName. HashTableEntry is a fourth LIST_ENTRY that
// this file leaves intact. Only the leading fields are declared; nothing
// past TimeDateStamp is used here.
// Defender's note: memory-forensics tooling cross-references the loader
// lists with each other and with the process's mapped memory, so an entry
// missing from some lists but not others is itself an anomaly.
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
// Loader data reached through PEB->LoaderData. Each LIST_ENTRY here is the
// head of a circular list whose Flink points at the same-named member of the
// first LDR_MODULE; a walk ends when the cursor returns to the head. This
// file only walks InLoadOrderModuleList; the other two heads are reached
// indirectly when ObliterateModuele unlinks an entry from them.
typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
BYTE reserved[3];
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// Leading fields of the Process Environment Block, deliberately cut off after
// ProcessParameters. This file reads only LoaderData (the PEB_LDR_DATA list
// heads) and ProcessParameters; sizeof(PEB) here is not the size of the real
// structure, so never allocate or copy a PEB with it.
typedef struct _PEB
{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR SpareBool;
PVOID Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA LoaderData;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
}PEB, *PPEB;
typedef LONG_PTR KPRIORITY;
// Output buffer for NtQueryInformationProcess(ProcessBasicInformation).
// GetCurrentProcessPeb consumes only PebBaseAddress. ExitStatus is declared
// as a pointer-sized PVOID rather than NTSTATUS; the documented layout pads
// the status to pointer alignment, so the offset of PebBaseAddress should
// be the same either way -- verify if the struct is ever extended.
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
#include
#include
#include
#include "Header.h"
// True for NTSTATUS values with the sign bit clear (success and informational
// codes, 0x00000000-0x7FFFFFFF); warning and error codes are negative.
// Same definition as the SDK macro, repeated here because the native headers
// that provide it are not included.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
// Unlinks Entry from the doubly linked LIST_ENTRY ring it belongs to.
// Same contract as the kernel-mode helper of the same name: the two
// neighbours are stitched together and the result says whether the ring is
// now empty, i.e. the surviving predecessor and successor are the same node.
// Entry's own Flink/Blink are left pointing at their former neighbours.
// An Entry with a NULL link on either side is left untouched; TRUE is
// returned in that case because neither neighbour was ever recorded.
BOOLEAN RemoveEntryList(PLIST_ENTRY Entry)
{
    PLIST_ENTRY prev = NULL;
    PLIST_ENTRY next = NULL;

    if (Entry->Flink == NULL || Entry->Blink == NULL)
    {
        return TRUE;
    }

    next = Entry->Flink;
    prev = Entry->Blink;
    prev->Flink = next;
    next->Blink = prev;

    return (BOOLEAN)(next == prev);
}
// Returns the address of the current process's PEB, or NULL on failure.
// The address is fetched once through ntdll!NtQueryInformationProcess
// (ProcessBasicInformation) and cached in a function-local static, as is the
// resolved function pointer; subsequent calls return the cached value without
// touching ntdll again. Failure cases (ntdll not found, export not found,
// query failed) all yield NULL and leave the cache empty so a later call
// retries. No synchronisation: concurrent first calls may each run the query,
// but they store the same value.
PPEB GetCurrentProcessPeb(void)
{
    static PPEB cachedPeb = NULL;
    static pfnNtQueryInformationProcess pfnQuery = NULL;

    if (cachedPeb != NULL)
    {
        return cachedPeb;
    }

    HMODULE hNtdll = GetModuleHandle(_T("ntdll.dll"));
    if (hNtdll == NULL)
    {
        return NULL;
    }

    // Resolve the export only once; a failed lookup is retried next call.
    if (pfnQuery == NULL)
    {
        pfnQuery = (pfnNtQueryInformationProcess)::GetProcAddress(hNtdll, "NtQueryInformationProcess");
        if (pfnQuery == NULL)
        {
            return NULL;
        }
    }

    PROCESS_BASIC_INFORMATION basicInfo = {0};
    DWORD returnedLength = 0;
    NTSTATUS status = pfnQuery(GetCurrentProcess(), ProcessBasicInformation, &basicInfo, sizeof(basicInfo), &returnedLength);
    if (!NT_SUCCESS(status))
    {
        return NULL;
    }

    cachedPeb = basicInfo.PebBaseAddress;
    return cachedPeb;
}
// Detaches the loader entry for hModule from the PEB's module lists and
// scrubs the entry's identifying fields.
//
// hModule: image base of a loaded module as returned by GetModuleHandle
//          (declared HANDLE; compared against LDR_MODULE.BaseAddress).
// Returns: always TRUE. Neither a missing PEB nor a base address that
//          matches no entry is reported to the caller.
//
// For the first entry whose BaseAddress equals hModule, in this order:
//   1. unlink it from the InLoadOrder, InMemoryOrder and
//      InInitializationOrder lists (RemoveEntryList; results ignored).
//      The entry's HashTableEntry link is left intact.
//   2. make the first PAGE_SIZE bytes at the image base writable, zero them
//      (for a mapped image this is where the DOS/PE headers sit) and put
//      the old protection back.
//   3. clear EntryPoint, SizeOfImage and BaseAddress in the entry.
//
// Review notes:
//  - nothing here acquires the loader lock, so another thread loading or
//    unloading a module while the lists are edited may observe a torn list.
//  - NOTE(review): wiping the header page of a module that is still in use
//    removes data other code may need later (on x64, exception dispatch
//    locates unwind information through the image headers) -- expect faults
//    if that path is hit; confirm before relying on this for system DLLs.
//  - the LDR_MODULE allocation and the mapped image are left in place; only
//    the list links, these three fields and the header page change, so the
//    module remains visible to anything that enumerates mapped memory
//    rather than walking these lists.
BOOL ObliterateModuele(HANDLE hModule)
{
DWORD flNewProtect = PAGE_EXECUTE_READWRITE;
DWORD flOldProtect = 0;
PPEB pPeb = NULL;
// Work on pPeb->LoaderData, the PEB_LDR_DATA list heads.
do
{
// Resolve the current process's PEB.
pPeb = GetCurrentProcessPeb();
if (pPeb == NULL)break;
PPEB_LDR_DATA pLdrData = pPeb->LoaderData;
// ListHead is cast to PLDR_MODULE purely so it can be compared with the
// walker; it is never dereferenced as a module entry. Casting a Flink to
// PLDR_MODULE is valid only because InLoadOrderModuleList is the first
// member of LDR_MODULE.
PLDR_MODULE ListHead = (PLDR_MODULE)(&(pLdrData->InLoadOrderModuleList));
PLDR_MODULE pFirstLdrModule = (PLDR_MODULE)pLdrData->InLoadOrderModuleList.Flink;
PLDR_MODULE pLdrModule = pFirstLdrModule;
while (pLdrModule != ListHead)
{
// Is this the module whose entry should be removed?
if (pLdrModule->BaseAddress == hModule)
{
RemoveEntryList(&pLdrModule->InLoadOrderModuleList);
//pLdrModule->InLoadOrderModuleList.Flink->Blink = pLdrModule->InLoadOrderModuleList.Blink;
//pLdrModule->InLoadOrderModuleList.Blink->Flink = pLdrModule->InLoadOrderModuleList.Flink;
RemoveEntryList(&pLdrModule->InMemoryOrderModuleList);
//pLdrModule->InMemoryOrderModuleList.Flink->Blink = pLdrModule->InMemoryOrderModuleList.Blink;
//pLdrModule->InMemoryOrderModuleList.Blink->Flink = pLdrModule->InMemoryOrderModuleList.Flink;
RemoveEntryList(&pLdrModule->InInitializationOrderModuleList);
//pLdrModule->InInitializationOrderModuleList.Flink->Blink = pLdrModule->InInitializationOrderModuleList.Blink;
//pLdrModule->InInitializationOrderModuleList.Blink->Flink = pLdrModule->InInitializationOrderModuleList.Flink;
// The header page is zeroed only if the protection change succeeded.
// The restore call passes flOldProtect as both the requested and the
// returned protection, and its result is not checked.
if (VirtualProtect(pLdrModule->BaseAddress, PAGE_SIZE, flNewProtect, &flOldProtect))
{
ZeroMemory(pLdrModule->BaseAddress, PAGE_SIZE);
VirtualProtect(pLdrModule->BaseAddress, PAGE_SIZE, flOldProtect, &flOldProtect);
}
// BaseAddress is cleared last: the match above and the VirtualProtect
// calls depend on it.
pLdrModule->EntryPoint = 0;
pLdrModule->SizeOfImage = 0;
pLdrModule->BaseAddress = 0;
break;
}
// Advance to the next entry in load order.
pLdrModule = (PLDR_MODULE)pLdrModule->InLoadOrderModuleList.Flink;
}
} while (FALSE);
return TRUE;
}
// Replaces the strings through which this process describes itself -- the
// PEB ProcessParameters ImagePathName, WindowTitle and CommandLine, plus the
// main module's BaseDllName and FullDllName -- with a copy of
// wszFileImagePath.
//
// wszFileImagePath: NUL-terminated wide string to present as the image path.
// Returns: FALSE if the pointer fails IsBadReadPtr; TRUE in every other
//          case, including when the PEB cannot be obtained (nothing is
//          changed then) or the main module's entry is not found.
//
// Review notes:
//  - IsBadReadPtr is documented by Microsoft as unreliable and should not be
//    used as a validity check; a plain NULL test would say as much.
//  - Length is a byte count (wcslen * sizeof(wchar_t)), but the array is
//    sized in wchar_t elements (Length / sizeof(wchar_t) + sizeof(DWORD),
//    i.e. Length + 8 bytes) while ZeroMemory clears Length + 4 bytes. Both
//    cover the Length bytes CopyMemory writes and the terminator comes from
//    the zeroing, so no overrun, but the mixed units make that hard to see.
//  - plain `new` throws std::bad_alloc on failure; the NULL test after it
//    is dead code.
//  - Length (int, bytes) is stored into USHORT Length/MaximumLength fields,
//    so a string of 32768 or more characters is silently truncated there.
//  - pPeb->ProcessParameters is dereferenced without a NULL check.
//  - one heap buffer is shared by all five UNICODE_STRINGs and is never
//    freed; the PEB keeps pointing at it for the life of the process, so
//    writing through any one of them changes all five.
//  - only pointers and lengths inside this process's PEB change; the
//    previous string buffers are left where they were, unmodified.
BOOL ObliterateProcessImagePath(wchar_t* wszFileImagePath)
{
PPEB pPeb = NULL;
int Length;
if (IsBadReadPtr(wszFileImagePath, 1) != 0)return FALSE;
// Byte length of the input, excluding the terminator.
Length = wcslen(wszFileImagePath)*sizeof(wchar_t);
// Element count here is characters plus sizeof(DWORD) extra wchar_t slots.
wchar_t* pNewFileImagePath = new wchar_t[Length / sizeof(wchar_t) + sizeof(DWORD)];
if (pNewFileImagePath == NULL)return FALSE;
ZeroMemory(pNewFileImagePath, Length + sizeof(DWORD));
CopyMemory(pNewFileImagePath, wszFileImagePath, Length);
// Redirect the process-parameter strings: Peb->ProcessParameters.
do
{
// Resolve the current process's PEB.
pPeb=GetCurrentProcessPeb();
if (pPeb == NULL)break;
// Image path.
if (pPeb->ProcessParameters->ImagePathName.Buffer)
{
pPeb->ProcessParameters->ImagePathName.Buffer = pNewFileImagePath;
pPeb->ProcessParameters->ImagePathName.Length = pPeb->ProcessParameters->ImagePathName.MaximumLength = Length;
}
// Window title.
if (pPeb->ProcessParameters->WindowTitle.Buffer)
{
pPeb->ProcessParameters->WindowTitle.Buffer=pNewFileImagePath;
pPeb->ProcessParameters->WindowTitle.Length = pPeb->ProcessParameters->WindowTitle.MaximumLength = Length;
}
// Command line.
if (pPeb->ProcessParameters->CommandLine.Buffer)
{
pPeb->ProcessParameters->CommandLine.Buffer= pNewFileImagePath;
pPeb->ProcessParameters->CommandLine.Length = pPeb->ProcessParameters->CommandLine.MaximumLength = Length;
}
} while (FALSE);
// Redirect the main module's names: pPeb->LoaderData.
do
{
// pPeb is NULL here only if the first loop already bailed out.
if (pPeb == NULL)break;
PPEB_LDR_DATA pLdrData = pPeb->LoaderData;
// Same list-walking scheme as ObliterateModuele: the head is cast only
// for comparison, and the Flink cast relies on InLoadOrderModuleList
// being the first member of LDR_MODULE.
PLDR_MODULE ListHead = (PLDR_MODULE)(&(pLdrData->InLoadOrderModuleList));
PLDR_MODULE pFirstLdrModule = (PLDR_MODULE)pLdrData->InLoadOrderModuleList.Flink;
PLDR_MODULE pLdrModule = pFirstLdrModule;
// GetModuleHandle(NULL) is the base of the process's own executable.
HANDLE hModule = GetModuleHandle(NULL);
while (pLdrModule != ListHead)
{
// Is this the main module's entry?
if (pLdrModule->BaseAddress == hModule)
{
if (pLdrModule->BaseDllName.Buffer)
{
pLdrModule->BaseDllName.Buffer=pNewFileImagePath;
pLdrModule->BaseDllName.Length = pLdrModule->BaseDllName.MaximumLength = Length;
}
if (pLdrModule->FullDllName.Buffer)
{
pLdrModule->FullDllName.Buffer= pNewFileImagePath;
pLdrModule->FullDllName.Length = pLdrModule->FullDllName.MaximumLength = Length;
}
break;
}
// Advance to the next entry in load order.
pLdrModule = (PLDR_MODULE)pLdrModule->InLoadOrderModuleList.Flink;
}
} while (FALSE);
return TRUE;
}
// Demo driver: rewrites the process's self-description, detaches the loader
// entries for the main image, ntdll.dll and kernel32.dll (wiping each one's
// header page, see ObliterateModuele), then blocks on two getchar() calls so
// the process can be inspected before it exits.
// NOTE(review): the literal below does not escape its backslashes. "\W" is
// not a valid escape sequence and "\e" is non-standard, so compilers warn
// and the string actually stored is not the intended path; the spelling
// that yields it is "C:\\Windows\\explorer.exe".
// The Obliterate* results are ignored; both functions return TRUE
// unconditionally apart from the IsBadReadPtr check.
int main(void)
{
ObliterateProcessImagePath(L"C:\Windows\explorer.exe");
HANDLE hModule = GetModuleHandle(NULL);
ObliterateModuele(hModule);
hModule = GetModuleHandle(TEXT("ntdll.dll"));
ObliterateModuele(hModule);
hModule = GetModuleHandle(TEXT("kernel32.dll"));
ObliterateModuele(hModule);
// Keep the process alive until input arrives.
getchar();
getchar();
return 0;
}