; Hiding a DLL from the process module lists: it will not be listed when you use listdlls
; Hides the DLL by modifying the PEB_LDR_DATA module lists
; c0mrade <[email protected]>
; http://nonenone.net
; Syntax: MASM (Intel operand order), 32-bit flat model, stdcall.
; Win32 x86 only: FS:[30h] and the PEB/LDR offsets used below are 32-bit.
.586
.model flat, stdcall
option casemap:none
; hide(lPoint): unlink one LIST_ENTRY node from its doubly linked list
hide PROTO :DWORD
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
dll db "kernel32.dll",0             ; module whose loader list entries are unlinked
.data?
handle dd ?                         ; HMODULE of dll from GetModuleHandle (its DllBase)
ldr_data dd ?                       ; PEB->Ldr (pointer to PEB_LDR_DATA)
.code
start:
; Entry point. Walks the three PEB_LDR_DATA module lists and calls hide on
; the node whose DllBase equals handle. All structure offsets are hard-coded
; for the 32-bit Windows XP-era layout shown in the listdlls output at the
; bottom of this file; they are not guaranteed on other Windows versions.
; Register roles: esi = cursor into the current list, eax = current
; LIST_ENTRY node, ecx = that node's DllBase.
; Each loop has no exit other than a match: the lists are circular and the
; list head is never checked, so an unmatched handle would spin forever.
ASSUME FS:NOTHING
invoke GetModuleHandle, ADDR dll
mov handle, eax                     ; handle = DllBase of kernel32.dll
mov eax, FS:[30h]                   ; eax = PEB (FS:[30h] is TEB->PEB on 32-bit Windows)
mov eax,[eax+0ch]                   ; eax = PEB->Ldr (PEB_LDR_DATA*)
mov ldr_data, eax
; First, walk InLoadOrderModuleList (PEB_LDR_DATA+0Ch). Its LIST_ENTRY is
; the first field of the module entry, so DllBase is at node+24 (18h).
mov esi, dword ptr[eax+0ch]         ; esi = head.Flink (first node)
; Loop until the node's DllBase matches handle.
; lodsd reads eax = [esi] = node->Flink and advances esi; "mov esi, eax" then
; moves the cursor to that next node, so the very first node is never compared.
@loop_first:
lodsd
mov esi, eax
mov ecx, [eax+24]                   ; ecx = node->DllBase
cmp ecx, handle
jne @F
invoke hide, eax                    ; unlink this node from the load-order list
jmp @1
@@:
jmp @loop_first
@1:
; Second, walk InMemoryOrderModuleList (PEB_LDR_DATA+14h). Its LIST_ENTRY is
; 8 bytes into the module entry, so DllBase is at node+16 (10h).
mov esi, ldr_data
mov esi, dword ptr[esi+14h]         ; esi = head.Flink
@loop_second:
lodsd
mov esi, eax
mov ecx, [eax+16]                   ; ecx = node->DllBase
cmp ecx, handle
jne @F
invoke hide, eax                    ; unlink this node from the memory-order list
jmp @2
@@:
jmp @loop_second
@2:
; Third, walk InInitializationOrderModuleList (PEB_LDR_DATA+1Ch). Its
; LIST_ENTRY is 16 bytes into the module entry, so DllBase is at node+8.
mov esi, ldr_data
mov esi, dword ptr[esi+1ch]         ; esi = head.Flink
@loop_third:
lodsd
mov esi, eax
mov ecx, [eax+8]                    ; ecx = node->DllBase
cmp ecx, handle
jne @F
invoke hide, eax                    ; unlink this node from the init-order list
jmp @end
@@:
jmp @loop_third
@end:
; Keep the process alive so the module lists can be inspected from outside.
invoke Sleep, 100000
invoke ExitProcess, NULL
;-----------------------------------------------------------------------
; void hide(LIST_ENTRY *lPoint)
; ABI:   stdcall, 32-bit
; In:    lPoint = address of the LIST_ENTRY node to unlink
; Effect: prev->Flink = cur->Flink; next->Blink = cur->Blink
; Clobb: ebx, ecx, edi, flags. ebx and edi are callee-saved under stdcall
;        and are not preserved here (start does not rely on them).
; Note:  only the two neighbouring links are rewritten; the node itself and
;        the mapped image stay in memory unchanged. That is why list-based
;        enumerators (listdlls, EnumProcessModules) miss the module while a
;        scan of mapped regions or of the heap-resident entries still finds
;        it - the mismatch between the two is the detection signal.
;-----------------------------------------------------------------------
hide PROC lPoint:DWORD
mov edi, lPoint                     ; edi = cur
mov ebx, dword ptr[edi]             ; ebx = cur->Flink (next node)
mov ecx, dword ptr[edi+4]           ; ecx = cur->Blink (previous node)
; Splice cur out of the circular list
mov [ecx], ebx                      ; prev->Flink = next
mov [ebx+4], ecx                    ; next->Blink = prev
ret
hide ENDP
end start
; listdlls output with the hide proc applied
;------------------------------------------------------------------------------
;hide.exe pid: 3708
;Command line: hide
;
; Base Size Version Path
; 0x00400000 0x4000 C:\masm32\progz\hide_dll\hide.exe
; 0x77f50000 0xa7000 5.01.2600.1106 C:\WINDOWS\System32\ntdll.dll
;
;C:\masm32\progz\hide_dll>
;listdlls output without the hide proc
;------------------------------------------------------------------------------
;hide.exe pid: 3708
;Command line: hide
;
; Base Size Version Path
; 0x00400000 0x4000 C:\masm32\progz\hide_dll\hide.exe
; 0x77f50000 0xa7000 5.01.2600.1106 C:\WINDOWS\System32\ntdll.dll
; 0x77e60000 0xe6000 5.01.2600.1106 C:\WINDOWS\System32\kernel32.dll
;
;C:\masm32\progz\hide_dll>
Pozdrav...