PEB.h
typedef struct {
DWORD InLoadNext;
DWORD InLoadPrev;
DWORD InMemNext;
DWORD InMemPrev;
DWORD InInitNext;
DWORD InInitPrev;
DWORD ImageBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
} PEB_LIST_ENTRY, *PPEB_LIST_ENTRY;
PEB_LIST_ENTRY *GetPEBAdd()
{
DWORD Loaded_Head;
DWORD **pPEB;
DWORD *Ldr;
__asm {
MOV EAX,30h
MOV EAX,DWORD PTR FS:[EAX]
ADD EAX, 08h
MOV SS:[pPEB], EAX
}
Ldr = *(pPEB + 1);
Loaded_Head = *(Ldr + 3);
return (PEB_LIST_ENTRY *)Loaded_Head;
}
// Elimina il modulo hMod
void HidePEB(HMODULE hMod)
{
PEB_LIST_ENTRY *Depends_List, *List_Head;
PEB_LIST_ENTRY *prev, *next;
Depends_List = List_Head = GetPEBAdd();
do {
// Ha trovato il modulo
if (Depends_List->ImageBase == (DWORD)hMod) {
prev = (PEB_LIST_ENTRY *) Depends_List->InLoadPrev;
next = (PEB_LIST_ENTRY *) Depends_List->InLoadNext;
if (prev)
prev->InLoadNext = (DWORD)next;
if (next)
next->InLoadPrev = (DWORD)prev;
prev = (PEB_LIST_ENTRY *) (Depends_List->InMemPrev - 8);
next = (PEB_LIST_ENTRY *) (Depends_List->InMemNext - 8);
if (Depends_List->InMemPrev) {
if (Depends_List->InMemNext)
prev->InMemNext = ((DWORD)next) + 8;
else
prev->InMemNext = NULL;
}
if (Depends_List->InMemNext) {
if (Depends_List->InMemPrev)
next->InMemPrev = ((DWORD)prev) + 8;
else
next->InMemPrev = NULL;
}
prev = (PEB_LIST_ENTRY *) (Depends_List->InInitPrev - 16);
next = (PEB_LIST_ENTRY *) (Depends_List->InInitNext - 16);
if (Depends_List->InInitPrev) {
if (Depends_List->InInitNext)
prev->InInitNext = ((DWORD)next) + 16;
else
prev->InInitNext = NULL;
}
if (Depends_List->InInitNext) {
if (Depends_List->InInitPrev)
next->InInitPrev = ((DWORD)prev) + 16;
else
next->InInitPrev = NULL;
}
break;
}
Depends_List = (PEB_LIST_ENTRY *)Depends_List->InLoadNext;
} while(List_Head != Depends_List);
}