#pragma once
#include <Windows.h>
#include <algorithm>
#include <vector>
// Partial, hand-rolled layout of the undocumented PEB_LDR_DATA. Only the three
// module-list heads are modelled; everything before them is opaque padding.
// NOTE(review): the 12-byte pad is the 32-bit layout; on 64-bit the list heads
// presumably land at the correct offset only because LIST_ENTRY's pointer
// alignment pads the struct to 16 bytes — confirm against the target build.
typedef struct _PEB_LDR_DATA {
    UINT8 _PADDING_[12];
    LIST_ENTRY InLoadOrderModuleList;           // walked by UnlinkModuleFromPEB
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// Partial layout of the undocumented PEB: only the Ldr pointer is modelled,
// placed after 24 (x64) / 12 (x86) bytes of opaque padding.
// NOTE(review): these offsets are tied to the Windows builds the author
// targeted; undocumented layouts can differ between versions — confirm.
typedef struct _PEB {
#ifdef _WIN64
    UINT8 _PADDING_[24];
#else
    UINT8 _PADDING_[12];
#endif
    PEB_LDR_DATA* Ldr; // loader data holding the three module lists
} PEB, *PPEB;
// Partial layout of the undocumented LDR_DATA_TABLE_ENTRY: the three list
// links and DllBase. Fields past DllBase are not modelled; nothing in this
// file reads them. UnlinkModuleFromPEB recovers an entry from a list node
// with CONTAINING_RECORD on InLoadOrderLinks.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    VOID* DllBase; // image base; compared against the HMODULE argument
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// Bookkeeping record kept in UnlinkedModules for every entry that
// UnlinkModuleFromPEB has removed, so RelinkModuleToPEB can restore it.
typedef struct _UNLINKED_MODULE
{
    HMODULE hModule;                              // key used for lookup
    // The three values below are `<link>.Blink->Flink` captured before the
    // unlink; they are passed as the `real` argument of RELINK.
    PLIST_ENTRY RealInLoadOrderLinks;
    PLIST_ENTRY RealInMemoryOrderLinks;
    PLIST_ENTRY RealInInitializationOrderLinks;
    PLDR_DATA_TABLE_ENTRY Entry;                  // the unlinked loader entry itself
} UNLINKED_MODULE;
// UNLINK(x): splice the LIST_ENTRY node `x` out of its doubly-linked list by
// pointing its two neighbours at each other. The node's own Flink/Blink are
// left untouched; RELINK relies on them to find the neighbours again.
// RELINK(x, real): re-insert the node at address `real` between the
// neighbours still recorded in `x`'s Flink/Blink. Neither macro validates
// that those neighbours still exist.
// NOTE(review): both macros expand to several unbraced statements and already
// end in `;`, so they are not statement-safe: under an unbraced `if`/`else`
// only the first assignment would be guarded, and the `;` written at a use
// site becomes an empty statement. This file only uses them as standalone
// statements.
#define UNLINK(x) \
(x).Flink->Blink = (x).Blink; \
(x).Blink->Flink = (x).Flink;
#define RELINK(x, real) \
(x).Flink->Blink = (real); \
(x).Blink->Flink = (real); \
(real)->Blink = (x).Blink; \
(real)->Flink = (x).Flink;
// Process-wide list of modules currently removed from the loader lists.
// NOTE(review): this is a definition (not a declaration) in a header, as are
// the two non-inline functions below; including the header from more than
// one translation unit produces multiple-definition link errors. Nothing in
// this file synchronizes access to it.
std::vector<UNLINKED_MODULE> UnlinkedModules;
/// Predicate for std::find_if over UnlinkedModules: matches the record whose
/// hModule equals the handle given at construction.
struct FindModuleHandle
{
    HMODULE m_hModule; // handle being searched for

    FindModuleHandle(HMODULE handle) : m_hModule(handle)
    {
    }

    /// @return true when @p record describes the handle held by this predicate.
    bool operator() (UNLINKED_MODULE const &record) const
    {
        return m_hModule == record.hModule;
    }
};
/// Restore a module previously removed by UnlinkModuleFromPEB to the three
/// loader lists and drop its bookkeeping record.
/// @param hModule module handle to restore; a no-op when UnlinkedModules holds
///                no record for it.
/// NOTE(review): the entry's Flink/Blink still point at whatever its
/// neighbours were at unlink time and are replayed without validation. If the
/// loader lists changed in between (any thread loading or unloading a module),
/// those writes land in stale memory and corrupt process-global loader state.
/// No loader lock is taken.
void RelinkModuleToPEB(HMODULE hModule)
{
    std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
    if (it == UnlinkedModules.end())
    {
        // Nothing recorded for this handle: silently ignore.
        //DBGOUT(TEXT("Module Not Unlinked Yet!"));
        return;
    }
    // Same three lists, same order as in UnlinkModuleFromPEB.
    RELINK((*it).Entry->InLoadOrderLinks, (*it).RealInLoadOrderLinks);
    RELINK((*it).Entry->InInitializationOrderLinks, (*it).RealInInitializationOrderLinks);
    RELINK((*it).Entry->InMemoryOrderLinks, (*it).RealInMemoryOrderLinks);
    UnlinkedModules.erase(it);
}
/// Remove a loaded module's entry from the three PEB loader lists and record
/// what is needed for RelinkModuleToPEB to undo it.
/// @param hModule module handle; matched against LDR_DATA_TABLE_ENTRY::DllBase.
/// Returns silently if hModule already has a record, or if it is not found in
/// InLoadOrderModuleList.
/// NOTE(review): process-global loader state is modified without the loader
/// lock, so a concurrent LoadLibrary/FreeLibrary on another thread races with
/// this walk. Only list links change: the image stays mapped and the entry
/// struct is not freed, so from a defender's side the module remains visible
/// to anything that enumerates mapped memory rather than walking these lists.
void UnlinkModuleFromPEB(HMODULE hModule)
{
    std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
    if (it != UnlinkedModules.end())
    {
        // Already recorded: do not unlink twice.
        //DBGOUT(TEXT("Module Already Unlinked!"));
        return;
    }
    // PEB pointer read from the TEB: GS:[0x60] on x64, FS:[0x30] on x86.
#ifdef _WIN64
    PPEB pPEB = (PPEB)__readgsqword(0x60);
#else
    PPEB pPEB = (PPEB)__readfsdword(0x30);
#endif
    PLIST_ENTRY CurrentEntry = pPEB->Ldr->InLoadOrderModuleList.Flink;
    PLDR_DATA_TABLE_ENTRY Current = NULL;
    // Walk the load-order list until it wraps back to its head (or a NULL link).
    while (CurrentEntry != &pPEB->Ldr->InLoadOrderModuleList && CurrentEntry != NULL)
    {
        Current = CONTAINING_RECORD(CurrentEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (Current->DllBase == hModule)
        {
            UNLINKED_MODULE CurrentModule = { 0 };
            CurrentModule.hModule = hModule;
            // Capture Blink->Flink of each link before unlinking; in a
            // consistent list that is presumably the node's own address — confirm.
            CurrentModule.RealInLoadOrderLinks = Current->InLoadOrderLinks.Blink->Flink;
            CurrentModule.RealInInitializationOrderLinks = Current->InInitializationOrderLinks.Blink->Flink;
            CurrentModule.RealInMemoryOrderLinks = Current->InMemoryOrderLinks.Blink->Flink;
            CurrentModule.Entry = Current;
            // Record first, then splice the entry out of all three lists.
            UnlinkedModules.push_back(CurrentModule);
            UNLINK(Current->InLoadOrderLinks);
            UNLINK(Current->InInitializationOrderLinks);
            UNLINK(Current->InMemoryOrderLinks);
            break; // only the first matching entry is handled
        }
        CurrentEntry = CurrentEntry->Flink;
    }
}