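/// Guess which loaded image an import table belongs to.
///
/// Walks the array of pointer-sized entries starting at @p Start (entries are
/// SIZE_IMPORT_ENTRY bytes apart, terminated by a zero entry), resolves every
/// readable entry to the base of the image containing it with
/// MyRtlPcToFileHeader, and counts the hits per image base.
///
/// @param Start  Address of the first entry of the table to scan.
/// @return The image base that the largest number of entries resolve to, or 0
///         when no entry could be resolved at all.
///
/// Terminates the process with exit code 42 when CheckIfTwiceFreq reports the
/// top frequency as ambiguous, since the result then has to be chosen by hand.
ULONG_PTR ImportEntryModule(ULONG_PTR Start) {
    std::map<ULONG_PTR, int> ModuleBaseMap;
    ULONG_PTR EntryBase = 0;

    for (ULONG_PTR Current = Start; ; Current += SIZE_IMPORT_ENTRY) {
        // Test that the slot is readable before dereferencing it for the
        // terminator check; the previous loop condition read the slot first
        // and only then asked IsBadReadMemory about it.  An unreadable slot
        // ends the scan rather than being skipped, so a table that runs into
        // an unmapped page cannot loop indefinitely.
        if (IsBadReadMemory((PVOID)Current, SIZE_IMPORT_ENTRY)) {
            break;
        }
        ULONG_PTR Entry = *(PULONG_PTR)Current;
        if (Entry == 0) {
            break;  // zero entry terminates the table
        }
        if (IsBadReadMemory((PVOID)Entry, SIZE_IMPORT_ENTRY)) {
            continue;  // entry points at unmapped memory: do not count it
        }
        DbgMsg("[+] "HEX_FORMAT"\n", Entry);
        if (MyRtlPcToFileHeader(Entry, &EntryBase) == TRUE) {
            ModuleBaseMap[EntryBase] += 1;
        }
    }

    // Select the base with the highest hit count.  The base is recorded only
    // when its count becomes the new maximum; the previous version assigned
    // it on every iteration and therefore returned the highest address in the
    // map instead of the most frequent one.
    int max = 0;
    ULONG_PTR BestBase = 0;
    for (std::map<ULONG_PTR, int>::iterator it = ModuleBaseMap.begin(); it != ModuleBaseMap.end(); ++it) {
        if (it->second > max) {
            max = it->second;
            BestBase = it->first;
        }
    }

    if (CheckIfTwiceFreq(ModuleBaseMap, max) == TRUE) {
        DbgMsg("[-] ImportEntryModule - NEED TO FIX MANUALLY\n");
        ExitProcess(42);
    }
    return BestBase;
}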
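/// Populate the global `pinfo` record.
///
/// The first five fields describe the process's main module
/// (GetModuleHandleA(NULL)) and are read through ParsePE.  ModuleInjectedBase
/// and ModuleInjectedSize describe the image that contains `pinfo` itself,
/// resolved with MyRtlPcToFileHeader.  Finishes by calling PrintPeInfo().
///
/// If MyRtlPcToFileHeader fails, the failure is logged and ModuleInjectedSize
/// is set to 0 instead of parsing whatever ModuleInjectedBase happens to hold,
/// which is what the previous version did by ignoring the return value.
VOID FillPeInfo(VOID) {
    const ULONG_PTR MainBase = (ULONG_PTR)GetModuleHandleA(NULL);
    pinfo.ModuleBase = MainBase;
    pinfo.ModuleSize = (DWORD)ParsePE(MainBase, SIZE_OF_IMAGE);
    pinfo.ModuleNbSections = (DWORD)ParsePE(MainBase, NB_SECTIONS);
    pinfo.ModuleSections = (ULONG_PTR)ParsePE(MainBase, PE_SECTIONS);
    pinfo.EntryPoint = (DWORD)ParsePE(MainBase, ENTRY_POINT);

    // Resolve the image this code lives in; the address of pinfo is used as
    // the probe, same as before.
    if (MyRtlPcToFileHeader((ULONG_PTR)&pinfo, &pinfo.ModuleInjectedBase) == TRUE) {
        pinfo.ModuleInjectedSize = (DWORD)ParsePE(pinfo.ModuleInjectedBase, SIZE_OF_IMAGE);
    } else {
        DbgMsg("[-] FillPeInfo - MyRtlPcToFileHeader failed\n");
        pinfo.ModuleInjectedSize = 0;
    }
    PrintPeInfo();
}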
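/// Unlink the image containing this code from the three PEB loader module
/// lists (load order, memory order, initialization order).
///
/// Only the list links are modified by the three HideFrom* helpers; nothing
/// else about the mapping is changed.  The previous version logged a failed
/// MyRtlPcToFileHeader and then still called the helpers with base 0; this
/// version returns early in that case, and also when GetPeb() or Peb->Ldr is
/// null, so the list walks are never run with an invalid base or list head.
VOID HideIt(VOID) {
    ULONG_PTR BaseOfImage = 0x00;
    if (MyRtlPcToFileHeader((ULONG_PTR)&HideIt, &BaseOfImage) == FALSE || BaseOfImage == 0) {
        DbgMsg("[-] MyRtlPcToFileHeader failed\n");
        return;
    }

    PPEB Peb = GetPeb();
    if (Peb == NULL || Peb->Ldr == NULL) {
        DbgMsg("[-] HideIt - PEB or Ldr not available\n");
        return;
    }

    PPEB_LDR_DATA PebLdrData = Peb->Ldr;
    HideFromInLoadOrderModuleList(&PebLdrData->InLoadOrderLinks, BaseOfImage);
    HideFromInMemoryOrderModuleList(&PebLdrData->InMemoryOrderLinks, BaseOfImage);
    HideFromInInitializationOrderModuleList(&PebLdrData->InInitializationOrderLinks, BaseOfImage);
}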