Code:
The modules run in user mode; the structure information (PEB_LDR_DATA, LDR_MODULE) referenced below was taken from here:
http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html
http://undocumented.ntinternals.net/UserMode/Structures/LDR_MODULE.html
{ NOTE(review): stray fragment. These seven lines appear verbatim again after
  the `library Game;` header, and Delphi accepts nothing before that header,
  so this copy must be removed for the unit to compile at all.
  The declarations themselves are also wrong: PEB_LDR_DATA and PEB are
  structures in process memory (see the two links above), not functions
  exported by ntdll.dll, so an `external 'ntdll.DLL'` import of either name
  cannot be resolved when the DLL is mapped. }
function PEB_LDR_DATA(uLong : integer ; Initialized : Boolean ;
SsHandle : Pointer ; InLoadOrderModuleList :
Pointer; InMemoryOrderModuleList : pointer ;
InInitializationOrderModuleList : Pointer): Dword;stdcall; external 'ntdll.DLL' name 'PEB_LDR_DATA';
function PEB(InheritedAddressSpace : Boolean ; ReadImageFileExecOptions : BOOLEAN ;
BeingDebugged : Thandle ; Spare : BOOLEAN; Mutant : THandle ; ImageBaseAddress : Pointer ; LoaderData :
Pointer): boolean;stdcall; external 'ntdll.DLL' name 'PEB';
library Game;
uses
SysUtils,
Classes,
windows,
messages,
forms,
tlhelp32,
uPB in 'uPB.pas' {Form1};
{$R *.res}
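{ PEB_LDR_DATA and PEB are structures that live in the process's own memory
  (see the undocumented.ntinternals.net links at the top of the file); they
  are not functions exported by ntdll.dll. The original declared them as
  `external 'ntdll.DLL'` imports, which the loader must resolve when the DLL
  is mapped; since ntdll exports no symbol with either name the DLL could
  never load. The layouts are declared as records instead, following the
  cited pages (32-bit x86 layout: LoaderData sits at PEB offset 0x0C, the
  offset CloakDLL's inline assembly uses).
  NOTE(review): these layouts are undocumented and differ between OS
  versions and between 32- and 64-bit processes - verify against the target
  before relying on any offset. }
type
  PPebLdrData = ^PEB_LDR_DATA;
  PEB_LDR_DATA = record
    Length: ULONG;                              // size of this structure
    Initialized: Boolean;                       // BOOLEAN (1 byte)
    SsHandle: Pointer;
    InLoadOrderModuleList: TListEntry;          // LIST_ENTRY heads into the LDR_MODULE chain
    InMemoryOrderModuleList: TListEntry;
    InInitializationOrderModuleList: TListEntry;
  end;

  PPeb = ^PEB;
  PEB = record
    InheritedAddressSpace: Boolean;
    ReadImageFileExecOptions: Boolean;
    BeingDebugged: Boolean;                     // BOOLEAN, not a THandle as the old parameter list had it
    Spare: Boolean;
    Mutant: THandle;
    ImageBaseAddress: Pointer;
    LoaderData: PPebLdrData;                    // offset 0x0C in a 32-bit process
    // Remaining fields are not described by the cited page and are omitted.
  end;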
(* Reference layout of the loader structures, as published at the links above
   (C notation; pre-Vista 32-bit x86 layout - undocumented, verify per OS
   version/architecture before depending on any offset). Written as a
   (* *) comment so the closing braces of the C structs can be kept.

   LDR_MODULE, called ModuleInfoNode here:
typedef struct _ModuleInfoNode
{
    LIST_ENTRY LoadOrder;
    LIST_ENTRY InitOrder;
    LIST_ENTRY MemoryOrder;
    HMODULE baseAddress;         // Base address AKA module handle
    unsigned long entryPoint;
    unsigned int size;           // Size of the module's image
    UNICODE_STRING fullPath;
    UNICODE_STRING name;
    unsigned long flags;
    unsigned short LoadCount;
    unsigned short TlsIndex;
    LIST_ENTRY HashTable;        // A linked list of any other modules that have the same first letter
    unsigned long timestamp;
} ModuleInfoNode, *pModuleInfoNode;

   PEB_LDR_DATA, called ProcessModuleInfo here:
typedef struct _ProcessModuleInfo
{
    unsigned int size;           // Length: size of this structure (not of a node)
    unsigned int initialized;
    HANDLE SsHandle;
    LIST_ENTRY LoadOrder;
    LIST_ENTRY InitOrder;
    LIST_ENTRY MemoryOrder;
} ProcessModuleInfo, *pProcessModuleInfo; *)
var
// Written by DLLHack through CreateRemoteThread's last (var lpThreadId)
// argument, so it holds the remote thread's *ID*; the thread HANDLE that
// CreateRemoteThread returns is discarded there. The CloseHandle(Thread)
// in DLL_PROCESS_DETACH is therefore applied to an id, not a handle.
Thread : dword;
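{ Original intent (translated): "identify the game, and the moment of
  injection". As written it creates and runs the VCL form TForm1 in an
  endless loop.
  Returns: never in practice - the loop condition can never become true.
  Result is still assigned so the function has a defined value (the
  original never set it), and the stray `end;` that followed the function
  body has been removed: it closed nothing and broke compilation.
  NOTE(review): not called anywhere in this listing. Inside a DLL,
  `Application` is the DLL's own VCL TApplication instance, and after the
  first Application.Run returns its Terminated flag presumably stays set, so
  later iterations would create and free the form without showing it -
  confirm against the VCL version in use. }
Function ReadyGame() : boolean;
begin
  Result := False;
  repeat
    Application.Initialize;
    Application.CreateForm(TForm1, Form1);
    Application.Run;              // blocks until the form's message loop ends
    Sleep(1);
    FreeAndNil(Form1);            // release the form before creating it again
  until False;                    // same as the original `until 1=2`
end;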
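{ Returns the process id of the first process whose image name equals Proc
  (e.g. 'Game.exe'), or 0 when no such process exists or the snapshot
  cannot be taken. If several processes share the name, the first one the
  snapshot lists is returned.
  Fixes over the original: the snapshot handle is now closed (it leaked on
  every call), and the name comparison is case-insensitive, which matches
  how Windows treats image file names. }
Function GetPID(Proc: String): Dword;
var
  Snap: THandle;
  PE: TProcessEntry32;
  ExeName: string;
  More: Boolean;
begin
  Result := 0;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then
    Exit;
  try
    PE.dwSize := SizeOf(PE);     // required before Process32First
    More := Process32First(Snap, PE);
    while More do
    begin
      ExeName := PE.szExeFile;   // zero-based char array -> string
      if SameText(Proc, ExeName) then
      begin
        Result := PE.th32ProcessID;
        Break;
      end;
      More := Process32Next(Snap, PE);
    end;
  finally
    CloseHandle(Snap);
  end;
end;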
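{ Returns the load address (HMODULE) of the module called `name` inside
  process `proc`, or 0 when the snapshot fails or no module matches.
  Defects fixed relative to the original:
   - the snapshot was taken with TH32CS_SNAPPROCESS; module enumeration
     needs TH32CS_SNAPMODULE (with the pid in the second argument);
   - Result was never initialised, the StrComp test was inverted (it
     matched every module except `name`), and the trailing Module32Next
     loop overwrote any match with 0;
   - the snapshot handle was never closed, and INVALID_HANDLE_VALUE was not
     checked.
  Module names are compared case-insensitively, as Windows does.
  NOTE(review): MSDN documents that CreateToolhelp32Snapshot with
  TH32CS_SNAPMODULE can fail transiently with ERROR_BAD_LENGTH (caller may
  retry), and that a 32-bit caller cannot enumerate a 64-bit process's
  modules; neither case is handled here. }
function GetRemoteModuleHandle(proc : DWORD ; name : PChar): HMODULE; stdcall;
var
  Snap: THandle;
  Entry: MODULEENTRY32;
  More: Boolean;
begin
  Result := 0;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, proc);
  if Snap = INVALID_HANDLE_VALUE then
    Exit;
  try
    Entry.dwSize := SizeOf(Entry);
    More := Module32First(Snap, Entry);
    while More do
    begin
      if StrIComp(Entry.szModule, name) = 0 then
      begin
        Result := Entry.hModule;
        Break;
      end;
      Entry.dwSize := SizeOf(Entry);   // Module32Next expects dwSize to be set
      More := Module32Next(Snap, Entry);
    end;
  finally
    CloseHandle(Snap);
  end;
end;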
//Only the CLOAK routine is still missing, and it is the most important part....
{ Intended (per the author's comments) to "cloak" this DLL, i.e. hide it
  from walkers of the PEB loader lists described at the top of the file.
  As written it has no effect: the inline assembly reads the PEB_LDR_DATA
  pointer into EAX and then drops it (the store into pebLdrData is
  commented out). Both locals are unused.
  x86 only: FS:[30h] and the 0x0C LoaderData offset are the 32-bit layout
  and are not valid in a 64-bit build. EAX may be used freely in Delphi
  inline asm, so the block does not corrupt any register the compiler relies on. }
Procedure CloakDLL(); //Pauses and makes the dll invisible.... (author's description; not implemented)
var
hModule : THandle; // unused
pebLdrData : dword; // unused: the only write to it is commented out below
begin
//pebldrdata := PEB_LDR_DATA
asm
mov eax, fs:[30h] //get PEB ADDR (TEB+0x30 holds the PEB pointer in a 32-bit process)
add eax, 0Ch // PEB+0x0C = LoaderData in the 32-bit layout
mov eax, [eax] //get LoaderData ADDR (left in EAX and then discarded)
//mov pebLdrData, eax
end;
end;
{ DLLProc handler. On DLL_PROCESS_ATTACH it looks up Game.exe, opens it with
  PROCESS_ALL_ACCESS, allocates a remote buffer and starts a remote thread;
  on DLL_PROCESS_DETACH it closes `Thread`.
  NOTE(review) - defects visible in this listing, none of which is fixed here:
   - `len` is never assigned, so VirtualAllocEx and VirtualFreeEx receive an
     undefined size (this is the likely cause of the "error HERE" below).
   - The WriteProcessMemory that would copy CloakDLL into the buffer is
     commented out, and CreateRemoteThread is passed @stubaddr and @hMod -
     the addresses of the two LOCAL variables in this process - instead of
     the remote buffer address `stubaddr` and the value `hMod`.
   - VirtualFreeEx with MEM_RELEASE requires dwSize = 0 (MSDN), and it is
     issued immediately after the thread is started, so any code placed in
     the buffer would be released while the remote thread still runs.
   - CreateRemoteThread's return value (the thread HANDLE) is discarded;
     `Thread` receives the thread ID via the var parameter, so the
     CloseHandle in DLL_PROCESS_DETACH is applied to an id, not a handle.
   - The results of GetPID (0 when not found), OpenProcess (0 on failure),
     VirtualAllocEx and CreateRemoteThread are not checked, and hOpen is
     never closed.
   - PROCESS_ALL_ACCESS is far broader than these calls need; per MSDN
     VirtualAllocEx/WriteProcessMemory/CreateRemoteThread require
     PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE,
     PROCESS_CREATE_THREAD and PROCESS_QUERY_INFORMATION. }
procedure DLLHack(reason : integer);
var
hOpen : THandle;
procId : dword;
len : LongInt; // never assigned
hMod : Cardinal;
stubaddr : pointer;
dllname : string;
begin
case reason of
DLL_PROCESS_ATTACH :
begin
dllname := 'Game.dll';
procid := GetPID('Game.exe'); // find the target process (0 if absent - unchecked)
hOpen := OpenProcess(PROCESS_ALL_ACCESS,false,prociD); // open it and keep the handle in hOpen (0 on failure - unchecked)
stubaddr := VirtualAllocEx(hOpen,nil,len,MEM_RESERVE + MEM_COMMIT,PAGE_EXECUTE_READWRITE); // allocate a remote buffer of `len` (undefined) bytes
//WriteProcessMemory(hOpen,stubaddr,CloakDLL,len,nil); // I Have error HERE.
hMod := GetRemoteModuleHandle(procId,pChar(dllname));
CreateRemoteThread(hOpen,nil,0,@stubaddr,@hMod,0,Thread); // start a thread in it... (start address and parameter are local addresses; handle discarded)
VirtualFreeex(hOpen,stubaddr,len,MEM_RELEASE); // release.... (MEM_RELEASE needs size 0; frees the buffer while the thread may run)
end;
DLL_PROCESS_DETACH:
begin
if Thread <> 0 then
CloseHandle(Thread); // `Thread` is a thread id, not a handle
end;
end;
end;
{ Library initialisation, run on DLL_PROCESS_ATTACH. Delphi invokes DLLProc
  only for notifications that arrive after initialisation, so the attach
  reason is dispatched by hand on the last line.
  NOTE(review): this means DLLHack's OpenProcess/VirtualAllocEx/
  CreateRemoteThread sequence runs from inside the DllMain call, i.e. while
  the loader lock is held; MSDN's DllMain guidance discourages doing such
  work there - confirm it is acceptable for this use. }
begin
DisableThreadLibraryCalls(hInstance); // suppress DLL_THREAD_ATTACH/DETACH callbacks
DLLproc := @DLLHack;
Dllproc(DLL_PROCESS_ATTACH);
end.