I took Darawk's CloakDLL and modified it a tiny bit here and there to work with Windows 7 and to be usable as it's own injected DLL.
// This modification is based on Darawk's CloakDll instrumentation with
// some tweaks from me to get it working on Windows 7 and through the
// use of my own DLL - nitrogrlie
// CloakDll - by Darawk
// Featured @ www.RealmGX.com & www.Darawk.com
//
// The purpose of CloakDll is to allow the user to hide any loaded
// module from the windows API. It works by accessing the modules
// list stored in the PEB, and subsequently unlinking the module
// in question from all 4 of the doubly-linked lists that it's a
// node of. It then zeroes out the structure and the path/file
// name of the module in memory. So that even if the memory where
// the data about this module used to reside is scanned there will
// still be no conclusive evidence of it's existence. At present
// there is only one weakness that I have found in this method.
// I'll describe how it may still be possible to discover at least
// that a module has been hidden, after a brief introduction to how
// the GetModuleHandle function works.
//
// *The following information is not documented by Microsoft. This
// information consists of my findings while reverse-engineering
// these functions and some of them may be incorrect and/or
// subject to change at any time(and is almost definitely different
// in different versions of windows, and maybe even in different
// service packs). I've tried to make my code as version independant
// as possible but certain parts of it may not work on older versions
// of windows. I've tested it on XP SP2 and there i'll guarantee
// that it works, but on any other versions of windows, it's anyone's
// guess.*
//
// GetModuleHandle eventually calls GetModuleHandleExW, which in
// turn accesses the native API function GetDllHandle, which calls
// GetDllHandleEx. And it's not until here, that we actually see
// anything even begin to look up information about loaded modules.
// Whenever GetModuleHandle is called, it saves the address of the
// last ModuleInfoNode structure that it found in a global variable
// inside of ntdll. This global variable is the first thing
// checked on all subsequent calls to GetModuleHandle. If the
// handle being requested is not the one that was requested the last
// time GetDllHandleEx calls the LdrpCheckForLoadedDll function.
// LdrpCheckForLoadedDll begins by converting the first letter of the
// module name being requested to uppercase, decrementing it by 1 and
// AND'ing it with 0x1F. This effectively creates a 0-based index
// beginning with the letter 'A'. The purpose of this is so that
// the module can first be looked up in a hash table. The hash table
// consists entirely of LIST_ENTRY structures. One for each letter
// 'A' through 'Z'. The LIST_ENTRY structure points to the first
// and last modules loaded that begin with the letter assigned to
// that entry in the hash table. The Flink member being the first
// loaded beginning with that letter, and the Blink member being the
// last. The code scans through this list until it finds the module
// that it's looking for. On the off-chance that it doesn't find it
// there, or if the boolean argument UseLdrpHashTable is set to false
// it will begin going through one of the other three lists. If, at
// this point it still doesn't find it, it will admit defeat and return
// 0 for the module handle.
//
// Weakness: The global variable inside ntdll that caches the pointer
// to the last module looked up could be used to at least detect the
// fact that a module has been hidden. The LdrUnloadDll() function
// will set this value to 0 when it unloads a module, so if the cache
// variable points to an empty structure, the only logical conclusion
// would be a hidden module somewhere in the process. This could be
// resolved by using the static address of this variable and simply
// zeroing it out. However, this would make the code specific to only
// one version of windows. You could also scan the address space of
// ntdll for any occurences of the base address(aka module handle)
// of the module you're hiding. However, this would be slow and it
// would clutter up the CloakDll_stub function, because it'd have to
// all be done manually. And i'd have to either use a static base
// address for ntdll...which would probably work on most versions
// of windows, however I really don't like using static addresses.
// Or i'd have to manually locate it by writing my own unicode
// string comparison code, to lookup ntdll in the list by it's name.
// Realistically though anyone trying to detect this way would run
// into the same problem. That their code would not be version
// independant. So, it's unlikely to see any largescale deployment
// of such a technique. However, anyone who would like to solve
// this problem themselves is perfectly free, and encouraged to do
// so.
#include <windows.h>
#include <winnt.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <stdio.h>
#pragma comment(lib, "shlwapi.lib")
#define UPPERCASE(x) if((x) >= 'a' && (x) <= 'z') (x) -= 'a' - 'A'
#define UNLINK(x) (x).Blink->Flink = (x).Flink; \
(x).Flink->Blink = (x).Blink;
#pragma pack(push, 1)
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _ModuleInfoNode
{
LIST_ENTRY LoadOrder;
LIST_ENTRY InitOrder;
LIST_ENTRY MemoryOrder;
HMODULE baseAddress; // Base address AKA module handle
unsigned long entryPoint;
unsigned int size; // Size of the modules image
UNICODE_STRING fullPath;
UNICODE_STRING name;
unsigned long flags;
unsigned short LoadCount;
unsigned short TlsIndex;
LIST_ENTRY HashTable; // A linked list of any other modules that have the same first letter
unsigned long timestamp;
} ModuleInfoNode, *pModuleInfoNode;
typedef struct _ProcessModuleInfo
{
unsigned int size; // Size of a ModuleInfo node?
unsigned int initialized;
HANDLE SsHandle;
LIST_ENTRY LoadOrder;
LIST_ENTRY InitOrder;
LIST_ENTRY MemoryOrder;
} ProcessModuleInfo, *pProcessModuleInfo;
#pragma pack(pop)
// Forward prototypes
void CloakDll( HMODULE hMod );
bool CloakModule( ModuleInfoNode * module );
// Globals
HMODULE hDLL = 0;
// Define the DLL's main function
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {
// Get rid of compiler warnings since we do not use this parameter
UNREFERENCED_PARAMETER(lpReserved);
switch( ulReason ) {
// If we are attaching to a process
case DLL_PROCESS_ATTACH:
//MessageBox(0, "DLL Locked and Loaded.", "DLL Injection Works!", 0);
hDLL = hModule;
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return (TRUE);
}
extern "C" __declspec(dllexport) void Initialize() {
DWORD ThreadID;
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&CloakDll, GetModuleHandle("GDI32.dll"), 0, &ThreadID);
}
void CloakDll(HMODULE hMod) {
ProcessModuleInfo *pmInfo;
ModuleInfoNode *module;
_asm {
mov eax, fs:[18h] // TEB
mov eax, [eax + 30h] // PEB
mov eax, [eax + 0Ch] // PROCESS_MODULE_INFO
mov pmInfo, eax
}
ModuleInfoNode* origModule = 0, *tohideModule = 0;
module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
while( module->baseAddress ) {
if( module->baseAddress == hMod ) {
tohideModule = module;
}
else if ( module->baseAddress == hDLL ) {
origModule = module;
}
module = (ModuleInfoNode *)(module->LoadOrder.Flink);
}
// Cloak the modules, if we found them, call return true/false but I don't check
// not sure why you would necessarily want to
CloakModule( origModule );
CloakModule( tohideModule );
// Check our work by printing all the modules for the PE we are injected
FILE * file;
file = fopen("C:\\Users\\Public\\Cloak.txt", "w");
module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
while(module->baseAddress) {
fprintf(file, "Module: %S\n", module->fullPath.Buffer);
fflush(file);
module = (ModuleInfoNode *)(module->LoadOrder.Flink);
}
// Close our file handles
fflush(file);
fclose(file);
// Exit our thread and free our DLL
if( hDLL ) {
__asm {
push -2
push 0
push hDLL
mov eax, TerminateThread
push eax
mov eax, FreeLibrary
jmp eax
}
}
}
bool CloakModule( ModuleInfoNode * module ) {
// Quick error checking in-case some module wasn't found
if( module->baseAddress ) {
// Remove the module entry from the list here
///////////////////////////////////////////////////
// Unlink from the load order list
UNLINK(module->LoadOrder);
// Unlink from the init order list
UNLINK(module->InitOrder);
// Unlink from the memory order list
UNLINK(module->MemoryOrder);
// Unlink from the hash table
UNLINK(module->HashTable);
// This code will pretty much always be optimized into a rep stosb/stosd pair
// so it shouldn't cause problems for relocation.
// Zero out the module name
DWORD oldProt;
VirtualProtect(module->fullPath.Buffer, module->fullPath.Length, PAGE_READWRITE, &oldProt);
memset(module->fullPath.Buffer, 0, module->fullPath.Length);
VirtualProtect(module->fullPath.Buffer, module->fullPath.Length, oldProt, &oldProt);
// Zero out the memory of this module's node
VirtualProtect(module, sizeof(ModuleInfoNode), PAGE_READWRITE, &oldProt);
memset(module, 0, sizeof(ModuleInfoNode));
VirtualProtect(module, sizeof(ModuleInfoNode), oldProt, &oldProt);
return true;
}
return false;
}
Login 
Register
FAQ
Search
