  1. #1
    Kenshin13

    Erase DLL PE Header

    Sometimes you want to make it impossible for people to dump a DLL in a process, or you want the program to not detect it.
    Well, since I'm bored, I decided to make a simple way to do it.

     

    Code:
    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,[Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
    [DllImport("kernel32.dll",SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte [] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
    
    private int ErasePEHeader(IntPtr hModule, string procName) // hModule = Handle to the module, procName = Process name (eg. "notepad")
    {
    	byte[] imagentheaderptr = new byte[4];
    	byte[] Stub = new byte[120];
    	byte[] Stub2 = new byte[0x108];
    	int Out = 0, Out2;
    
    	IntPtr proc = OpenProcess(0x001F0FFF, false, Process.GetProcessesByName(procName)[0].Id);
    	IntPtr IMAGE_NT_HEADER = new IntPtr((hModule.ToInt32() + 60)), out2 = IntPtr.Zero;
    	ReadProcessMemory(proc, IMAGE_NT_HEADER, imagentheaderptr, 4, out out2);
    	if ((WriteProcessMemory(proc, hModule, Stub, 120, out Out) == true) && (WriteProcessMemory(proc, hModule, Stub2, 0x100, out Out2) == true)) return Out+Out2;
    	else return 0;
    }


     

    Code:
    bool ErasePEHeader( HMODULE hModule ) // hModule = handle to DLL
    {
            if((DWORD)hModule == 0) return 0;
            DWORD IMAGE_NT_HEADER = *(int*)((DWORD)hModule + 60);
            for(int i=0; i<0x108; i++)
                    *(BYTE*)(IMAGE_NT_HEADER+i) = 0;
            for(int i=0; i<120; i++)
                    *(BYTE*)((DWORD)hModule+i) = 0;
            return 1;
    }


    Now I know there are much better ways to do this, but this is the ... simplest way. It erases the IMAGE_DOS_HEADER and IMAGE_NT_HEADER with a few pointers to other structures.

    Some limitations:
    Code:
    - GetProcAddress will not work after you do this
    - DLLs can still be dumped ( But terribly disorganized making it near impossible to restore fully )
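
The defender's view of the post above, as an added example that is not part of the original thread: a Python check that flags loaded modules whose first page no longer carries a valid MZ/PE header and lists the section names that survive the wipe. The sample pages, the function names and the 0xE8 `e_lfanew` value are constructed for illustration; the sizes 120 and 0x108 come from the post, and a PE32 header layout is assumed.

```python
import struct

DOS_WIPE, NT_WIPE = 120, 0x108      # byte counts zeroed by the post's code
NT_SIZE32, SECTION_SIZE = 0xF8, 40  # PE32 IMAGE_NT_HEADERS / IMAGE_SECTION_HEADER
RESIDUAL_NAMES = (b".text", b".rdata", b".data", b".rsrc", b".reloc")

def build_page(e_lfanew=0xE8, sections=(b".text", b".rdata", b".data"), size=0x1000):
    """Constructed sample: first page of a PE32 image (headers only, not loadable)."""
    page = bytearray(size)
    page[0:2] = b"MZ"
    struct.pack_into("<I", page, 60, e_lfanew)                   # e_lfanew at offset 60
    page[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", page, e_lfanew + 4, 0x014C, len(sections))
    struct.pack_into("<H", page, e_lfanew + 24, 0x10B)           # PE32 optional magic
    for i, name in enumerate(sections):                          # section table
        off = e_lfanew + NT_SIZE32 + i * SECTION_SIZE
        page[off:off + 8] = name.ljust(8, b"\0")
    return page

def simulate_wipe(page, e_lfanew=0xE8):
    """Zero the two header ranges in the constructed buffer so the check has input."""
    page[0:DOS_WIPE] = bytes(DOS_WIPE)
    page[e_lfanew:e_lfanew + NT_WIPE] = bytes(NT_WIPE)
    return page

def classify(page):
    """Return (verdict, residual section names) for a loaded module's first page."""
    if len(page) < 64:
        return "corrupt", []
    if page[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", page, 60)
        ok = e_lfanew + 4 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\0\0"
        return ("intact" if ok else "corrupt"), []
    residual = [n.decode() for n in RESIDUAL_NAMES if n.ljust(8, b"\0") in page]
    verdict = "erased" if not any(page[:DOS_WIPE]) else "corrupt"
    return verdict, residual

def scan(modules):
    """modules maps name -> first-page bytes; report modules without a valid header."""
    results = {name: classify(bytes(page)) for name, page in modules.items()}
    return {name: r for name, r in results.items() if r[0] != "intact"}

SAMPLE = {"clean.dll": build_page(), "hidden.dll": simulate_wipe(build_page())}
if __name__ == "__main__":
    print(scan(SAMPLE))
```

With PE32 headers, 0x108 bytes reach only 16 bytes into the first section header, so later section names remain in the page as evidence that a module image is mapped there.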

  2. #2
    Mayion
    Good Job Mr Kenshin