  1. #1
    Kenshin13

    Erase DLL PE Header

    Sometimes you want to make it impossible for people to dump a DLL in a process or want the program to not detect it.
    Well since I'm bored, I decided to make a simple way to do it.

     

    Code:
    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,[Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
    [DllImport("kernel32.dll",SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte [] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
    
    private int ErasePEHeader(IntPtr hModule, string procName) // hModule = Handle to the module, procName = Process name (eg. "notepad")
    {
    	byte[] imagentheaderptr = new byte[4];
    	byte[] Stub = new byte[120];
    	byte[] Stub2 = new byte[0x108];
    	int Out = 0, Out2;
    
    	IntPtr proc = OpenProcess(0x001F0FFF, false, Process.GetProcessesByName(procName)[0].Id);
    	IntPtr IMAGE_NT_HEADER = new IntPtr((hModule.ToInt32() + 60)), out2 = IntPtr.Zero;
    	ReadProcessMemory(proc, IMAGE_NT_HEADER, imagentheaderptr, 4, out out2);
    	if ((WriteProcessMemory(proc, hModule, Stub, 120, out Out) == true) && (WriteProcessMemory(proc, hModule, Stub2, 0x100, out Out2) == true)) return Out+Out2;
    	else return 0;
    }


     

    Code:
    bool ErasePEHeader( HMODULE hModule ) // hModule = handle to DLL
    {
            if((DWORD)hModule == 0) return 0;
            DWORD IMAGE_NT_HEADER = *(int*)((DWORD)hModule + 60);
            for(int i=0; i<0x108; i++)
                    *(BYTE*)(IMAGE_NT_HEADER+i) = 0;
            for(int i=0; i<120; i++)
                    *(BYTE*)((DWORD)hModule+i) = 0;
            return 1;
    }


    Now I know there are much better ways to do this but this is the ... simplest way. It erases the IMAGE_DOS_HEADER and IMAGE_NT_HEADER with a few pointers to other structures.

    Some limitations:
    Code:
    - GetProcAddress will not work after you do this
    - DLLs can still be dumped ( But terribly disorganized making it near impossible to restore fully )

  2. The Following User Says Thank You to Kenshin13 For This Useful Post:

    [MPGH]Eithan1231 (4 Weeks Ago)
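
A detection-side check for the header erasure described in the post above, as an added example that is not part of the thread: given the first page of a memory region the OS reports as a loaded image, it reports whether the DOS or NT header signature is missing. The function names, the enum and the sample page are constructed for illustration; offset 60 (`e_lfanew`) and the 120 and 0x108 byte counts are the ones the post uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pe_hdr_state { PE_HDR_OK, PE_HDR_DOS_WIPED, PE_HDR_NT_WIPED, PE_HDR_TOO_SHORT };

/* Little-endian 32-bit read that does not depend on alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* img/len: first bytes of a region the OS reports as a mapped image (assumption). */
enum pe_hdr_state check_pe_header(const uint8_t *img, size_t len)
{
    if (len < 64)                                  /* sizeof(IMAGE_DOS_HEADER) */
        return PE_HDR_TOO_SHORT;
    if (img[0] != 'M' || img[1] != 'Z')            /* e_magic */
        return PE_HDR_DOS_WIPED;
    uint32_t e_lfanew = rd32(img + 60);            /* offset 60 = e_lfanew */
    if (e_lfanew > len - 4)                        /* points outside the buffer */
        return PE_HDR_DOS_WIPED;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)  /* IMAGE_NT_HEADERS.Signature */
        return PE_HDR_NT_WIPED;
    return PE_HDR_OK;
}

/* Constructed sample: a minimal header page with e_lfanew = 0x80. */
void make_sample_page(uint8_t *page, size_t len)
{
    memset(page, 0xCC, len);
    page[0] = 'M'; page[1] = 'Z';
    page[60] = 0x80; page[61] = page[62] = page[63] = 0;
    memcpy(page + 0x80, "PE\0\0", 4);
}

int main(void)
{
    uint8_t page[0x1000];
    make_sample_page(page, sizeof page);
    printf("intact: %d\n", check_pe_header(page, sizeof page));
    memset(page + 0x80, 0, 0x108);   /* NT header zeroed, as in the post */
    printf("NT header zeroed: %d\n", check_pe_header(page, sizeof page));
    memset(page, 0, 120);            /* DOS header zeroed, as in the post */
    printf("both zeroed: %d\n", check_pe_header(page, sizeof page));
    return 0;
}
```

The Windows loader leaves both signatures in place, so an image-backed region that returns anything other than `PE_HDR_OK` is worth triaging.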

  3. #2
    COD3RIN
    Nice release of source code..... For now I cannot create a trainer or d3d hack; my PC has a virus and I need to reinstall my PC soon...


    Love you.
    ~Kenshit13
    Quote Originally Posted by cheaterman26 View Post
    COD3RIN PUT A BACKDOOR ON HIS OWN CHEAT HE HACK MY COMPUTER AND MY STEAM, DON'T TRUST THIS GUYS !

  4. #3
    Lovroman
    Thanks, Zach!

  5. #4
    Kenshin13[Backup]
    Quote Originally Posted by Lovroman View Post
    Thanks, Zach!
    You're incredibly funny with all this controversy going on with the other "Zach".
    But you're welcome.

    Please feel free to post any other solutions you have for making it harder to dump/detect DLLs.

  6. #5
    The Conjurer
    How about in VB bro ?

  7. #6
    hkKenshin
    Quote Originally Posted by The Conjurer View Post
    How about in VB bro ?
    Just use an online C# to VB converter.

  8. #7
    The Conjurer
    Quote Originally Posted by hkKenshin View Post
    Just use an online C# to VB converter.
    What should I edit to make a checkbox out of it?
    Last edited by The Conjurer; 10-30-2013 at 04:23 PM.

  9. #8
    hkKenshin
    Quote Originally Posted by The Conjurer View Post
    What should i edit to make a checkbox out of it?
    Just check if the checkbox is checked and call the function.
