[Share]Module hiding

[Astral Witch]

for all you game hackers that want to hide your injected dlls (or executable modules).

[PHP]
void HideModule(HMODULE module)
{
PEB* peb;
LDR_MODULE* ldr;

peb = (PEB*)__readfsdword(0x30);

ldr = (LDR_MODULE*)peb->Ldr->InLoadOrderModuleList.Flink;

while( ldr->BaseAddress != 0 )
{
if( ldr->BaseAddress == module )
{
if(ldr->InLoadOrderModuleList.Blink != 0)
(ldr->InLoadOrderModuleList.Blink)->Flink = ldr->InLoadOrderModuleList.Flink;
if(ldr->InLoadOrderModuleList.Blink != 0)
(ldr->InLoadOrderModuleList.Flink)->Blink = ldr->InLoadOrderModuleList.Blink;

if(ldr->InInitializationOrderModuleList.Blink != 0)
(ldr->InInitializationOrderModuleList.Blink)->Flink = ldr->InInitializationOrderModuleList.Flink;
if(ldr->InInitializationOrderModuleList.Flink != 0)
(ldr->InInitializationOrderModuleList.Flink)->Blink = ldr->InInitializationOrderModuleList.Blink;

if(ldr->InMemoryOrderModuleList.Flink != 0)
(ldr->InMemoryOrderModuleList.Blink)->Flink = ldr->InMemoryOrderModuleList.Flink;
if(ldr->InMemoryOrderModuleList.Flink != 0)
(ldr->InMemoryOrderModuleList.Flink)->Blink = ldr->InMemoryOrderModuleList.Blink;
}
ldr = (LDR_MODULE*)ldr->InLoadOrderModuleList.Flink;
}

}
[/PHP]

youll need the structures ofc

LDR_MODULE
[PHP]
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;


}LDR_MODULE, *PLDR_MODULE;
[/PHP]

PEB_LDR_DATA
[PHP]
typedef struct _PEB_LDR_DATA {
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;

}PEB_LDR_DATA, *PPEB_LDR_DATA;
[/PHP]

PEB
[PHP]
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;

}PEB, *PPEB;
[/PHP]

the structures arnt full, i took what i needed for this

ex of use:
[PHP]
int main()
{
HideModule(GetModuleHandle("ntdll.dll"));

MODULEENTRY32* pEntry;

pEntry->dwSize = sizeof( MODULEENTRY32 );
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL);

Module32First(snapshot,pEntry);
do {
cout << pEntry->szModule << endl;
}while(Module32Next(snapshot,pEntry));

cin.get();
return 0;
}
[/PHP]

ntdll does not show whilst all other modules are listed

[why06]

Yes I think I heard something about Hiding code by manipulating the Process Environment Block or PEB. In anycase I never looked into it, but Im gonna take ur word its correct. One more thing though.

I found one mistake I think

Code:

if(ldr->InLoadOrderModuleList.Blink != 0)
                (ldr->InLoadOrderModuleList.Blink)->Flink = ldr->InLoadOrderModuleList.Flink;    
if(ldr->InLoadOrderModuleList.Blink != 0)
                (ldr->InLoadOrderModuleList.Flink)->Blink = ldr->InLoadOrderModuleList.Blink;

Should be

Code:

if(ldr->InLoadOrderModuleList.Blink != 0)
                (ldr->InLoadOrderModuleList.Blink)->Flink = ldr->InLoadOrderModuleList.Flink;    
if(ldr->InLoadOrderModuleList.Flink != 0)
                (ldr->InLoadOrderModuleList.Flink)->Blink = ldr->InLoadOrderModuleList.Blink;

Thanks for the share.

[Hell_Demon]

manual mapping > this =p

good share tho

[Astral Witch]

oh, sorry about that why, i guess i missed that. ;P