Thread: Hiding DLL

  1. #1
    almar2023's Avatar

    Hiding DLL

    Been Back Coding For FPS and now its for Crossfire, But I'm Having a Big Problem and Did Search with Lot Of Effort...


    OK.. I'll Get You To the point..
    As Far as i know... Xtrap Scans for injected DLL..
    And im having a big trouble hiding my module...
    So My Question is.. How Do They Hide their Module so they can cloak From Xtrap's Scan..



    Thanks...

  2. #2
    TrollSide's Avatar
    Quote Originally Posted by almar2023 View Post
    Been Back Coding For FPS and now its for Crossfire, But I'm Having a Big Problem and Did Search with Lot Of Effort...


    OK.. I'll Get You To the point..
    As Far as i know... Xtrap Scans for injected DLL..
    And im having a big trouble hiding my module...
    So My Question is.. How Do They Hide their Module so they can cloak From Xtrap's Scan..



    Thanks...
    Disabling Thread Library Calls (Windows CE 5.0)

  3. #3
    almar2023's Avatar
    Thanks for the fast reply, but it is still detected: when I look at the enumerated DLLs, my module is still there.

    BTW im with Windows 7


    Code:
    // Worker loop started from DllMain. It never returns: twice a second it
    // checks the INSERT key and, if the key was pressed since the previous
    // check, shows a test message box.
    void MytreadsHook()
    {
        while (1)
        {
            // Bit 0 of GetAsyncKeyState reports "pressed since the last call".
            int pressedSinceLastPoll = GetAsyncKeyState(VK_INSERT) & 1;

            if (pressedSinceLastPoll != 0)
                MessageBox(0, "I'm Here", "Test", MB_OK);

            Sleep(500);    // poll interval in milliseconds
        }
    }
    
    
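    // DLL entry point. On DLL_PROCESS_ATTACH it disables per-thread
    // attach/detach notifications for this module, shows a test message box and
    // starts the MytreadsHook polling thread. All other reasons are ignored.
    // Always returns TRUE.
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved)
    {
        UNREFERENCED_PARAMETER(lpReserved);

        switch (ulReason)
        {
        case DLL_PROCESS_ATTACH:
        {
            HANDLE hThread;

            // Only suppresses DLL_THREAD_ATTACH / DLL_THREAD_DETACH calls into
            // this module. It does not change how the module is listed, so the
            // DLL still appears in module enumeration afterwards.
            DisableThreadLibraryCalls(hModule);

            // NOTE(review): DllMain runs under the loader lock; a blocking UI
            // call here can deadlock the process. Kept because it is the
            // author's test marker.
            MessageBox(0, "Injected", "Test", MB_OK);

            // Stack size and creation flags are numeric, so pass 0 rather than NULL.
            // NOTE(review): MytreadsHook is declared void(void); the cast hides
            // the mismatch with the DWORD WINAPI (LPVOID) thread-procedure type.
            hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MytreadsHook, NULL, 0, NULL);
            if (hThread != NULL)
            {
                // The handle is never used again; close it so it is not leaked.
                // Closing the handle does not stop the thread.
                CloseHandle(hThread);
            }
            break;
        }
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }

        return (TRUE);
    }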

  4. #4
    Flengo's Avatar
    Since you specifically mentioned "HideModule" this might help. Haven't tested it on CF & XTrap.

    Code:
    // HideModule: unlinks the loader entry whose base address equals hModule
    // from the three doubly linked module lists reachable from the PEB
    // (load order, memory order, initialization order).
    //
    // 32-bit x86 / MSVC inline asm only: the PEB is read through fs:[30h] and
    // every structure offset below is hard-coded for that layout.
    //
    // Review note (defender's view): only list links are rewritten here. The
    // mapped image itself is not touched, so the module stays visible to any
    // enumeration that does not depend on these lists (for example, walking the
    // process's memory regions). A mapped image that has no matching entry in
    // the loader lists is a useful detection signal. A later reply in this
    // thread reports the module is still detected after using this routine.
    void HideModule( HINSTANCE hModule )
    {
    	DWORD dwPEB_LDR_DATA = 0;			// PEB_LDR_DATA pointer, reused by all three passes
    
    	_asm
    	{
    		pushad;
    		pushfd;
    		mov eax, fs:[30h]					// EAX = PEB (pointer stored at fs:[30h] on 32-bit)
    		mov eax, [eax+0Ch]					// EAX = PEB->Ldr (PEB_LDR_DATA)
    		mov dwPEB_LDR_DATA, eax				// keep it for the two later passes
    
    InLoadOrderModuleList:
    		mov esi, [eax+0Ch]					// ESI = InLoadOrderModuleList.Flink (first entry)
    		mov edx, [eax+10h]					// EDX = InLoadOrderModuleList.Blink (last entry), loop stop value
    
    LoopInLoadOrderModuleList: 
    		lodsd								// EAX = [ESI] = Flink of current node; assumes DF is clear
    			mov esi, eax		    			// ESI = the node just loaded (now the current node)
    			mov ecx, [eax+18h]		    		// ECX = base address of this entry (18h from InLoadOrderLinks)
    		cmp ecx, hModule		    		// is this the entry for hModule?
    			jne SkipA		    		    	// no: go to the end-of-list check
    			mov ebx, [eax]						// EBX = entry->Flink (next node)
    		mov ecx, [eax+4]    		    	// ECX = entry->Blink (previous node)
    		mov [ecx], ebx						// previous->Flink = next
    			mov [ebx+4], ecx					// next->Blink = previous; entry is no longer on this list
    			jmp InMemoryOrderModuleList			// done with this list, process the next one
    SkipA:
    		cmp edx, esi						// current node == last entry?
    			jne LoopInLoadOrderModuleList		// no: keep walking
    
    InMemoryOrderModuleList:
    		mov eax, dwPEB_LDR_DATA				// EAX = PEB_LDR_DATA again
    			mov esi, [eax+14h]					// ESI = InMemoryOrderModuleList.Flink
    		mov edx, [eax+18h]					// EDX = InMemoryOrderModuleList.Blink
    
    LoopInMemoryOrderModuleList: 
    		lodsd								// same walk as above, on the memory-order links
    			mov esi, eax
    			mov ecx, [eax+10h]					// base address, 10h from InMemoryOrderLinks
    		cmp ecx, hModule
    			jne SkipB
    			mov ebx, [eax] 						// next node
    		mov ecx, [eax+4]					// previous node
    		mov [ecx], ebx						// previous->Flink = next
    			mov [ebx+4], ecx					// next->Blink = previous
    			jmp InInitializationOrderModuleList
    SkipB:
    		cmp edx, esi						// stop once the last entry has been checked
    			jne LoopInMemoryOrderModuleList
    
    InInitializationOrderModuleList:
    		mov eax, dwPEB_LDR_DATA				     // EAX = PEB_LDR_DATA again
    			mov esi, [eax+1Ch]						 // ESI = InInitializationOrderModuleList.Flink
    		mov edx, [eax+20h]						 // EDX = InInitializationOrderModuleList.Blink
    
    LoopInInitializationOrderModuleList: 
    		lodsd								// same walk, on the initialization-order links
    			mov esi, eax		
    			mov ecx, [eax+08h]					// base address, 08h from InInitializationOrderLinks
    		cmp ecx, hModule		
    			jne SkipC
    			mov ebx, [eax] 						// next node
    		mov ecx, [eax+4]					// previous node
    		mov [ecx], ebx						// previous->Flink = next
    			mov [ebx+4], ecx					// next->Blink = previous
    			jmp Finished
    SkipC:
    		cmp edx, esi						// stop once the last entry has been checked
    			jne LoopInInitializationOrderModuleList
    
    Finished:
    		popfd;
    		popad;
    	}
    }


  5. #5
    almar2023's Avatar
    Already tried that method and that code, but it still gets detected...
