Fonger · September 6, 2024 15:43
diff --git a/HideModule.cpp b/HideModule.cpp
 #include "stdafx.h"
 #include "HideModule.h"

 std::vector<UNLINKED_MODULE> UnlinkedModules;

 void RelinkModuleToPEB(HMODULE hModule)
 {
 	std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));

 	if (it == UnlinkedModules.end())
 	{
 		//DBGOUT(TEXT("Module Not Unlinked Yet!"));
 		return;
 	}
 	UNLINKED_MODULE m = *it;
 	RELINK(m.Entry->InLoadOrderModuleList, m.RealInLoadOrderLinks);
 	RELINK(m.Entry->InInitializationOrderModuleList, m.RealInInitializationOrderLinks);
 	RELINK(m.Entry->InMemoryOrderModuleList, m.RealInMemoryOrderLinks);
 	UnlinkedModules.erase(it);
 }

 void UnlinkModuleFromPEB(HMODULE hModule)
 {
 	std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
 	if (it != UnlinkedModules.end())
 	{
 		//DBGOUT(TEXT("Module Already Unlinked!"));
 		return;
 	}

 #ifdef _WIN64
 	PPEB pPEB = (PPEB)__readgsqword(0x60);
 #else
 	PPEB pPEB = (PPEB)__readfsdword(0x30);
 #endif
 	PLIST_ENTRY CurrentEntry = pPEB->Ldr->InLoadOrderModuleList.Flink;
 	PLDR_MODULE Current = NULL;
 	while (CurrentEntry != &pPEB->Ldr->InLoadOrderModuleList && CurrentEntry != NULL)
 	{
 		Current = CONTAINING_RECORD(CurrentEntry, LDR_MODULE, InLoadOrderModuleList);
 		if (Current->BaseAddress == hModule)
 		{
 			UNLINKED_MODULE CurrentModule = { 0 };
 			CurrentModule.hModule = hModule;
 			CurrentModule.RealInLoadOrderLinks = Current->InLoadOrderModuleList.Blink->Flink;
 			CurrentModule.RealInInitializationOrderLinks = Current->InInitializationOrderModuleList.Blink->Flink;
 			CurrentModule.RealInMemoryOrderLinks = Current->InMemoryOrderModuleList.Blink->Flink;
 			CurrentModule.Entry = Current;
 			UnlinkedModules.push_back(CurrentModule);

 			UNLINK(Current->InLoadOrderModuleList);
 			UNLINK(Current->InInitializationOrderModuleList);
 			UNLINK(Current->InMemoryOrderModuleList);

 			break;
 		}

 		CurrentEntry = CurrentEntry->Flink;
 	}
 }


 void RemovePeHeader(HANDLE GetModuleBase)
 {
 	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)GetModuleBase;
 	PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader + (DWORD)pDosHeader->e_lfanew);

 	if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
 		return;

 	if (pNTHeader->FileHeader.SizeOfOptionalHeader)
 	{
 		DWORD Protect;
 		WORD Size = pNTHeader->FileHeader.SizeOfOptionalHeader;
 		VirtualProtect((void*)GetModuleBase, Size, PAGE_EXECUTE_READWRITE, &Protect);
 		SecureZeroMemory((void*)GetModuleBase, Size);
 		VirtualProtect((void*)GetModuleBase, Size, Protect, &Protect);
 	}
 }
diff --git a/HideModule.h b/HideModule.h
 #pragma once
 #include <vector>
 #include <algorithm>

 typedef struct _UNICODE_STRING {
 	USHORT Length;
 	USHORT MaximumLength;
 	PWCH   Buffer;
 } UNICODE_STRING;
 typedef UNICODE_STRING *PUNICODE_STRING;

 typedef struct _PEB_LDR_DATA {
 	ULONG      Length;
 	BOOLEAN    Initialized;
 	PVOID      SsHandle;
 	LIST_ENTRY InLoadOrderModuleList;
 	LIST_ENTRY InMemoryOrderModuleList;
 	LIST_ENTRY InInitializationOrderModuleList;
 } PEB_LDR_DATA, *PPEB_LDR_DATA;


 typedef struct _PEB {
 #ifdef _WIN64
 	UINT8 _PADDING_[24];
 #else
 	UINT8 _PADDING_[12];
 #endif
 	PEB_LDR_DATA* Ldr;
 } PEB, *PPEB;
 typedef struct _LDR_MODULE
 {
 	LIST_ENTRY      InLoadOrderModuleList;
 	LIST_ENTRY      InMemoryOrderModuleList;
 	LIST_ENTRY      InInitializationOrderModuleList;
 	PVOID           BaseAddress;
 	PVOID           EntryPoint;
 	ULONG           SizeOfImage;
 	UNICODE_STRING  FullDllName;
 	UNICODE_STRING  BaseDllName;
 	ULONG           Flags;
 	SHORT           LoadCount;
 	SHORT           TlsIndex;
 	LIST_ENTRY      HashTableEntry;
 	ULONG           TimeDateStamp;
 } LDR_MODULE, *PLDR_MODULE;

 typedef struct _UNLINKED_MODULE
 {
 	HMODULE hModule;
 	PLIST_ENTRY RealInLoadOrderLinks;
 	PLIST_ENTRY RealInMemoryOrderLinks;
 	PLIST_ENTRY RealInInitializationOrderLinks;
 	PLDR_MODULE Entry; // =PLDR_DATA_TABLE_ENTRY
 } UNLINKED_MODULE;

 #define UNLINK(x)					\
 	(x).Flink->Blink = (x).Blink;	\
 	(x).Blink->Flink = (x).Flink;

 #define RELINK(x, real)			\
 	(x).Flink->Blink = (real);	\
 	(x).Blink->Flink = (real);	\
 	(real)->Blink = (x).Blink;	\
 	(real)->Flink = (x).Flink;

 struct FindModuleHandle
 {
 	HMODULE m_hModule;
 	FindModuleHandle(HMODULE hModule) : m_hModule(hModule)
 	{
 	}
 	bool operator() (UNLINKED_MODULE const &Module) const
 	{
 		return (Module.hModule == m_hModule);
 	}
 };

 void UnlinkModuleFromPEB(HMODULE hModule);
 void RelinkModuleToPEB(HMODULE hModule);
 void RemovePeHeader(HANDLE GetModuleBase);
	#include "stdafx.h"
	#include "HideModule.h"

	std::vector<UNLINKED_MODULE> UnlinkedModules;

	void RelinkModuleToPEB(HMODULE hModule)
	{
	std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));

	if (it == UnlinkedModules.end())
	{
	//DBGOUT(TEXT("Module Not Unlinked Yet!"));
	return;
	}
	UNLINKED_MODULE m = *it;
	RELINK(m.Entry->InLoadOrderModuleList, m.RealInLoadOrderLinks);
	RELINK(m.Entry->InInitializationOrderModuleList, m.RealInInitializationOrderLinks);
	RELINK(m.Entry->InMemoryOrderModuleList, m.RealInMemoryOrderLinks);
	UnlinkedModules.erase(it);
	}

	void UnlinkModuleFromPEB(HMODULE hModule)
	{
	std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
	if (it != UnlinkedModules.end())
	{
	//DBGOUT(TEXT("Module Already Unlinked!"));
	return;
	}

	#ifdef _WIN64
	PPEB pPEB = (PPEB)__readgsqword(0x60);
	#else
	PPEB pPEB = (PPEB)__readfsdword(0x30);
	#endif
	PLIST_ENTRY CurrentEntry = pPEB->Ldr->InLoadOrderModuleList.Flink;
	PLDR_MODULE Current = NULL;
	while (CurrentEntry != &pPEB->Ldr->InLoadOrderModuleList && CurrentEntry != NULL)
	{
	Current = CONTAINING_RECORD(CurrentEntry, LDR_MODULE, InLoadOrderModuleList);
	if (Current->BaseAddress == hModule)
	{
	UNLINKED_MODULE CurrentModule = { 0 };
	CurrentModule.hModule = hModule;
	CurrentModule.RealInLoadOrderLinks = Current->InLoadOrderModuleList.Blink->Flink;
	CurrentModule.RealInInitializationOrderLinks = Current->InInitializationOrderModuleList.Blink->Flink;
	CurrentModule.RealInMemoryOrderLinks = Current->InMemoryOrderModuleList.Blink->Flink;
	CurrentModule.Entry = Current;
	UnlinkedModules.push_back(CurrentModule);

	UNLINK(Current->InLoadOrderModuleList);
	UNLINK(Current->InInitializationOrderModuleList);
	UNLINK(Current->InMemoryOrderModuleList);

	break;
	}

	CurrentEntry = CurrentEntry->Flink;
	}
	}


	void RemovePeHeader(HANDLE GetModuleBase)
	{
	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)GetModuleBase;
	PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader + (DWORD)pDosHeader->e_lfanew);

	if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
	return;

	if (pNTHeader->FileHeader.SizeOfOptionalHeader)
	{
	DWORD Protect;
	WORD Size = pNTHeader->FileHeader.SizeOfOptionalHeader;
	VirtualProtect((void*)GetModuleBase, Size, PAGE_EXECUTE_READWRITE, &Protect);
	SecureZeroMemory((void*)GetModuleBase, Size);
	VirtualProtect((void*)GetModuleBase, Size, Protect, &Protect);
	}
	}
	#pragma once
	#include <vector>
	#include <algorithm>

	typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWCH Buffer;
	} UNICODE_STRING;
	typedef UNICODE_STRING *PUNICODE_STRING;

	typedef struct _PEB_LDR_DATA {
	ULONG Length;
	BOOLEAN Initialized;
	PVOID SsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	} PEB_LDR_DATA, *PPEB_LDR_DATA;


	typedef struct _PEB {
	#ifdef _WIN64
	UINT8 _PADDING_[24];
	#else
	UINT8 _PADDING_[12];
	#endif
	PEB_LDR_DATA* Ldr;
	} PEB, *PPEB;
	typedef struct _LDR_MODULE
	{
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID BaseAddress;
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STRING FullDllName;
	UNICODE_STRING BaseDllName;
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
	} LDR_MODULE, *PLDR_MODULE;

	typedef struct _UNLINKED_MODULE
	{
	HMODULE hModule;
	PLIST_ENTRY RealInLoadOrderLinks;
	PLIST_ENTRY RealInMemoryOrderLinks;
	PLIST_ENTRY RealInInitializationOrderLinks;
	PLDR_MODULE Entry; // =PLDR_DATA_TABLE_ENTRY
	} UNLINKED_MODULE;

	#define UNLINK(x) \
	(x).Flink->Blink = (x).Blink; \
	(x).Blink->Flink = (x).Flink;

	#define RELINK(x, real) \
	(x).Flink->Blink = (real); \
	(x).Blink->Flink = (real); \
	(real)->Blink = (x).Blink; \
	(real)->Flink = (x).Flink;

	struct FindModuleHandle
	{
	HMODULE m_hModule;
	FindModuleHandle(HMODULE hModule) : m_hModule(hModule)
	{
	}
	bool operator() (UNLINKED_MODULE const &Module) const
	{
	return (Module.hModule == m_hModule);
	}
	};

	void UnlinkModuleFromPEB(HMODULE hModule);
	void RelinkModuleToPEB(HMODULE hModule);
	void RemovePeHeader(HANDLE GetModuleBase);