
C++更改PEB中的BaseDllName

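/*
 * Replace the BaseDllName that the target process's loader reports for the
 * module mapped at BaseAddress.
 *
 * Walks PEB->Ldr->InLoadOrderModuleList in the process behind ProcessHandle,
 * finds the LDR_MODULE whose BaseAddress matches, allocates a fresh
 * PAGE_READWRITE region in the target, copies FileName into it and then
 * rewrites ONLY the BaseDllName UNICODE_STRING of that entry.
 *
 * ProcessHandle  handle with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
 *                PROCESS_VM_WRITE | PROCESS_VM_OPERATION.
 * BaseAddress    image base of the module whose entry is to be patched.
 * FileName       new name, UTF-16; a terminator is not required.
 * NameLength     length of FileName in BYTES (not characters), as expected
 *                by UNICODE_STRING.Length.
 *
 * Returns silently on any failure.  The target is only modified by the final
 * write, so a failure before it leaves the loader entry untouched (a region
 * allocated in the target may remain; it is not released here).
 *
 * Security notes: this edits user-mode loader bookkeeping only.  The mapped
 * section, its backing file name (NtQueryVirtualMemory / section name) and the
 * kernel's view of the VAD still describe the real image, so tools that walk
 * memory instead of the PEB lists are unaffected.  The loader lock is not
 * taken, so this races with concurrent LoadLibrary/FreeLibrary in the target.
 * A caller/target bitness (WoW64) mismatch is not handled: the PEB read here
 * must match the caller's own PEB/LDR_MODULE layout.
 */
void SetModuleBaseName(HANDLE ProcessHandle,void*BaseAddress,wchar_t*FileName,unsigned int NameLength)
{
    PROCESS_BASIC_INFORMATION PBI;
    PEB Peb;
    PEB_LDR_DATA Ldr;
    LDR_MODULE Dll;
    void *ListHead, *TargetAddr, *FieldAddr;
    void *NameBuf = 0;
    ULONG_PTR RegionSize;

    /* UNICODE_STRING.Length/MaximumLength are USHORT.  Refuse lengths that the
     * casts below would silently truncate (NameLength + terminator must fit). */
    if (FileName == 0 || NameLength == 0 || NameLength > 0xFFFC) return;

    /* Information class 0 is ProcessBasicInformation (yields PebBaseAddress). */
    if (NtQueryInformationProcess(ProcessHandle, 0, &PBI, sizeof(PBI), 0)) return;
    if (NtReadVirtualMemory(ProcessHandle, PBI.PebBaseAddress, &Peb, sizeof(Peb), 0)) return;
    /* Peb.Ldr is NULL in a process whose loader has not initialised yet. */
    if (Peb.Ldr == 0) return;
    if (NtReadVirtualMemory(ProcessHandle, Peb.Ldr, &Ldr, sizeof(Ldr), 0)) return;

    /* Address of the list head inside the TARGET's PEB_LDR_DATA.  This is
     * pointer arithmetic on the remote pointer, not a local dereference. */
    ListHead = (void*)&Peb.Ldr->InLoadOrderModuleList;
    TargetAddr = (void*)Ldr.InLoadOrderModuleList.Flink;
    for (;;) {
        /* Check for the head BEFORE reading, so an empty list (or the end of
         * the list) is never interpreted as an LDR_MODULE. */
        if (TargetAddr == ListHead || TargetAddr == 0) return;
        if (NtReadVirtualMemory(ProcessHandle, TargetAddr, &Dll, sizeof(Dll), 0)) return;
        if (Dll.BaseAddress == BaseAddress) break;
        TargetAddr = (void*)Dll.InLoadOrderModuleList.Flink;
    }

    /* Reserve room for a terminating NUL even when NameLength is an exact
     * multiple of the page size; fresh pages are zero-filled. */
    RegionSize = (ULONG_PTR)NameLength + sizeof(wchar_t);
    if (NtAllocateVirtualMemory(ProcessHandle, &NameBuf, 0, &RegionSize, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE)) return;
    if (NtWriteVirtualMemory(ProcessHandle, NameBuf, FileName, NameLength, 0)) return;

    Dll.BaseDllName.Buffer = (wchar_t*)NameBuf;
    Dll.BaseDllName.Length = (USHORT)NameLength;
    /* Advertise only the bytes we guarantee (string + NUL), not the
     * page-rounded region, which could exceed USHORT range. */
    Dll.BaseDllName.MaximumLength = (USHORT)(NameLength + sizeof(wchar_t));

    /* Write back only the UNICODE_STRING, not the whole stale LDR_MODULE
     * copy: the loader may have changed other fields (list links, flags,
     * load count) since we read the entry, and a full rewrite would clobber
     * them. */
    FieldAddr = (char*)TargetAddr + ((char*)&Dll.BaseDllName - (char*)&Dll);
    NtWriteVirtualMemory(ProcessHandle, FieldAddr, &Dll.BaseDllName, sizeof(Dll.BaseDllName), 0);
}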

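/*
 * Replace the FullDllName (full path) that the target process's loader
 * reports for the module mapped at BaseAddress.
 *
 * Walks PEB->Ldr->InLoadOrderModuleList in the process behind ProcessHandle,
 * finds the LDR_MODULE whose BaseAddress matches, allocates a fresh
 * PAGE_READWRITE region in the target, copies FileName into it and then
 * rewrites ONLY the FullDllName UNICODE_STRING of that entry.
 *
 * ProcessHandle  handle with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
 *                PROCESS_VM_WRITE | PROCESS_VM_OPERATION.
 * BaseAddress    image base of the module whose entry is to be patched.
 * FileName       new path, UTF-16; a terminator is not required.
 * NameLength     length of FileName in BYTES (not characters), as expected
 *                by UNICODE_STRING.Length.
 *
 * Returns silently on any failure.  The target is only modified by the final
 * write, so a failure before it leaves the loader entry untouched (a region
 * allocated in the target may remain; it is not released here).
 *
 * Security notes: this edits user-mode loader bookkeeping only.  The mapped
 * section, its backing file name (NtQueryVirtualMemory / section name) and the
 * kernel's view of the VAD still describe the real image, so tools that walk
 * memory instead of the PEB lists are unaffected.  The loader lock is not
 * taken, so this races with concurrent LoadLibrary/FreeLibrary in the target.
 * A caller/target bitness (WoW64) mismatch is not handled: the PEB read here
 * must match the caller's own PEB/LDR_MODULE layout.
 */
void SetModuleFullName(HANDLE ProcessHandle,void*BaseAddress,wchar_t*FileName,unsigned int NameLength)
{
    PROCESS_BASIC_INFORMATION PBI;
    PEB Peb;
    PEB_LDR_DATA Ldr;
    LDR_MODULE Dll;
    void *ListHead, *TargetAddr, *FieldAddr;
    void *NameBuf = 0;
    ULONG_PTR RegionSize;

    /* UNICODE_STRING.Length/MaximumLength are USHORT.  Refuse lengths that the
     * casts below would silently truncate (NameLength + terminator must fit). */
    if (FileName == 0 || NameLength == 0 || NameLength > 0xFFFC) return;

    /* Information class 0 is ProcessBasicInformation (yields PebBaseAddress). */
    if (NtQueryInformationProcess(ProcessHandle, 0, &PBI, sizeof(PBI), 0)) return;
    if (NtReadVirtualMemory(ProcessHandle, PBI.PebBaseAddress, &Peb, sizeof(Peb), 0)) return;
    /* Peb.Ldr is NULL in a process whose loader has not initialised yet. */
    if (Peb.Ldr == 0) return;
    if (NtReadVirtualMemory(ProcessHandle, Peb.Ldr, &Ldr, sizeof(Ldr), 0)) return;

    /* Address of the list head inside the TARGET's PEB_LDR_DATA.  This is
     * pointer arithmetic on the remote pointer, not a local dereference. */
    ListHead = (void*)&Peb.Ldr->InLoadOrderModuleList;
    TargetAddr = (void*)Ldr.InLoadOrderModuleList.Flink;
    for (;;) {
        /* Check for the head BEFORE reading, so an empty list (or the end of
         * the list) is never interpreted as an LDR_MODULE. */
        if (TargetAddr == ListHead || TargetAddr == 0) return;
        if (NtReadVirtualMemory(ProcessHandle, TargetAddr, &Dll, sizeof(Dll), 0)) return;
        if (Dll.BaseAddress == BaseAddress) break;
        TargetAddr = (void*)Dll.InLoadOrderModuleList.Flink;
    }

    /* Reserve room for a terminating NUL even when NameLength is an exact
     * multiple of the page size; fresh pages are zero-filled. */
    RegionSize = (ULONG_PTR)NameLength + sizeof(wchar_t);
    if (NtAllocateVirtualMemory(ProcessHandle, &NameBuf, 0, &RegionSize, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE)) return;
    if (NtWriteVirtualMemory(ProcessHandle, NameBuf, FileName, NameLength, 0)) return;

    Dll.FullDllName.Buffer = (wchar_t*)NameBuf;
    Dll.FullDllName.Length = (USHORT)NameLength;
    /* Advertise only the bytes we guarantee (string + NUL), not the
     * page-rounded region, which could exceed USHORT range. */
    Dll.FullDllName.MaximumLength = (USHORT)(NameLength + sizeof(wchar_t));

    /* Write back only the UNICODE_STRING, not the whole stale LDR_MODULE
     * copy: the loader may have changed other fields (list links, flags,
     * load count) since we read the entry, and a full rewrite would clobber
     * them. */
    FieldAddr = (char*)TargetAddr + ((char*)&Dll.FullDllName - (char*)&Dll);
    NtWriteVirtualMemory(ProcessHandle, FieldAddr, &Dll.FullDllName, sizeof(Dll.FullDllName), 0);
}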


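/* Usage example.  PID 2024 and base 0x77e50000 are placeholder values from the
 * post; substitute the real target PID and the module's actual image base.
 * PROCESS_VM_OPERATION is required because the helpers allocate memory in
 * the target (NtAllocateVirtualMemory), not just read/write it. */
HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION, 0, 2024);
if (h) {
    /* NameLength is a BYTE count of UTF-16 code units, not a character count.
     * Derive it from the literal so it cannot drift from the string
     * (L"asdasd" -> 12, L"c:\\windows\\explorer.exe" -> 46). */
    wchar_t BaseName[] = L"asdasd";
    wchar_t FullName[] = L"c:\\windows\\explorer.exe";
    SetModuleBaseName(h, (void*)0x77e50000, BaseName, sizeof(BaseName) - sizeof(wchar_t));
    SetModuleFullName(h, (void*)0x77e50000, FullName, sizeof(FullName) - sizeof(wchar_t));
    /* Release the handle once the loader entry has been patched. */
    CloseHandle(h);
}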