现在的位置: 首页 > 综合 > 正文

擦除模块痕迹

2013年12月07日 ⁄ 综合 ⁄ 共 5269字 ⁄ 字号 评论关闭

对于擦除模块痕迹,我实验了两种方法,下面一一阐述:

1.修改PEB结构,用代码说话

typedef struct _PEB_LDR_DATA
 {
  ULONG               Length;
  BOOLEAN             Initialized;
  BYTE    reserved[3];
  PVOID               SsHandle;
  LIST_ENTRY          InLoadOrderModuleList;
  LIST_ENTRY          InMemoryOrderModuleList;
  LIST_ENTRY          InInitializationOrderModuleList;
 } PEB_LDR_DATA, *PPEB_LDR_DATA;

 typedef struct _UNICODE_STRING
 {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR Buffer;
 } UNICODE_STRING, *PUNICODE_STRING;

 typedef struct _LDR_MODULE {
  LIST_ENTRY InLoadOrderModuleList;
  LIST_ENTRY InMemoryOrderModuleList;
  LIST_ENTRY InInitializationOrderModuleList;
  PVOID BaseAddress;
  PVOID EntryPoint;
  ULONG SizeOfImage;
  UNICODE_STRING FullDllName;
  UNICODE_STRING BaseDllName;
  ULONG Flags;
  SHORT LoadCount;
  SHORT TlsIndex;
  LIST_ENTRY HashTableEntry;
  ULONG TimeDateStamp;
 } LDR_MODULE, *PLDR_MODULE;


 typedef struct RTL_DRIVE_LETTER_CURDIR
 {
  USHORT              Flags;
  USHORT              Length;
  ULONG               TimeStamp;
  UNICODE_STRING      DosPath;
 } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

 typedef struct _RTL_USER_PROCESS_PARAMETERS
 {
  ULONG               AllocationSize;
  ULONG               Size;
  ULONG               Flags;
  ULONG               DebugFlags;
  HANDLE              hConsole;
  ULONG               ProcessGroup;
  HANDLE              hStdInput;
  HANDLE              hStdOutput;
  HANDLE              hStdError;
  UNICODE_STRING      CurrentDirectoryName;
  HANDLE              CurrentDirectoryHandle;
  UNICODE_STRING      DllPath;
  UNICODE_STRING      ImagePathName;
  UNICODE_STRING      CommandLine;
  PWSTR               Environment;
  ULONG               dwX;
  ULONG               dwY;
  ULONG               dwXSize;
  ULONG               dwYSize;
  ULONG               dwXCountChars;
  ULONG               dwYCountChars;
  ULONG               dwFillAttribute;
  ULONG               dwFlags;
  ULONG               wShowWindow;
  UNICODE_STRING      WindowTitle;
  UNICODE_STRING      Desktop;
  UNICODE_STRING      ShellInfo;
  UNICODE_STRING      RuntimeInfo;
  RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

 typedef VOID (_stdcall *PPEBLOCKROUTINE)(PVOID);

 typedef struct _PEB_FREE_BLOCK
 {
  struct _PEB_FREE_BLOCK* Next;
  ULONG Size;
 } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

 struct _NT_PEB 
 {
  BOOLEAN InheritedAddressSpace;
  BOOLEAN ReadImageFileExecOptions;
  BOOLEAN BeingDebugged;
  BOOLEAN Spare;
  HANDLE Mutant;
  PVOID ImageBaseAddress;
  PPEB_LDR_DATA LoaderData;
  PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
  PVOID SubSystemData;
  PVOID ProcessHeap;
  PVOID FastPebLock;
  PPEBLOCKROUTINE FastPebLockRoutine;
  PPEBLOCKROUTINE FastPebUnlockRoutine;
  ULONG EnvironmentUpdateCount;
  PVOID *KernelCallbackTable;
  PVOID EventLogSection;
  PVOID EventLog;
  PPEB_FREE_BLOCK FreeList;
  ULONG TlsExpansionCounter;
  PVOID TlsBitmap;
  ULONG TlsBitmapBits[0x2];
  PVOID ReadOnlySharedMemoryBase;
  PVOID ReadOnlySharedMemoryHeap;
  PVOID *ReadOnlyStaticServerData;
  PVOID AnsiCodePageData;
  PVOID OemCodePageData;
  PVOID UnicodeCaseTableData;
  ULONG NumberOfProcessors;
  ULONG NtGlobalFlag;
  BYTE Spare2[0x4];
  LARGE_INTEGER CriticalSectionTimeout;
  ULONG HeapSegmentReserve;
  ULONG HeapSegmentCommit;
  ULONG HeapDeCommitTotalFreeThreshold;
  ULONG HeapDeCommitFreeBlockThreshold;
  ULONG NumberOfHeaps;
  ULONG MaximumNumberOfHeaps;
  PVOID **ProcessHeaps;
  PVOID GdiSharedHandleTable;
  PVOID ProcessStarterHelper;
  PVOID GdiDCAttributeList;
  PVOID LoaderLock;
  ULONG OSMajorVersion;
  ULONG OSMinorVersion;
  ULONG OSBuildNumber;
  ULONG OSPlatformId;
  ULONG ImageSubSystem;
  ULONG ImageSubSystemMajorVersion;
  ULONG ImageSubSystemMinorVersion;
  ULONG GdiHandleBuffer[0x22];
  ULONG PostProcessInitRoutine;
  ULONG TlsExpansionBitmap;
  BYTE TlsExpansionBitmapBits[0x80];
  ULONG SessionId;
 };

 typedef struct _CLIENT_ID
 {
  HANDLE UniqueProcess;
  HANDLE UniqueThread;
 } CLIENT_ID, *PCLIENT_ID;

 typedef struct _GDI_TEB_BATCH
 {
  ULONG Offset;
  ULONG HDC;
  ULONG Buffer[0x136];
 } GDI_TEB_BATCH, *PGDI_TEB_BATCH;

 struct _NT_TEB
 {
  NT_TIB Tib;                         /* 00h */
  PVOID EnvironmentPointer;           /* 1Ch */
  CLIENT_ID Cid;                      /* 20h */
  PVOID ActiveRpcInfo;                /* 28h */
  PVOID ThreadLocalStoragePointer;    /* 2Ch */
  _NT_PEB *Peb;                       /* 30h */
  ULONG LastErrorValue;               /* 34h */
  ULONG CountOfOwnedCriticalSections; /* 38h */
  PVOID CsrClientThread;              /* 3Ch */
  void* Win32ThreadInfo;    /* 40h */
  ULONG Win32ClientInfo[0x1F];        /* 44h */
  PVOID WOW32Reserved;                /* C0h */
  LCID CurrentLocale;                 /* C4h */
  ULONG FpSoftwareStatusRegister;     /* C8h */
  PVOID SystemReserved1[0x36];        /* CCh */
  PVOID Spare1;                       /* 1A4h */
  LONG ExceptionCode;                 /* 1A8h */
  UCHAR SpareBytes1[0x28];            /* 1ACh */
  PVOID SystemReserved2[0xA];         /* 1D4h */
  GDI_TEB_BATCH GdiTebBatch;          /* 1FCh */
  ULONG gdiRgn;                       /* 6DCh */
  ULONG gdiPen;                       /* 6E0h */
  ULONG gdiBrush;                     /* 6E4h */
返回
【上篇】
【下篇】

作者:

抱歉!评论已关闭.

返回首页

Copyright © 2013-2018 学步园  保留所有权利.
软文销售 QQ客服:2265327166 点击这里给我发消息(其他合作也可洽谈)