Thread: Module Hiding

  1. #1
    NullStub (Guest)

    Module Hiding

    Since VAC scans all files in running memory, we need to somehow fake it.
    This is done by showing VAC that our dll was NEVER injected into the process!
    The deception is possible in ring 3 since the kernel maintains a list of
    each loaded DLL for a given process inside its memory space, in userland.
    Therefore a process may affect itself and overwrite parts of its memory
    in order to hide one of its modules. These data structures are of course
    undocumented but can be recovered by using the Process Environment Block
    (PEB), located at FS:0x30 inside each process. The function below returns
    the address of the PEB for the current process.

    Code:
    DWORD GetPEB()
    {
        DWORD dwPebBase = NULL;

        /* Return PEB address for current process
           address is located at FS:0x30 */
        __asm
        {
            push eax
            mov eax, FS:[0x30]
            mov [dwPebBase], eax
            pop eax
        }
        return (DWORD)dwPebBase;
    }

    The role of the PEB is to gather frequently accessed information for a
    process, as follows. At address FS:0x30 (or 0x7FFDF000) stand the
    following members of the PEB.

    Code:
    /* located at 0x7FFDF000 */
    typedef struct _PEB
    {
        BOOLEAN                 InheritedAddressSpace;
        BOOLEAN                 ReadImageFileExecOptions;
        BOOLEAN                 BeingDebugged;
        BOOLEAN                 Spare;
        HANDLE                  Mutant;
        PVOID                   ImageBaseAddress;
        PPEB_LDR_DATA           LoaderData;
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
        /* [...] */
        ULONG                   SessionId;
    } PEB, *PPEB;

    The interesting member in our case is PPEB_LDR_DATA LoaderData, which
    contains information filled in by the loader at startup and then whenever
    a DLL is loaded or unloaded.

    Code:
    typedef struct _PEB_LDR_DATA
    {
        ULONG                   Length;
        BOOLEAN                 Initialized;
        PVOID                   SsHandle;
        LIST_ENTRY              InLoadOrderModuleList;
        LIST_ENTRY              InMemoryOrderModuleList;
        LIST_ENTRY              InInitializationOrderModuleList;
    } PEB_LDR_DATA, *PPEB_LDR_DATA;

    The PEB_LDR_DATA structure contains three LIST_ENTRY members that are part
    of doubly linked lists gathering information on the DLLs loaded in the
    current process. InLoadOrderModuleList sorts modules in load order,
    InMemoryOrderModuleList in memory order, and InInitializationOrderModuleList
    keeps track of their load order since process start.

    These doubly linked lists contain pointers to the LDR_MODULE structures of
    the next and previous modules.

    Code:
    typedef struct _LDR_MODULE
    {
        LIST_ENTRY              InLoadOrderModuleList;
        LIST_ENTRY              InMemoryOrderModuleList;
        LIST_ENTRY              InInitializationOrderModuleList;
        PVOID                   BaseAddress;
        PVOID                   EntryPoint;
        ULONG                   SizeOfImage;
        UNICODE_STRING          FullDllName;
        UNICODE_STRING          BaseDllName;
        ULONG                   Flags;
        SHORT                   LoadCount;
        SHORT                   TlsIndex;
        LIST_ENTRY              HashTableEntry;
        ULONG                   TimeDateStamp;
    } LDR_MODULE, *PLDR_MODULE;

    The following code demonstrates how to walk one of the lists and throw
    a module away according to its name (szDllToStrip).

    Code:
    /*  Walks one of the three modules double linked lists referenced by the
        PEB  (error check stripped)
        ModuleListType is an internal flag to determine on which list to operate :
        LOAD_ORDER_TYPE <---> InLoadOrderModuleList
        MEM_ORDER_TYPE  <---> InMemoryOrderModuleList
        INIT_ORDER_TYPE <---> InInitializationOrderModuleList
    */
    /* Definitions the function relies on but that the post left out:
       the three flag values are arbitrary distinct tags, the two offsets
       describe a 32-bit process, BUFMAXLEN and FUNC_SUCCESS are filled in
       here with plausible values. */
    #define LOAD_ORDER_TYPE              0
    #define MEM_ORDER_TYPE               1
    #define INIT_ORDER_TYPE              2
    #define PEB_LDR_DATA_OFFSET          0x0C   /* PEB->LoaderData         */
    #define LDR_DATA_PATHFILENAME_OFFSET 0x24   /* LDR_MODULE->FullDllName */
    #define BUFMAXLEN                    256
    #define FUNC_SUCCESS                 1
    #define LOWCASE(c) (((c) >= 'A' && (c) <= 'Z') ? ((c) + ('a' - 'A')) : (c))

    int WalkModuleList(char ModuleListType, char *szDllToStrip)
    {
        int i;    /* internal counter */
        DWORD PebBaseAddr, dwOffset = 0;

        /* Module list head and iterating pointer */
        PLIST_ENTRY pUserModuleListHead, pUserModuleListPtr;

        /* PEB->PEB_LDR_DATA */
        PPEB_LDR_DATA pLdrData;

        /* Module(s) name in UNICODE/ANSI */
        PUNICODE_STRING pImageName;
        char szImageName[BUFMAXLEN];

        /* First, get Process Environment Block */
        PebBaseAddr = GetPEB();

        /* Compute PEB->PEB_LDR_DATA */
        pLdrData = (PPEB_LDR_DATA)(*(DWORD *)(PebBaseAddr + PEB_LDR_DATA_OFFSET));

        /* Init linked list head and offset in LDR_MODULE structure */
        if(ModuleListType == LOAD_ORDER_TYPE)
        {
            /* InLoadOrderModuleList */
            pUserModuleListHead = pUserModuleListPtr =
                (PLIST_ENTRY)(&(pLdrData->InLoadOrderModuleList));
            dwOffset = 0x0;
        } else if(ModuleListType == MEM_ORDER_TYPE)
        {
            /* InMemoryOrderModuleList */
            pUserModuleListHead = pUserModuleListPtr =
                (PLIST_ENTRY)(&(pLdrData->InMemoryOrderModuleList));
            dwOffset = 0x08;
        } else if(ModuleListType == INIT_ORDER_TYPE)
        {
            /* InInitializationOrderModuleList */
            pUserModuleListHead = pUserModuleListPtr =
                (PLIST_ENTRY)(&(pLdrData->InInitializationOrderModuleList));
            dwOffset = 0x10;
        }

        /* Now walk the selected list */
        do
        {
            /* Jump to next LDR_MODULE structure */
            pUserModuleListPtr = pUserModuleListPtr->Flink;
            /* The LIST_ENTRY sits dwOffset bytes into the LDR_MODULE, so
               FullDllName is at (entry - dwOffset) + PATHFILENAME_OFFSET */
            pImageName = (PUNICODE_STRING)(
                             ((DWORD)(pUserModuleListPtr)) +
                             (LDR_DATA_PATHFILENAME_OFFSET - dwOffset));

            /* Decode unicode string to lower case on the fly
               (Length is in bytes, hence the /2; keep room for the NUL) */
            for(i = 0; i < (pImageName->Length)/2 && i < BUFMAXLEN-1; i++)
                szImageName[i] = (char)LOWCASE(*((pImageName->Buffer) + i));
            /* Null terminated string */
            szImageName[i] = '\0';

            /* Check if it's target DLL */
            if( strstr((char*)szImageName, szDllToStrip) != NULL )
            {
                /* Hide this dll : throw this module away (out of
                   the double linked list) */
                (pUserModuleListPtr->Blink)->Flink =
                    (pUserModuleListPtr->Flink);
                (pUserModuleListPtr->Flink)->Blink =
                    (pUserModuleListPtr->Blink);
                /* Here we may also overwrite memory to prevent
                   recovering (paranoid only ;p) */
            }
        } while(pUserModuleListPtr->Flink != pUserModuleListHead);

        return FUNC_SUCCESS;
    }


    To process the three linked lists, the cheat calls the HideDll function
    below.
    Code:
    int HideDll(char *szDllName)
    {
        return (    WalkModuleList(LOAD_ORDER_TYPE, szDllName)
                 && WalkModuleList(MEM_ORDER_TYPE,  szDllName)
                 && WalkModuleList(INIT_ORDER_TYPE, szDllName) );
    }


    Last edited by NullStub; 08-25-2004 at 07:56 PM.
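The walk-and-unlink above can be exercised without Windows. What follows is an added example, not the post's code and not NtIllusion's: it models the loader lists in plain C (a char* stands in for UNICODE_STRING, only the three list heads of PEB_LDR_DATA are kept, module names are constructed), links three modules into all three lists the way the loader does, unlinks one with the same "entry minus list offset" arithmetic WalkModuleList uses, and then runs the check a scanner can run against this trick: comparing the three lists with each other. A module unlinked from only one list is caught at once; one removed from all three is not, which is why HideDll walks all three. All function names are the example's own.

```c
#include <stddef.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Constructed model (not the Windows struct): LDR_MODULE as in the post, char* name */
typedef struct {
    LIST_ENTRY  InLoadOrderModuleList;
    LIST_ENTRY  InMemoryOrderModuleList;
    LIST_ENTRY  InInitializationOrderModuleList;
    const char *FullDllName;
} LDR_MODULE;

/* Only the three heads of PEB_LDR_DATA (Length/Initialized/SsHandle dropped). */
typedef struct { LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList,
                 InInitializationOrderModuleList; } PEB_LDR_DATA;
enum { LOAD_ORDER_TYPE = 0, MEM_ORDER_TYPE = 1, INIT_ORDER_TYPE = 2 };

/* The post's dwOffset: byte offset of the selected LIST_ENTRY in either struct. */
static const size_t LIST_OFF[3] = { offsetof(LDR_MODULE, InLoadOrderModuleList),
    offsetof(LDR_MODULE, InMemoryOrderModuleList),
    offsetof(LDR_MODULE, InInitializationOrderModuleList) };
static LIST_ENTRY *list_head(PEB_LDR_DATA *ldr, int t)
{ return (LIST_ENTRY *)((char *)ldr + LIST_OFF[t]); }
/* entry -> containing module: the "ptr - dwOffset" step of WalkModuleList */
static LDR_MODULE *entry_to_module(LIST_ENTRY *e, int t)
{ return (LDR_MODULE *)((char *)e - LIST_OFF[t]); }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e)
{ e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }

/* WalkModuleList equivalent; Flink is saved first so the walk never follows a detached node */
static int unlink_from_list(PEB_LDR_DATA *ldr, int t, const char *needle)
{
    LIST_ENTRY *head = list_head(ldr, t), *cur = head->Flink; int removed = 0;
    while (cur != head) {
        LIST_ENTRY *next = cur->Flink;
        if (strstr(entry_to_module(cur, t)->FullDllName, needle)) {
            cur->Blink->Flink = cur->Flink;   /* the post's two pointer writes */
            cur->Flink->Blink = cur->Blink;
            cur->Flink = cur->Blink = cur;    /* leave the node self-linked */
            removed++;
        }
        cur = next;
    }
    return removed;
}

static int count_in_list(PEB_LDR_DATA *ldr, int t, const char *needle)
{
    int n = 0;
    for (LIST_ENTRY *h = list_head(ldr, t), *c = h->Flink; c != h; c = c->Flink)
        if (strstr(entry_to_module(c, t)->FullDllName, needle)) n++;
    return n;
}

/* Cross-list check a scanner can run: the loader keeps the three lists in
 * step, so a name present in some lists but not others was unlinked by hand. */
static int inconsistent_lists(PEB_LDR_DATA *ldr, const char *needle)
{
    int a = count_in_list(ldr, LOAD_ORDER_TYPE, needle);
    return a != count_in_list(ldr, MEM_ORDER_TYPE, needle)
        || a != count_in_list(ldr, INIT_ORDER_TYPE, needle);
}

/* Constructed sample process, each module linked into all three lists as the loader does */
static void build_demo(PEB_LDR_DATA *ldr, LDR_MODULE mods[3])
{
    static const char *names[3] = { "c:\\games\\hl.exe",
        "c:\\windows\\system32\\kernel32.dll", "c:\\games\\cheat.dll" };
    for (int t = LOAD_ORDER_TYPE; t <= INIT_ORDER_TYPE; t++)
        list_head(ldr, t)->Flink = list_head(ldr, t)->Blink = list_head(ldr, t);
    for (int i = 0; i < 3; i++) {
        mods[i].FullDllName = names[i];
        for (int t = LOAD_ORDER_TYPE; t <= INIT_ORDER_TYPE; t++)
            list_append(list_head(ldr, t), (LIST_ENTRY *)((char *)&mods[i] + LIST_OFF[t]));
    }
}

/* HideDll equivalent: 1 when the DLL is gone from all lists, neighbours intact, check blind */
static int demo_hide_all(void)
{
    PEB_LDR_DATA ldr; LDR_MODULE mods[3]; int removed = 0; build_demo(&ldr, mods);
    for (int t = LOAD_ORDER_TYPE; t <= INIT_ORDER_TYPE; t++)
        removed += unlink_from_list(&ldr, t, "cheat.dll");
    return removed == 3 && !count_in_list(&ldr, INIT_ORDER_TYPE, "cheat.dll")
        && count_in_list(&ldr, MEM_ORDER_TYPE, "kernel32.dll") == 1
        && !inconsistent_lists(&ldr, "cheat.dll");
}

/* Unlinking from one list only: the mistake the cross-list check catches. */
static int demo_hide_partial(void)
{
    PEB_LDR_DATA ldr; LDR_MODULE mods[3]; build_demo(&ldr, mods);
    unlink_from_list(&ldr, LOAD_ORDER_TYPE, "cheat.dll");
    return inconsistent_lists(&ldr, "cheat.dll");   /* 1: tampering visible */
}

int main(void) { return !(demo_hide_all() && demo_hide_partial()); }  /* exit 0 = both pass */
```

The cross-list check only sees half-done hiding. A DLL unlinked from all three lists, which is what HideDll does, leaves the PEB self-consistent, so a scanner that wants to find it cannot trust the PEB at all and has to walk the address space itself (VirtualQuery over the process and a look for PE headers in the committed regions) rather than asking the loader what is mapped.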

  2. #2
    Join Date
    Jan 2003
    Posts
    392
    are you the original author of this code?

    http://www.phrack.org/show.php?p=62&a=12

  3. #3
    Join Date
    Nov 2003
    Location
    Xen's basement
    Posts
    1,385
    Quote Originally Posted by amateur
    are you the original author of this code?

    http://www.phrack.org/show.php?p=62&a=12
    Of course he isn't.
    Good job finding the link to the real article and author.
    Last edited by sp0rky; 08-26-2004 at 12:54 AM.
    This was the very definition of eternal punishment. Hell is the unreserved, profound despair and regret at the pain we have caused to those we love…
    Speaking is not communication.

  4. #4
    Join Date
    Jun 2003
    Location
    java.parseFloat.*;
    Posts
    1,243
    This one seems wrong, I just can't put my finger on it. Maybe it's the fact that it gets called 3 times, or maybe it's the fact that it has an "if else" instead of 3 if statements.

  5. #5
    Join Date
    Apr 2004
    Posts
    99
    Good job, even though it's already been covered Billdoor and Tetsuo.

  6. #6
    Join Date
    Sep 2003
    Posts
    70
    That may remove code 37 of C-D (unknown dll in hl.exe).

  7. #7
    Join Date
    Jan 2004
    Location
    Belgium
    Posts
    17
    This tutorial is not even complete.
    You can use it to expand Tetsuo's tutorial though.

    www.ArtificialAiming.tk

  8. #8
    Join Date
    Jan 2003
    Posts
    392
    Unfortunate but true, but also very useful if it can be made to work.
    /me is trying to find definitions of LDR_DATA_PATHFILENAME_OFFSET, LOAD_ORDER_TYPE, MEM_ORDER_TYPE, INIT_ORDER_TYPE

  9. #9
    Join Date
    Jun 2004
    Posts
    149
    nice

  10. #10
    Join Date
    Nov 2003
    Location
    Xen's basement
    Posts
    1,385
    Quote Originally Posted by [ELF]HelioS
    This tutorial is not even complete
    You can use it to expand Tetsuo's tutorial though
    Yeah, especially since my way is really half-assed. It does work though, so

  11. #11
    Join Date
    Sep 2003
    Posts
    70
    Quote Originally Posted by amateur
    Unfortunate but true, but also very useful if it can be made to work.
    /me is trying to find definitions of LDR_DATA_PATHFILENAME_OFFSET, LOAD_ORDER_TYPE, MEM_ORDER_TYPE, INIT_ORDER_TYPE
    I made my own definitions; maybe they're wrong:
    Code:
    #define LOAD_ORDER_TYPE 1    //just enumerations
    #define MEM_ORDER_TYPE 2
    #define INIT_ORDER_TYPE 3
    //#define LOWCASE(c) ((c)>='a'&&(c)<='z')
    //lowercase macro I found
    #define LOWCASE(l) (isupper((unsigned char) (l)) ? \
                                      tolower((unsigned char) (l)) : (l))
    #define PEB_LDR_DATA_OFFSET 0x0C    //offset to the LDR_DATA in the PEB
    
    typedef struct _PEB {
    
      BOOLEAN                 InheritedAddressSpace;    //0
      BOOLEAN                 ReadImageFileExecOptions;    //1
      BOOLEAN                 BeingDebugged;    //2
      BOOLEAN                 Spare;    //3
      HANDLE                  Mutant;    //4..7
      PVOID                   ImageBaseAddress;    //8..11
      PPEB_LDR_DATA           LoaderData;    //12 == 0x0C
      ..
    
    #define LDR_DATA_PATHFILENAME_OFFSET 0x24    //offset to the FullDllName in LDR_MODULE
    
    typedef struct _LDR_MODULE {
    
      LIST_ENTRY              InLoadOrderModuleList;    //0..7
      LIST_ENTRY              InMemoryOrderModuleList;    //8..15
      LIST_ENTRY              InInitializationOrderModuleList;    //16..23
      PVOID                   BaseAddress;    //24..27
      PVOID                   EntryPoint;    //28..31
      ULONG                   SizeOfImage;    //32..35
      UNICODE_STRING          FullDllName;    //36 == 0x24
      ..
    Last edited by ViscountPherget; 08-27-2004 at 06:27 AM.
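The offsets in the post above can be checked mechanically instead of by counting bytes. The following is an added example, not ViscountPherget's code and not the Windows headers: it models the 32-bit PEB, PEB_LDR_DATA and LDR_MODULE layouts with fixed-width fields (PTR32 standing in for a 32-bit pointer) so that offsetof() reproduces 0x0C and 0x24 on any host, and it computes the "pointer + (PATHFILENAME_OFFSET - dwOffset)" step from the first post for each list. The numbers only describe a 32-bit process; a 64-bit process has 8-byte pointers and 16-byte LIST_ENTRYs, and its PEB is reached through GS:[0x60] with Ldr at 0x18, so none of these constants carry over.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 32-bit layouts, not the Windows headers: PTR32 models a 4-byte pointer. */
typedef uint32_t PTR32;
typedef struct { PTR32 Flink, Blink; } LIST_ENTRY32;                                /* 8 bytes */
typedef struct { uint16_t Length, MaximumLength; PTR32 Buffer; } UNICODE_STRING32;  /* 8 bytes */

/* First members of the PEB as listed in the thread, 32-bit process. */
typedef struct {
    uint8_t InheritedAddressSpace;     /* 0x00 */
    uint8_t ReadImageFileExecOptions;  /* 0x01 */
    uint8_t BeingDebugged;             /* 0x02 */
    uint8_t Spare;                     /* 0x03 */
    PTR32   Mutant;                    /* 0x04 */
    PTR32   ImageBaseAddress;          /* 0x08 */
    PTR32   LoaderData;                /* 0x0C  <- PEB_LDR_DATA_OFFSET */
    PTR32   ProcessParameters;         /* 0x10 */
} PEB32_HEAD;

typedef struct {
    uint32_t     Length;                           /* 0x00 */
    uint8_t      Initialized;                      /* 0x04, padded to 0x08 */
    PTR32        SsHandle;                         /* 0x08 */
    LIST_ENTRY32 InLoadOrderModuleList;            /* 0x0C */
    LIST_ENTRY32 InMemoryOrderModuleList;          /* 0x14 */
    LIST_ENTRY32 InInitializationOrderModuleList;  /* 0x1C */
} PEB_LDR_DATA32;

typedef struct {
    LIST_ENTRY32     InLoadOrderModuleList;            /* 0x00 */
    LIST_ENTRY32     InMemoryOrderModuleList;          /* 0x08 */
    LIST_ENTRY32     InInitializationOrderModuleList;  /* 0x10 */
    PTR32            BaseAddress;                      /* 0x18 */
    PTR32            EntryPoint;                       /* 0x1C */
    uint32_t         SizeOfImage;                      /* 0x20 */
    UNICODE_STRING32 FullDllName;                      /* 0x24  <- LDR_DATA_PATHFILENAME_OFFSET */
    UNICODE_STRING32 BaseDllName;                      /* 0x2C */
} LDR_MODULE32;

#define PEB_LDR_DATA_OFFSET          0x0C
#define LDR_DATA_PATHFILENAME_OFFSET 0x24

/* The first post's dwOffset per list, taken from the struct rather than hard-coded:
 * 0 = load order, 1 = memory order, 2 = initialization order. */
static uint32_t list_entry_offset(int list_type)
{
    switch (list_type) {
    case 0:  return offsetof(LDR_MODULE32, InLoadOrderModuleList);
    case 1:  return offsetof(LDR_MODULE32, InMemoryOrderModuleList);
    default: return offsetof(LDR_MODULE32, InInitializationOrderModuleList);
    }
}

/* Address of FullDllName given the address of a LIST_ENTRY pulled from list
 * list_type: exactly the post's "ptr + (PATHFILENAME_OFFSET - dwOffset)". */
static uint32_t fulldllname_addr(uint32_t entry_addr, int list_type)
{
    return entry_addr + (LDR_DATA_PATHFILENAME_OFFSET - list_entry_offset(list_type));
}

/* 1 if the modelled layout agrees with every constant used in the thread. */
static int layout_matches_thread(void)
{
    return offsetof(PEB32_HEAD, LoaderData) == PEB_LDR_DATA_OFFSET
        && offsetof(PEB_LDR_DATA32, InLoadOrderModuleList) == 0x0C
        && offsetof(LDR_MODULE32, InMemoryOrderModuleList) == 0x08
        && offsetof(LDR_MODULE32, InInitializationOrderModuleList) == 0x10
        && offsetof(LDR_MODULE32, FullDllName) == LDR_DATA_PATHFILENAME_OFFSET
        && sizeof(LDR_MODULE32) == 0x34;
}

int main(void) { return !layout_matches_thread(); }   /* exit 0 = offsets agree */
```

Whether the flag values are 0/1/2 or 1/2/3 does not matter; they are only tags selecting which list head and which dwOffset to use. What does matter is that dwOffset is subtracted before adding 0x24, otherwise the walker reads eight or sixteen bytes past the real UNICODE_STRING and the string length it pulls out is garbage, which is one way the "compiles but crashes" outcome reported later in the thread comes about.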

  12. #12
    Join Date
    Jan 2003
    Posts
    392
    Thanks, I'll give 'em a go.

  13. #13
    Join Date
    Jan 2003
    Posts
    392
    Compiles but crashes :/ nm, worth a try.

  14. #14
    Join Date
    Apr 2005
    Posts
    42
    Sorry for the bump, but this code is actually within the book 'Exploiting Online Games' on page 176. This code is taken from the rootkit NtIllusion found at rootkit.com

    Quote Originally Posted by amateur View Post
    Unfortunate but true, but also very useful if it can be made to work.
    /me is trying to find definitions of LDR_DATA_PATHFILENAME_OFFSET, LOAD_ORDER_TYPE, MEM_ORDER_TYPE, INIT_ORDER_TYPE
    #define LOAD_ORDER_TYPE 0
    #define MEM_ORDER_TYPE 1
    #define INIT_ORDER_TYPE 2

  15. #15
    Join Date
    Jan 2007
    Posts
    474
    I commend your detective work. Good job on cracking a 3 year old case.
