
Sunday, May 17, 2015

[C/C++] Hide my loaded modules

Hide my loaded modules sample.
 

Code snippet:

#include <windows.h>
#include <stdio.h>
#include <ntdll.h>

/*
 * iWinMain - walks the current process's PEB loader list looking for the
 * entry whose BaseDllName begins with "kernel32.dll", unlinks that entry
 * from the three PEB_LDR_DATA lists and reports the outcome via MessageBoxW.
 *
 * The structure types (PPEB_VISTA_7, PLDR_DATA_TABLE_ENTRY_7) come from the
 * non-standard <ntdll.h> included above, not from the Windows SDK. Their
 * layouts are undocumented and OS-version specific (the suffix suggests
 * Vista/7); nothing in this file lets a reader verify the field offsets.
 *
 * Effect for defenders: APIs that enumerate modules by reading these lists
 * will no longer report the unlinked module, while the mapped image itself
 * is still present in the address space. That divergence between the PEB
 * lists and the actual memory map is the usual way this pattern is detected.
 *
 * Returns 0 unconditionally; the user-visible result is the message box text.
 */
int iWinMain() {
#ifdef _WIN64
    /* PEB pointer read straight from the TEB: gs:[0x60] on x64, fs:[0x30] on x86. */
    PPEB_VISTA_7 pPEB = (PPEB_VISTA_7)__readgsqword(0x60);
    LPWSTR captionMsg = L"64-bit Application";  /* non-const pointer to a literal */
#else
    PPEB_VISTA_7 pPEB = (PPEB_VISTA_7)__readfsdword(0x30);
    LPWSTR captionMsg = L"32-bit Application";
#endif
    wchar_t mainMsg[MAX_PATH] = {0};  /* capacity: MAX_PATH wide characters */
    /* First real entry; the walk ends when it wraps back to the list head. */
    PLIST_ENTRY pListEntry = pPEB->LoaderData->InLoadOrderModuleList.Flink;
    PLDR_DATA_TABLE_ENTRY_7 pModule = NULL;

    LPWSTR finishedMainMsg = L"No match found!";

    while (pListEntry != &pPEB->LoaderData->InLoadOrderModuleList && pListEntry != NULL) {

        /* NOTE(review): pModule is built from pListEntry->Flink, i.e. the node
         * *after* the one pListEntry points at, so the walk lags by one entry.
         * On the final iteration pModule aliases the list head embedded in
         * PEB_LDR_DATA and its bytes are read as if they were a table entry. */
        pModule = (PLDR_DATA_TABLE_ENTRY_7)pListEntry->Flink;
        /* UNICODE_STRING buffers are not guaranteed to be NUL-terminated, and the
         * 0x18 (24) character bound exceeds the 12-character literal, so the
         * compare can run past the end of a shorter name. Match is case-sensitive. */
        if (pModule->BaseDllName.Buffer != NULL)
            if (wcsncmp(pModule->BaseDllName.Buffer, L"kernel32.dll", 0x18) == 0) {
                /* NOTE(review): the size argument is in wide characters and mainMsg
                 * holds MAX_PATH of them, so MAX_PATH * 2 allows a write of twice
                 * the buffer. %p is also used for SizeOfImage, whose type is not
                 * visible in this file and is presumably not pointer-sized -- confirm
                 * against <ntdll.h>; a mismatched specifier is undefined behaviour. */
                _snwprintf(
                    mainMsg,
                    MAX_PATH * 2,
                    L"Job done! Found match.\nNow,"
                    L" scan my loaded Modules and try to see kernel32.dll.\n\n"
                    L"ModuleName: %ws\n[-]BaseAddress: 0x%p\n[-]EntryPoint: 0x%p\n"
                    L"[-]SizeOfImage: 0x%p\n\n[by stigma from I3CT]\nInsid3Code Team",
                    pModule->BaseDllName.Buffer,
                    pModule->BaseAddress,
                    pModule->EntryPoint,
                    pModule->SizeOfImage);

                /* Detach the entry from each doubly linked list by pointing its two
                 * neighbours at each other. The entry's own Flink/Blink are left
                 * untouched (still pointing into the lists) and no lists other than
                 * these three are modified; no loader lock is taken around the edits. */
                pModule->InLoadOrderModuleList.Flink->Blink = pModule->InLoadOrderModuleList.Blink;
                pModule->InLoadOrderModuleList.Blink->Flink = pModule->InLoadOrderModuleList.Flink;

                pModule->InMemoryOrderModuleList.Flink->Blink = pModule->InMemoryOrderModuleList.Blink;
                pModule->InMemoryOrderModuleList.Blink->Flink = pModule->InMemoryOrderModuleList.Flink;

                pModule->InInitializationOrderModuleList.Flink->Blink = pModule->InInitializationOrderModuleList.Blink;
                pModule->InInitializationOrderModuleList.Blink->Flink = pModule->InInitializationOrderModuleList.Flink;

                /* Detail box first; the summary box below follows after the loop. */
                MessageBoxW(NULL, mainMsg, captionMsg, MB_ICONINFORMATION);
                finishedMainMsg = L"Finished!";
                break;
            }

        pListEntry = pListEntry->Flink;
    }

    MessageBoxW(
        NULL,
        finishedMainMsg,
        captionMsg,
        MB_ICONINFORMATION);

    return 0;
}
Source:
http://www.mediafire.com/download/4e4mhjetc4f3ufc/HideMyLoadedModules.rar