https://streamable.com/lg000v

 

 

가오 좀 살리려고 폼 없애고 콘솔로 했습니다.

웹 통신도 감지하는 것 같아서 다 빼고 핫키로 했어요.

 

스레드 하이재킹 + 매뉴얼 매핑 + DLL 기록 제거 소스를 요 밑에 첨부해 드립니다.

 

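function GetPebAddress: Pointer;
{ Returns the base address of the current process's PEB, or nil if it
  cannot be obtained.

  NtQueryInformationProcess is resolved from ntdll at run time (it is not
  exported through the import table of the Windows unit) and queried with
  information class 0 (ProcessBasicInformation).  Only PebBaseAddress is
  read from the result. }
var
  hNtDll: THandle;
  NtQueryInfo: function(ProcessHandle: THandle; ProcessInfoClass: Integer;
               ProcessInfo: Pointer; ProcessInfoLen: ULONG; RetLen: PULONG): LongInt; stdcall;
  { Local stand-in for PROCESS_BASIC_INFORMATION.  'others' pads the record
    out so that SizeOf(pbi) covers the trailing fields that are not used
    here.  NOTE(review): the layout is assumed to match the Win64 structure
    (4-byte status, pointer, four pointer-sized fields) -- confirm for the
    target build; a mismatched size makes ntdll fail the call. }
  pbi: record
    ExitStatus: LongInt;
    PebBaseAddress: Pointer;
    others: array[0..3] of NativeUInt;
  end;
  ReturnLength: ULONG;
begin
  Result := nil;
  ReturnLength := 0;

  { A zero module handle would make GetProcAddress search the calling
    executable instead of ntdll, so fail explicitly instead of resolving
    the wrong export. }
  hNtDll := GetModuleHandle('ntdll.dll');
  if hNtDll = 0 then Exit;

  @NtQueryInfo := GetProcAddress(hNtDll, 'NtQueryInformationProcess');
  if not Assigned(NtQueryInfo) then Exit;

  { STATUS_SUCCESS is 0; any other NTSTATUS leaves Result = nil. }
  if NtQueryInfo(GetCurrentProcess, 0, @pbi, SizeOf(pbi), @ReturnLength) = 0 then
    Result := pbi.PebBaseAddress;
end;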

{ Detaches the loaded module DllName from two of the PEB loader lists and
  zeroes the first 4096 bytes of its image (the region holding the PE
  header).  Silently does nothing if the module is not loaded or the PEB
  cannot be obtained.  Nothing is unmapped: the image and its memory stay
  in the process, only the loader's bookkeeping and the header bytes change.

  NOTE(review): PListEntry / PLdrDataTableEntry are declared elsewhere in
  this file; the casts below assume InLoadOrderLinks is the first field of
  that entry type.  The PEB offsets are hard-coded for 64-bit Windows
  ($18 = PEB.Ldr, $10 = PEB_LDR_DATA.InLoadOrderModuleList) and are wrong
  on x86, where both differ -- this routine is Win64-only as written. }
procedure EraseDllFromSystem(const DllName: string);
var
 Peb, Ldr: Pointer;
 Head, Curr: PListEntry;
 Entry: PLdrDataTableEntry;
 ModuleBase: NativeUInt;
 OldProtect: DWORD;
begin
 ModuleBase := GetModuleHandle(PChar(DllName));
 if ModuleBase = 0 then Exit;

 Peb := GetPebAddress;
 if Peb = nil then Exit;

 { Walk InLoadOrderModuleList; Head is the list sentinel inside PEB_LDR_DATA. }
 Ldr := PPointer(NativeInt(Peb) + $18)^;
 Head := PListEntry(NativeInt(Ldr) + $10);
 Curr := Head^.Flink;

 while Curr <> Head do
 begin
   Entry := PLdrDataTableEntry(Curr);
   { NOTE(review): BaseDllName is a counted UNICODE_STRING (Length in bytes);
     SameText reads Buffer as a NUL-terminated PWideChar, which the type does
     not guarantee.  Works in practice because the loader's buffers are
     NUL-terminated -- confirm before relying on it. }
   if (Entry^.BaseDllName.Buffer <> nil) and
      SameText(Entry^.BaseDllName.Buffer, DllName) then
   begin

     { Unlink from the in-load-order list (Curr is that link pair). }
     Curr^.Blink^.Flink := Curr^.Flink;
     Curr^.Flink^.Blink := Curr^.Blink;

     { Unlink from the in-memory-order list.  Only these two link pairs are
       touched; the entry itself is not freed and its remaining link fields
       are left as they were, so the first match is detached and the loop
       stops. }
     Entry^.InMemoryOrderLinks.Blink^.Flink := Entry^.InMemoryOrderLinks.Flink;
     Entry^.InMemoryOrderLinks.Flink^.Blink := Entry^.InMemoryOrderLinks.Blink;

     Break;
   end;
   Curr := Curr^.Flink;
 end;

 { Make the first page of the image RWX, zero it, then restore the previous
   protection.  4096 assumes a 4 KiB page and that the headers fit in one
   page.  NOTE(review): after this, anything that locates data through this
   module's PE header (GetProcAddress on the base, exception-directory /
   unwind lookups on x64) sees zeros -- expect exceptions raised inside the
   DLL to be unrecoverable; confirm on the target.  The return value of the
   second VirtualProtect is ignored. }
 if VirtualProtect(Pointer(ModuleBase), 4096, PAGE_EXECUTE_READWRITE, @OldProtect) then
 begin
   FillChar(Pointer(ModuleBase)^, 4096, 0);
   VirtualProtect(Pointer(ModuleBase), 4096, OldProtect, @OldProtect);
 end;
end;