가오 좀 살리려고 폼 없애고 콘솔로 했습니다.
웹통신도 감지하는 거 같아서 다 빼고 핫키로 했어요.
쓰레드하이재킹 + 매뉴얼매핑 + dll 기록 제거 요 밑에 소스 첨부해드립니다.
// Returns the base address of the calling process's PEB, or nil on failure.
// NtQueryInformationProcess is an undocumented ntdll export, so it is resolved
// at runtime with GetProcAddress rather than imported; the literal string
// 'NtQueryInformationProcess' therefore stays visible in the binary and is a
// usable static indicator for scanners. Information class 0 is
// ProcessBasicInformation, whose second field is the PEB base address.
function GetPebAddress: Pointer;
var
hNtDll: THandle;
// Prototype for the native call: stdcall, NTSTATUS returned as a LongInt.
NtQueryInfo: function(ProcessHandle: THandle; ProcessInfoClass: Integer;
ProcessInfo: Pointer; ProcessInfoLen: ULONG; RetLen: PULONG): LongInt; stdcall;
// Local stand-in for PROCESS_BASIC_INFORMATION. Only PebBaseAddress is read;
// 'others' presumably pads the record to the size the call expects (not
// verified here, the record is not declared packed).
pbi: record
ExitStatus: LongInt;
PebBaseAddress: Pointer;
others: array[0..3] of NativeUInt;
end;
ReturnLength: ULONG;
begin
Result := nil;
hNtDll := GetModuleHandle('ntdll.dll');
// If ntdll or the export cannot be resolved, NtQueryInfo stays nil and the
// Assigned check below keeps Result = nil.
@NtQueryInfo := GetProcAddress(hNtDll, 'NtQueryInformationProcess');
if Assigned(NtQueryInfo) then
begin
// 0 is STATUS_SUCCESS; any other status leaves Result = nil.
if NtQueryInfo(GetCurrentProcess, 0, @pbi, SizeOf(pbi), @ReturnLength) = 0 then
Result := pbi.PebBaseAddress;
end;
end;
// Removes DllName's loader entry from two of the PEB Ldr module lists and
// zeroes the first page of its image, so that enumerations which walk those
// lists or look for a PE header at the module base no longer report it.
// The mapping itself, its code pages and their executable protection are
// untouched. From a detection standpoint this leaves a stronger anomaly than
// the module did: an executable image region with no loader entry and an
// all-zero header, plus a transient PAGE_EXECUTE_READWRITE change on an image
// page, are both observable by memory scanners and EDR hooks.
// Offsets $18 and $10 are hard-coded into undocumented structures and assume
// one specific PEB / PEB_LDR_DATA layout; nothing validates that here.
// PListEntry and PLdrDataTableEntry are declared elsewhere (not on this page),
// so their field layout is assumed, not checked.
procedure EraseDllFromSystem(const DllName: string);
var
Peb, Ldr: Pointer;
Head, Curr: PListEntry;
Entry: PLdrDataTableEntry;
ModuleBase: NativeUInt;
OldProtect: DWORD;
begin
// Nothing to do if the module is not loaded in this process.
ModuleBase := GetModuleHandle(PChar(DllName));
if ModuleBase = 0 then Exit;
Peb := GetPebAddress;
if Peb = nil then Exit;
// PEB.Ldr (pointer to PEB_LDR_DATA) is read at PEB+$18 -- assumes the
// layout where Ldr sits at that offset; TODO confirm for the target bitness.
Ldr := PPointer(NativeInt(Peb) + $18)^;
// List head at Ldr+$10. Casting each LIST_ENTRY straight to
// PLdrDataTableEntry (below) only works if the links are the entry's first
// field, i.e. this is presumed to be the in-load-order list -- verify.
Head := PListEntry(NativeInt(Ldr) + $10);
Curr := Head^.Flink;
while Curr <> Head do
begin
Entry := PLdrDataTableEntry(Curr);
// Case-insensitive match on the base name. SameText reads Buffer as a
// NUL-terminated string; UNICODE_STRING carries a Length instead, which is
// ignored here.
if (Entry^.BaseDllName.Buffer <> nil) and
SameText(Entry^.BaseDllName.Buffer, DllName) then
begin
// Plain doubly-linked unlink, first from the list being walked ...
Curr^.Blink^.Flink := Curr^.Flink;
Curr^.Flink^.Blink := Curr^.Blink;
// ... then from the in-memory-order list. The entry itself is not freed,
// only orphaned; its own Flink/Blink still point at the neighbours.
Entry^.InMemoryOrderLinks.Blink^.Flink := Entry^.InMemoryOrderLinks.Flink;
Entry^.InMemoryOrderLinks.Flink^.Blink := Entry^.InMemoryOrderLinks.Blink;
// Only the first matching entry is handled.
Break;
end;
Curr := Curr^.Flink;
end;
// Temporarily make the first 4096 bytes of the image writable, zero them
// (DOS/NT headers live there), then restore the previous protection. The
// return value of the restoring VirtualProtect is ignored.
if VirtualProtect(Pointer(ModuleBase), 4096, PAGE_EXECUTE_READWRITE, @OldProtect) then
begin
FillChar(Pointer(ModuleBase)^, 4096, 0);
VirtualProtect(Pointer(ModuleBase), 4096, OldProtect, @OldProtect);
end;
end;