Examples of disguising and hiding loaded DLLs
The following example is the module_disguise.c code under the Chapter#3 folder of the GitHub project, which is publicly available in this book's repository. In order to save space, this book only extracts the highlighted code; please refer to the complete source code to see all the details of the project.
In the previous section, you have seen that we can walk the PEB→LDR structure in process memory to obtain the image base address of a desired module. The next question is whether the information recorded for these dynamically loaded modules can be forged for malicious use. The answer is yes. In this section, we design two functions: renameDynModule and HideModule. The former disguises a dynamic module's record with a misleading path and name, while the latter hides the specified dynamically loaded module from the record.
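Because both tricks only alter the loader's bookkeeping, a defender can catch them by checking that bookkeeping against itself and against what is really mapped. The following C is an added example (not the book's module_disguise.c): it models the load-order and memory-order lists with a cut-down LDR_DATA_TABLE_ENTRY (the real structure has many more fields, and MappedPath stands in for what GetMappedFileName would report for DllBase), builds a constructed scenario, and counts entries whose recorded name disagrees with the mapping or that are missing from one of the lists.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for Windows LIST_ENTRY / LDR_DATA_TABLE_ENTRY (assumption:
 * only the fields this check needs; real entries carry many more). */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;
typedef struct ldr_entry {
    LIST_ENTRY InLoadOrderLinks;    /* PEB->Ldr->InLoadOrderModuleList   */
    LIST_ENTRY InMemoryOrderLinks;  /* PEB->Ldr->InMemoryOrderModuleList */
    void *DllBase;
    const char *FullDllName;        /* path the LDR record claims        */
    const char *MappedPath;         /* path the OS actually mapped here  */
} LDR_ENTRY;
#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void list_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; e->Flink = e->Blink = e;
}

/* Scanner: walk the load-order list and flag a module if (a) it is absent
 * from the memory-order list, i.e. the two lists disagree, or (b) its
 * recorded name differs from the path actually mapped at DllBase. */
static int count_suspicious(LIST_ENTRY *load_head, LIST_ENTRY *mem_head) {
    int bad = 0;
    for (LIST_ENTRY *p = load_head->Flink; p != load_head; p = p->Flink) {
        LDR_ENTRY *m = CONTAINING_RECORD(p, LDR_ENTRY, InLoadOrderLinks);
        int in_mem = 0;
        for (LIST_ENTRY *q = mem_head->Flink; q != mem_head; q = q->Flink)
            if (CONTAINING_RECORD(q, LDR_ENTRY, InMemoryOrderLinks)->DllBase == m->DllBase)
                in_mem = 1;
        if (!in_mem || strcmp(m->FullDllName, m->MappedPath) != 0) bad++;
    }
    return bad;
}

/* Constructed scenario (fake bases, fake paths): three modules, one whose
 * record was renamed, one unlinked from the memory-order list only. */
int demo_scan(void) {
    static char base0, base1, base2;
    LDR_ENTRY mods[3] = {
        { {0}, {0}, &base0, "C:\\Windows\\System32\\kernel32.dll", "C:\\Windows\\System32\\kernel32.dll" },
        { {0}, {0}, &base1, "C:\\Windows\\System32\\version.dll",  "C:\\Temp\\actual.dll" },
        { {0}, {0}, &base2, "C:\\Temp\\loader.dll",                "C:\\Temp\\loader.dll" },
    };
    LIST_ENTRY load, mem;
    list_init(&load); list_init(&mem);
    for (int i = 0; i < 3; i++) {
        list_append(&load, &mods[i].InLoadOrderLinks);
        list_append(&mem,  &mods[i].InMemoryOrderLinks);
    }
    list_unlink(&mods[2].InMemoryOrderLinks);  /* now missing from one list */
    return count_suspicious(&load, &mem);      /* returns 2 */
}
```

On a live process the same walk starts from the real PEB->Ldr lists, and a module mapped in memory but absent from every list is found by comparing against the mapped-image regions rather than the lists alone.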
Figure 3.17 shows the renameDynModule function, which has only one input parameter for the...