#pragma once
// ============================================================================
// peb_link.h - PEB Loader Data Table Entry insertion
//
// After mapping a DLL with NtCreateSection(SEC_IMAGE), the image-backed
// memory appears in the VAD tree but NOT in PEB.Ldr module lists.
// Hyperion can detect this discrepancy by cross-referencing MEM_IMAGE
// VAD entries against PEB.Ldr.InLoadOrderModuleList.
//
// This module manually creates a FULL_LDR_DATA_TABLE_ENTRY in the target
// process and links it into all three PEB loader lists, so that the
// cross-reference described above sees the DLL as a normally loaded module.
//
// Must be called AFTER mapping/relocation but BEFORE shellcode execution,
// so that threads created by DllMain (e.g. std::thread) have their
// owning module visible in the PEB.
// ============================================================================
#include "common.h"
#include "pe_image.h"
// Link a manually mapped DLL into the target's PEB loader lists.
//
// Parameters:
//   process       - Handle to target process (with VM read/write/query)
//   dll_base      - Remote base address of the mapped DLL
//   image         - Parsed PE image (for SizeOfImage, EntryPoint, TimeDateStamp)
//   full_dll_path - Full path to the DLL on disk (used for FullDllName/BaseDllName)
//
// Returns true if the module was successfully linked into all 3 lists.
//
// NOTE(review): this declaration does not show what state the target is left
// in when false is returned (for example an entry linked into only some of
// the lists) - confirm against the implementation.
// NOTE(review): `image` is taken by non-const reference although the
// parameter notes only mention reading fields from it; whether it is
// modified is not visible here.
// NOTE(review): per the parameter notes, the entry's path, size and timestamp
// are supplied by the caller and written into the target's user-mode memory
// through a handle with VM write access. Tooling that inspects a process
// should therefore not treat presence in the PEB.Ldr lists as proof that the
// system loader loaded the module.
bool LinkModuleToPeb(HANDLE process, void* dll_base, PeImage& image,
const wchar_t* full_dll_path);