[C++] UnhookModulefromPEBList

Willi27

Here is a code example to unlink your module from the PEB list. I use this example for my WinAPI (.dll injection).


realbadhorse

Thank you for sharing your code example for unlinking a module from the PEB list. This can be quite useful for dynamic-link library (DLL) injection and other similar techniques. Your code defines several data structures, including the PEB, PEB_LDR_DATA, and LDR_DATA_TABLE_ENTRY structures, and uses them along with the LIST_ENTRY structure to navigate the PEB module lists.

The UnlinkModulefromPEBList function takes a module handle as input and uses this handle to search for the corresponding LDR_DATA_TABLE_ENTRY structure in the PEB module lists. Once found, the function saves the relevant LIST_ENTRY structures for the module in an UNLINKED_MODULE structure, unlinks the module from the PEB lists using the UNLINK macro, and adds the UNLINKED_MODULE structure to a vector of unlinked modules.

It's worth noting that modification of the PEB list in this manner is not recommended or supported by Microsoft, and it could potentially lead to unexpected behavior or system instability. However, in some cases, such as DLL injection in certain games or applications, it may be necessary to use this technique to achieve the desired functionality.
 

deiiim

Structs and offsets/sizes can be found for all Windows versions here:


And this goes without saying, but this really serves more as an example of referencing a process's PEB / TEB.
As you said, it may work for some basic functions looking for LoadLibrary, but anything modern is expecting modules to be mapped into memory or overridden in sections.
Those checks are obviously going to detect a module, and it gets flagged twice as hard for not appearing in the linked module list.

Also, if you plan on doing this from the kernel, I'd suggest caching the PEB of a process instead of reading it live.
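The point made in this reply, that a module removed from the loader lists is still mapped in memory and therefore stands out when the two views disagree, can be checked in code. The following is an added example written for this thread, not code from the original post or from any of the posters: it walks the PEB's InMemoryOrderModuleList using only the structure layout that winternl.h documents (PEB, PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY, LIST_ENTRY), walks the process's own address space with VirtualQuery to find every committed MEM_IMAGE region, and reports image bases that the loader list does not account for. The comparison itself is portable; the two Windows collectors are compiled only under `_WIN32`, and on other platforms `main` runs the check on constructed sample addresses (the addresses are made up for the demonstration).

```cpp
// Added example (not from the thread): cross-check the PEB module list
// against the process's own memory map. A module that was unlinked from the
// PEB lists still occupies a MEM_IMAGE region, so any image region whose
// allocation base is absent from the PEB list is worth a closer look.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

// Portable core: given the DllBase values the PEB list reports and the
// allocation bases of all MEM_IMAGE regions found by walking memory,
// return the (deduplicated, sorted) image bases the loader does not list.
std::vector<std::uintptr_t> find_unlisted_images(
        const std::set<std::uintptr_t>& peb_bases,
        const std::vector<std::uintptr_t>& image_bases)
{
    std::vector<std::uintptr_t> unlisted;
    for (std::uintptr_t base : image_bases) {
        if (peb_bases.find(base) == peb_bases.end())
            unlisted.push_back(base);
    }
    std::sort(unlisted.begin(), unlisted.end());
    unlisted.erase(std::unique(unlisted.begin(), unlisted.end()), unlisted.end());
    return unlisted;
}

#ifdef _WIN32
#define NOMINMAX
#include <windows.h>
#include <winternl.h>

// Collect DllBase from every entry on the PEB's InMemoryOrderModuleList,
// the one loader list winternl.h exposes by name.
std::set<std::uintptr_t> peb_module_bases()
{
    std::set<std::uintptr_t> bases;
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    LIST_ENTRY* head = &peb->Ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY* cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY* entry =
            CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        bases.insert(reinterpret_cast<std::uintptr_t>(entry->DllBase));
    }
    return bases;
}

// Walk the address space with VirtualQuery and record the allocation base
// of every committed MEM_IMAGE region. A mapped image spans several regions
// (headers, .text, .data, ...) that all share one AllocationBase, which is
// the module's DllBase; find_unlisted_images deduplicates them.
std::vector<std::uintptr_t> mapped_image_bases()
{
    std::vector<std::uintptr_t> bases;
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char* addr = nullptr;
    while (VirtualQuery(addr, &mbi, sizeof(mbi)) == sizeof(mbi)) {
        if (mbi.State == MEM_COMMIT && mbi.Type == MEM_IMAGE)
            bases.push_back(reinterpret_cast<std::uintptr_t>(mbi.AllocationBase));
        unsigned char* next = static_cast<unsigned char*>(mbi.BaseAddress) + mbi.RegionSize;
        if (next <= addr) break;  // address space exhausted (wrap-around)
        addr = next;
    }
    return bases;
}
#endif

int main()
{
#ifdef _WIN32
    std::vector<std::uintptr_t> suspicious =
        find_unlisted_images(peb_module_bases(), mapped_image_bases());
#else
    // Constructed sample data for non-Windows builds: two modules known to
    // the loader, three distinct images found in memory (one listed twice,
    // as its sections would be).
    std::set<std::uintptr_t> peb = {0x400000u, 0x7c800000u};
    std::vector<std::uintptr_t> mem = {0x400000u, 0x7c800000u, 0x10000000u, 0x10000000u};
    std::vector<std::uintptr_t> suspicious = find_unlisted_images(peb, mem);
#endif
    for (std::uintptr_t base : suspicious)
        std::printf("image at 0x%llx is not on the PEB module list\n",
                    static_cast<unsigned long long>(base));
    return 0;
}
```

Built on Windows, the program reports nothing for a clean process; once a module has been unlinked the way the first post describes, its base still shows up from VirtualQuery and is printed. The same cross-check can be done from outside the process with VirtualQueryEx plus ReadProcessMemory on the target PEB, which is why the reply above notes that hiding from the list tends to draw more attention rather than less.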