Thread: DLL Hiding

#46 nitrogrlie (Member)
    Originally Posted by Cypher:
    Bump.

    Nitrogrlie:

    Did you try what I suggested to prove my claims? (VMMap and ModuleShark)
    Okay, found some time last night to try VMMap, and you are correct, it does find the unlinked modules. Process Explorer, however, doesn't list the DLLs in the Lower Pane after I remove them.

    Currently I'm trying to figure out how to obtain the VadRoot address and write my own VAD walker from user space.

#47 Cypher
    Originally Posted by flo8464:
    I have to admit, I didn't really look up what NtQueryVirtualMemory does in general; I had problems finding good documentation.

    But I still don't really understand why they don't scan for signatures of known hacks.
    They do...

    You have to use VirtualQuery, though, in order to enumerate all the memory regions; otherwise it would be horribly inefficient and potentially inaccurate.

#48 Cypher
    Originally Posted by nitrogrlie:
    Okay, found some time last night to try VMMap, and you are correct, it does find the unlinked modules. Process Explorer, however, doesn't list the DLLs in the Lower Pane after I remove them.

    Currently I'm trying to figure out how to obtain the VadRoot address and write my own VAD walker from user space.
    Process Explorer uses the PEB linked list, VMMap uses the kernel file mappings.

    Hence my point about hooking NtQueryVirtualMemory.

    Also, you can't directly read or write the VAD list from usermode, AFAIK. I'm pretty sure that's all stored in kernel memory.

    At any rate, you'll still need to hook the NtQueryVirtualMemory API if you're in usermode, because even if you can work out how to write to the VAD tree that will do you little good because there's still no way to spoof the values (i.e. keep the pages executable but make them look free).*

    * Of course you can write to the VAD tree indirectly using the VirtualQuery/VirtualProtect APIs, however I was talking about modifying the VADs "directly".
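The distinction Cypher draws in #47 and #48 (Process Explorer walks the PEB loader lists, VMMap and a memory scanner walk the regions the kernel reports) is easy to turn into a detector. The block below is an added example written for this page, not code from the thread: it takes a VirtualQuery-style snapshot of memory regions plus the module bases a PEB walk would return, and reports every committed MEM_IMAGE allocation the PEB walk does not list. The cross-reference logic is plain C and runs against a constructed snapshot (the addresses, paths and the "hack.dll" module are made up for the example); under `_WIN32` it also builds a real snapshot with `VirtualQueryEx`, `GetMappedFileNameA` and `EnumProcessModules` (the last reads the PEB loader lists, so an unlinked DLL is absent from it). `find_unlinked_images`, `sample_unlinked` and `MemRegion` are names chosen here, not an existing API.

```c
/*
 * Added example (not from the thread): why unlinking a DLL from the PEB hides it
 * from Process Explorer but not from a region walk. A VirtualQuery walk still sees
 * the module's pages as MEM_IMAGE with a backing file; any such allocation whose
 * base the PEB walk does not list is an unlinked module.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same numeric values as the MEM_* constants in <windows.h>. */
#define RGN_COMMIT  0x1000u
#define RGN_FREE    0x10000u
#define RGN_PRIVATE 0x20000u
#define RGN_IMAGE   0x1000000u

typedef struct {
    uintptr_t base;        /* MEMORY_BASIC_INFORMATION.BaseAddress */
    uintptr_t alloc_base;  /* .AllocationBase: first page of the whole mapping */
    size_t    size;        /* .RegionSize */
    uint32_t  state;       /* .State: MEM_COMMIT / MEM_RESERVE / MEM_FREE */
    uint32_t  type;        /* .Type:  MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE */
    char      path[260];   /* backing file from GetMappedFileName, "" if none */
} MemRegion;

static int peb_lists_base(uintptr_t base, const uintptr_t *peb, size_t npeb) {
    for (size_t i = 0; i < npeb; i++)
        if (peb[i] == base) return 1;
    return 0;
}

/*
 * Write the allocation base of every committed MEM_IMAGE mapping that the PEB walk
 * does not know about into out[]. An image spans several regions (headers, .text,
 * .rdata, ...), so only the region whose base equals its AllocationBase counts,
 * giving one hit per module. Returns the number of hits written.
 */
size_t find_unlinked_images(const MemRegion *r, size_t nr,
                            const uintptr_t *peb, size_t npeb,
                            uintptr_t *out, size_t max_out) {
    size_t hits = 0;
    for (size_t i = 0; i < nr && hits < max_out; i++) {
        if (r[i].state != RGN_COMMIT || r[i].type != RGN_IMAGE) continue;
        if (r[i].base != r[i].alloc_base) continue;
        if (peb_lists_base(r[i].alloc_base, peb, npeb)) continue;
        out[hits++] = r[i].alloc_base;
    }
    return hits;
}

/* Constructed snapshot (not captured from a real process): the exe, a heap, a free
 * gap, ntdll, and a module that unlinked itself from the PEB lists. */
static const MemRegion sample_regions[] = {
    {0x00400000, 0x00400000, 0x1000,   RGN_COMMIT, RGN_IMAGE,   "\\Device\\HarddiskVolume2\\Games\\game.exe"},
    {0x00401000, 0x00400000, 0x80000,  RGN_COMMIT, RGN_IMAGE,   "\\Device\\HarddiskVolume2\\Games\\game.exe"},
    {0x00600000, 0x00600000, 0x10000,  RGN_COMMIT, RGN_PRIVATE, ""},
    {0x00610000, 0,          0x100000, RGN_FREE,   0,           ""},
    {0x10000000, 0x10000000, 0x1000,   RGN_COMMIT, RGN_IMAGE,   "\\Device\\HarddiskVolume2\\Users\\x\\hack.dll"},
    {0x10001000, 0x10000000, 0x5000,   RGN_COMMIT, RGN_IMAGE,   "\\Device\\HarddiskVolume2\\Users\\x\\hack.dll"},
    {0x77000000, 0x77000000, 0x1000,   RGN_COMMIT, RGN_IMAGE,   "\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll"},
    {0x77001000, 0x77000000, 0x1a0000, RGN_COMMIT, RGN_IMAGE,   "\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll"},
};
/* What the PEB loader lists still report after hack.dll unlinked itself. */
static const uintptr_t sample_peb[] = { 0x00400000, 0x77000000 };

size_t sample_unlinked(uintptr_t *out, size_t max_out) {
    return find_unlinked_images(sample_regions, sizeof sample_regions / sizeof sample_regions[0],
                                sample_peb, sizeof sample_peb / sizeof sample_peb[0], out, max_out);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* link with psapi.lib */
/* Real snapshot of process h: one MemRegion per VirtualQueryEx result. */
size_t snapshot_process(HANDLE h, MemRegion *out, size_t max_out) {
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = 0; size_t n = 0;
    while (n < max_out && VirtualQueryEx(h, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        out[n].base = (uintptr_t)mbi.BaseAddress; out[n].alloc_base = (uintptr_t)mbi.AllocationBase;
        out[n].size = mbi.RegionSize; out[n].state = mbi.State; out[n].type = mbi.Type;
        out[n].path[0] = '\0';
        if (mbi.Type == MEM_IMAGE) GetMappedFileNameA(h, mbi.BaseAddress, out[n].path, sizeof out[n].path);
        n++;
        uintptr_t next = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;   /* end of address space */
        addr = next;
    }
    return n;
}
/* PEB side: EnumProcessModules reads the loader lists, so an unlinked DLL is missing here. */
size_t snapshot_peb(HANDLE h, uintptr_t *out, size_t max_out) {
    HMODULE mods[1024]; DWORD needed = 0;
    if (!EnumProcessModules(h, mods, sizeof mods, &needed)) return 0;
    size_t n = needed / sizeof(HMODULE); if (n > max_out) n = max_out;
    for (size_t i = 0; i < n; i++) out[i] = (uintptr_t)mods[i];
    return n;
}
#endif

int main(void) {
    uintptr_t hits[16];
    size_t n = sample_unlinked(hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("image mapping with no PEB entry at %#llx\n", (unsigned long long)hits[i]);
    return 0;
}
```

On the constructed snapshot the only hit is the hack.dll base, which is the same thing VMMap shows and Process Explorer's lower pane does not. It also shows why Cypher's hook is needed from usermode: the detector never consults the PEB for the image side, so the only user-mode way to stay out of the result is to change what `VirtualQueryEx` (i.e. `NtQueryVirtualMemory`) returns, or to manual-map so no MEM_IMAGE mapping exists in the first place.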

#49 nitrogrlie (Member)
    Originally Posted by Cypher:
    At any rate, you'll still need to hook the NtQueryVirtualMemory API if you're in usermode, because even if you can work out how to write to the VAD tree that will do you little good because there's still no way to spoof the values (i.e. keep the pages executable but make them look free).
    You are probably right, but I wonder if you couldn't get away with labeling them as free but page-guarding them so they don't get overwritten, and playing with VirtualProtect when you need to execute. N/m, I guess that won't work because you need at least some stub of an executable thread always spinning to detect even the smallest IPC message and handle it.

#50 Cypher
    Originally Posted by nitrogrlie:
    You are probably right, but I wonder if you couldn't get away with labeling them as free but page-guarding them so they don't get overwritten, and playing with VirtualProtect when you need to execute. N/m, I guess that won't work because you need at least some stub of an executable thread always spinning to detect even the smallest IPC message and handle it.
    Still wouldn't work, because you still need to hide the file mapping, which you can't do from usermode without either manually mapping your module or hooking NtQueryVirtualMemory.
