Merge pull request #5 from rad9800/main

Create RfRemoveDllFromPeb.cpp
2022-07-21 23:52:00 -05:00 · 2022-07-21 23:52:00 -05:00 · d63e92f32d
parent f53815150d 6a79be1bb3
commit d63e92f32d
1 changed files with 78 additions and 0 deletions
--- a/API/RfRemoveDllFromPeb.cpp
+++ b/API/RfRemoveDllFromPeb.cpp
@ -0,0 +1,78 @@
+void RfRemoveEntryList(LIST_ENTRY* Entry)
+{
+	if (Entry != NULL) {
+		PLIST_ENTRY OldFlink;
+		PLIST_ENTRY OldBlink;
+		OldFlink = Entry->Flink;
+		OldBlink = Entry->Blink;
+		OldFlink->Blink = OldBlink;
+		OldBlink->Flink = OldFlink;
+		Entry->Flink = NULL;
+		Entry->Blink = NULL;
+	}
+}
+
+BOOL RfRemoveDllFromPebW(LPCWSTR lpModuleName) {
+	PPEB Peb = GetPeb();
+	PLDR_MODULE Module = NULL;
+
+	PLIST_ENTRY Head = &Peb->LoaderData->InMemoryOrderModuleList;
+	PLIST_ENTRY Next = Head->Flink;
+	Module = (PLDR_MODULE)((PBYTE)Next - 16);
+
+	while (Next != Head)
+	{
+		Module = (PLDR_MODULE)((PBYTE)Next - 16);
+		if (Module->BaseDllName.Buffer != NULL)
+		{
+			if (StringCompareW(lpModuleName, Module->BaseDllName.Buffer) == 0)
+			{
+				RemoveEntryList(&Module->InLoadOrderModuleList);
+				RemoveEntryList(&Module->InInitializationOrderModuleList);
+				RemoveEntryList(&Module->InMemoryOrderModuleList);
+				RemoveEntryList(&Module->HashTableEntry);
+				
+				return TRUE;
+			}
+				
+		}
+
+		Next = Next->Flink;
+	}
+
+	return FALSE;
+}
+
+BOOL RfRemoveDllFromPebA(LPCSTR lpModuleName) {
+	PPEB Peb = GetPeb();
+	PLDR_MODULE Module = NULL;
+	CHAR wDllName[64] = { 0 };
+	PLIST_ENTRY Head = &Peb->LoaderData->InMemoryOrderModuleList;
+	PLIST_ENTRY Next = Head->Flink;
+	Module = (PLDR_MODULE)((PBYTE)Next - 16);
+
+	while (Next != Head)
+	{
+		Module = (PLDR_MODULE)((PBYTE)Next - 16);
+		if (Module->BaseDllName.Buffer != NULL)
+		{
+			RfZeroMemory(wDllName, sizeof(wDllName));
+			WCharStringToCharString(wDllName, Module->BaseDllName.Buffer, 64);
+			if (StringCompareA(lpModuleName, Module->BaseDllName.Buffer) == 0)
+			{
+
+				RemoveEntryList(&Module->InLoadOrderModuleList);
+				RemoveEntryList(&Module->InInitializationOrderModuleList);
+				RemoveEntryList(&Module->InMemoryOrderModuleList);
+				RemoveEntryList(&Module->HashTableEntry);
+
+				return TRUE;
+			}
+
+		}
+
+		Next = Next->Flink;
+	}
+
+	return FALSE;
+}