https://github.com/i32-sudo/psloadedmodulelist-dkom-unlinking
PsLoadedModuleList Unlinking through DKOM Manipulation
https://github.com/i32-sudo/psloadedmodulelist-dkom-unlinking
dkom eprocess list module ntoskrnl patchguard process psloadedmodulelist undetected unlinking
Last synced: 11 months ago
JSON representation
PsLoadedModuleList Unlinking through DKOM Manipulation
- Host: GitHub
- URL: https://github.com/i32-sudo/psloadedmodulelist-dkom-unlinking
- Owner: i32-Sudo
- Created: 2024-06-10T03:46:59.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-06-10T03:51:06.000Z (over 1 year ago)
- Last Synced: 2025-01-15T13:06:59.592Z (about 1 year ago)
- Topics: dkom, eprocess, list, module, ntoskrnl, patchguard, process, psloadedmodulelist, undetected, unlinking
- Homepage:
- Size: 4.88 KB
- Stars: 3
- Watchers: 2
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# PsLoadedModuleList-Dkom-Unlinking
PsLoadedModuleList Unlinking through DKOM Manipulation
```cpp
EXTERN_C
PLIST_ENTRY PsLoadedModuleList;
typedef struct _KLDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
// ULONG padding on IA64
PVOID GpValue;
/*PNON_PAGED_DEBUG_INFO*/ PVOID NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused5;
PVOID SectionPointer;
ULONG CheckSum;
// ULONG padding on IA64
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY;
extern "C" void DkomUnlinking() {
PKLDR_DATA_TABLE_ENTRY pSelfEntry = nullptr;
auto pNext = PsLoadedModuleList->Flink;
if (pNext != NULL)
{
while (pNext != PsLoadedModuleList)
{
auto pEntry = CONTAINING_RECORD(pNext, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
auto pBase = pEntry->DllBase;
if (DriverObject->DriverStart == pBase)
{
pSelfEntry = pEntry;
break;
}
pNext = pNext->Flink;
}
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////
if (pSelfEntry)
{
KIRQL kIrql = KeRaiseIrqlToDpcLevel();
auto pPrevEntry = (PKLDR_DATA_TABLE_ENTRY)pSelfEntry->InLoadOrderLinks.Blink;
auto pNextEntry = (PKLDR_DATA_TABLE_ENTRY)pSelfEntry->InLoadOrderLinks.Flink;
if (pPrevEntry)
{
pPrevEntry->InLoadOrderLinks.Flink = pSelfEntry->InLoadOrderLinks.Flink;
}
if (pNextEntry)
{
pNextEntry->InLoadOrderLinks.Blink = pSelfEntry->InLoadOrderLinks.Blink;
}
pSelfEntry->InLoadOrderLinks.Flink = (PLIST_ENTRY)pSelfEntry;
pSelfEntry->InLoadOrderLinks.Blink = (PLIST_ENTRY)pSelfEntry;
KeLowerIrql(kIrql);
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////
}
```
# Contact
If you want an actually good Kernel Level Cheat that is UD My discord is -> `_ambitza`