Change PEB Name

Post date: Dec 9, 2010 10:45:58 PM

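This snippet shows how a 32-bit process can spoof its own module name as recorded in the PEB loader (LDR) module list. It overwrites the FullDllName string of the first entry in the load-order list, which is the entry for the main executable, with a caller-supplied path.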

Author: SF6

Modded by: steve10120

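// Requires the Windows unit (DWORD, PDWORD, lstrlenW). 32-bit (x86) only:
// the FS:[$30] read and every offset below are specific to the x86 layout.
procedure ChangePebName(szPath:PWideChar);
//SF6 & steve10120
var
  pPEB:       Pointer;
  dwLen:      DWORD;
  pLdrModule: Pointer;
begin
  // FS:[$30] in the TEB holds the address of the PEB
  asm
    MOV EAX, FS:[$30]
    MOV pPEB, EAX
  end;
  // Length of the new path in bytes (UTF-16, no terminator)
  dwLen := lstrlenW(szPath) * 2;
  // PEB + $C -> PEB.Ldr (pointer to PEB_LDR_DATA)
  pLdrModule := Pointer(PDWORD(DWORD(pPEB) + $C)^);
  // PEB_LDR_DATA + $C -> InLoadOrderModuleList.Flink, the first
  // LDR_DATA_TABLE_ENTRY (the main executable)
  pLdrModule := Pointer(PDWORD(DWORD(pLdrModule) + $C)^);
  // Entry + $24 -> FullDllName.Length; written as a DWORD, so the high
  // word also sets FullDllName.MaximumLength (+ $26) to zero
  PDWORD(DWORD(pLdrModule) + $24)^ := dwLen;
  // Entry + $28 -> FullDllName.Buffer; the pointer is stored, not copied
  PDWORD(DWORD(pLdrModule) + $28)^ := DWORD(szPath);
end;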
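
From the detection side, the two writes above leave artifacts that a memory-analysis check can look for. The following is an added example, not code from the original authors: it walks the same offsets over a constructed 32-bit memory region and compares FullDllName with a trusted image path. Assumptions: the function names and sample layout are hypothetical, and the trusted path comes from a source the process cannot rewrite from user mode (for example QueryFullProcessImageNameW or the kernel's process object).

```python
import struct

BASE = 0x10000  # constructed base address of the sample memory region

def build_sample(real_path, spoofed_path=None):
    """Constructed 32-bit memory: PEB at +0x000, PEB_LDR_DATA at +0x100,
    first LDR_DATA_TABLE_ENTRY at +0x200, string buffers at +0x300/+0x500."""
    mem = bytearray(0x800)
    raw = real_path.encode("utf-16-le")
    struct.pack_into("<I", mem, 0x00C, BASE + 0x100)  # PEB.Ldr
    struct.pack_into("<I", mem, 0x10C, BASE + 0x200)  # InLoadOrderModuleList.Flink
    # FullDllName: Length, MaximumLength, Buffer
    struct.pack_into("<HHI", mem, 0x224, len(raw), len(raw) + 2, BASE + 0x300)
    mem[0x300:0x300 + len(raw)] = raw
    if spoofed_path is not None:
        fake = spoofed_path.encode("utf-16-le")
        mem[0x500:0x500 + len(fake)] = fake
        # Mirrors the snippet's two DWORD writes at +$24 and +$28
        struct.pack_into("<II", mem, 0x224, len(fake), BASE + 0x500)
    return bytes(mem)

def read_full_dll_name(mem, peb=BASE):
    """Follow PEB -> Ldr -> first load-order entry -> FullDllName."""
    ldr = struct.unpack_from("<I", mem, peb + 0x0C - BASE)[0]
    entry = struct.unpack_from("<I", mem, ldr + 0x0C - BASE)[0]
    length, max_len, buf = struct.unpack_from("<HHI", mem, entry + 0x24 - BASE)
    name = mem[buf - BASE:buf - BASE + length].decode("utf-16-le")
    return name, length, max_len

def check_process(mem, trusted_path):
    """Return findings; an empty list means the PEB name looks consistent."""
    name, length, max_len = read_full_dll_name(mem)
    findings = []
    if name.lower() != trusted_path.lower():
        findings.append("FullDllName differs from trusted image path")
    if max_len < length:
        findings.append("MaximumLength < Length")
    return findings

if __name__ == "__main__":
    real = r"C:\Users\test\sample.exe"  # constructed sample paths
    for label, mem in (("clean", build_sample(real)),
                       ("spoofed", build_sample(real, r"C:\Windows\explorer.exe"))):
        print(label, read_full_dll_name(mem)[0], check_process(mem, real))
```

A real comparison also has to normalise path forms (NT device paths versus drive-letter paths) before matching; the constructed sample uses one form for both.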