
Commit c9ee50f

Add files via upload
1 parent f1b1b2b commit c9ee50f


1 file changed

+60
-27
lines changed


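--- a/GetModuleHandle/Program.cs
+++ b/GetModuleHandle/Program.cs
@@ -7,69 +7,102 @@ namespace GetModuleHandle
 {
 internal class Program
 {
-[DllImport("ntdll.dll", SetLastError = true)] static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref PROCESS_BASIC_INFORMATION pbi, uint processInformationLength, ref uint returnLength);
-private struct PROCESS_BASIC_INFORMATION { public uint ExitStatus; public IntPtr PebBaseAddress; public UIntPtr AffinityMask; public int BasePriority; public UIntPtr UniqueProcessId; public UIntPtr InheritedFromUniqueProcessId; }
-// [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] public static extern IntPtr GetModuleHandle([MarshalAs(UnmanagedType.LPWStr)] string lpModuleName);
+[DllImport("ntdll.dll", SetLastError = true)]
+public static extern uint NtQueryInformationProcess(
+IntPtr processHandle,
+int processInformationClass,
+IntPtr pbi,
+uint processInformationLength,
+out IntPtr returnLength
+);
 
+public unsafe static IntPtr CustomGetModuleHandle(String dll_name, uint process_basic_information_size, int peb_offset, int ldr_offset, int inInitializationOrderModuleList_offset, int flink_dllbase_offset, int flink_buffer_offset)
+{
+IntPtr hProcess = Process.GetCurrentProcess().Handle;
 
-private static T MarshalBytesTo<T>(byte[] bytes) {
-GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
-T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
-handle.Free();
-return theStructure;
-}
+// Create byte array with the size of the PROCESS_BASIC_INFORMATION structure
+byte[] pbi_byte_array = new byte[process_basic_information_size];
 
+// Create a PROCESS_BASIC_INFORMATION structure in the byte array
+IntPtr pbi_addr = IntPtr.Zero;
+fixed (byte* p = pbi_byte_array)
+{
+pbi_addr = (IntPtr)p;
+NtQueryInformationProcess(hProcess, 0x0, pbi_addr, process_basic_information_size, out _);
+Console.WriteLine("[+] Process_Basic_Information Address: \t\t0x" + pbi_addr.ToString("X"));
+}
 
-unsafe static IntPtr auxGetModuleHandle(String dll_name) {
-IntPtr hProcess = Process.GetCurrentProcess().Handle;
-PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
-uint temp = 0;
-NtQueryInformationProcess(hProcess, 0x0, ref pbi, (uint)(IntPtr.Size * 6), ref temp);
-IntPtr ldr_pointer = (IntPtr)((Int64)pbi.PebBaseAddress + 0x18);
+// Get PEB Base Address
+IntPtr peb_pointer = pbi_addr + peb_offset;
+Console.WriteLine("[+] PEB Address Pointer:\t\t\t0x"+peb_pointer.ToString("X"));
+IntPtr pebaddress = Marshal.ReadIntPtr(peb_pointer);
+Console.WriteLine("[+] PEB Address:\t\t\t\t0x" + pebaddress.ToString("X"));
+
+// Get Ldr
+IntPtr ldr_pointer = pebaddress + ldr_offset;
 IntPtr ldr_adress = Marshal.ReadIntPtr(ldr_pointer);
-IntPtr InInitializationOrderModuleList = ldr_adress + 0x30;
+Console.WriteLine("[+] LDR Pointer:\t\t\t\t0x" + ldr_pointer.ToString("X"));
+Console.WriteLine("[+] LDR Address:\t\t\t\t0x" + ldr_adress.ToString("X"));
+
+// Get InInitializationOrderModuleList (LIST_ENTRY) inside _PEB_LDR_DATA struct
+IntPtr InInitializationOrderModuleList = ldr_adress + inInitializationOrderModuleList_offset;
+Console.WriteLine("[+] InInitializationOrderModuleList:\t\t0x" + InInitializationOrderModuleList.ToString("X"));
 
 IntPtr next_flink = Marshal.ReadIntPtr(InInitializationOrderModuleList);
-IntPtr dll_base = (IntPtr) 1;
+IntPtr dll_base = (IntPtr)1337;
 while (dll_base != IntPtr.Zero)
 {
-next_flink = next_flink - 0x10;
-dll_base = Marshal.ReadIntPtr(next_flink + 0x20);
-IntPtr buffer = Marshal.ReadIntPtr(next_flink + 0x50);
+next_flink = next_flink - 0x10;
+// Get DLL base address
+dll_base = Marshal.ReadIntPtr(next_flink + flink_dllbase_offset);
+IntPtr buffer = Marshal.ReadIntPtr(next_flink + flink_buffer_offset);
+// Get DLL name from buffer address
 String char_aux = null;
 String base_dll_name = "";
-while (char_aux != "") {
+while (char_aux != "")
+{
 char_aux = Marshal.PtrToStringAnsi(buffer);
 buffer += 2;
 base_dll_name += char_aux;
 }
 next_flink = Marshal.ReadIntPtr(next_flink + 0x10);
+// Compare with DLL name we are searching
 if (dll_name.ToLower() == base_dll_name.ToLower())
 {
-return dll_base;
+return dll_base;
 }
 }
+
 return IntPtr.Zero;
 }
 
-
 static void Main(string[] args)
 {
 if (args.Length < 1)
 {
-Console.WriteLine("[-] Usage: GetModuleHandle.exe DLL_NAME");
+Console.WriteLine("[-] Usage: GetModuleHandle.exe DLL_NAME.dll");
 System.Environment.Exit(0);
 }
 string dll_name = args[0];
-IntPtr base_address = auxGetModuleHandle(dll_name);
-
+IntPtr base_address = IntPtr.Zero;
+if (IntPtr.Size == 4)
+{
+Console.WriteLine("[+] 32-bit process");
+base_address = CustomGetModuleHandle(dll_name, 24, 0x4, 0x0c, 0x1c, 0x18, 0x30);
+}
+else if (IntPtr.Size == 8)
+{
+Console.WriteLine("[+] 64-bit process");
+base_address = CustomGetModuleHandle(dll_name, 48, 0x8, 0x18, 0x30, 0x20, 0x50);
+}
+
 if (base_address == IntPtr.Zero)
 {
 Console.WriteLine("[-] DLL name not found");
 }
 else
 {
-Console.WriteLine("[+] Base address of {0}: \t0x{1}", dll_name, base_address.ToString("X"));
+Console.WriteLine("[+] RESULT: \t\t\t\t\t0x{1}", dll_name, base_address.ToString("X"));
 // Console.WriteLine("[+] Base address of {0}: \t0x{1} [GetModuleHandle]", dll_name, GetModuleHandle(dll_name).ToString("X"));
 }
 }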
