
Commit f1b1b2b

Add files via upload
1 parent bd1939f commit f1b1b2b


1 file changed

+6
-89
lines changed

1 file changed

+6
-89
lines changed

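--- a/GetModuleHandle/Program.cs
+++ b/GetModuleHandle/Program.cs
@@ -1,21 +1,16 @@
 using System;
 using System.Diagnostics;
-using System.IO;
 using System.Runtime.InteropServices;
 
 
 namespace GetModuleHandle
 {
 internal class Program
 {
-// [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
 [DllImport("ntdll.dll", SetLastError = true)] static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref PROCESS_BASIC_INFORMATION pbi, uint processInformationLength, ref uint returnLength);
+private struct PROCESS_BASIC_INFORMATION { public uint ExitStatus; public IntPtr PebBaseAddress; public UIntPtr AffinityMask; public int BasePriority; public UIntPtr UniqueProcessId; public UIntPtr InheritedFromUniqueProcessId; }
 // [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] public static extern IntPtr GetModuleHandle([MarshalAs(UnmanagedType.LPWStr)] string lpModuleName);
-private struct PROCESS_BASIC_INFORMATION { public uint ExitStatus; public IntPtr PebBaseAddress; public UIntPtr AffinityMask; public int BasePriority; public UIntPtr UniqueProcessId; public UIntPtr InheritedFromUniqueProcessId; }
-// unsafe struct LIST_ENTRY { public byte* Flink; public byte* Blink; }
-// unsafe struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public char* Buffer; }
-// struct LDR_DATA_TABLE_ENTRY { public LIST_ENTRY InMemoryOrderLinks; public LIST_ENTRY InInitializationOrderList; public IntPtr DllBase; public IntPtr EntryPoint; private IntPtr Reserved3; public UNICODE_STRING FullDllName; public UNICODE_STRING BaseDllName; }
-
+
 
 private static T MarshalBytesTo<T>(byte[] bytes) {
 GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
@@ -30,107 +25,29 @@ unsafe static IntPtr auxGetModuleHandle(String dll_name) {
 PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
 uint temp = 0;
 NtQueryInformationProcess(hProcess, 0x0, ref pbi, (uint)(IntPtr.Size * 6), ref temp);
-
 IntPtr ldr_pointer = (IntPtr)((Int64)pbi.PebBaseAddress + 0x18);
 IntPtr ldr_adress = Marshal.ReadIntPtr(ldr_pointer);
-
-// Source: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntpsapi_x/peb_ldr_data.htm
 IntPtr InInitializationOrderModuleList = ldr_adress + 0x30;
-/*
-byte[] data5 = new byte[Marshal.SizeOf(typeof(LIST_ENTRY))];
-ReadProcessMemory(hProcess, InInitializationOrderModuleList, data5, data5.Length, out _);
-LIST_ENTRY inInitializationOrderModuleList_list_entry = MarshalBytesTo<LIST_ENTRY>(data5);
-IntPtr next_flink = ((IntPtr)inInitializationOrderModuleList_list_entry.Flink);
-*/
+
 IntPtr next_flink = Marshal.ReadIntPtr(InInitializationOrderModuleList);
-Console.WriteLine(next_flink);
-
 IntPtr dll_base = (IntPtr) 1;
-
-/*
-// FOR DEBUGGING
-IntPtr InLoadOrderModuleList = ldr_adress + 0x10;
-IntPtr InMemoryOrderModuleList = ldr_adress + 0x20;
-
-// InLoadOrderModuleList
-byte[] data3 = new byte[Marshal.SizeOf(typeof(LIST_ENTRY))];
-ReadProcessMemory(hProcess, InLoadOrderModuleList, data3, data3.Length, out _);
-LIST_ENTRY InLoadOrderModuleList_list_entry = MarshalBytesTo<LIST_ENTRY>(data3);
-// InMemoryOrderModuleList
-byte[] data4 = new byte[Marshal.SizeOf(typeof(LIST_ENTRY))];
-ReadProcessMemory(hProcess, InMemoryOrderModuleList, data4, data4.Length, out _);
-LIST_ENTRY InMemoryOrderModuleList_list_entry = MarshalBytesTo<LIST_ENTRY>(data4);
-
-Console.WriteLine("LdrTest: \t\t\t\t\t\t0x" + ldr_adress.ToString("X"));
-Console.WriteLine("InLoadOrderModuleList: \t\t\t\t\t0x" + InLoadOrderModuleList.ToString("X"));
-Console.WriteLine("InLoadOrderModuleList_list_entry.Flink :\t\t0x" + ((int)InLoadOrderModuleList_list_entry.Flink).ToString("X"));
-Console.WriteLine("InLoadOrderModuleList_list_entry.Blink :\t\t0x" + ((int)InLoadOrderModuleList_list_entry.Blink).ToString("X"));
-Console.WriteLine("InMemoryOrderModuleList: \t\t\t\t0x" + InMemoryOrderModuleList.ToString("X"));
-Console.WriteLine("InMemoryOrderModuleList_list_entry.Flink :\t\t0x" + ((int)InMemoryOrderModuleList_list_entry.Flink).ToString("X"));
-Console.WriteLine("InMemoryOrderModuleList_list_entry.Blink :\t\t0x" + ((int)InMemoryOrderModuleList_list_entry.Blink).ToString("X"));
-Console.WriteLine("InInitializationOrderModuleList: \t\t\t0x" + InInitializationOrderModuleList.ToString("X"));
-Console.WriteLine("InInitializationOrderModuleList_list_entry.Flink :\t0x" + inInitializationOrderModuleList_list_entry_flink.ToString("X"));
-Console.WriteLine("InInitializationOrderModuleList_list_entry.Blink :\t0x" + ((int)inInitializationOrderModuleList_list_entry.Blink).ToString("X"));
-*/
-
 while (dll_base != IntPtr.Zero)
 {
-next_flink = next_flink - 0x10;
-
-/*
-byte[] data6 = new byte[Marshal.SizeOf(typeof(LDR_DATA_TABLE_ENTRY))];
-ReadProcessMemory(hProcess, next_flink, data6, data6.Length, out _);
-LDR_DATA_TABLE_ENTRY ldr_data_table_entry_test = MarshalBytesTo<LDR_DATA_TABLE_ENTRY>(data6);
-*/
-/*
-struct LDR_DATA_TABLE_ENTRY { public LIST_ENTRY InMemoryOrderLinks; public LIST_ENTRY InInitializationOrderList; public IntPtr DllBase; public IntPtr EntryPoint; private IntPtr Reserved3; public UNICODE_STRING FullDllName; public UNICODE_STRING BaseDllName; }
-*/
-
-dll_base = Marshal.ReadIntPtr(next_flink + 0x20); // dll_base = ldr_data_table_entry_test.DllBase;
-
-// String base_dll_name = new String(ldr_data_table_entry_test.BaseDllName.Buffer);
-
-/*
-Int16 test = Marshal.ReadInt16(next_flink + 0x48);
-Console.WriteLine("Length: " + test);
-Int16 test2 = Marshal.ReadInt16(next_flink + 0x4a);
-Console.WriteLine("MaximumLength: " + test2);
-*/
+next_flink = next_flink - 0x10;
+dll_base = Marshal.ReadIntPtr(next_flink + 0x20);
 IntPtr buffer = Marshal.ReadIntPtr(next_flink + 0x50);
-
-// Console.WriteLine("next_flink + 0x50: \t0x" + (next_flink + 0x50).ToString("X"));
-// Console.WriteLine("buffer: \t0x" + buffer.ToString("X"));
-
 String char_aux = null;
 String base_dll_name = "";
 while (char_aux != "") {
 char_aux = Marshal.PtrToStringAnsi(buffer);
 buffer += 2;
 base_dll_name += char_aux;
 }
-
-/*
-Console.WriteLine("ldr_data_table_entry_test.BaseDllName.Length: " + (int)ldr_data_table_entry_test.BaseDllName.Length);
-Console.WriteLine("ldr_data_table_entry_test.BaseDllName.MaximumLength: " + (int)ldr_data_table_entry_test.BaseDllName.MaximumLength);
-Console.WriteLine("ldr_data_table_entry_test.BaseDllName.Buffer: 0x" + ((int)ldr_data_table_entry_test.BaseDllName.Buffer).ToString("X"));
-*/
-next_flink = Marshal.ReadIntPtr(next_flink + 0x10); // next_flink = (IntPtr)ldr_data_table_entry_test.InInitializationOrderList.Flink;
-
-// Console.WriteLine(base_dll_name);
-// Console.WriteLine(dll_base.ToString("X"));
-// Console.ReadLine();
+next_flink = Marshal.ReadIntPtr(next_flink + 0x10);
 if (dll_name.ToLower() == base_dll_name.ToLower())
 {
 return dll_base;
 }
-/*
-// FOR DEBUGGING
-Console.WriteLine("FullDllName: \t" + new String(ldr_data_table_entry_test.FullDllName.Buffer));
-Console.WriteLine("BaseDllName: \t" + base_dll_name);
-Console.WriteLine("DllBase: \t0x" + dll_base.ToString("X"));
-Console.WriteLine("Flink: \t0x{0}", next_flink.ToString("X"));
-Console.ReadLine();
-*/
 }
 return IntPtr.Zero;
 }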
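Review bot: The inner `while (char_aux != "")` loop still reads the module name with `Marshal.PtrToStringAnsi(buffer)` while advancing two bytes at a time, which only reassembles the name when every UTF-16 character is plain ASCII and has no length bound, so a non-ASCII character truncates or garbles the name and a missing terminator reads past the buffer. The removed debug lines read the string's Length at `next_flink + 0x48`, so a bounded read such as `String base_dll_name = Marshal.PtrToStringUni(buffer, Marshal.ReadInt16(next_flink + 0x48) / 2);` could replace the loop. The return value of `NtQueryInformationProcess` is also discarded, so a failed call leaves `pbi.PebBaseAddress` at zero before `Marshal.ReadIntPtr(ldr_pointer)` dereferences it. The re-added lines for `next_flink + 0x20` and `next_flink + 0x10` lost the trailing comments that named the fields, and the `// Source:` link was deleted, so I would keep a short comment such as `// DllBase` and `// InInitializationOrderList.Flink` next to the offsets. auxGetModuleHandle begins above this hunk, so the handle acquisition is not visible here.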
