libpeconv/peb__lookup_8cpp_source.html

#include "ntddk.h"


#include <peconv/peb_lookup.h>


class SectionLocker {

public:

    SectionLocker(RTL_CRITICAL_SECTION &_section)

        : section(_section)

    {

        RtlEnterCriticalSection(&section);

    }


    ~SectionLocker()

    {

        RtlLeaveCriticalSection(&section);

    }


protected:

    RTL_CRITICAL_SECTION &section;

};


//here we don't want to use any functions imported form extenal modules


typedef struct _LDR_MODULE {

    LIST_ENTRY  InLoadOrderModuleList;//   +0x00

    LIST_ENTRY  InMemoryOrderModuleList;// +0x08

    LIST_ENTRY  InInitializationOrderModuleList;// +0x10

    void*   BaseAddress; // +0x18

    void*   EntryPoint;  // +0x1c

    ULONG   SizeOfImage;

    UNICODE_STRING FullDllName;

    UNICODE_STRING BaseDllName;

    ULONG   Flags;

    SHORT   LoadCount;

    SHORT   TlsIndex;

    HANDLE  SectionHandle;

    ULONG   CheckSum;

    ULONG   TimeDateStamp;

} LDR_MODULE, *PLDR_MODULE;


inline PPEB get_peb()

{

#if defined(_WIN64)

    return (PPEB)__readgsqword(0x60);

#else

    return (PPEB)__readfsdword(0x30);

/*

//alternative way to fetch it:

    LPVOID PEB = NULL;

    __asm {

        mov eax, fs:[30h]

        mov PEB, eax

    };

    return (PPEB)PEB;


    or:

    LPVOID PEB = RtlGetCurrentPeb();

*/

#endif

}


inline WCHAR to_lowercase(WCHAR c1)

{

    if (c1 <= L'Z' && c1 >= L'A') {

        c1 = (c1 - L'A') + L'a';

    }

    return c1;

}


bool is_wanted_module(LPWSTR curr_name, LPWSTR wanted_name)

{

    if (wanted_name == NULL || curr_name == NULL) return false;


    WCHAR *curr_end_ptr = curr_name;

    while (*curr_end_ptr != L'\0') {

        curr_end_ptr++;

    }

    if (curr_end_ptr == curr_name) return false;


    WCHAR *wanted_end_ptr = wanted_name;

    while (*wanted_end_ptr != L'\0') {

        wanted_end_ptr++;

    }

    if (wanted_end_ptr == wanted_name) return false;


    while ((curr_end_ptr != curr_name) && (wanted_end_ptr != wanted_name)) {


        if (to_lowercase(*wanted_end_ptr) != to_lowercase(*curr_end_ptr)) {

            return false;

        }

        wanted_end_ptr--;

        curr_end_ptr--;

    }

    return true;

}


HMODULE peconv::get_module_via_peb(IN OPTIONAL LPWSTR module_name)

{

    PPEB peb = get_peb();

    if (!peb) {

        return NULL;

    }

    SectionLocker locker(*peb->LoaderLock);

    LIST_ENTRY head = peb->Ldr->InLoadOrderModuleList;


    const PLDR_MODULE first_module = *((PLDR_MODULE *)(&head));

    PLDR_MODULE curr_module = first_module;

    if (!module_name) {

        return (HMODULE)(curr_module->BaseAddress);

    }


    // it is a cyclic list, so if the next record links to the initial one, it means we went throught the full loop

    do {

        // this should also work as a terminator, because the BaseAddress of the last module in the cycle is NULL

        if (curr_module == NULL || curr_module->BaseAddress == NULL) {

            break;

        }

        if (is_wanted_module(curr_module->BaseDllName.Buffer, module_name)) {

            return (HMODULE)(curr_module->BaseAddress);

        }

        curr_module = (PLDR_MODULE)curr_module->InLoadOrderModuleList.Flink;


    } while (curr_module != first_module);


    return NULL;

}


size_t peconv::get_module_size_via_peb(IN OPTIONAL HMODULE hModule)

{

    PPEB peb = get_peb();

    if (!peb) {

        return 0;

    }

    SectionLocker locker(*peb->LoaderLock);

    LIST_ENTRY head = peb->Ldr->InLoadOrderModuleList;


    const PLDR_MODULE first_module = *((PLDR_MODULE *)(&head));

    PLDR_MODULE curr_module = first_module;

    if (!hModule) {

        return (size_t)(curr_module->SizeOfImage);

    }


    // it is a cyclic list, so if the next record links to the initial one, it means we went throught the full loop

    do {

        // this should also work as a terminator, because the BaseAddress of the last module in the cycle is NULL

        if (curr_module == NULL || curr_module->BaseAddress == NULL) {

            break;

        }

        if (hModule == (HMODULE)(curr_module->BaseAddress)) {

            return (size_t)(curr_module->SizeOfImage);

        }

        curr_module = (PLDR_MODULE)curr_module->InLoadOrderModuleList.Flink;


    } while (curr_module != first_module);


    return 0;

}


bool peconv::set_main_module_in_peb(HMODULE module_ptr)

{

    PPEB peb = get_peb();

    if (peb == NULL) {

        return false;

    }

    SectionLocker locker(*peb->FastPebLock);

    peb->ImageBaseAddress = module_ptr;

    return true;

}


HMODULE peconv::get_main_module_via_peb()

{

    PPEB peb = get_peb();

    if (peb == NULL) {

        return NULL;

    }

    SectionLocker locker(*peb->FastPebLock);

    return (HMODULE) peb->ImageBaseAddress;

}

SectionLocker
Definition: peb_lookup.cpp:5

SectionLocker::SectionLocker
SectionLocker(RTL_CRITICAL_SECTION &_section)
Definition: peb_lookup.cpp:7

SectionLocker::~SectionLocker
~SectionLocker()
Definition: peb_lookup.cpp:13

SectionLocker::section
RTL_CRITICAL_SECTION & section
Definition: peb_lookup.cpp:19

peconv::get_main_module_via_peb
HMODULE get_main_module_via_peb()
Definition: peb_lookup.cpp:170

peconv::set_main_module_in_peb
bool set_main_module_in_peb(HMODULE hModule)
Definition: peb_lookup.cpp:159

peconv::get_module_size_via_peb
size_t get_module_size_via_peb(IN OPTIONAL HMODULE hModule=nullptr)
Definition: peb_lookup.cpp:128

peconv::get_module_via_peb
HMODULE get_module_via_peb(IN OPTIONAL LPWSTR module_name=nullptr)
Definition: peb_lookup.cpp:97

ntddk.h

RtlLeaveCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(IN PRTL_CRITICAL_SECTION CriticalSection)

RtlEnterCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(IN PRTL_CRITICAL_SECTION CriticalSection)

is_wanted_module
bool is_wanted_module(LPWSTR curr_name, LPWSTR wanted_name)
Definition: peb_lookup.cpp:70

PLDR_MODULE
struct _LDR_MODULE * PLDR_MODULE

get_peb
PPEB get_peb()
Definition: peb_lookup.cpp:41

to_lowercase
WCHAR to_lowercase(WCHAR c1)
Definition: peb_lookup.cpp:62

LDR_MODULE
struct _LDR_MODULE LDR_MODULE

peb_lookup.h
Functions for retrieving process information from PEB.

_LDR_MODULE
Definition: peb_lookup.cpp:24

_LDR_MODULE::InLoadOrderModuleList
LIST_ENTRY InLoadOrderModuleList
Definition: peb_lookup.cpp:25

_LDR_MODULE::FullDllName
UNICODE_STRING FullDllName
Definition: peb_lookup.cpp:31

_LDR_MODULE::CheckSum
ULONG CheckSum
Definition: peb_lookup.cpp:37

_LDR_MODULE::SizeOfImage
ULONG SizeOfImage
Definition: peb_lookup.cpp:30

_LDR_MODULE::TlsIndex
SHORT TlsIndex
Definition: peb_lookup.cpp:35

_LDR_MODULE::SectionHandle
HANDLE SectionHandle
Definition: peb_lookup.cpp:36

_LDR_MODULE::TimeDateStamp
ULONG TimeDateStamp
Definition: peb_lookup.cpp:38

_LDR_MODULE::EntryPoint
void * EntryPoint
Definition: peb_lookup.cpp:29

_LDR_MODULE::Flags
ULONG Flags
Definition: peb_lookup.cpp:33

_LDR_MODULE::InMemoryOrderModuleList
LIST_ENTRY InMemoryOrderModuleList
Definition: peb_lookup.cpp:26

_LDR_MODULE::BaseAddress
void * BaseAddress
Definition: peb_lookup.cpp:28

_LDR_MODULE::BaseDllName
UNICODE_STRING BaseDllName
Definition: peb_lookup.cpp:32

_LDR_MODULE::LoadCount
SHORT LoadCount
Definition: peb_lookup.cpp:34

_LDR_MODULE::InInitializationOrderModuleList
LIST_ENTRY InInitializationOrderModuleList
Definition: peb_lookup.cpp:27

_PEB_LDR_DATA::InLoadOrderModuleList
LIST_ENTRY InLoadOrderModuleList
Definition: ntddk.h:2662

_PEB
Definition: ntddk.h:2698

_PEB::LoaderLock
PRTL_CRITICAL_SECTION LoaderLock
Definition: ntddk.h:2769

_PEB::Ldr
PPEB_LDR_DATA Ldr
Definition: ntddk.h:2707

_PEB::ImageBaseAddress
PVOID ImageBaseAddress
Definition: ntddk.h:2706

_PEB::FastPebLock
PRTL_CRITICAL_SECTION FastPebLock
Definition: ntddk.h:2711

_UNICODE_STRING
Definition: ntddk.h:80

_UNICODE_STRING::Buffer
PWSTR Buffer
Definition: ntddk.h:83