libpeconv/peb__lookup_8cpp_source.html

#include "ntddk.h"

#ifdef _DEBUG

#include <iostream>

#endif

#include <peconv/peb_lookup.h>


class SectionLocker {

public:


    SectionLocker(RTL_CRITICAL_SECTION &_section)

        : section(_section)

    {

        RtlEnterCriticalSection(&section);

    }


    ~SectionLocker()

    {

        RtlLeaveCriticalSection(&section);

    }


protected:

    RTL_CRITICAL_SECTION &section;

};


//here we don't want to use any functions imported form extenal modules


typedef struct _LDR_MODULE {

    LIST_ENTRY  InLoadOrderModuleList;//   +0x00

    LIST_ENTRY  InMemoryOrderModuleList;// +0x08

    LIST_ENTRY  InInitializationOrderModuleList;// +0x10

    void*   BaseAddress; // +0x18

    void*   EntryPoint;  // +0x1c

    ULONG   SizeOfImage;

    UNICODE_STRING FullDllName;

    UNICODE_STRING BaseDllName;

    ULONG   Flags;

    SHORT   LoadCount;

    SHORT   TlsIndex;

    HANDLE  SectionHandle;

    ULONG   CheckSum;

    ULONG   TimeDateStamp;

} LDR_MODULE, *PLDR_MODULE;


inline PPEB get_peb()

{

#if defined(_M_AMD64)

    return (PPEB)__readgsqword(0x60);

#elif defined(_M_ARM64)

    PPEB peb = (PPEB)(*(__getReg(18) + 0x60));

    #ifdef _DEBUG

    std::cout << "[+] ARM64 TEB: " << __getReg(18) << " PEB: " <<  peb << "\n";

    #endif

    return peb;

#else

    return (PPEB)__readfsdword(0x30);

/*

//alternative way to fetch it:

    LPVOID PEB = NULL;

    __asm {

        mov eax, fs:[30h]

        mov PEB, eax

    };

    return (PPEB)PEB;


    or:

    LPVOID PEB = RtlGetCurrentPeb();

*/

#endif

}


inline WCHAR to_lowercase(WCHAR c1)

{

    if (c1 <= L'Z' && c1 >= L'A') {

        c1 = (c1 - L'A') + L'a';

    }

    return c1;

}


bool is_wanted_module(LPCWSTR curr_name, LPCWSTR wanted_name)

{

    if (wanted_name == NULL || curr_name == NULL) return false;


    LPCWSTR curr_end_ptr = curr_name;

    while (*curr_end_ptr != L'\0') {

        curr_end_ptr++;

    }

    if (curr_end_ptr == curr_name) return false;


    LPCWSTR wanted_end_ptr = wanted_name;

    while (*wanted_end_ptr != L'\0') {

        wanted_end_ptr++;

    }

    if (wanted_end_ptr == wanted_name) return false;


    while ((curr_end_ptr != curr_name) && (wanted_end_ptr != wanted_name)) {


        if (to_lowercase(*wanted_end_ptr) != to_lowercase(*curr_end_ptr)) {

            return false;

        }

        wanted_end_ptr--;

        curr_end_ptr--;

    }

    return true;

}


HMODULE peconv::get_module_via_peb(IN OPTIONAL LPCWSTR module_name)

{

    PPEB peb = get_peb();

    if (!peb) {

        return NULL;

    }

    SectionLocker locker(*peb->LoaderLock);

    LIST_ENTRY head = peb->Ldr->InLoadOrderModuleList;


    const PLDR_MODULE first_module = *((PLDR_MODULE *)(&head));

    PLDR_MODULE curr_module = first_module;

    if (!module_name) {

        return (HMODULE)(curr_module->BaseAddress);

    }


    // it is a cyclic list, so if the next record links to the initial one, it means we went throught the full loop

    do {

        // this should also work as a terminator, because the BaseAddress of the last module in the cycle is NULL

        if (curr_module == NULL || curr_module->BaseAddress == NULL) {

            break;

        }

        if (is_wanted_module(curr_module->BaseDllName.Buffer, module_name)) {

            return (HMODULE)(curr_module->BaseAddress);

        }

        curr_module = (PLDR_MODULE)curr_module->InLoadOrderModuleList.Flink;


    } while (curr_module != first_module);


    return NULL;

}


size_t peconv::get_module_size_via_peb(IN OPTIONAL HMODULE hModule)

{

    PPEB peb = get_peb();

    if (!peb) {

        return 0;

    }

    SectionLocker locker(*peb->LoaderLock);

    LIST_ENTRY head = peb->Ldr->InLoadOrderModuleList;


    const PLDR_MODULE first_module = *((PLDR_MODULE *)(&head));

    PLDR_MODULE curr_module = first_module;

    if (!hModule) {

        return (size_t)(curr_module->SizeOfImage);

    }


    // it is a cyclic list, so if the next record links to the initial one, it means we went throught the full loop

    do {

        // this should also work as a terminator, because the BaseAddress of the last module in the cycle is NULL

        if (curr_module == NULL || curr_module->BaseAddress == NULL) {

            break;

        }

        if (hModule == (HMODULE)(curr_module->BaseAddress)) {

            return (size_t)(curr_module->SizeOfImage);

        }

        curr_module = (PLDR_MODULE)curr_module->InLoadOrderModuleList.Flink;


    } while (curr_module != first_module);


    return 0;

}


bool peconv::set_main_module_in_peb(HMODULE module_ptr)

{

    PPEB peb = get_peb();

    if (peb == NULL) {

        return false;

    }

    SectionLocker locker(*peb->FastPebLock);

    peb->ImageBaseAddress = module_ptr;

    return true;

}


HMODULE peconv::get_main_module_via_peb()

{

    PPEB peb = get_peb();

    if (peb == NULL) {

        return NULL;

    }

    SectionLocker locker(*peb->FastPebLock);

    return (HMODULE) peb->ImageBaseAddress;

}


SectionLocker
Definition peb_lookup.cpp:7

SectionLocker::SectionLocker
SectionLocker(RTL_CRITICAL_SECTION &_section)
Definition peb_lookup.cpp:9

SectionLocker::~SectionLocker
~SectionLocker()
Definition peb_lookup.cpp:15

SectionLocker::section
RTL_CRITICAL_SECTION & section
Definition peb_lookup.cpp:21

parse_delayed_desc
bool parse_delayed_desc(BYTE *modulePtr, const size_t moduleSize, const ULONGLONG img_base, LPSTR lib_name, const T_FIELD ordinal_flag, IMAGE_DELAYLOAD_DESCRIPTOR *desc, peconv::t_function_resolver *func_resolver)
Definition delayed_imports_loader.cpp:26

peconv::get_main_module_via_peb
HMODULE get_main_module_via_peb()
Definition peb_lookup.cpp:178

peconv::get_module_via_peb
HMODULE get_module_via_peb(IN OPTIONAL LPCWSTR module_name=nullptr)
Definition peb_lookup.cpp:105

peconv::set_main_module_in_peb
bool set_main_module_in_peb(HMODULE hModule)
Definition peb_lookup.cpp:167

peconv::get_module_size_via_peb
size_t get_module_size_via_peb(IN OPTIONAL HMODULE hModule=nullptr)
Definition peb_lookup.cpp:136

PLDR_MODULE
struct _LDR_MODULE * PLDR_MODULE

is_wanted_module
bool is_wanted_module(LPCWSTR curr_name, LPCWSTR wanted_name)
Definition peb_lookup.cpp:78

get_peb
PPEB get_peb()
Definition peb_lookup.cpp:43

to_lowercase
WCHAR to_lowercase(WCHAR c1)
Definition peb_lookup.cpp:70

LDR_MODULE
struct _LDR_MODULE LDR_MODULE

peb_lookup.h
Functions for retrieving process information from PEB.

_LDR_MODULE
Definition peb_lookup.cpp:26

_LDR_MODULE::InLoadOrderModuleList
LIST_ENTRY InLoadOrderModuleList
Definition peb_lookup.cpp:27

_LDR_MODULE::FullDllName
UNICODE_STRING FullDllName
Definition peb_lookup.cpp:33

_LDR_MODULE::CheckSum
ULONG CheckSum
Definition peb_lookup.cpp:39

_LDR_MODULE::SizeOfImage
ULONG SizeOfImage
Definition peb_lookup.cpp:32

_LDR_MODULE::TlsIndex
SHORT TlsIndex
Definition peb_lookup.cpp:37

_LDR_MODULE::SectionHandle
HANDLE SectionHandle
Definition peb_lookup.cpp:38

_LDR_MODULE::TimeDateStamp
ULONG TimeDateStamp
Definition peb_lookup.cpp:40

_LDR_MODULE::EntryPoint
void * EntryPoint
Definition peb_lookup.cpp:31

_LDR_MODULE::Flags
ULONG Flags
Definition peb_lookup.cpp:35

_LDR_MODULE::InMemoryOrderModuleList
LIST_ENTRY InMemoryOrderModuleList
Definition peb_lookup.cpp:28

_LDR_MODULE::BaseAddress
void * BaseAddress
Definition peb_lookup.cpp:30

_LDR_MODULE::BaseDllName
UNICODE_STRING BaseDllName
Definition peb_lookup.cpp:34

_LDR_MODULE::LoadCount
SHORT LoadCount
Definition peb_lookup.cpp:36

_LDR_MODULE::InInitializationOrderModuleList
LIST_ENTRY InInitializationOrderModuleList
Definition peb_lookup.cpp:29