Avoid undocumented API calls (RtlImageNtHeader)?

Forum for discussion about user-mode development.
j4ck
Posts: 3
Joined: Wed Dec 19, 2018 3:06 am

Avoid undocumented API calls (RtlImageNtHeader)?

Post by j4ck » Wed Dec 19, 2018 3:17 am

I am developing code to hook a function in a remote process and I need to search for an unexported function. To get the search space, I need to get the size of the module. The usual way I've seen people do this is by RtlImageNtHeader. But I'm thinking, why not just use the documented function GetModuleInformation? Wouldn't it be less suspicious?

Which would you use and why?

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Avoid undocumented API calls (RtlImageNtHeader)?

Post by EP_X0FF » Wed Dec 19, 2018 3:33 am

It is trivial.

Code:

#ifndef MAX_DOS_HEADER
#define MAX_DOS_HEADER 0x1000 /* not an SDK constant; assumed upper bound on e_lfanew (left undefined in the post as written) */
#endif

PIMAGE_NT_HEADERS NtHeaders = NULL;
if ((((PIMAGE_DOS_HEADER)Base)->e_magic == IMAGE_DOS_SIGNATURE) &&
    (((ULONG)((PIMAGE_DOS_HEADER)Base)->e_lfanew) < MAX_DOS_HEADER)) {
    NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew);
    if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        NtHeaders = NULL; /* MZ stub present but no PE signature where e_lfanew points */
    }
}
Ring0 - the source of inspiration
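As an added example (not code from the thread, from EP_X0FF, or from any Windows component), here is the same header walk carried through to what the question actually needs: read OptionalHeader.SizeOfImage, which is the value GetModuleInformation would hand back in MODULEINFO.SizeOfImage, and use it to bound a masked byte-pattern scan for an unexported routine. It is written in portable C against a constructed in-memory PE image so it runs without windows.h; the winnt.h constants are reproduced by value, MAX_E_LFANEW is an assumed sanity bound rather than an SDK constant, and on Windows `base` would be the real module base from GetModuleHandle or EnumProcessModules. SizeOfImage sits at the same optional-header offset in PE32 and PE32+, so one reader covers both.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* winnt.h constants reproduced so this compiles without windows.h. */
#define IMAGE_DOS_SIGNATURE            0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE             0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10B
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20B
#define MAX_E_LFANEW                   0x1000      /* assumed sanity bound on e_lfanew; not an SDK value */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* DOS header -> NT headers -> optional header, by hand, returning SizeOfImage
 * (the module's extent in memory, i.e. the search-space bound). 0 on any failed check. */
uint32_t pe_size_of_image(const uint8_t *base, size_t mapped_len)
{
    if (mapped_len < 0x40 || rd16(base) != IMAGE_DOS_SIGNATURE) return 0;
    int32_t e_lfanew = (int32_t)rd32(base + 0x3C);
    if (e_lfanew < 0x40 || e_lfanew >= MAX_E_LFANEW) return 0;
    /* Signature(4) + IMAGE_FILE_HEADER(20) + optional header through SizeOfImage(60) must fit */
    if ((size_t)e_lfanew + 4 + 20 + 60 > mapped_len) return 0;
    const uint8_t *nt = base + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return 0;
    if (rd16(nt + 4 + 16) < 60) return 0;             /* FileHeader.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) return 0;
    return rd32(opt + 56);                            /* OptionalHeader.SizeOfImage, PE32 and PE32+ */
}

/* First match of pat/mask ('?' = wildcard byte) in [base, base+size), or -1. */
long find_pattern(const uint8_t *base, uint32_t size, const uint8_t *pat, const char *mask)
{
    size_t n = strlen(mask);
    if (n == 0 || n > size) return -1;
    for (uint32_t i = 0; i + n <= size; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || base[i + j] == pat[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* ---- constructed test image; not a real module ------------------------ */
#define IMG_LEN            0x200
#define IMG_E_LFANEW       0x80
#define IMG_SIZE_OF_IMAGE  0x1C0
#define STUB_OFFSET        0x190   /* inside SizeOfImage */
#define DECOY_OFFSET       0x1F0   /* past SizeOfImage but still inside the buffer */

static const uint8_t kStub[]  = {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83,0xEC,0x20}; /* common x64 prologue */
static const uint8_t kDecoy[] = {0xCC,0xCC,0xCC,0xCC};

static void build_test_image(uint8_t *buf)
{
    memset(buf, 0, IMG_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    uint32_t lfanew = IMG_E_LFANEW;                   memcpy(buf + 0x3C, &lfanew, 4);
    uint8_t *nt = buf + IMG_E_LFANEW;
    nt[0] = 'P'; nt[1] = 'E';                         /* bytes 2,3 stay zero */
    uint16_t opt_size = 0xF0;                         memcpy(nt + 4 + 16, &opt_size, 2);
    uint16_t magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC;   memcpy(nt + 24, &magic, 2);
    uint32_t soi = IMG_SIZE_OF_IMAGE;                 memcpy(nt + 24 + 56, &soi, 4);
    memcpy(buf + STUB_OFFSET,  kStub,  sizeof kStub);
    memcpy(buf + DECOY_OFFSET, kDecoy, sizeof kDecoy);
}

/* Offset of the "unexported" stub, scanning only within SizeOfImage. */
long demo_locate_stub(void)
{
    uint8_t img[IMG_LEN];
    build_test_image(img);
    uint32_t size = pe_size_of_image(img, sizeof img);
    if (size == 0 || size > sizeof img) return -1;
    return find_pattern(img, size, kStub, "xxxx?xxxxx");
}

/* 1 if the bound really excludes bytes placed past SizeOfImage. */
int demo_bound_excludes_decoy(void)
{
    uint8_t img[IMG_LEN];
    build_test_image(img);
    uint32_t size = pe_size_of_image(img, sizeof img);
    return find_pattern(img, size, kDecoy, "xxxx") == -1
        && find_pattern(img, IMG_LEN, kDecoy, "xxxx") == DECOY_OFFSET;
}

/* A header whose e_lfanew points outside the mapping must be rejected (0). */
uint32_t demo_bad_lfanew(void)
{
    uint8_t img[IMG_LEN];
    build_test_image(img);
    uint32_t bogus = 0x7FFFFFF0;
    memcpy(img + 0x3C, &bogus, 4);
    return pe_size_of_image(img, sizeof img);
}

int main(void)
{
    printf("stub@0x%lx bound_ok=%d bad_lfanew=%u\n",
           demo_locate_stub(), demo_bound_excludes_decoy(), demo_bad_lfanew());
    return 0;
}
```

When the target lives in another process, the same walk applies to a header buffer copied out with ReadProcessMemory; the point of reading SizeOfImage first is that the scan never strays past the module into whatever happens to be mapped next.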

j4ck
Posts: 3
Joined: Wed Dec 19, 2018 3:06 am

Re: Avoid undocumented API calls (RtlImageNtHeader)?

Post by j4ck » Wed Dec 19, 2018 4:12 am

Ah, I see. That's a much better way. Thanks.
