Avoid undocumented API calls (RtlImageNtHeader)?

j4ck
Posts: 3
Joined: Wed Dec 19, 2018 3:06 am

Wed Dec 19, 2018 3:17 am

I am developing code to hook a function in a remote process and I need to search for an unexported function. To get the search space, I need to get the size of the module. The usual way I've seen people do this is with RtlImageNtHeader. But I'm thinking, why not just use the documented function GetModuleInformation? Wouldn't it be less suspicious?

Which would you use and why?
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Dec 19, 2018 3:33 am

It is trivial.

Code:

    /* Base is the module base; NtHeaders receives the IMAGE_NT_HEADERS pointer or NULL. */
    if ((((PIMAGE_DOS_HEADER)Base)->e_magic == IMAGE_DOS_SIGNATURE) &&
        (((ULONG)((PIMAGE_DOS_HEADER)Base)->e_lfanew) < MAX_DOS_HEADER)) {
        NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew);
        if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
            NtHeaders = NULL;
        }
    }
Ring0 - the source of inspiration
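The header walk in EP_X0FF's snippet, carried through to the OptionalHeader.SizeOfImage field the original question is after, as an added example rather than code from the thread. The PE constants and offsets are the standard layout, redefined here so it builds without windows.h; the sample image is constructed, and every read is bounded by a caller-supplied readable length so a bogus e_lfanew cannot send the walk past the header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Standard PE layout constants (same values as the SDK's IMAGE_DOS_SIGNATURE,
 * IMAGE_NT_SIGNATURE and IMAGE_NT_OPTIONAL_HDR32/64_MAGIC), defined here so the
 * example builds without windows.h. */
#define DOS_MAGIC        0x5A4Du      /* "MZ" */
#define NT_MAGIC         0x00004550u  /* "PE\0\0" */
#define PE32_MAGIC       0x10Bu
#define PE32PLUS_MAGIC   0x20Bu
#define DOS_HDR_SIZE     64u
#define E_LFANEW_OFF     60u          /* IMAGE_DOS_HEADER.e_lfanew */
#define FILE_HDR_SIZE    20u          /* IMAGE_FILE_HEADER */
#define SIZEOFIMAGE_OFF  56u          /* same in PE32 and PE32+ optional headers */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* DOS header -> NT headers -> OptionalHeader.SizeOfImage, with the e_magic,
 * e_lfanew and Signature checks of the RtlImageNtHeader snippet, plus a bound on
 * every read against 'avail' (bytes known to be readable at 'base').
 * Returns 0 for a malformed header instead of reading past the checked range. */
uint32_t pe_size_of_image(const uint8_t *base, size_t avail) {
    if (avail < DOS_HDR_SIZE || rd16(base) != DOS_MAGIC) return 0;
    uint32_t lfanew = rd32(base + E_LFANEW_OFF);
    /* Signature + FileHeader + optional header through SizeOfImage must fit in avail. */
    uint64_t need = (uint64_t)lfanew + 4 + FILE_HDR_SIZE + SIZEOFIMAGE_OFF + 4;
    if (lfanew < DOS_HDR_SIZE || need > avail) return 0;
    const uint8_t *nt = base + lfanew;
    if (rd32(nt) != NT_MAGIC) return 0;
    const uint8_t *opt = nt + 4 + FILE_HDR_SIZE;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC) return 0;
    return rd32(opt + SIZEOFIMAGE_OFF);
}

/* Constructed header-only PE32+ image (not a real binary, SizeOfImage 0x23000);
 * 'corrupt' breaks the NT signature to exercise the validation path. */
uint32_t sample_size_of_image(int corrupt) {
    uint8_t buf[256];
    const uint32_t lfanew = 0x80, opt = lfanew + 4 + FILE_HDR_SIZE;
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + E_LFANEW_OFF, lfanew);
    wr32(buf + lfanew, corrupt ? 0x58585858u : NT_MAGIC);   /* "XXXX" or "PE\0\0" */
    buf[opt] = 0x0B; buf[opt + 1] = 0x02;                     /* Magic = 0x20B (PE32+) */
    wr32(buf + opt + SIZEOFIMAGE_OFF, 0x23000u);
    return pe_size_of_image(buf, sizeof buf);   /* 0x23000, or 0 when corrupt */
}
```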
j4ck
Posts: 3
Joined: Wed Dec 19, 2018 3:06 am

Wed Dec 19, 2018 4:12 am

Ah, I see. That's a much better way. Thanks.