Avoid undocumented API calls (RtlImageNtHeader)?

#32329 by j4ck
Wed Dec 19, 2018 3:17 am

I am developing code to hook a function in a remote process and I need to search for an unexported function. To get the search space, I need to get the size of the module. The usual way I've seen people do this is by RtlImageNtHeader. But I'm thinking, why not just use the documented function GetModuleInformation? Wouldn't it be less suspicious?

Which would you use and why?

Username

j4ck

Posts

Joined

Wed Dec 19, 2018 3:06 am

Re: Avoid undocumented API calls (RtlImageNtHeader)?

#32330 by EP_X0FF
Wed Dec 19, 2018 3:33 am

It is trivial.

Code: Select all

if ((((PIMAGE_DOS_HEADER)Base)->e_magic == IMAGE_DOS_SIGNATURE) &&
                (((ULONG)((PIMAGE_DOS_HEADER)Base)->e_lfanew) < MAX_DOS_HEADER)) {
                NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew);
                if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
                    NtHeaders = NULL;
}

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Avoid undocumented API calls (RtlImageNtHeader)?

#32331 by j4ck
Wed Dec 19, 2018 4:12 am

Ah I see. That's a much better way. Thanks

Username

j4ck

Posts

Joined

Wed Dec 19, 2018 3:06 am

Page 1 of 1
3 posts