/*!
*
* GRIMREAPER
*
* Austin Hudson
*
* suspicious.actor
*
!*/
#include "Common.h"
/*!
*
* Purpose:
*
* Walks the loader's InLoadOrderModuleList for the entry whose
* BaseDllName hashes to the requested value and returns that
* module's DllBase. Returns NULL when no entry in the list matches,
* i.e. the module is not linked into the loader's module list.
*
!*/
D_SEC( B ) PVOID PebGetModule( _In_ UINT32 ModuleHash )
{
	/*
	 * Resolve a module's image base by hash of its BaseDllName.
	 *
	 * ModuleHash: value that HashString() produces for the module's
	 *             BaseDllName buffer over BaseDllName.Length bytes. The
	 *             caller must precompute it with the same routine over the
	 *             same input (UNICODE_STRING.Length is a byte count of the
	 *             UTF-16 buffer, not a character count).
	 *
	 * Returns the DllBase of the first matching entry, or NULL if no entry
	 * in InLoadOrderModuleList matches.
	 *
	 * Caveats a caller should know:
	 *  - Only modules linked into the loader list are visible; anything
	 *    manually mapped or unlinked from the list is not found here.
	 *  - Equality is on a 32-bit hash only, so a colliding name would be
	 *    returned as a false match; whether the comparison is case-sensitive
	 *    depends on HashString(), which is not visible here.
	 *  - No loader lock is taken, so the walk assumes the list is not being
	 *    modified concurrently by another thread.
	 *  - NOTE(review): Peb->Ldr is assumed to be non-NULL (loader already
	 *    initialised) -- confirm for the contexts this runs in.
	 */
	PLIST_ENTRY           ListHead = NULL;
	PLIST_ENTRY           Node     = NULL;
	PLDR_DATA_TABLE_ENTRY Module   = NULL;

	/* The list is circular: its sentinel lives inside PEB_LDR_DATA, so the
	 * walk ends when we arrive back at it. */
	ListHead = C_PTR( & NtCurrentPeb()->Ldr->InLoadOrderModuleList );
	Node     = C_PTR( ListHead->Flink );

	while ( Node != ListHead ) {
		/* Each link is embedded in its LDR_DATA_TABLE_ENTRY; step back to it */
		Module = C_PTR( CONTAINING_RECORD( Node, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks ) );

		/* First entry whose hashed base name matches wins */
		if ( HashString( C_PTR( Module->BaseDllName.Buffer ), Module->BaseDllName.Length ) == ModuleHash ) {
			return C_PTR( Module->DllBase );
		}

		Node = Node->Flink;
	}

	return NULL;
}