https://github.com/ricardojoserf/getmodulehandle
GetModuleHandle implementation in C# using only NtQueryInformationProcess by walking the PEB
https://github.com/ricardojoserf/getmodulehandle
dynamic-function-resolution getmodulehandle malware-development sektor7
Last synced: 25 days ago
JSON representation
GetModuleHandle implementation in C# using only NtQueryInformationProcess by walking the PEB
- Host: GitHub
- URL: https://github.com/ricardojoserf/getmodulehandle
- Owner: ricardojoserf
- Created: 2023-07-07T09:26:59.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-02-09T12:49:01.000Z (about 2 years ago)
- Last Synced: 2024-05-01T13:11:38.682Z (almost 2 years ago)
- Topics: dynamic-function-resolution, getmodulehandle, malware-development, sektor7
- Language: C#
- Homepage: https://ricardojoserf.github.io/getmodulehandle/
- Size: 31.3 KB
- Stars: 4
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# GetModuleHandle - Custom implementation in C#
It works like the [GetModuleHandle](https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea) WinAPI: it takes a DLL name, walks the PEB structure and returns the DLL base address.
It only uses the [NtQueryInformationProcess](https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess) native API call, without using structs.
It works in both 32-bit and 64-bit processes. You can test this using the binaries in the Releases section:
-----------------------------------
### Sources
- Sektor7's Malware Intermediate course by [reenz0h](https://twitter.com/reenz0h) implements this code in C++
- tebpeb32.h: [https://bytepointer.com/resources/tebpeb32.htm](https://bytepointer.com/resources/tebpeb64.htm)
- tebpeb64.h: [https://bytepointer.com/resources/tebpeb64.htm](https://bytepointer.com/resources/tebpeb64.htm)