/**
*
* Reflective Loader
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation
*
**/
#include "Common.h"
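/*!
*
* Purpose:
*
* Finds a module already loaded in the current
* process by walking the PEB loader list and
* comparing a hash of each base DLL name with
* the requested hash. Returns the module base
* address, or NULL when nothing matches.
*
!*/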
D_SEC( E ) PVOID PebGetModule( _In_ ULONG Hash )
{
    /* Sentinel head of the load-order module list, read from the current PEB. */
    PLIST_ENTRY           Head  = & NtCurrentPeb()->Ldr->InLoadOrderModuleList;
    PLIST_ENTRY           Node  = Head->Flink;
    PLDR_DATA_TABLE_ENTRY Entry = NULL;

    /* The list is circular: arriving back at the head means every entry was seen. */
    while ( Node != Head ) {
        /*
         * The list node is used directly as the table entry. This presumably
         * relies on the load-order link being the first member of the entry;
         * confirm against the structure definition pulled in by Common.h.
         */
        Entry = C_PTR( Node );

        /*
         * Modules are matched by a hash of BaseDllName, not by the name, so no
         * module name string appears in this routine. Length is passed through
         * as stored in the entry (UNICODE_STRING.Length is a byte count); how
         * HashString treats case or the buffer encoding is not visible here.
         */
        if ( HashString( Entry->BaseDllName.Buffer, Entry->BaseDllName.Length ) == Hash ) {
            return Entry->DllBase;
        }

        Node = Node->Flink;
    }

    /* No loaded module produced the requested hash. */
    return NULL;
}