Jump to content

Loaded DLL List without calling any windows DLL

Unc3nZureD

By Unc3nZureD,
in Programming & Scripts

 Share

Recommended Posts

Unc3nZureD Contributor

Unc3nZureD 59

Posted
Posted

Hi :)

With this, you are going to be able to go trough the loaded DLL list of your process easily without using APIs like EnumProcessModules, or any similar :)

 

So, first you will need these stuffs, just paste it: 

#include <Windows.h>
#include <iostream>  // Optional for printing

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct LDR_DATA_ENTRY {
    LIST_ENTRY              InMemoryOrderModuleList;
    PVOID                   BaseAddress;
    PVOID                   EntryPoint;
    ULONG                   SizeOfImage;
    UNICODE_STRING          FullDllName;
    UNICODE_STRING          BaseDllName;
    ULONG                   Flags;
    SHORT                   LoadCount;
    SHORT                   TlsIndex;
    LIST_ENTRY              HashTableEntry;
    ULONG                   TimeDateStamp;
} LDR_DATA_ENTRY, *PLDR_DATA_ENTRY;

__declspec(naked) PLDR_DATA_ENTRY GetLdrDataEntry() {
    __asm
    {
        mov eax, fs:[0x30]
        mov eax, [eax + 0x0C]
        mov eax, [eax + 0x1C]
        retn
    }
}

 

Now you've got everything to perform a loop thru' the modules! Note that this ONLY works with x86. On x64 it's a littlebit different. If you need x64 code, PM me.

  

void LoopModules()
{
    PLDR_DATA_ENTRY cursor = GetLdrDataEntry();    // Get the address of LDR_DATA_ENTRY

    while (cursor->BaseAddress)      // while until the list ends
    {
        cursor = (PLDR_DATA_ENTRY)cursor->InMemoryOrderModuleList.Flink;    // current bookmark

        printf("Name: [%S] \n>\t Address: [0x%p]\n>\t Entrypoint: [0x%p]\n", cursor->BaseDllName.Buffer, cursor->BaseAddress, cursor->EntryPoint);

        // Now you know every information of the module.
    }
}

 

Result:

Spoiler

221911zmqbtch.png

 

This is this simplest tutorial I could make, so this way you can easily detect modules even if WinAPI is hooked. There's at least one more method to find injected modules, but this one is the easiest and least complex.

Good luck :)

  • Love 5

spacer.png

Link to comment
Share on other sites
  • Replies 5
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Unc3nZureD
Unc3nZureD

Hi With this, you are going to be able to go trough the loaded DLL list of your process easily without using APIs like EnumProcessModules, or any similar   So, first you will need the

Unc3nZureD
Unc3nZureD

It's works 100% but only if you CAN use it and KNOW what it does.

 Share
Go to topic listing

Announcements



×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.