A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #32329  by j4ck
 Wed Dec 19, 2018 3:17 am
I am developing code to hook a function in a remote process and I need to search for an unexported function. To get the search space, I need to get the size of the module. The usual way I've seen people do this is by RtlImageNtHeader. But I'm thinking, why not just use the documented function GetModuleInformation? Wouldn't it be less suspicious?

Which would you use and why?
 #32330  by EP_X0FF
 Wed Dec 19, 2018 3:33 am
It is trivial.
Code: Select all
if ((((PIMAGE_DOS_HEADER)Base)->e_magic == IMAGE_DOS_SIGNATURE) &&
                (((ULONG)((PIMAGE_DOS_HEADER)Base)->e_lfanew) < MAX_DOS_HEADER)) {
                NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew);
                if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
                    NtHeaders = NULL;
}