wavvs · July 30, 2022 21:14
diff --git a/knowndll_poc.c b/knowndll_poc.c
 #include <windows.h>
 #include <winternl.h>
 #include <stdio.h>

 // POC for resolving library base address via KnownDlls

 typedef enum _SECTION_INFORMATION_CLASS
 {
 	SectionBasicInformation,
 	SectionImageInformation,
 } SECTION_INFORMATION_CLASS;

 typedef struct _SECTION_IMAGE_INFORMATION {
 	PVOID                   EntryPoint;
 	ULONG                   StackZeroBits;
 	ULONG                   StackReserved;
 	ULONG                   StackCommit;
 	ULONG                   ImageSubsystem;
 	WORD                    SubSystemVersionLow;
 	WORD                    SubSystemVersionHigh;
 	ULONG                   Unknown1;
 	ULONG                   ImageCharacteristics;
 	ULONG                   ImageMachineType;
 	ULONG                   Unknown2[3];
 } SECTION_IMAGE_INFORMATION, * PSECTION_IMAGE_INFORMATION;

 typedef NTSTATUS(NTAPI* _NtOpenSection)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
 typedef NTSTATUS(NTAPI* _NtQuerySection)(HANDLE, SECTION_INFORMATION_CLASS, PVOID, ULONG, PULONG);
 typedef void(WINAPI* _RtlInitUnicodeString)(PUNICODE_STRING, PCWSTR);

 void main()
 {
 	// should use indirect syscalls obviously, this is just for convenience (how?)
 	HMODULE hModule = GetModuleHandleA("ntdll.dll");
 	printf("[*] NTDLL base address: 0x%p\n", hModule);
 	_RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(hModule, "RtlInitUnicodeString");
 	_NtOpenSection NtOpenSection = (_NtOpenSection)GetProcAddress(hModule, "NtOpenSection");
 	_NtQuerySection NtQuerySection = (_NtQuerySection)GetProcAddress(hModule, "NtQuerySection");

 	WCHAR* ntdll = L"\\KnownDlls\\ntdll.dll";
 	UNICODE_STRING ntSectionName;
 	RtlInitUnicodeString(&ntSectionName, ntdll);

 	OBJECT_ATTRIBUTES ObjectAttributes;
 	InitializeObjectAttributes(&ObjectAttributes, &ntSectionName, 0, NULL, NULL);

 	HANDLE sectionHandle = NULL;
 	PVOID baseAddress = NULL;
 	ULONG_PTR viewSize = 0;

 	NTSTATUS ntStatus = NtOpenSection(&sectionHandle, SECTION_QUERY, &ObjectAttributes);
 	if (ntStatus == 0)
 	{
 		PSECTION_IMAGE_INFORMATION sii = calloc(1024, sizeof(SECTION_IMAGE_INFORMATION));
 		ULONG size = 0;
 		ntStatus = NtQuerySection(sectionHandle, SectionImageInformation, sii, 1024, &size);
 		if (ntStatus == 0)
 		{
 			if (hModule == sii->EntryPoint)
 			{
 				printf("[*] Found NTDLL base address: 0x%p\n", sii->EntryPoint);
 			}
 			else
 			{
 				printf("[*] Error: NTDLL base address is different\n");
 			}
 		}
 		else
 		{
 			printf("[*] NtQuerySection failed: %x\n", ntStatus);
 		}
 	}
 	else
 	{
 		printf("[*] NtOpenSection failed %d\n", ntStatus);
 	}
 }
	#include <windows.h>
	#include <winternl.h>
	#include <stdio.h>

	// POC for resolving library base address via KnownDlls

	typedef enum _SECTION_INFORMATION_CLASS
	{
	SectionBasicInformation,
	SectionImageInformation,
	} SECTION_INFORMATION_CLASS;

	typedef struct _SECTION_IMAGE_INFORMATION {
	PVOID EntryPoint;
	ULONG StackZeroBits;
	ULONG StackReserved;
	ULONG StackCommit;
	ULONG ImageSubsystem;
	WORD SubSystemVersionLow;
	WORD SubSystemVersionHigh;
	ULONG Unknown1;
	ULONG ImageCharacteristics;
	ULONG ImageMachineType;
	ULONG Unknown2[3];
	} SECTION_IMAGE_INFORMATION, * PSECTION_IMAGE_INFORMATION;

	typedef NTSTATUS(NTAPI* _NtOpenSection)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
	typedef NTSTATUS(NTAPI* _NtQuerySection)(HANDLE, SECTION_INFORMATION_CLASS, PVOID, ULONG, PULONG);
	typedef void(WINAPI* _RtlInitUnicodeString)(PUNICODE_STRING, PCWSTR);

	void main()
	{
	// should use indirect syscalls obviously, this is just for convenience (how?)
	HMODULE hModule = GetModuleHandleA("ntdll.dll");
	printf("[*] NTDLL base address: 0x%p\n", hModule);
	_RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(hModule, "RtlInitUnicodeString");
	_NtOpenSection NtOpenSection = (_NtOpenSection)GetProcAddress(hModule, "NtOpenSection");
	_NtQuerySection NtQuerySection = (_NtQuerySection)GetProcAddress(hModule, "NtQuerySection");

	WCHAR* ntdll = L"\\KnownDlls\\ntdll.dll";
	UNICODE_STRING ntSectionName;
	RtlInitUnicodeString(&ntSectionName, ntdll);

	OBJECT_ATTRIBUTES ObjectAttributes;
	InitializeObjectAttributes(&ObjectAttributes, &ntSectionName, 0, NULL, NULL);

	HANDLE sectionHandle = NULL;
	PVOID baseAddress = NULL;
	ULONG_PTR viewSize = 0;

	NTSTATUS ntStatus = NtOpenSection(&sectionHandle, SECTION_QUERY, &ObjectAttributes);
	if (ntStatus == 0)
	{
	PSECTION_IMAGE_INFORMATION sii = calloc(1024, sizeof(SECTION_IMAGE_INFORMATION));
	ULONG size = 0;
	ntStatus = NtQuerySection(sectionHandle, SectionImageInformation, sii, 1024, &size);
	if (ntStatus == 0)
	{
	if (hModule == sii->EntryPoint)
	{
	printf("[*] Found NTDLL base address: 0x%p\n", sii->EntryPoint);
	}
	else
	{
	printf("[*] Error: NTDLL base address is different\n");
	}
	}
	else
	{
	printf("[*] NtQuerySection failed: %x\n", ntStatus);
	}
	}
	else
	{
	printf("[*] NtOpenSection failed %d\n", ntStatus);
	}
	}