I manually map a DLL and I can't get MODULEINFO for its working region with GetModuleInformation (it always answers with "Unable to obtain module"). That happens because that function tries to get data from the module list in the process environment block. But a manually mapped DLL is usually not linked in that list unless of course you manually add a new list entry. It doesn't use the info from the header (or at least not directly). So I already have dllBase, which is hModule. So now I only need to get its size. Is there any way to get it without GetModuleInformation?

```cpp
#include <windows.h>
#include <psapi.h>   // GetModuleInformation, MODULEINFO
#include <iostream>

static void someFunc(HINSTANCE hModule)
{
    // all the vars we need for the GetModuleInformation call
    MODULEINFO modInfo;
    HANDLE hProcess = GetCurrentProcess();

    if (GetModuleInformation(hProcess, hModule, &modInfo, sizeof(MODULEINFO)))
    {
        // some work
    }
    else {
        std::cout << "Unable to obtain module" << std::endl;
    }
}
```
SLI
  • "[GetModuleInformation() failing] happens because that function tries to get data from the module list in the process environment block." how can you tell that for sure? It's more likely that the `hProcess`-handle you pass to `GetModuleInformation()` simply doesn't have the `PROCESS_QUERY_INFORMATION` and `PROCESS_VM_READ` access rights. – Swordfish Jul 24 '18 at 20:37
  • You know its size when you mapped it. That is, assuming my understanding of what you mean by manual mapping is correct. – David Heffernan Jul 24 '18 at 20:37
  • @DavidHeffernan Yes, I know, but my question is how I can get it from the injected DLL. – SLI Jul 24 '18 at 20:40
  • @Swordfish Let me check that. – SLI Jul 24 '18 at 20:41
  • @SLI First you said you "manually mapped" the dll (whatever that is), now you say you inject it. Yet you fail to attest how exactly the dll gets loaded in the target process. – Swordfish Jul 24 '18 at 20:48
  • @Swordfish It's just a play on words. No need to find fault with words. My question is how to get size of module without using GetModuleInformation. – SLI Jul 24 '18 at 20:53
  • How does the module get loaded in the process?? – Swordfish Jul 24 '18 at 21:10
  • @Swordfish I am using this lib - https://github.com/DarthTon/Blackbone. It can manually map native PE images. I just checked, it uses OpenProcess with PROCESS_ALL_ACCESS rights. – SLI Jul 24 '18 at 21:11
  • It seems to me that the question relies heavily on knowledge of how you loaded this module. Which is not present in the question. – David Heffernan Jul 24 '18 at 21:28
  • `GetModuleInformation` relies on its internal bookkeeping information to service requests. If you sidestep the loader, that updates the internal information, you can no longer use this API. Which raises the question: Why are you fighting the system instead of using it the way it was meant to be used? – IInspectable Jul 24 '18 at 22:07
  • @IInspectable Because GetModuleInformation is not working for me as I don't use LoadLibrary for injecting my dll. – SLI Jul 24 '18 at 22:12
  • *as i don't use LoadLibrary for injecting my dll* - so what do you want? If you do not link this dll to `PEB_LDR_DATA`, `GetModuleInformation` will not see your dll – RbMm Jul 24 '18 at 22:26
  • @RbMm I already know that. So I am asking whether there are any other ways to get the module size without using GetModuleInformation. – SLI Jul 24 '18 at 22:29
  • Question doesn't make sense. You already *know* the module size, since - presumably - that is required for your manual mapping (whatever that is). Why don't you use it? – IInspectable Jul 24 '18 at 22:32
  • @IInspectable Sure, I know it in the exe that manually maps my DLL, but I can't get it inside the DLL where I use my code. – SLI Jul 24 '18 at 22:35
  • Inside the dll you can easily access `IMAGE_OPTIONAL_HEADER` and read `SizeOfImage` – RbMm Jul 24 '18 at 22:39
  • @RbMm Thank you. This is exactly what I was looking for. Please post your solution as answer. – SLI Jul 24 '18 at 22:58
  • @SLI If you want to reduce overhead (not re-calculate it within your module), pass it as an argument for your DLL entry-point routine... and Bob's your uncle, you now already have the size of the module (in memory, on disk, or both - you decide). Simple as that. – ImmortaleVBR Jul 25 '18 at 06:40

1 Answer

If we want to get the image size for a mapped image in our own process, we can read it from the SizeOfImage member of IMAGE_OPTIONAL_HEADER. This is the size of the image as mapped in memory (not the size on disk).

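```cpp
#include <windows.h>

// Linker-provided symbol located at this module's base (MSVC).
EXTERN_C IMAGE_DOS_HEADER __ImageBase;
// Exported by ntdll.dll but not declared in <windows.h>; link against ntdll.lib.
EXTERN_C NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID Base);

ULONG GetImageSize(PVOID ImageBase = &__ImageBase)
{
    if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(ImageBase))
    {
        return pinth->OptionalHeader.SizeOfImage;
    }

    return 0;
}
```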
RbMm
  • What is difference between ImageNtHeader and RtlImageNtHeader? – SLI Jul 24 '18 at 23:18
  • @SLI - no, of course, except from which dll it is exported. For `ImageNtHeader` you need to load `Dbghelp.dll` into the process, while for `RtlImageNtHeader` nothing is needed (ntdll always exists). Also you can very easily access `IMAGE_NT_HEADERS` manually if you inject the dll manually – RbMm Jul 24 '18 at 23:22
  • Any way to get the disk size of the image? – SLI Jul 25 '18 at 00:48
  • @SLI - for what? If you know the file for the image - query image size. Anyway, `GetModuleInformation` does not return it for you either – RbMm Jul 25 '18 at 00:57
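
The manual header walk that the answer and its comments refer to, as an added example rather than code from the thread: it reads `SizeOfImage` from a header buffer using fixed PE/COFF offsets, so it compiles without `<windows.h>`, and it rejects headers that are malformed or do not fit in the readable range. The function names, the `avail` bound and the constructed sample header are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Offsets come from the PE/COFF layout, hard-coded so no <windows.h> is needed.
constexpr size_t kLfanew = 0x3C;        // IMAGE_DOS_HEADER.e_lfanew
constexpr size_t kOptHdr = 4 + 20;      // PE signature + IMAGE_FILE_HEADER
constexpr size_t kSizeOfImage = 56;     // same offset in PE32 and PE32+

static uint16_t rd16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 |
           uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Returns SizeOfImage, or 0 when the bytes are not a plausible PE header.
// Assumption: the caller knows `avail`, the number of readable bytes at `base`.
uint32_t image_size_from_headers(const uint8_t* base, size_t avail) {
    if (!base || avail < kLfanew + 4) return 0;
    if (rd16(base) != 0x5A4D) return 0;                    // "MZ"
    const size_t nt = rd32(base + kLfanew);
    const size_t need = kOptHdr + kSizeOfImage + 4;
    if (nt > avail || avail - nt < need) return 0;         // headers must fit
    if (rd32(base + nt) != 0x00004550) return 0;           // "PE\0\0"
    const uint16_t magic = rd16(base + nt + kOptHdr);
    if (magic != 0x10B && magic != 0x20B) return 0;        // PE32 / PE32+
    return rd32(base + nt + kOptHdr + kSizeOfImage);
}

// Constructed sample: one zeroed page with only the fields read above filled in.
std::vector<uint8_t> make_sample_header(uint16_t magic, uint32_t size_of_image) {
    const size_t nt = 0x80;                                // constructed e_lfanew
    std::vector<uint8_t> b(0x1000, 0);
    auto wr = [&b](size_t off, uint32_t v, int n) {
        for (int i = 0; i < n; ++i) b[off + i] = uint8_t(v >> (8 * i));
    };
    wr(0, 0x5A4D, 2);
    wr(kLfanew, uint32_t(nt), 4);
    wr(nt, 0x00004550, 4);
    wr(nt + kOptHdr, magic, 2);
    wr(nt + kOptHdr + kSizeOfImage, size_of_image, 4);
    return b;
}

int main() {
    std::vector<uint8_t> h = make_sample_header(0x20B, 0x5000);
    std::printf("SizeOfImage = 0x%X\n", (unsigned)image_size_from_headers(h.data(), h.size()));
    return 0;
}
```

Inside a mapped image the same walk starts at the module base, and the value is the in-memory size the answer describes, not the file size on disk.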