ngdbg/base.cpp at master · luffyhwl/ngdbg · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
/*++

	This is the part of NGdbg kernel debugger

	base.cpp

	Contains routines that calculate image base.

--*/

#include <ntifs.h>
#include "winnt.h"

extern "C"
{

BOOLEAN
FindBaseAndSize(
	IN PVOID SomePtr,
	OUT PVOID *BaseAddress OPTIONAL,
	OUT ULONG *ImageSize OPTIONAL
	)
{
	ULONG SomeAddress = (ULONG) SomePtr;

	for ( SomeAddress &= 0xFFFFF000 ; ; SomeAddress -= PAGE_SIZE )
	{
		if(MmIsAddressValid ((PVOID)SomeAddress) && *(USHORT*)SomeAddress == IMAGE_DOS_SIGNATURE ) // MZ signature?
		{
			PVOID NtHeader = RtlImageNtHeader ((PVOID)SomeAddress);// + ((IMAGE_DOS_HEADER*)SomeAddress)->e_lfanew;

			if (MmIsAddressValid ((PVOID)NtHeader) && *(ULONG*)NtHeader == IMAGE_NT_SIGNATURE) // PE signature?
			{
				if (ARGUMENT_PRESENT (BaseAddress))
					*BaseAddress = (PVOID)SomeAddress;

				if (ARGUMENT_PRESENT (ImageSize))
					*ImageSize = ((IMAGE_NT_HEADERS*)NtHeader)->OptionalHeader.SizeOfImage;

				return TRUE;
			}
		}
	}

	return FALSE;
}

PVOID
FindSelfBase(
	)
/**
	Find our module's base address and size
*/
{
	PVOID SomeAddress;
	PVOID g_SelfBase;
	__asm
	{
		call _1
_1:		pop [SomeAddress]
	}

	if (FindBaseAndSize (SomeAddress, &g_SelfBase, NULL))
		return g_SelfBase;
	return NULL;
}


}