//getModuleLoadedOrder returns the start address of module located at i in the load order. This might be useful if there is a function you need that isn't in ntdll, or if some rude individual has loaded themselves before ntdll.
//GetModuleLoadedOrder returns the start address of module located at i in the load order. This might be useful if there is a function you need that isn't in ntdll, or if some rude individual has loaded themselves before ntdll.
//Image contains info about a loaded image. Literally just a Base Addr and a Size - it should allow someone with a handy PE parser to pull the image out of memory...
36
+
type Image struct {
37
+
BaseAddr uint64
38
+
Size uint64
39
+
}
40
+
41
+
//InMemLoads returns a map of loaded dll paths to current process offsets (aka images) in the current process. No syscalls are made.
42
+
func InMemLoads() (map[string]Image, error) {
43
+
ret := make(map[string]Image)
44
+
s, si, p := GetModuleLoadedOrder(0)
45
+
start := p
46
+
i := 1
47
+
ret[p] = Image{uint64(s), uint64(si)}
48
+
for {
49
+
s, si, p = GetModuleLoadedOrder(i)
50
+
if p != "" {
51
+
ret[p] = Image{uint64(s), uint64(si)}
52
+
}
53
+
if p == start {
54
+
break
55
+
}
56
+
i++
57
+
}
58
+
59
+
return ret, nil
60
+
}
61
+
21
62
//GetSysIDFromMemory takes the exported syscall name or ordinal and gets the ID it refers to (try not to supply both, it might not work how you expect). This function will not use a clean version of the dll, if AV has hooked the in-memory ntdll module, the results of this call may be bad.
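Review bot: The `for` loop in InMemLoads stops only when a path equal to the first one comes back, so it never terminates if GetModuleLoadedOrder (not visible here) stops returning that path, for example by yielding "" past the end of the list. The error result is always nil, so a caller cannot tell a complete walk from a broken one. I would cap the walk and return an error when the cap is hit, as below; the cap value is a constructed placeholder and the file would need the `errors` import. Because the list is read from process memory that other code in the process can edit, the doc comment should also say that BaseAddr and Size are unvalidated and must be bounds-checked before a PE parser reads from them.

```go
func InMemLoads() (map[string]Image, error) {
	// … unchanged: map creation and the GetModuleLoadedOrder(0) entry; the separate `i := 1` is dropped …
	const maxModules = 4096 // constructed cap, choose a value that suits the project
	for i := 1; i < maxModules; i++ {
		s, si, p = GetModuleLoadedOrder(i)
		if p == start {
			return ret, nil
		}
		if p != "" {
			ret[p] = Image{uint64(s), uint64(si)}
		}
	}
	return nil, errors.New("module list did not wrap back to the first entry")
}
```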