Update README.md

hugsy · hugsy · commit cc8ee50a9edf · 2025-02-08T13:11:48.000-08:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -51,8 +51,6 @@ if(WIN32)
 
         # Listed by dependency order
         Common
-
-#         Crypto
         Network
         Symbols
         System
@@ -77,8 +75,6 @@ else()
 
         # Listed by dependency order
         Common
-
-  #      Crypto
         Network
         System
 
diff --git a/Modules/Common/Include/Error.hpp b/Modules/Common/Include/Error.hpp
@@ -138,8 +138,11 @@ enum class ErrorCode : uint32_t
     /// @brief Unexpected size comparison
     SizeMismatch,
 
-    /// @brief MalformedFile
+    /// @brief Malformed file
     MalformedFile,
+
+    /// @brief Malformed data
+    MalformedData,
 };
 
 
diff --git a/Modules/Process/Include/Win32/Process.hpp b/Modules/Process/Include/Win32/Process.hpp
@@ -413,8 +413,16 @@ class Process
     ExecuteCallbacks();
 
 
-    // TODO:
-    // - modules
+    ///
+    /// @brief Enumerate the process modules
+    ///
+    /// @return Result<std::vector<LDR_DATA_TABLE_ENTRY>>
+    ///
+    Result<std::vector<LDR_DATA_TABLE_ENTRY>>
+    Modules();
+
+
+    // TODO (finish):
     // - inject
     // - hook
 
@@ -478,6 +486,11 @@ class Process
     Result<std::unique_ptr<u8[]>>
     QueryInternal(const PROCESSINFOCLASS, const usize);
 
+    Result<std::vector<LDR_DATA_TABLE_ENTRY>>
+    EnumerateLocalModules();
+
+    Result<std::vector<LDR_DATA_TABLE_ENTRY>>
+    EnumerateRemoteModules();
 
 private: // Members
     u32 m_ProcessId {0};
diff --git a/Modules/Process/Source/Win32/Process.cpp b/Modules/Process/Source/Win32/Process.cpp
@@ -1,3 +1,5 @@
+#include "Win32/Process.hpp"
+
 #include <accctrl.h>
 #include <aclapi.h>
 #include <psapi.h>
@@ -10,7 +12,6 @@
 #include "Log.hpp"
 #include "Utils.hpp"
 #include "Win32/API.hpp"
-#include "Win32/Process.hpp"
 #include "Win32/System.hpp"
 #include "Win32/Thread.hpp"
 
@@ -26,6 +27,13 @@ usize
 GetPebLength();
 EXTERN_C_END
 
+using CriticalSection = GenericHandle<
+    RTL_CRITICAL_SECTION,
+    [](auto p)
+    {
+        ::LeaveCriticalSection(p);
+    }>;
+
 
 namespace pwn::Process
 {
@@ -570,6 +578,71 @@ Process::QueryInternal(const PROCESSINFOCLASS ProcessInformationClass, const usi
     return Ok(std::move(Buffer));
 }
 
+Result<std::vector<LDR_DATA_TABLE_ENTRY>>
+Process::Modules()
+{
+    return IsRemote() ? EnumerateRemoteModules() : EnumerateLocalModules();
+}
+
+
+Result<std::vector<LDR_DATA_TABLE_ENTRY>>
+Process::EnumerateLocalModules()
+{
+    std::vector<LDR_DATA_TABLE_ENTRY> res;
+    auto peb = Peb();
+    CriticalSection csLoaderLock {[&]()
+                                  {
+                                      auto lock = peb->LoaderLock;
+                                      ::EnterCriticalSection(lock);
+                                      return lock;
+                                  }()};
+
+    if ( !peb->Ldr->Initialized )
+        return Ok(res);
+
+
+    auto head = &(peb->Ldr->InLoadOrderModuleList);
+
+    for ( auto cur = head; cur->Flink && cur->Flink != head; cur = cur->Flink )
+    {
+        auto ptr = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
+
+        // HACK We copy for now because the module may have been unloaded by the time we access it
+        LDR_DATA_TABLE_ENTRY entry {};
+        ::memcpy(&entry, ptr, sizeof(LDR_DATA_TABLE_ENTRY));
+        res.emplace_back(entry);
+    }
+
+    return Ok(res);
+}
+
+Result<std::vector<LDR_DATA_TABLE_ENTRY>>
+Process::EnumerateRemoteModules()
+{
+    std::vector<LDR_DATA_TABLE_ENTRY> res;
+    auto ppeb    = Peb();
+    auto mem     = Memory(*this);
+    auto peb_buf = Value(mem.Read((uptr)ppeb, sizeof(PEB)));
+    auto peb     = reinterpret_cast<PPEB>(peb_buf.data());
+
+    auto ldr_buf = Value(mem.Read((uptr)peb->Ldr, sizeof(PEB_LDR_DATA)));
+    auto ldr     = reinterpret_cast<PPEB_LDR_DATA>(ldr_buf.data());
+    auto head    = &(ldr->InLoadOrderModuleList);
+
+    for ( auto cur = head; cur->Flink && cur->Flink != head; cur = cur->Flink )
+    {
+        LDR_DATA_TABLE_ENTRY entry {};
+        auto buf = Value(mem.Read(
+            (uptr)CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks),
+            sizeof(LDR_DATA_TABLE_ENTRY)));
+        ::memcpy(&entry, buf.data(), sizeof(LDR_DATA_TABLE_ENTRY));
+        res.emplace_back(entry);
+    }
+
+    return Ok(res);
+}
+
+
 #pragma endregion Process
 
 
@@ -633,7 +706,6 @@ AppContainer::AppContainer(
         throw std::runtime_error("Failed to get SID");
     }
 
-
     dbg(L"sid={}", m_SidAsString.c_str());
 
     //
diff --git a/Modules/Process/Tests/pwn_win_process.cpp b/Modules/Process/Tests/pwn_win_process.cpp
@@ -151,3 +151,35 @@ TEST_CASE("Process Memory", "[" NS "]")
         // TODO
     }
 }
+
+
+TEST_CASE("Process Modules", "[" NS "]")
+{
+    SECTION("Local")
+    {
+        auto CurrentProcess = Process::Current();
+        auto mods           = CurrentProcess.Modules();
+        REQUIRE(Success(mods));
+
+        for ( auto const& mod : Value(mods) )
+        {
+            // Check betterer
+            CHECK((((uptr)mod.DllBase) & 0xfff) == 0);
+        }
+    }
+
+    SECTION("Remote")
+    {
+        auto values = Value(System::PidOf(L"explorer.exe"));
+        REQUIRE(values.size() > 0);
+
+        auto explorer = Process::Process(values[0]);
+        auto mods     = explorer.Modules();
+        REQUIRE(Success(mods));
+
+        for ( auto const& mod : Value(mods) )
+        {
+            CHECK((((uptr)mod.DllBase) & 0xfff) == 0);
+        }
+    }
+}
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@
   <a href="https://discord.gg/5HmwPxy3HP"><img alt="Discord" src="https://img.shields.io/badge/Discord-BlahCats-yellow"></a>
   <a href="https://github.dev/hugsy/pwn--"><img alt="Read Code" src="https://img.shields.io/badge/Code-Read%20pwn++-brightgreen?logo=visualstudiocode"></a>
   <a href="https://open.vscode.dev/hugsy/pwn--"><img alt="Open in VSCode" src="https://img.shields.io/static/v1?logo=visualstudiocode&label=&message=Open%20in%20VSCode&labelColor=2c2c32&color=007acc&logoColor=007acc"></a>
-  <a href="https://github.com/hugsy/pwn--/actions?query=workflow%3A%22CI+Build+for+MSVC%22"><img alt="CI" src="https://github.com/hugsy/pwn--/workflows/CI%20Build%20for%20MSVC/badge.svg"></a>
+  <a href="https://github.com/hugsy/pwn--/actions?query=workflow%3A%22Build%22"><img alt="CI" src="https://github.com/hugsy/pwn--/workflows/Build/badge.svg"></a>
 </p>
 
 ## Quick start
