BlackBone
Windows memory hacking library
Loader.c File Reference
#include "Private.h"
#include "Loader.h"
#include <Ntstrsafe.h>

Functions

NTSTATUS BBMapWorker (IN PVOID pArg)
 System worker thread that performs the actual mapping

NTSTATUS BBInitLdrData (IN PKLDR_DATA_TABLE_ENTRY pThisModule)
 Initialize loader data

PKLDR_DATA_TABLE_ENTRY BBGetSystemModule (IN PUNICODE_STRING pName, IN PVOID pAddress)
 Get the loader entry of a system module. Either 'pName' or 'pAddress' is required to perform the search

PVOID BBGetUserModuleBase (IN PEPROCESS pProcess, IN PUNICODE_STRING ModuleName, IN BOOLEAN isWow64)
 Get module base address by name

PVOID BBGetModuleExport (IN PVOID pBase, IN PCCHAR name_ord)
 Get exported function address

NTSTATUS BBResolveReferences (IN PVOID pImageBase)
 Resolve module references and fill the IAT

NTSTATUS BBMMapDriver (IN PUNICODE_STRING pPath)
 Manually map a driver into system space

Variables

PLIST_ENTRY PsLoadedModuleList
 
DYNAMIC_DATA dynData
 

Function Documentation

PVOID BBGetModuleExport (IN PVOID pBase, IN PCCHAR name_ord)

Get exported function address

Parameters
 pBase     Module base
 name_ord  Function name or ordinal
Returns
 Found address, NULL if not found

PKLDR_DATA_TABLE_ENTRY BBGetSystemModule (IN PUNICODE_STRING pName, IN PVOID pAddress)

Get the loader entry of a system module. Either 'pName' or 'pAddress' is required to perform the search

Parameters
 pName     Base name of the image (e.g. hal.dll)
 pAddress  Address inside the module
Returns
 Found loader entry, NULL if nothing found

PVOID BBGetUserModuleBase (IN PEPROCESS pProcess, IN PUNICODE_STRING ModuleName, IN BOOLEAN isWow64)

Get module base address by name

Parameters
 pProcess    Target process
 ModuleName  Module name to search for
 isWow64     If TRUE, search the 32-bit PEB
Returns
 Found address, NULL if not found

NTSTATUS BBInitLdrData (IN PKLDR_DATA_TABLE_ENTRY pThisModule)

Initialize loader data

Parameters
 pThisModule  Any valid system module
Returns
 Status code

NTSTATUS BBMapWorker (IN PVOID pArg)

System worker thread that performs the actual mapping

Parameters
 pArg  Path to the driver (PUNICODE_STRING type)
Returns
 Status code

NTSTATUS BBMMapDriver (IN PUNICODE_STRING pPath)

Manually map a driver into system space

Parameters
 pPath  Fully qualified native path to the driver
Returns
 Status code

NTSTATUS BBResolveReferences (IN PVOID pImageBase)

Resolve module references and fill the IAT

Parameters
 pImageBase  Image base to be processed
Returns
 Status code

Variable Documentation

DYNAMIC_DATA dynData
PLIST_ENTRY PsLoadedModuleList