Skip to content

Commit be7455a

Browse files
KN4CK3RKN4CK3R
committed
Restructured code (4/4)
1 parent e5f78fa commit be7455a

File tree

1 file changed

+37
-47
lines changed

1 file changed

+37
-47
lines changed

NativeCore/Windows/EnumerateRemoteSectionsAndModules.cpp

Lines changed: 37 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -7,47 +7,37 @@
77

88
#include "NativeCore.hpp"
99

10-
static DWORD GetRemotePeb(HANDLE process, PPEB* ppeb)
10+
PPEB GetRemotePeb(const HANDLE process)
1111
{
12-
const auto ntdll = GetModuleHandle(TEXT("ntdll"));
12+
static auto* const ntdll = GetModuleHandle(TEXT("ntdll"));
1313
if (!ntdll)
14-
return ERROR_MOD_NOT_FOUND;
15-
16-
using tRtlNtStatusToDosError = ULONG (NTAPI *)(
17-
_In_ NTSTATUS Status
18-
);
19-
const auto pRtlNtStatusToDosError = tRtlNtStatusToDosError(GetProcAddress(ntdll, "RtlNtStatusToDosError"));
20-
if (!pRtlNtStatusToDosError)
21-
return ERROR_NOT_FOUND;
22-
23-
using tNtQueryInformationProcess = NTSTATUS (NTAPI *)(
24-
_In_ HANDLE ProcessHandle,
25-
_In_ PROCESSINFOCLASS ProcessInformationClass,
26-
_Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
27-
_In_ ULONG ProcessInformationLength,
28-
_Out_opt_ PULONG ReturnLength
29-
);
30-
31-
const auto pNtQueryInformationProcess = tNtQueryInformationProcess(GetProcAddress(ntdll, "NtQueryInformationProcess"));
14+
{
15+
return nullptr;
16+
}
17+
18+
using tNtQueryInformationProcess = NTSTATUS (NTAPI*)(_In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength);
19+
20+
static const auto pNtQueryInformationProcess = tNtQueryInformationProcess(GetProcAddress(ntdll, "NtQueryInformationProcess"));
3221
if (!pNtQueryInformationProcess)
33-
return ERROR_NOT_FOUND;
22+
{
23+
return nullptr;
24+
}
3425

3526
PROCESS_BASIC_INFORMATION pbi;
36-
const auto status = pNtQueryInformationProcess(process, ProcessBasicInformation, &pbi, sizeof(pbi), nullptr);
37-
if (!NT_SUCCESS(status))
38-
return pRtlNtStatusToDosError(status);
27+
if (!NT_SUCCESS(pNtQueryInformationProcess(process, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), nullptr)))
28+
{
29+
return nullptr;
30+
}
3931

40-
*ppeb = pbi.PebBaseAddress;
41-
42-
return ERROR_SUCCESS;
32+
return pbi.PebBaseAddress;
4333
}
4434

4535
using InternalEnumerateRemoteModulesCallback = std::function<void(EnumerateRemoteModuleData&)>;
4636

4737
bool EnumerateRemoteModulesNative(const RC_Pointer process, const InternalEnumerateRemoteModulesCallback& callback)
4838
{
49-
PPEB ppeb;
50-
if (GetRemotePeb(process, &ppeb) != ERROR_SUCCESS)
39+
auto* const ppeb = GetRemotePeb(process);
40+
if (ppeb == nullptr)
5141
{
5242
return false;
5343
}
@@ -58,7 +48,7 @@ bool EnumerateRemoteModulesNative(const RC_Pointer process, const InternalEnumer
5848
return false;
5949
}
6050

61-
const auto head = &ldr->InMemoryOrderModuleList;
51+
auto* const head = &ldr->InMemoryOrderModuleList;
6252
PLIST_ENTRY current;
6353
if (!ReadRemoteMemory(process, &head->Flink, &current, 0, sizeof(PLIST_ENTRY)))
6454
{
@@ -94,7 +84,7 @@ bool EnumerateRemoteModulesNative(const RC_Pointer process, const InternalEnumer
9484

9585
bool EnumerateRemoteModulesWinapi(const RC_Pointer process, const InternalEnumerateRemoteModulesCallback& callback)
9686
{
97-
const auto handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetProcessId(process));
87+
auto* const handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetProcessId(process));
9888
if (handle == INVALID_HANDLE_VALUE)
9989
{
10090
return false;
@@ -129,28 +119,28 @@ void RC_CallConv EnumerateRemoteSectionsAndModules(RC_Pointer process, Enumerate
129119

130120
std::vector<EnumerateRemoteSectionData> sections;
131121

132-
MEMORY_BASIC_INFORMATION memInfo = { };
133-
memInfo.RegionSize = 0x1000;
122+
MEMORY_BASIC_INFORMATION memory = { };
123+
memory.RegionSize = 0x1000;
134124
size_t address = 0;
135-
while (VirtualQueryEx(process, reinterpret_cast<LPCVOID>(address), &memInfo, sizeof(MEMORY_BASIC_INFORMATION)) != 0 && address + memInfo.RegionSize > address)
125+
while (VirtualQueryEx(process, reinterpret_cast<LPCVOID>(address), &memory, sizeof(MEMORY_BASIC_INFORMATION)) != 0 && address + memory.RegionSize > address)
136126
{
137-
if (memInfo.State == MEM_COMMIT)
127+
if (memory.State == MEM_COMMIT)
138128
{
139129
EnumerateRemoteSectionData section = {};
140-
section.BaseAddress = memInfo.BaseAddress;
141-
section.Size = memInfo.RegionSize;
130+
section.BaseAddress = memory.BaseAddress;
131+
section.Size = memory.RegionSize;
142132

143133
section.Protection = SectionProtection::NoAccess;
144-
if ((memInfo.Protect & PAGE_EXECUTE) == PAGE_EXECUTE) section.Protection |= SectionProtection::Execute;
145-
if ((memInfo.Protect & PAGE_EXECUTE_READ) == PAGE_EXECUTE_READ) section.Protection |= SectionProtection::Execute | SectionProtection::Read;
146-
if ((memInfo.Protect & PAGE_EXECUTE_READWRITE) == PAGE_EXECUTE_READWRITE) section.Protection |= SectionProtection::Execute | SectionProtection::Read | SectionProtection::Write;
147-
if ((memInfo.Protect & PAGE_EXECUTE_WRITECOPY) == PAGE_EXECUTE_WRITECOPY) section.Protection |= SectionProtection::Execute | SectionProtection::Read | SectionProtection::CopyOnWrite;
148-
if ((memInfo.Protect & PAGE_READONLY) == PAGE_READONLY) section.Protection |= SectionProtection::Read;
149-
if ((memInfo.Protect & PAGE_READWRITE) == PAGE_READWRITE) section.Protection |= SectionProtection::Read | SectionProtection::Write;
150-
if ((memInfo.Protect & PAGE_WRITECOPY) == PAGE_WRITECOPY) section.Protection |= SectionProtection::Read | SectionProtection::CopyOnWrite;
151-
if ((memInfo.Protect & PAGE_GUARD) == PAGE_GUARD) section.Protection |= SectionProtection::Guard;
134+
if ((memory.Protect & PAGE_EXECUTE) == PAGE_EXECUTE) section.Protection |= SectionProtection::Execute;
135+
if ((memory.Protect & PAGE_EXECUTE_READ) == PAGE_EXECUTE_READ) section.Protection |= SectionProtection::Execute | SectionProtection::Read;
136+
if ((memory.Protect & PAGE_EXECUTE_READWRITE) == PAGE_EXECUTE_READWRITE) section.Protection |= SectionProtection::Execute | SectionProtection::Read | SectionProtection::Write;
137+
if ((memory.Protect & PAGE_EXECUTE_WRITECOPY) == PAGE_EXECUTE_WRITECOPY) section.Protection |= SectionProtection::Execute | SectionProtection::Read | SectionProtection::CopyOnWrite;
138+
if ((memory.Protect & PAGE_READONLY) == PAGE_READONLY) section.Protection |= SectionProtection::Read;
139+
if ((memory.Protect & PAGE_READWRITE) == PAGE_READWRITE) section.Protection |= SectionProtection::Read | SectionProtection::Write;
140+
if ((memory.Protect & PAGE_WRITECOPY) == PAGE_WRITECOPY) section.Protection |= SectionProtection::Read | SectionProtection::CopyOnWrite;
141+
if ((memory.Protect & PAGE_GUARD) == PAGE_GUARD) section.Protection |= SectionProtection::Guard;
152142

153-
switch (memInfo.Type)
143+
switch (memory.Type)
154144
{
155145
case MEM_IMAGE:
156146
section.Type = SectionType::Image;
@@ -167,7 +157,7 @@ void RC_CallConv EnumerateRemoteSectionsAndModules(RC_Pointer process, Enumerate
167157

168158
sections.push_back(section);
169159
}
170-
address = reinterpret_cast<size_t>(memInfo.BaseAddress) + memInfo.RegionSize;
160+
address = reinterpret_cast<size_t>(memory.BaseAddress) + memory.RegionSize;
171161
}
172162

173163
const auto moduleEnumerator = [&](EnumerateRemoteModuleData& data)

0 commit comments

Comments
 (0)