Examples of enumerating loaded modules without an API
Antivirus products nowadays routinely check whether a program calls an API that is easily abused, and use that as a signal that the program is malicious; a typical example is calling LoadLibraryA to load Kernel32.dll and obtain its ImageBase. So, if we can obtain the address of Kernel32.dll without using LoadLibraryA, we avoid that detection and the antivirus does not see an attempt to use the Kernel32 DLL.
The following example is the source code of ldrParser.c, which is publicly available in the Chapter#3 folder of the GitHub project. To save space, this book reproduces only the highlighted code; please refer to the complete source code for the full project.
As mentioned earlier, the records that PEB→LDR maintains while the process runs allow us to enumerate information about every loaded module, so the first step is to obtain the address of the current PEB.
Figure 3.14 shows the source code of ldrParser.c:
[Figure 3.14: source code of ldrParser.c]
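The walk that ldrParser.c performs, written here as an added example for this section (not the book's or the GitHub project's code): the list structures, the case-insensitive name match and the link-to-entry offset arithmetic are portable and run against a constructed two-module list, while the guarded Windows part reads the real PEB through the TEB with no LoadLibraryA call involved. The struct names with an _X suffix, the sample base addresses and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>
#include <wctype.h>
/* Constructed replicas of the Windows structures; field order follows LDR_DATA_TABLE_ENTRY up to BaseDllName. */
typedef struct _LIST_ENTRY_X { struct _LIST_ENTRY_X *Flink, *Blink; } LIST_ENTRY_X;
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING_X;
typedef struct {
    LIST_ENTRY_X InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    void *DllBase, *EntryPoint; uint32_t SizeOfImage;
    UNICODE_STRING_X FullDllName, BaseDllName;
} LDR_ENTRY_X;
/* Case-insensitive match of a counted (not NUL-terminated) UNICODE_STRING against a C wide string. */
static int name_matches(const UNICODE_STRING_X *s, const wchar_t *want) {
    size_t n = s->Length / sizeof(wchar_t); if (wcslen(want) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (towlower((wint_t)s->Buffer[i]) != towlower((wint_t)want[i])) return 0;
    return 1;
}
/* Walk the circular InMemoryOrderModuleList from its head in PEB_LDR_DATA and return the matching
 * DllBase, else NULL. Subtracting the link's offset recovers the owning entry (CONTAINING_RECORD). */
void *find_module_base(LIST_ENTRY_X *head, const wchar_t *name) {
    for (LIST_ENTRY_X *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_ENTRY_X *e = (LDR_ENTRY_X *)((char *)cur - offsetof(LDR_ENTRY_X, InMemoryOrderLinks));
        if (name_matches(&e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;
}
static UNICODE_STRING_X ustr(wchar_t *s) { /* counted string; Length is in bytes, as in the real one */
    return (UNICODE_STRING_X){ (uint16_t)(wcslen(s) * sizeof(wchar_t)), (uint16_t)((wcslen(s) + 1) * sizeof(wchar_t)), s };
}
/* Constructed two-module list standing in for a real PEB->Ldr; the base addresses are made-up sample values. */
void *demo_lookup(const wchar_t *name) {
    static wchar_t nt[] = L"ntdll.dll", k32[] = L"KERNEL32.DLL";
    static LDR_ENTRY_X a, b; static LIST_ENTRY_X head;
    a.DllBase = (void *)0x7ff0; a.BaseDllName = ustr(nt);
    b.DllBase = (void *)0x7fe0; b.BaseDllName = ustr(k32);
    head.Flink = &a.InMemoryOrderLinks; a.InMemoryOrderLinks.Flink = &b.InMemoryOrderLinks;
    b.InMemoryOrderLinks.Flink = &head;
    return find_module_base(&head, name);
}
#ifdef _WIN32 /* on Windows: the same walk over the real PEB->Ldr list */
#include <windows.h>
#include <winternl.h>
void *find_loaded_module(const wchar_t *name) {
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock; /* TEB via the gs/fs segment, not an imported API */
    return find_module_base((LIST_ENTRY_X *)&peb->Ldr->InMemoryOrderModuleList, name);
}
#endif
```

The match is case-insensitive because BaseDllName keeps the casing the image was recorded with (for example KERNEL32.DLL), which differs between Windows versions.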