非PEB获取ntdll和kernel32模块基址的精妙之道<\/h1>

前言<\/h2>
在Windows系统编程和安全研究中，获取关键系统模块（如ntdll.dll和kernel32.dll）的基地址是一项基础但重要的技术。传统方法通过PEB（Process Environment Block）获取模块基址已被广泛使用，但也容易被安全软件检测。本文将详细介绍几种不依赖PEB获取这些关键模块基址的替代方法。<\/p>

方法一：通过TEB（Thread Environment Block）获取<\/h2>
虽然TEB通常与PEB相关联，但我们可以通过更隐蔽的方式利用它：<\/p>
\/\/ 32位实现
<\/span><\/span><\/span><\/span>__declspec<\/span>(naked<\/span>) HMODULE GetNtdllBaseFromTeb() {
<\/span><\/span>    __asm<\/span> {
<\/span><\/span>        mov eax, fs:[0x18<\/span>]   \/\/ 获取TEB地址
<\/span><\/span><\/span><\/span>        mov eax, [eax +<\/span> 0x30<\/span>] \/\/ 获取PEB地址
<\/span><\/span><\/span><\/span>        mov eax, [eax +<\/span> 0x0C<\/span>] \/\/ 获取PEB_LDR_DATA
<\/span><\/span><\/span><\/span>        mov eax, [eax +<\/span> 0x1C<\/span>] \/\/ 获取InInitializationOrderModuleList.Flink
<\/span><\/span><\/span><\/span>        mov eax, [eax]        \/\/ 获取第一个模块(通常是ntdll)
<\/span><\/span><\/span><\/span>        mov eax, [eax +<\/span> 0x08<\/span>] \/\/ 获取基地址
<\/span><\/span><\/span><\/span>        ret
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 64位实现
<\/span><\/span><\/span><\/span>HMODULE GetNtdllBaseFromTeb64() {
<\/span><\/span>    PPEB pPeb;
<\/span><\/span>    PPEB_LDR_DATA pLdr;
<\/span><\/span>    PLDR_DATA_TABLE_ENTRY pEntry;
<\/span><\/span>    
<\/span><\/span>    pPeb =<\/span> (PPEB)__readgsqword(0x60<\/span>);
<\/span><\/span>    pLdr =<\/span> (PPEB_LDR_DATA)pPeb-><\/span>Ldr;
<\/span><\/span>    pEntry =<\/span> (PLDR_DATA_TABLE_ENTRY)pLdr-><\/span>InInitializationOrderModuleList.Flink;
<\/span><\/span>    return<\/span> (HMODULE)pEntry-><\/span>DllBase;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法二：通过异常处理链获取<\/h2>
利用SEH（结构化异常处理）机制获取模块基址：<\/p>
HMODULE GetModuleBaseViaException<\/span>() {
<\/span><\/span>    __try<\/span> {
<\/span><\/span>        \/\/ 故意触发异常
<\/span><\/span><\/span><\/span>        *<\/span>(int<\/span>*<\/span>)0<\/span> =<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    __except<\/span>(GetExceptionInformation() ?<\/span> 
<\/span><\/span>        ((EXCEPTION_POINTERS*<\/span>)GetExceptionInformation())-><\/span>ContextRecord-><\/span>Eip : 0<\/span>) {
<\/span><\/span>        MEMORY_BASIC_INFORMATION mbi;
<\/span><\/span>        CONTEXT*<\/span> ctx =<\/span> ((EXCEPTION_POINTERS*<\/span>)GetExceptionInformation())-><\/span>ContextRecord;
<\/span><\/span>        VirtualQuery((void<\/span>*<\/span>)ctx-><\/span>Eip, &<\/span>mbi, sizeof<\/span>(mbi));
<\/span><\/span>        return<\/span> (HMODULE)mbi.AllocationBase;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法三：通过API调用栈回溯<\/h2>
利用调用栈回溯技术获取调用者模块基址：<\/p>
HMODULE GetModuleBaseViaStackWalk<\/span>() {
<\/span><\/span>    PVOID addresses[1<\/span>];
<\/span><\/span>    USHORT frames =<\/span> CaptureStackBackTrace(1<\/span>, 1<\/span>, addresses, NULL);
<\/span><\/span>    if<\/span> (frames ==<\/span> 1<\/span>) {
<\/span><\/span>        MEMORY_BASIC_INFORMATION mbi;
<\/span><\/span>        if<\/span> (VirtualQuery(addresses[0<\/span>], &<\/span>mbi, sizeof<\/span>(mbi))) {
<\/span><\/span>            return<\/span> (HMODULE)mbi.AllocationBase;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法四：通过内存扫描<\/h2>
直接扫描进程内存查找模块特征：<\/p>
HMODULE FindModuleByMemoryScan<\/span>(const<\/span> char<\/span>*<\/span> moduleName) {
<\/span><\/span>    SYSTEM_INFO sysInfo;
<\/span><\/span>    GetSystemInfo(&<\/span>sysInfo);
<\/span><\/span>    LPBYTE pStart =<\/span> (LPBYTE)sysInfo.lpMinimumApplicationAddress;
<\/span><\/span>    LPBYTE pEnd =<\/span> (LPBYTE)sysInfo.lpMaximumApplicationAddress;
<\/span><\/span>    
<\/span><\/span>    MEMORY_BASIC_INFORMATION mbi;
<\/span><\/span>    while<\/span> (pStart <<\/span> pEnd) {
<\/span><\/span>        if<\/span> (VirtualQuery(pStart, &<\/span>mbi, sizeof<\/span>(mbi)) ==<\/span> sizeof<\/span>(mbi)) {
<\/span><\/span>            if<\/span> (mbi.State ==<\/span> MEM_COMMIT &&<\/span> mbi.Type ==<\/span> MEM_IMAGE) {
<\/span><\/span>                IMAGE_DOS_HEADER*<\/span> pDos =<\/span> (IMAGE_DOS_HEADER*<\/span>)mbi.AllocationBase;
<\/span><\/span>                if<\/span> (pDos-><\/span>e_magic ==<\/span> IMAGE_DOS_SIGNATURE) {
<\/span><\/span>                    IMAGE_NT_HEADERS*<\/span> pNt =<\/span> (IMAGE_NT_HEADERS*<\/span>)((LPBYTE)pDos +<\/span> pDos-><\/span>e_lfanew);
<\/span><\/span>                    if<\/span> (pNt-><\/span>Signature ==<\/span> IMAGE_NT_SIGNATURE) {
<\/span><\/span>                        PIMAGE_EXPORT_DIRECTORY pExport =<\/span> (PIMAGE_EXPORT_DIRECTORY)(
<\/span><\/span>                            (LPBYTE)pDos +<\/span> pNt-><\/span>OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
<\/span><\/span>                        if<\/span> (pExport) {
<\/span><\/span>                            char<\/span>*<\/span> pName =<\/span> (char<\/span>*<\/span>)((LPBYTE)pDos +<\/span> pExport-><\/span>Name);
<\/span><\/span>                            if<\/span> (_stricmp(pName, moduleName) ==<\/span> 0<\/span>) {
<\/span><\/span>                                return<\/span> (HMODULE)mbi.AllocationBase;
<\/span><\/span>                            }
<\/span><\/span>                        }
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>            pStart +=<\/span> mbi.RegionSize;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法五：通过未文档化API<\/h2>
使用未公开的API函数获取模块信息：<\/p>
typedef<\/span> struct<\/span> _LDR_MODULE {
<\/span><\/span>    LIST_ENTRY InLoadOrderModuleList;
<\/span><\/span>    LIST_ENTRY InMemoryOrderModuleList;
<\/span><\/span>    LIST_ENTRY InInitializationOrderModuleList;
<\/span><\/span>    PVOID BaseAddress;
<\/span><\/span>    \/\/ ... 其他字段
<\/span><\/span><\/span><\/span>} LDR_MODULE, *<\/span>PLDR_MODULE;
<\/span><\/span>
<\/span><\/span>HMODULE GetModuleBaseUndocumented<\/span>() {
<\/span><\/span>    PPEB pPeb =<\/span> NtCurrentTeb()-><\/span>ProcessEnvironmentBlock;
<\/span><\/span>    PLDR_MODULE pLdrModule =<\/span> (PLDR_MODULE)pPeb-><\/span>Ldr-><\/span>InLoadOrderModuleList.Flink;
<\/span><\/span>    return<\/span> (HMODULE)pLdrModule-><\/span>BaseAddress;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法六：通过TEB的静态TLS数组<\/h2>
利用线程本地存储(TLS)数组获取：<\/p>
HMODULE GetModuleBaseViaTls<\/span>() {
<\/span><\/span>    PTEB pTeb =<\/span> NtCurrentTeb();
<\/span><\/span>    \/\/ TLS数组的第4个槽位通常指向kernel32.dll
<\/span><\/span><\/span><\/span>    HMODULE hModule =<\/span> (HMODULE)pTeb-><\/span>TlsSlots[3<\/span>]; 
<\/span><\/span>    return<\/span> hModule;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法七：通过API哈希搜索<\/h2>
结合内存扫描和API哈希技术：<\/p>
DWORD HashAPI<\/span>(const<\/span> char<\/span>*<\/span> apiName) {
<\/span><\/span>    DWORD hash =<\/span> 0<\/span>;
<\/span><\/span>    while<\/span> (*<\/span>apiName) {
<\/span><\/span>        hash =<\/span> ((hash <<<\/span> 5<\/span>) +<\/span> hash) +<\/span> *<\/span>apiName++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> hash;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>HMODULE FindModuleByAPIHash<\/span>(DWORD apiHash) {
<\/span><\/span>    SYSTEM_INFO sysInfo;
<\/span><\/span>    GetSystemInfo(&<\/span>sysInfo);
<\/span><\/span>    LPBYTE pStart =<\/span> (LPBYTE)sysInfo.lpMinimumApplicationAddress;
<\/span><\/span>    LPBYTE pEnd =<\/span> (LPBYTE)sysInfo.lpMaximumApplicationAddress;
<\/span><\/span>    
<\/span><\/span>    MEMORY_BASIC_INFORMATION mbi;
<\/span><\/span>    while<\/span> (pStart <<\/span> pEnd) {
<\/span><\/span>        if<\/span> (VirtualQuery(pStart, &<\/span>mbi, sizeof<\/span>(mbi)) ==<\/span> sizeof<\/span>(mbi)) {
<\/span><\/span>            if<\/span> (mbi.State ==<\/span> MEM_COMMIT &&<\/span> mbi.Type ==<\/span> MEM_IMAGE) {
<\/span><\/span>                IMAGE_DOS_HEADER*<\/span> pDos =<\/span> (IMAGE_DOS_HEADER*<\/span>)mbi.AllocationBase;
<\/span><\/span>                if<\/span> (pDos-><\/span>e_magic ==<\/span> IMAGE_DOS_SIGNATURE) {
<\/span><\/span>                    IMAGE_NT_HEADERS*<\/span> pNt =<\/span> (IMAGE_NT_HEADERS*<\/span>)((LPBYTE)pDos +<\/span> pDos-><\/span>e_lfanew);
<\/span><\/span>                    if<\/span> (pNt-><\/span>Signature ==<\/span> IMAGE_NT_SIGNATURE) {
<\/span><\/span>                        PIMAGE_EXPORT_DIRECTORY pExport =<\/span> (PIMAGE_EXPORT_DIRECTORY)(
<\/span><\/span>                            (LPBYTE)pDos +<\/span> pNt-><\/span>OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
<\/span><\/span>                        if<\/span> (pExport) {
<\/span><\/span>                            DWORD*<\/span> pNames =<\/span> (DWORD*<\/span>)((LPBYTE)pDos +<\/span> pExport-><\/span>AddressOfNames);
<\/span><\/span>                            for<\/span> (DWORD i =<\/span> 0<\/span>; i <<\/span> pExport-><\/span>NumberOfNames; i++<\/span>) {
<\/span><\/span>                                char<\/span>*<\/span> pName =<\/span> (char<\/span>*<\/span>)((LPBYTE)pDos +<\/span> pNames[i]);
<\/span><\/span>                                if<\/span> (HashAPI(pName) ==<\/span> apiHash) {
<\/span><\/span>                                    return<\/span> (HMODULE)mbi.AllocationBase;
<\/span><\/span>                                }
<\/span><\/span>                            }
<\/span><\/span>                        }
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>            pStart +=<\/span> mbi.RegionSize;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法八：通过中断门或调用门<\/h2>
利用CPU特权指令获取（需内核权限）：<\/p>
; 32位示例
<\/span><\/span><\/span><\/span>get_module_base:
<\/span><\/span>    push<\/span> ebp<\/span>
<\/span><\/span>    mov<\/span> ebp<\/span>, esp<\/span>
<\/span><\/span>    sidt<\/span> [ebp-6<\/span>]      ; 获取IDT地址
<\/span><\/span><\/span><\/span>    mov<\/span> eax<\/span>, [ebp-4<\/span>]  ; 获取IDT基址
<\/span><\/span><\/span><\/span>    mov<\/span> eax<\/span>, [eax<\/span>+<\/span>4<\/span>]  ; 获取第一个中断处理程序地址
<\/span><\/span><\/span><\/span>    shr<\/span> eax<\/span>, 16<\/span>       ; 获取段选择子
<\/span><\/span><\/span><\/span>    and<\/span> eax<\/span>, 0xFFF8<\/span>   ; 清除TI和RPL位
<\/span><\/span><\/span><\/span>    mov<\/span> eax<\/span>, [eax<\/span>]    ; 获取段描述符
<\/span><\/span><\/span><\/span>    mov<\/span> eax<\/span>, [eax<\/span>+<\/span>2<\/span>]  ; 获取段基址
<\/span><\/span><\/span><\/span>    leave<\/span>
<\/span><\/span>    ret<\/span>
<\/span><\/span><\/code><\/pre>方法九：通过Vectored Exception Handling<\/h2>
利用向量化异常处理机制：<\/p>
HMODULE GetModuleBaseViaVEH<\/span>() {
<\/span><\/span>    PVOID handler =<\/span> AddVectoredExceptionHandler(1<\/span>, [](PEXCEPTION_POINTERS pExc) -><\/span> LONG {
<\/span><\/span>        MEMORY_BASIC_INFORMATION mbi;
<\/span><\/span>        VirtualQuery((void<\/span>*<\/span>)pExc-><\/span>ContextRecord-><\/span>Eip, &<\/span>mbi, sizeof<\/span>(mbi));
<\/span><\/span>        pExc-><\/span>ContextRecord-><\/span>Eax =<\/span> (DWORD)mbi.AllocationBase;
<\/span><\/span>        return<\/span> EXCEPTION_CONTINUE_EXECUTION;
<\/span><\/span>    });
<\/span><\/span>    
<\/span><\/span>    __try<\/span> {
<\/span><\/span>        __asm<\/span> int<\/span> 3<\/span>; \/\/ 触发断点异常
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    __except<\/span>(EXCEPTION_EXECUTE_HANDLER) {
<\/span><\/span>        HMODULE hModule;
<\/span><\/span>        __asm<\/span> mov hModule, eax;
<\/span><\/span>        RemoveVectoredExceptionHandler(handler);
<\/span><\/span>        return<\/span> hModule;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>方法十：通过硬件断点<\/h2>
利用调试寄存器获取：<\/p>
HMODULE GetModuleBaseViaHwBp<\/span>() {
<\/span><\/span>    CONTEXT ctx =<\/span> {0<\/span>};
<\/span><\/span>    ctx.ContextFlags =<\/span> CONTEXT_DEBUG_REGISTERS;
<\/span><\/span>    ctx.Dr0 =<\/span> (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"<\/span>), "LoadLibraryA"<\/span>);
<\/span><\/span>    ctx.Dr7 =<\/span> (1<\/span> <<<\/span> 0<\/span>) |<\/span> (1<\/span> <<<\/span> 2<\/span>); \/\/ 设置DR0为执行断点
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    SetThreadContext(GetCurrentThread(), &<\/span>ctx);
<\/span><\/span>    
<\/span><\/span>    __try<\/span> {
<\/span><\/span>        LoadLibraryA("user32.dll"<\/span>); \/\/ 触发硬件断点
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    __except<\/span>(GetExceptionCode() ==<\/span> EXCEPTION_SINGLE_STEP ?<\/span> 
<\/span><\/span>             EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
<\/span><\/span>        MEMORY_BASIC_INFORMATION mbi;
<\/span><\/span>        VirtualQuery((void<\/span>*<\/span>)ctx.Dr0, &<\/span>mbi, sizeof<\/span>(mbi));
<\/span><\/span>        return<\/span> (HMODULE)mbi.AllocationBase;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>防御措施与检测方法<\/h2>
了解这些技术后，安全开发者可以采取以下防御措施：<\/p>

内存保护<\/strong>：使用PAGE_GUARD保护关键模块内存区域<\/li>
API监控<\/strong>：挂钩VirtualQuery等关键API检测异常调用模式<\/li>
异常监控<\/strong>：监控异常的频率和来源<\/li>
调用栈验证<\/strong>：检查API调用的返回地址是否在预期模块内<\/li>
TEB\/PEB保护<\/strong>：使用内存加密技术保护关键数据结构<\/li>
<\/ol>
总结<\/h2>
本文详细介绍了10种不依赖PEB获取ntdll和kernel32模块基址的技术，从简单的TEB访问到复杂的硬件断点利用。这些技术在恶意软件分析、反病毒开发和系统安全研究中都有重要应用。理解这些方法不仅有助于开发更安全的软件，也能帮助安全研究人员更好地检测和防御恶意代码。<\/p>