Improve x64 system region calculation

m417z · m417z · commit 52341eb84dc2 · 2025-11-04T20:55:07.000+02:00
InInitializationOrderModuleList might be unreliable due to security
products. Also, use a more defensive approach for unusual Ntdll.dll base
addresses.
diff --git a/Source/KNSoft.SlimDetours/Memory.c b/Source/KNSoft.SlimDetours/Memory.c
@@ -14,7 +14,7 @@
  *
  * The region is [0x50000000 ... 0x78000000) (640MB) on 32-bit Windows;
  * and [0x00007FF7FFFF0000 ... 0x00007FFFFFFF0000) (32GB) on 64-bit Windows, which is too large to avoid.
- * In this case, avoiding 1GB range starting at Ntdll.dll is make sense.
+ * In this case, avoiding 1GB range starting at Ntdll.dll makes sense.
  * If ASLR is disabled on NT6.0 or NT6.1, we reserve the top 1GB or 640MB region.
  *
  * The original Microsoft Detours always assumes and reserves [0x70000000 ... 0x80000000] (256MB) for system DLLs,
@@ -35,7 +35,7 @@ _STATIC_ASSERT(SYSTEM_RESERVED_REGION_HIGHEST + 1 == 0x00007FFFFFFF0000ULL);
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_SIZE == _32GB);
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_LOWEST == 0x00007FF7FFFF0000ULL);
 
-static ULONG_PTR s_ulSystemRegionHighLowerBound = MAXULONG_PTR;
+static const UNICODE_STRING g_usNtdllDll = RTL_CONSTANT_STRING(L"ntdll.dll");
 #else
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_HIGHEST + 1 == 0x78000000UL);
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_SIZE == _640MB);
@@ -116,18 +116,25 @@ detour_memory_init(VOID)
         {
 #if defined(_WIN64)
             /* 1GB after Ntdll.dll */
-            PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
+            PVOID NtdllBase = NULL;
+            LdrGetDllHandle(NULL, NULL, (PUNICODE_STRING)&g_usNtdllDll, &NtdllBase);
 
-            NtdllLdrEntry = CONTAINING_RECORD(NtCurrentPeb()->Ldr->InInitializationOrderModuleList.Flink,
-                                              LDR_DATA_TABLE_ENTRY,
-                                              InInitializationOrderLinks);
-            s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllLdrEntry->DllBase + NtdllLdrEntry->SizeOfImage - 1;
-            s_ulSystemRegionLowLowerBound = s_ulSystemRegionLowUpperBound - _1GB + 1;
-            if (s_ulSystemRegionLowLowerBound < SYSTEM_RESERVED_REGION_LOWEST)
+            // Win10/Win11 ntdll virtual size is around 1.8-2.5MB, reserving 16MB should
+            // be enough to cover future growth. Moreover, the ntdll region is already
+            // used by ntdll, so it's merely an optimization.
+            s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllBase + _16MB - 1;
+
+            // Ensure the reserved region is within the system reserved range. It should
+            // be, but be defensive just in case.
+            if (s_ulSystemRegionLowUpperBound < SYSTEM_RESERVED_REGION_LOWEST + _1GB - 1)
             {
-                s_ulSystemRegionHighLowerBound = s_ulSystemRegionLowLowerBound + SYSTEM_RESERVED_REGION_SIZE;
-                s_ulSystemRegionLowLowerBound = SYSTEM_RESERVED_REGION_LOWEST;
+                s_ulSystemRegionLowUpperBound = SYSTEM_RESERVED_REGION_LOWEST + _1GB - 1;
+            } else if (s_ulSystemRegionLowUpperBound > SYSTEM_RESERVED_REGION_HIGHEST)
+            {
+                s_ulSystemRegionLowUpperBound = SYSTEM_RESERVED_REGION_HIGHEST;
             }
+
+            s_ulSystemRegionLowLowerBound = s_ulSystemRegionLowUpperBound - _1GB + 1;
 #else
             s_ulSystemRegionLowUpperBound = SYSTEM_RESERVED_REGION_HIGHEST;
             s_ulSystemRegionLowLowerBound = SYSTEM_RESERVED_REGION_LOWEST;
@@ -207,13 +214,8 @@ BOOL
 detour_memory_is_system_reserved(
     _In_ PVOID Address)
 {
-    return
-        ((ULONG_PTR)Address >= s_ulSystemRegionLowLowerBound && (ULONG_PTR)Address <= s_ulSystemRegionLowUpperBound)
-#if defined(_WIN64)
-        || ((ULONG_PTR)Address >= s_ulSystemRegionHighLowerBound &&
-            (ULONG_PTR)Address <= SYSTEM_RESERVED_REGION_HIGHEST)
-#endif
-        ;
+    return (ULONG_PTR)Address >= s_ulSystemRegionLowLowerBound &&
+        (ULONG_PTR)Address <= s_ulSystemRegionLowUpperBound;
 }
 
 _Ret_notnull_
diff --git a/Source/KNSoft.SlimDetours/SlimDetours.NDK.inl b/Source/KNSoft.SlimDetours/SlimDetours.NDK.inl
@@ -100,6 +100,7 @@ C_ASSERT((ULONG_PTR)MI_ASLR_HIGHEST_SYSTEM_RANGE_ADDRESS - (ULONG_PTR)MI_ASLR_LO
 #define _GB(x) ((x) * _1GB)
 
 #define _512KB  _KB(512)
+#define _16MB   _MB(16)
 #define _640MB  _MB(640)
 #define _2GB    _GB(2)
 #define _32GB   _GB(32)
