This Rust library and CLI tool demonstrates an alternative method to find the base address of loaded DLLs without using a Process Environment Block (PEB) walk. This technique is particularly useful in scenarios where PEB walking might be detected or blocked.
This repository contains two branches with different approaches:
- Uses
winapicrate andVirtualQueryfor memory validation - Library functions (
lib.rs) have no print statements for clean integration - CLI tool (
main.rs) includes debug output for proof of concept - Good for learning and understanding the technique
- No external dependencies - completely self-contained
- No Windows API calls - uses direct memory access with exception handling instead of
VirtualQuery - No print statements in library functions
- Enhanced stealth - makes no API calls
- Better for implants/tools - leaves fewer traces and is harder to detect
Both branches are safe to use, but the OPSEC branch provides additional operational security benefits for scenarios where API calls might be monitored or blocked.
The program uses a stack walking approach to locate DLLs by:
-
Accessing the Thread Environment Block (TEB):
- Uses inline assembly to read the TEB pointer from the GS segment register (GS:[0x30])
- Retrieves the stack base (GS:[0x08]) and stack limit (GS:[0x10]) from the TEB
-
Stack Walking:
- Starts from the current stack pointer (RSP)
- Walks up the stack looking for return addresses
- Checks each address for executable memory
- Main branch: Uses
VirtualQueryto validate memory regions - OPSEC branch: Uses direct memory access with exception handling
-
Module Identification:
- For each potential return address, checks if it points to executable memory
- When executable memory is found, walks backwards to find the PE header
- Validates the module by checking:
- MZ signature (DOS header)
- PE signature
- DLL characteristics
- 64-bit architecture
- Module name from export directory
-
Validation:
- Verifies the module is the target DLL by checking its name in the export directory
- Confirms all PE header structures are valid
Traditional methods of finding DLLs often involve walking the PEB's module list. While effective, this approach can be:
- Detected by security software
- Blocked in certain environments
This stack walking method provides an alternative that:
- Doesn't rely on the PEB
- Can work in environments where PEB walking is blocked
- OPSEC branch: Makes no API calls
- Rust (nightly toolchain)
- Windows x64
- Main branch:
winapicrate - OPSEC branch: No external dependencies
Add to your Cargo.toml:
Main branch:
[dependencies]
moonwalk = { git = "https://github.com/Teach2Breach/moonwalk.git" }OPSEC branch:
[dependencies]
moonwalk = { git = "https://github.com/Teach2Breach/moonwalk.git", branch = "opsec" }Example usage in your code:
use moonwalk::find_dll_base;
fn main() {
// Find ntdll.dll
if let Some(ntdll_base) = find_dll_base("ntdll.dll") {
println!("ntdll.dll base: 0x{:X}", ntdll_base);
}
// Case-insensitive, .dll extension optional
if let Some(kernel32_base) = find_dll_base("KeRNEl32") {
println!("kernel32.dll base: 0x{:X}", kernel32_base);
}
}Build:
cargo build --releaseRun:
# Find ntdll.dll (default)
cargo run --release
# Find specific DLL (case insensitive, .dll extension optional)
cargo run --release kernel32.dll
cargo run --release KeRNEl32
cargo run --release USER32Print statements are no longer included. This image is included for educational purposes.
- DLL names are case-insensitive and the .dll extension is optional
- Only works with DLLs that are in the call stack
- Main branch: Uses
VirtualQueryfor safe memory access validation - OPSEC branch: Uses direct memory access with exception handling for maximum stealth
- Both branches have clean library interfaces with no debug output