private unsafe IntPtr RemapNtModule()
{
var baseAddress = IntPtr.Zero;
var uni = new UNICODE_STRING();
if (Is32Bits)
{
RtlInitUnicodeString(ref uni, $"\\KnownDlls32\\{ModuleName}");
}
else
{
RtlInitUnicodeString(ref uni, $"\\KnownDlls\\{ModuleName}");
}
var objAttribute = new OBJECT_ATTRIBUTES
{
Length = sizeof(OBJECT_ATTRIBUTES),
ObjectName = &uni,
Attributes = 0x00000040
};
NtOpenSection(out var handler, 0x04, ref objAttribute);
NtMapViewOfSection(handler, (IntPtr)(-1), ref baseAddress, IntPtr.Zero, IntPtr.Zero, out _, out _, 1, 0,
0x02);
NtClose(handler);
return(baseAddress);
}
public static extern void RtlInitUnicodeString(ref UNICODE_STRING DestinationString,
[MarshalAs(UnmanagedType.LPWStr)] string SourceString);
