Improve x64 system region calculation

m417z · m417z · commit 5d6781760766 · 2025-11-05T10:57:00.000+02:00
InInitializationOrderModuleList might be unreliable due to security
products. Also, use a more defensive approach for unusual Ntdll.dll base
addresses.
diff --git a/Source/KNSoft.SlimDetours/Memory.c b/Source/KNSoft.SlimDetours/Memory.c
@@ -14,7 +14,7 @@
  *
  * The region is [0x50000000 ... 0x78000000) (640MB) on 32-bit Windows;
  * and [0x00007FF7FFFF0000 ... 0x00007FFFFFFF0000) (32GB) on 64-bit Windows, which is too large to avoid.
- * In this case, avoiding 1GB range starting at Ntdll.dll is make sense.
+ * In this case, avoiding 1GB range starting at Ntdll.dll makes sense.
  * If ASLR is disabled on NT6.0 or NT6.1, we reserve the top 1GB or 640MB region.
  *
  * The original Microsoft Detours always assumes and reserves [0x70000000 ... 0x80000000] (256MB) for system DLLs,
@@ -35,6 +35,7 @@ _STATIC_ASSERT(SYSTEM_RESERVED_REGION_HIGHEST + 1 == 0x00007FFFFFFF0000ULL);
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_SIZE == _32GB);
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_LOWEST == 0x00007FF7FFFF0000ULL);
 
+static const UNICODE_STRING g_usNtdllDll = RTL_CONSTANT_STRING(L"ntdll.dll");
 static ULONG_PTR s_ulSystemRegionHighLowerBound = MAXULONG_PTR;
 #else
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_HIGHEST + 1 == 0x78000000UL);
@@ -116,12 +117,19 @@ detour_memory_init(VOID)
         {
 #if defined(_WIN64)
             /* 1GB after Ntdll.dll */
-            PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
+            PVOID NtdllBase = NULL;
+            LdrGetDllHandle(NULL, NULL, (PUNICODE_STRING)&g_usNtdllDll, &NtdllBase);
+
+            // Win10/Win11 ntdll virtual size is around 1.8-2.5MB, reserving 16MB should
+            // be enough to cover future growth. Moreover, the ntdll region is already
+            // used by ntdll, so it's merely an optimization.
+            s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllBase + _16MB - 1;
+            if (s_ulSystemRegionLowUpperBound < SYSTEM_RESERVED_REGION_LOWEST ||
+			    s_ulSystemRegionLowUpperBound > SYSTEM_RESERVED_REGION_HIGHEST)
+            {
+                s_ulSystemRegionLowUpperBound = SYSTEM_RESERVED_REGION_HIGHEST;
+            }
 
-            NtdllLdrEntry = CONTAINING_RECORD(NtCurrentPeb()->Ldr->InInitializationOrderModuleList.Flink,
-                                              LDR_DATA_TABLE_ENTRY,
-                                              InInitializationOrderLinks);
-            s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllLdrEntry->DllBase + NtdllLdrEntry->SizeOfImage - 1;
             s_ulSystemRegionLowLowerBound = s_ulSystemRegionLowUpperBound - _1GB + 1;
             if (s_ulSystemRegionLowLowerBound < SYSTEM_RESERVED_REGION_LOWEST)
             {
diff --git a/Source/KNSoft.SlimDetours/SlimDetours.NDK.inl b/Source/KNSoft.SlimDetours/SlimDetours.NDK.inl
@@ -100,6 +100,7 @@ C_ASSERT((ULONG_PTR)MI_ASLR_HIGHEST_SYSTEM_RANGE_ADDRESS - (ULONG_PTR)MI_ASLR_LO
 #define _GB(x) ((x) * _1GB)
 
 #define _512KB  _KB(512)
+#define _16MB   _MB(16)
 #define _640MB  _MB(640)
 #define _2GB    _GB(2)
 #define _32GB   _GB(32)
