Improve x64 system region calculation

m417z · m417z · commit 63fb5ddc1774 · 2025-11-12T02:04:10.000+02:00
InInitializationOrderModuleList might be unreliable due to security
products. Also, use a more defensive approach for unusual Ntdll.dll base
addresses.
diff --git a/Source/KNSoft.SlimDetours/Memory.c b/Source/KNSoft.SlimDetours/Memory.c
@@ -14,7 +14,7 @@
  *
  * The region is [0x50000000 ... 0x78000000) (640MB) on 32-bit Windows;
  * and [0x00007FF7FFFF0000 ... 0x00007FFFFFFF0000) (32GB) on 64-bit Windows, which is too large to avoid.
- * In this case, avoiding 1GB range starting at Ntdll.dll is make sense.
+ * In this case, avoiding 1GB range starting at Ntdll.dll makes sense.
  * If ASLR is disabled on NT6.0 or NT6.1, we reserve the top 1GB or 640MB region.
  *
  * The original Microsoft Detours always assumes and reserves [0x70000000 ... 0x80000000] (256MB) for system DLLs,
@@ -35,6 +35,7 @@ _STATIC_ASSERT(SYSTEM_RESERVED_REGION_HIGHEST + 1 == 0x00007FFFFFFF0000ULL);
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_SIZE == _32GB);
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_LOWEST == 0x00007FF7FFFF0000ULL);
 
+static const UNICODE_STRING g_usNtdllDll = RTL_CONSTANT_STRING(L"ntdll.dll");
 static ULONG_PTR s_ulSystemRegionHighLowerBound = MAXULONG_PTR;
 #else
 _STATIC_ASSERT(SYSTEM_RESERVED_REGION_HIGHEST + 1 == 0x78000000UL);
@@ -116,12 +117,21 @@ detour_memory_init(VOID)
         {
 #if defined(_WIN64)
             /* 1GB after Ntdll.dll */
-            PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
+            PVOID NtdllBase = NULL;
+            LdrGetDllHandle(NULL, NULL, (PUNICODE_STRING)&g_usNtdllDll, &NtdllBase);
+
+            // Note: The ntdll region isn't excluded, but it's already occupied
+            // by ntdll, so that shouldn't be a problem.
+            s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllBase - 1;
+
+            // This condition is normally false, it's here just in case to have
+            // defined behavior in unusual situations (e.g. EDR tampering).
+            if (s_ulSystemRegionLowUpperBound < SYSTEM_RESERVED_REGION_LOWEST ||
+                s_ulSystemRegionLowUpperBound > SYSTEM_RESERVED_REGION_HIGHEST)
+            {
+                s_ulSystemRegionLowUpperBound = SYSTEM_RESERVED_REGION_HIGHEST;
+            }
 
-            NtdllLdrEntry = CONTAINING_RECORD(NtCurrentPeb()->Ldr->InInitializationOrderModuleList.Flink,
-                                              LDR_DATA_TABLE_ENTRY,
-                                              InInitializationOrderLinks);
-            s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllLdrEntry->DllBase + NtdllLdrEntry->SizeOfImage - 1;
             s_ulSystemRegionLowLowerBound = s_ulSystemRegionLowUpperBound - _1GB + 1;
             if (s_ulSystemRegionLowLowerBound < SYSTEM_RESERVED_REGION_LOWEST)
             {
