ProxyWorkItemLoadLibrary

typedef NTSTATUS(NTAPI* NTWAITFORSINGLEOBJECT)(HANDLE, BOOL, PLARGE_INTEGER);
typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);

HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName)
{
	NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
	RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
	NTSTATUS Status = STATUS_SUCCESS;
	LARGE_INTEGER Timeout = { 0 };

	NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWaitForSingleObject");
	RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlQueueWorkItem");

	if (!NtWaitForSingleObject || !RtlQueueWorkItem)
		return NULL;

	if(RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryW, (PVOID)lpModuleName, WT_EXECUTEDEFAULT) != STATUS_SUCCESS)
		return NULL;

	Timeout.QuadPart = -500000;

	NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);

	return GetModuleHandleW(lpModuleName);
}

HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName)
{
	NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
	RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
	NTSTATUS Status = STATUS_SUCCESS;
	LARGE_INTEGER Timeout = { 0 };

	NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWaitForSingleObject");
	RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlQueueWorkItem");

	if (!NtWaitForSingleObject || !RtlQueueWorkItem)
		return NULL;

	if(RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryA, (PVOID)lpModuleName, WT_EXECUTEDEFAULT) != STATUS_SUCCESS)
		return NULL;

	Timeout.QuadPart = -500000;

	NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);

	return GetModuleHandleA(lpModuleName);
}

PreviousProxyRegisterWaitLoadLibraryNextFunction Import Methods

Last updated