This Rust library and CLI tool demonstrates an alternative method to find the base address of loaded DLLs without using a Process Environment Block (PEB) walk. This technique is particularly useful in scenarios where PEB walking might be detected or blocked.
This repository contains two branches with different approaches:
winapi crate and VirtualQuery for memory validationlib.rs) have no print statements for clean integrationmain.rs) includes debug output for proof of conceptVirtualQueryBoth branches are safe to use, but the OPSEC branch provides additional operational security benefits for scenarios where API calls might be monitored or blocked.
The program uses a stack walking approach to locate DLLs by:
Retrieves the stack base (GS:[0x08]) and stack limit (GS:[0x10]) from the TEB
Stack Walking:
VirtualQuery to validate memory regionsOPSEC branch: Uses direct memory access with exception handling
Module Identification:
Validates the module by checking:
Validation:
Traditional methods of finding DLLs often involve walking the PEB's module list. While effective, this approach can be: - Detected by security software - Blocked in certain environments
This stack walking method provides an alternative that: - Doesn't rely on the PEB - Can work in environments where PEB walking is blocked - OPSEC branch: Makes no API calls
winapi crateAdd to your Cargo.toml:
Main branch:
[dependencies]
moonwalk = { git = "https://github.com/Teach2Breach/moonwalk.git" }
OPSEC branch:
[dependencies]
moonwalk = { git = "https://github.com/Teach2Breach/moonwalk.git", branch = "opsec" }
Example usage in your code:
use moonwalk::find_dll_base;
fn main() {
// Find ntdll.dll
if let Some(ntdll_base) = find_dll_base("ntdll.dll") {
println!("ntdll.dll base: 0x{:X}", ntdll_base);
}
// Case-insensitive, .dll extension optional
if let Some(kernel32_base) = find_dll_base("KeRNEl32") {
println!("kernel32.dll base: 0x{:X}", kernel32_base);
}
}
Build:
cargo build --release
Run:
# Find ntdll.dll (default)
cargo run --release
# Find specific DLL (case insensitive, .dll extension optional)
cargo run --release kernel32.dll
cargo run --release KeRNEl32
cargo run --release USER32
Print statements are no longer included. This image is included for educational purposes.

VirtualQuery for safe memory access validation$ claude mcp add moonwalk \
-- python -m otcore.mcp_server <graph>