MCPcopy Index your code
hub / github.com/Teach2Breach/moonwalk

github.com/Teach2Breach/moonwalk @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
8 symbols 10 edges 2 files 1 documented · 12%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

moonwalk: DLL Base Address Finder

This Rust library and CLI tool demonstrates an alternative method to find the base address of loaded DLLs without using a Process Environment Block (PEB) walk. This technique is particularly useful in scenarios where PEB walking might be detected or blocked.

Branch Differences

This repository contains two branches with different approaches:

Main Branch

  • Uses winapi crate and VirtualQuery for memory validation
  • Library functions (lib.rs) have no print statements for clean integration
  • CLI tool (main.rs) includes debug output for proof of concept
  • Good for learning and understanding the technique

OPSEC Branch

  • No external dependencies - completely self-contained
  • No Windows API calls - uses direct memory access with exception handling instead of VirtualQuery
  • No print statements in library functions
  • Enhanced stealth - makes no API calls
  • Better for implants/tools - leaves fewer traces and is harder to detect

Both branches are safe to use, but the OPSEC branch provides additional operational security benefits for scenarios where API calls might be monitored or blocked.

How It Works

The program uses a stack walking approach to locate DLLs by:

  1. Accessing the Thread Environment Block (TEB):
  2. Uses inline assembly to read the TEB pointer from the GS segment register (GS:[0x30])
  3. Retrieves the stack base (GS:[0x08]) and stack limit (GS:[0x10]) from the TEB

  4. Stack Walking:

  5. Starts from the current stack pointer (RSP)
  6. Walks up the stack looking for return addresses
  7. Checks each address for executable memory
  8. Main branch: Uses VirtualQuery to validate memory regions
  9. OPSEC branch: Uses direct memory access with exception handling

  10. Module Identification:

  11. For each potential return address, checks if it points to executable memory
  12. When executable memory is found, walks backwards to find the PE header
  13. Validates the module by checking:

    • MZ signature (DOS header)
    • PE signature
    • DLL characteristics
    • 64-bit architecture
    • Module name from export directory
  14. Validation:

  15. Verifies the module is the target DLL by checking its name in the export directory
  16. Confirms all PE header structures are valid

Why This Approach?

Traditional methods of finding DLLs often involve walking the PEB's module list. While effective, this approach can be: - Detected by security software - Blocked in certain environments

This stack walking method provides an alternative that: - Doesn't rely on the PEB - Can work in environments where PEB walking is blocked - OPSEC branch: Makes no API calls

Requirements

  • Rust (nightly toolchain)
  • Windows x64
  • Main branch: winapi crate
  • OPSEC branch: No external dependencies

Usage

As a Library

Add to your Cargo.toml:

Main branch:

[dependencies]
moonwalk = { git = "https://github.com/Teach2Breach/moonwalk.git" }

OPSEC branch:

[dependencies]
moonwalk = { git = "https://github.com/Teach2Breach/moonwalk.git", branch = "opsec" }

Example usage in your code:

use moonwalk::find_dll_base;

fn main() {
    // Find ntdll.dll
    if let Some(ntdll_base) = find_dll_base("ntdll.dll") {
        println!("ntdll.dll base: 0x{:X}", ntdll_base);
    }

    // Case-insensitive, .dll extension optional
    if let Some(kernel32_base) = find_dll_base("KeRNEl32") {
        println!("kernel32.dll base: 0x{:X}", kernel32_base);
    }
}

As a CLI Tool

Build:

cargo build --release

Run:

# Find ntdll.dll (default)
cargo run --release

# Find specific DLL (case insensitive, .dll extension optional)
cargo run --release kernel32.dll
cargo run --release KeRNEl32
cargo run --release USER32

Example

Print statements are no longer included. This image is included for educational purposes.

Moonwalk DLL Base Address Finder Demo

Notes

  • DLL names are case-insensitive and the .dll extension is optional
  • Only works with DLLs that are in the call stack
  • Main branch: Uses VirtualQuery for safe memory access validation
  • OPSEC branch: Uses direct memory access with exception handling for maximum stealth
  • Both branches have clean library interfaces with no debug output

Core symbols most depended-on inside this repo

is_target_dll
called by 1
src/lib.rs
find_dll_base
called by 1
src/lib.rs
main
called by 0
src/main.rs

Shape

Class 5
Function 3

Languages

Rust100%

Modules by API surface

src/lib.rs7 symbols
src/main.rs1 symbols

For agents

$ claude mcp add moonwalk \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact