Windows两种遍历所有内核模块的方法_Windows遍历系统内核模块代码_

测试环境

知识兔

Windows10 X64(本机) + Windows X64(测试机) + Windows XP(测试机)

下面是具体代码与实现:

#include "ntifs.h"#ifdef _M_X32//0xa8 bytes (sizeof)typedef struct _LDR_DATA_TABLE_ENTRY {        struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0        struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x8        struct _LIST_ENTRY InInitializationOrderLinks;                          //0x10        VOID* DllBase;                                                          //0x18        VOID* EntryPoint;                                                       //0x1c        ULONG SizeOfImage;                                                      //0x20        struct _UNICODE_STRING FullDllName;                                     //0x24        struct _UNICODE_STRING BaseDllName;                                     //0x2c        union {                UCHAR FlagGroup[4];                                                 //0x34                ULONG Flags;                                                        //0x34                struct {                        ULONG PackagedBinary : 1;                                         //0x34                        ULONG MarkedForRemoval : 1;                                       //0x34                        ULONG ImageDll : 1;                                               //0x34                        ULONG LoadNotificationsSent : 1;                                  //0x34                        ULONG TelemetryEntryProcessed : 1;                                //0x34                        ULONG ProcessStaticImport : 1;                                    //0x34                        ULONG InLegacyLists : 1;                                          //0x34                        ULONG InIndexes : 1;                                              //0x34                        ULONG ShimDll : 1;                                                //0x34                        ULONG InExceptionTable : 1;                                       //0x34                        ULONG ReservedFlags1 : 2;                                         //0x34                        ULONG LoadInProgress : 1;                                         //0x34                        ULONG LoadConfigProcessed : 1;                                    //0x34                        ULONG EntryProcessed : 1;                                         //0x34                        ULONG ProtectDelayLoad : 1;                                       //0x34                        ULONG ReservedFlags3 : 2;                                         //0x34                        ULONG DontCallForThreads : 1;                                     //0x34                        ULONG ProcessAttachCalled : 1;                                    //0x34                        ULONG ProcessAttachFailed : 1;                                    //0x34                        ULONG CorDeferredValidate : 1;                                    //0x34                        ULONG CorImage : 1;                                               //0x34                        ULONG DontRelocate : 1;                                           //0x34                        ULONG CorILOnly : 1;                                              //0x34                        ULONG ChpeImage : 1;                                              //0x34                        ULONG ReservedFlags5 : 2;                                         //0x34                        ULONG Redirected : 1;                                             //0x34                        ULONG ReservedFlags6 : 2;                                         //0x34                        ULONG CompatDatabaseProcessed : 1;                                //0x34                };        };        USHORT ObsoleteLoadCount;                                               //0x38        USHORT TlsIndex;                                                        //0x3a        struct _LIST_ENTRY HashLinks;                                           //0x3c        ULONG TimeDateStamp;                                                    //0x44        struct _ACTIVATION_CONTEXT* EntryPointActivationContext;                //0x48        VOID* Lock;                                                             //0x4c        struct _LDR_DDAG_NODE* DdagNode;                                        //0x50        struct _LIST_ENTRY NodeModuleLink;                                      //0x54        struct _LDRP_LOAD_CONTEXT* LoadContext;                                 //0x5c        VOID* ParentDllBase;                                                    //0x60        VOID* SwitchBackContext;                                                //0x64        struct _RTL_BALANCED_NODE BaseAddressIndexNode;                         //0x68        struct _RTL_BALANCED_NODE MappingInfoIndexNode;                         //0x74        ULONG OriginalBase;                                                     //0x80        union _LARGE_INTEGER LoadTime;                                          //0x88        ULONG BaseNameHashValue;                                                //0x90        enum _LDR_DLL_LOAD_REASON LoadReason;                                   //0x94        ULONG ImplicitPathOptions;                                              //0x98        ULONG ReferenceCount;                                                   //0x9c        ULONG DependentLoadFlags;                                               //0xa0        UCHAR SigningLevel;                                                     //0xa4}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;#else//0x138 bytes (sizeof)typedef struct _LDR_DATA_TABLE_ENTRY {        struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0        struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x10        struct _LIST_ENTRY InInitializationOrderLinks;                          //0x20        VOID* DllBase;                                                          //0x30        VOID* EntryPoint;                                                       //0x38        ULONG SizeOfImage;                                                      //0x40        struct _UNICODE_STRING FullDllName;                                     //0x48        struct _UNICODE_STRING BaseDllName;                                     //0x58        union {                UCHAR FlagGroup[4];                                                 //0x68                ULONG Flags;                                                        //0x68                struct {                        ULONG PackagedBinary : 1;                                         //0x68                        ULONG MarkedForRemoval : 1;                                       //0x68                        ULONG ImageDll : 1;                                               //0x68                        ULONG LoadNotificationsSent : 1;                                  //0x68                        ULONG TelemetryEntryProcessed : 1;                                //0x68                        ULONG ProcessStaticImport : 1;                                    //0x68                        ULONG InLegacyLists : 1;                                          //0x68                        ULONG InIndexes : 1;                                              //0x68                        ULONG ShimDll : 1;                                                //0x68                        ULONG InExceptionTable : 1;                                       //0x68                        ULONG ReservedFlags1 : 2;                                         //0x68                        ULONG LoadInProgress : 1;                                         //0x68                        ULONG LoadConfigProcessed : 1;                                    //0x68                        ULONG EntryProcessed : 1;                                         //0x68                        ULONG ProtectDelayLoad : 1;                                       //0x68                        ULONG ReservedFlags3 : 2;                                         //0x68                        ULONG DontCallForThreads : 1;                                     //0x68                        ULONG ProcessAttachCalled : 1;                                    //0x68                        ULONG ProcessAttachFailed : 1;                                    //0x68                        ULONG CorDeferredValidate : 1;                                    //0x68                        ULONG CorImage : 1;                                               //0x68                        ULONG DontRelocate : 1;                                           //0x68                        ULONG CorILOnly : 1;                                              //0x68                        ULONG ChpeImage : 1;                                              //0x68                        ULONG ChpeEmulatorImage : 1;                                      //0x68                        ULONG ReservedFlags5 : 1;                                         //0x68                        ULONG Redirected : 1;                                             //0x68                        ULONG ReservedFlags6 : 2;                                         //0x68                        ULONG CompatDatabaseProcessed : 1;                                //0x68                };        };        USHORT ObsoleteLoadCount;                                               //0x6c        USHORT TlsIndex;                                                        //0x6e        struct _LIST_ENTRY HashLinks;                                           //0x70        ULONG TimeDateStamp;                                                    //0x80        struct _ACTIVATION_CONTEXT* EntryPointActivationContext;                //0x88        VOID* Lock;                                                             //0x90        struct _LDR_DDAG_NODE* DdagNode;                                        //0x98        struct _LIST_ENTRY NodeModuleLink;                                      //0xa0        struct _LDRP_LOAD_CONTEXT* LoadContext;                                 //0xb0        VOID* ParentDllBase;                                                    //0xb8        VOID* SwitchBackContext;                                                //0xc0        struct _RTL_BALANCED_NODE BaseAddressIndexNode;                         //0xc8        struct _RTL_BALANCED_NODE MappingInfoIndexNode;                         //0xe0        ULONGLONG OriginalBase;                                                 //0xf8        union _LARGE_INTEGER LoadTime;                                          //0x100        ULONG BaseNameHashValue;                                                //0x108        enum _LDR_DLL_LOAD_REASON LoadReason;                                   //0x10c        ULONG ImplicitPathOptions;                                              //0x110        ULONG ReferenceCount;                                                   //0x114        ULONG DependentLoadFlags;                                               //0x118        UCHAR SigningLevel;                                                     //0x11c        ULONG CheckSum;                                                         //0x120        VOID* ActivePatchImageBase;                                             //0x128        enum _LDR_HOT_PATCH_STATE HotPatchState;                                //0x130}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;#endiftypedef __kernel_entry NTSTATUS funNtQuerySystemInformation(        char    SystemInformationClass,        PVOID   SystemInformation,        ULONG   SystemInformationLength,        PULONG  ReturnLength);#define WORD unsigned short#define BYTE unsigned chartypedef struct _SYSTEM_MODULE {        ULONG                Reserved1;        ULONG                Reserved2;        PVOID                ImageBaseAddress;        size_t                ImageSize;        size_t                Flags;        WORD                 Id;        WORD                 Rank;        WORD                 w018;        WORD                 NameOffset;        BYTE                 Name[MAXIMUM_FILENAME_LENGTH];} SYSTEM_MODULE, * PSYSTEM_MODULE;typedef struct _SYSTEM_MODULE_INFORMATION {        size_t                ModulesCount;        SYSTEM_MODULE        Modules[0];} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;void PrintAllMoudleBySection(PDRIVER_OBJECT driver) {        LDR_DATA_TABLE_ENTRY* ldr = driver->DriverSection;        LIST_ENTRY* Var_Ldr = ldr;        do {                DbgPrint("%wZ %x\n", &ldr->BaseDllName, ldr->DllBase);                ldr = ldr->InLoadOrderLinks.Flink;        } while (Var_Ldr != ldr);}void PrintAllMoudleByNtQuerySystemInformation() {        UNICODE_STRING DstUnicodeString;        RtlInitUnicodeString(&DstUnicodeString, L"NtQuerySystemInformation");        funNtQuerySystemInformation* NtQuerySystemInformation = MmGetSystemRoutineAddress(&DstUnicodeString);        if (NtQuerySystemInformation == NULL) {                DbgPrint("获取地址失败\n");                return STATUS_UNSUCCESSFUL;        }        SYSTEM_MODULE_INFORMATION* SystemInformation;        unsigned int SystemInfoSize = 0x1000;        unsigned int ReturnLength = 0;        do {                SystemInformation = ExAllocatePoolWithTag(PagedPool, SystemInfoSize, " kdD");                if (SystemInformation == NULL) {                        DbgPrint("分配内存失败\n");                        return STATUS_UNSUCCESSFUL;                }                NTSTATUS Status = NtQuerySystemInformation(0xB, SystemInformation, SystemInfoSize, &ReturnLength);                if (NT_SUCCESS(Status)) {                        break;                } else if (Status != STATUS_INFO_LENGTH_MISMATCH) {                        return STATUS_INFO_LENGTH_MISMATCH;                } else {                        ExFreePoolWithTag(SystemInformation, " kdD");                        SystemInfoSize <<= 1;                }        } while (1);        DbgPrint("\n\n****************************************************************\n\n\n");        for (size_t i = 0; i < SystemInformation->ModulesCount; i++) {                unsigned char* Name = SystemInformation->Modules[i].NameOffset + SystemInformation->Modules[i].Name;                DbgPrint("%s %x\n", Name, SystemInformation->Modules[i].ImageBaseAddress);        }        ExFreePoolWithTag(SystemInformation, " kdD");}NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path) {        driver->Flags |= 0x20;        driver->DriverUnload = DriverUnload;        PrintAllMoudleBySection(driver);        PrintAllMoudleByNtQuerySystemInformation();        DbgPrint("Hello Wolrd!\n");        return STATUS_SUCCESS;}

• 上一篇：火绒剑独立版v2021.06.01
• 下一篇：360加速球+U盘悬浮窗 v13.0.0.1141独立版

猜你还喜欢

• 11-05 Win10手动安装.appx格式UWP应用的方法
• 11-01 win7怎么设置多地区时间显示
• 11-01 Windows怎么修复桌面图标缓存
• 10-29 使用批处理查看所有连接过的WiFi名称和密码
• 10-24 苹果笔记本怎么重装系统win7
• 10-24 电脑win11显卡设置怎么进去
• 10-18 CE修改器如何添加插件
• 10-16 火绒怎么关闭开启自启动
• 09-02 IObit Smart Defrag怎么设置成中文
• 07-25 笔记本电池损坏的原因有哪些
• 07-21 PowerPoint是什么软件
• 07-15 打印机脱机状态怎么办，小编教你如何快速解决电脑打印机脱机问题

搜一下它不香吗

最新PC软件

• 服务删除工具v2.0绿色版
• 断网查绿色单文件版
• Windows系统调校v1.1.35
• 360极速浏览器X v21.0.1160绿色版
• qBittorrent v4.5.0.10绿色增强版
• HiBit Uninstaller v3.0.10单文件版
• 运动步数管理v1.0.2
• Iriun Webcam v2.7.7绿色版
• PC搜狗输入法v13.0.0.6738绿色精简版
• 分区助手技术员版v9.13.0绿色版

湘公网安备 43041202000037号 湘ICP备2020018726号-3

Copyright © 2021-2022 All right reserved.  网站声明

>

点击下载