Windows 两种遍历所有内核模块的方法（Windows 遍历系统内核模块代码）
测试环境
Windows10 X64(本机) + Windows X64(测试机) + Windows XP(测试机)
下面是具体代码与实现。注意：两种方法都依赖未公开的内核结构体（LDR_DATA_TABLE_ENTRY / SystemModuleInformation 返回的模块记录），字段偏移随 Windows 版本和位数变化，使用前需在目标系统上核对；第一种方法直接遍历 PsLoadedModuleList 且未加锁，只适合调试打印：
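#include "ntifs.h"

/*
 * Two ways of listing every loaded kernel module:
 *   1. walk PsLoadedModuleList starting from this driver's own loader entry
 *      (DRIVER_OBJECT.DriverSection);
 *   2. ask the kernel via ZwQuerySystemInformation(SystemModuleInformation).
 *
 * Both rely on undocumented layouts; the offsets below are what the original
 * listing declared and must be re-checked against the target build.
 */

/*
 * Pool tag for the module-list buffer. The original passed the string
 * literal " kdD", which hands ExAllocatePoolWithTag a char pointer instead
 * of a ULONG tag; a multi-character constant is what the API expects.
 */
#define MODULE_LIST_POOL_TAG 'ldoM'

/* SystemModuleInformation (undocumented SYSTEM_INFORMATION_CLASS value). */
#define MODULE_INFORMATION_CLASS 0xB

/*
 * _M_X32 is not a compiler-defined macro, so the original #ifdef never
 * selected the 32-bit layout and x86 builds silently used the x64 one.
 * _WIN64 is defined by the compiler for every 64-bit target.
 */
#ifndef _WIN64
/* 0xa8 bytes (sizeof) — 32-bit layout */
typedef struct _LDR_DATA_TABLE_ENTRY {
    struct _LIST_ENTRY InLoadOrderLinks;                     /* 0x00 */
    struct _LIST_ENTRY InMemoryOrderLinks;                   /* 0x08 */
    struct _LIST_ENTRY InInitializationOrderLinks;           /* 0x10 */
    VOID *DllBase;                                           /* 0x18 */
    VOID *EntryPoint;                                        /* 0x1c */
    ULONG SizeOfImage;                                       /* 0x20 */
    struct _UNICODE_STRING FullDllName;                      /* 0x24 */
    struct _UNICODE_STRING BaseDllName;                      /* 0x2c */
    union {
        UCHAR FlagGroup[4];                                  /* 0x34 */
        ULONG Flags;                                         /* 0x34 */
        struct {
            ULONG PackagedBinary : 1;
            ULONG MarkedForRemoval : 1;
            ULONG ImageDll : 1;
            ULONG LoadNotificationsSent : 1;
            ULONG TelemetryEntryProcessed : 1;
            ULONG ProcessStaticImport : 1;
            ULONG InLegacyLists : 1;
            ULONG InIndexes : 1;
            ULONG ShimDll : 1;
            ULONG InExceptionTable : 1;
            ULONG ReservedFlags1 : 2;
            ULONG LoadInProgress : 1;
            ULONG LoadConfigProcessed : 1;
            ULONG EntryProcessed : 1;
            ULONG ProtectDelayLoad : 1;
            ULONG ReservedFlags3 : 2;
            ULONG DontCallForThreads : 1;
            ULONG ProcessAttachCalled : 1;
            ULONG ProcessAttachFailed : 1;
            ULONG CorDeferredValidate : 1;
            ULONG CorImage : 1;
            ULONG DontRelocate : 1;
            ULONG CorILOnly : 1;
            ULONG ChpeImage : 1;
            ULONG ReservedFlags5 : 2;
            ULONG Redirected : 1;
            ULONG ReservedFlags6 : 2;
            ULONG CompatDatabaseProcessed : 1;
        };
    };
    USHORT ObsoleteLoadCount;                                /* 0x38 */
    USHORT TlsIndex;                                         /* 0x3a */
    struct _LIST_ENTRY HashLinks;                            /* 0x3c */
    ULONG TimeDateStamp;                                     /* 0x44 */
    struct _ACTIVATION_CONTEXT *EntryPointActivationContext; /* 0x48 */
    VOID *Lock;                                              /* 0x4c */
    struct _LDR_DDAG_NODE *DdagNode;                         /* 0x50 */
    struct _LIST_ENTRY NodeModuleLink;                       /* 0x54 */
    struct _LDRP_LOAD_CONTEXT *LoadContext;                  /* 0x5c */
    VOID *ParentDllBase;                                     /* 0x60 */
    VOID *SwitchBackContext;                                 /* 0x64 */
    struct _RTL_BALANCED_NODE BaseAddressIndexNode;          /* 0x68 */
    struct _RTL_BALANCED_NODE MappingInfoIndexNode;          /* 0x74 */
    ULONG OriginalBase;                                      /* 0x80 */
    union _LARGE_INTEGER LoadTime;                           /* 0x88 */
    ULONG BaseNameHashValue;                                 /* 0x90 */
    enum _LDR_DLL_LOAD_REASON LoadReason;                    /* 0x94 */
    ULONG ImplicitPathOptions;                               /* 0x98 */
    ULONG ReferenceCount;                                    /* 0x9c */
    ULONG DependentLoadFlags;                                /* 0xa0 */
    UCHAR SigningLevel;                                      /* 0xa4 */
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
#else
/* 0x138 bytes (sizeof) — 64-bit layout */
typedef struct _LDR_DATA_TABLE_ENTRY {
    struct _LIST_ENTRY InLoadOrderLinks;                     /* 0x000 */
    struct _LIST_ENTRY InMemoryOrderLinks;                   /* 0x010 */
    struct _LIST_ENTRY InInitializationOrderLinks;           /* 0x020 */
    VOID *DllBase;                                           /* 0x030 */
    VOID *EntryPoint;                                        /* 0x038 */
    ULONG SizeOfImage;                                       /* 0x040 */
    struct _UNICODE_STRING FullDllName;                      /* 0x048 */
    struct _UNICODE_STRING BaseDllName;                      /* 0x058 */
    union {
        UCHAR FlagGroup[4];                                  /* 0x068 */
        ULONG Flags;                                         /* 0x068 */
        struct {
            ULONG PackagedBinary : 1;
            ULONG MarkedForRemoval : 1;
            ULONG ImageDll : 1;
            ULONG LoadNotificationsSent : 1;
            ULONG TelemetryEntryProcessed : 1;
            ULONG ProcessStaticImport : 1;
            ULONG InLegacyLists : 1;
            ULONG InIndexes : 1;
            ULONG ShimDll : 1;
            ULONG InExceptionTable : 1;
            ULONG ReservedFlags1 : 2;
            ULONG LoadInProgress : 1;
            ULONG LoadConfigProcessed : 1;
            ULONG EntryProcessed : 1;
            ULONG ProtectDelayLoad : 1;
            ULONG ReservedFlags3 : 2;
            ULONG DontCallForThreads : 1;
            ULONG ProcessAttachCalled : 1;
            ULONG ProcessAttachFailed : 1;
            ULONG CorDeferredValidate : 1;
            ULONG CorImage : 1;
            ULONG DontRelocate : 1;
            ULONG CorILOnly : 1;
            ULONG ChpeImage : 1;
            ULONG ChpeEmulatorImage : 1;
            ULONG ReservedFlags5 : 1;
            ULONG Redirected : 1;
            ULONG ReservedFlags6 : 2;
            ULONG CompatDatabaseProcessed : 1;
        };
    };
    USHORT ObsoleteLoadCount;                                /* 0x06c */
    USHORT TlsIndex;                                         /* 0x06e */
    struct _LIST_ENTRY HashLinks;                            /* 0x070 */
    ULONG TimeDateStamp;                                     /* 0x080 */
    struct _ACTIVATION_CONTEXT *EntryPointActivationContext; /* 0x088 */
    VOID *Lock;                                              /* 0x090 */
    struct _LDR_DDAG_NODE *DdagNode;                         /* 0x098 */
    struct _LIST_ENTRY NodeModuleLink;                       /* 0x0a0 */
    struct _LDRP_LOAD_CONTEXT *LoadContext;                  /* 0x0b0 */
    VOID *ParentDllBase;                                     /* 0x0b8 */
    VOID *SwitchBackContext;                                 /* 0x0c0 */
    struct _RTL_BALANCED_NODE BaseAddressIndexNode;          /* 0x0c8 */
    struct _RTL_BALANCED_NODE MappingInfoIndexNode;          /* 0x0e0 */
    ULONGLONG OriginalBase;                                  /* 0x0f8 */
    union _LARGE_INTEGER LoadTime;                           /* 0x100 */
    ULONG BaseNameHashValue;                                 /* 0x108 */
    enum _LDR_DLL_LOAD_REASON LoadReason;                    /* 0x10c */
    ULONG ImplicitPathOptions;                               /* 0x110 */
    ULONG ReferenceCount;                                    /* 0x114 */
    ULONG DependentLoadFlags;                                /* 0x118 */
    UCHAR SigningLevel;                                      /* 0x11c */
    ULONG CheckSum;                                          /* 0x120 */
    VOID *ActivePatchImageBase;                              /* 0x128 */
    enum _LDR_HOT_PATCH_STATE HotPatchState;                 /* 0x130 */
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
#endif

/*
 * ZwQuerySystemInformation is not declared in the WDK headers, so it is
 * resolved at run time. The class argument is a ULONG (the original declared
 * it as char); the remaining parameters follow the documented user-mode
 * prototype.
 */
typedef NTSTATUS (NTAPI *PFN_QUERY_SYSTEM_INFORMATION)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

/*
 * One record of the SystemModuleInformation answer (the kernel's
 * RTL_PROCESS_MODULE_INFORMATION). The original declared the prefix as
 * ULONG, ULONG, PVOID, size_t, size_t; on x64 that placed ImageBaseAddress
 * over the MappedBase slot and ImageSize over the real image base. The
 * handle/pointer/pointer prefix below keeps every member on its real offset
 * on both 32- and 64-bit builds.
 */
typedef struct _SYSTEM_MODULE {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBaseAddress;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT NameOffset;                    /* offset of the file name inside Name */
    UCHAR Name[MAXIMUM_FILENAME_LENGTH];  /* full path, expected NUL-terminated */
} SYSTEM_MODULE, *PSYSTEM_MODULE;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[1];  /* ModulesCount entries follow in the buffer */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Defined elsewhere in the driver; not part of this listing. */
DRIVER_UNLOAD DriverUnload;
DRIVER_INITIALIZE DriverEntry;

/*
 * Method 1: walk the kernel's load-order list starting at our own entry.
 *
 * driver->DriverSection points at this driver's loader entry, which sits on
 * PsLoadedModuleList. The kernel's entry type only shares the leading
 * members (InLoadOrderLinks through BaseDllName/Flags) with the ntdll-style
 * layout declared above, so nothing past Flags is read here.
 *
 * The walk takes no lock (PsLoadedModuleResource is not acquired), so it is
 * racy against concurrent driver load/unload; fine for a one-shot debug
 * print, not for code that keeps the pointers.
 */
void PrintAllMoudleBySection(PDRIVER_OBJECT driver)
{
    PLDR_DATA_TABLE_ENTRY self = (PLDR_DATA_TABLE_ENTRY)driver->DriverSection;
    PLIST_ENTRY stop;
    PLIST_ENTRY link;

    if (self == NULL) {
        DbgPrint("DriverSection is NULL\n");
        return;
    }

    stop = &self->InLoadOrderLinks;
    link = stop;
    do {
        PLDR_DATA_TABLE_ENTRY entry =
            CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        /*
         * One node on the ring is the list head itself, a bare LIST_ENTRY
         * rather than a module entry; formatting BaseDllName through it
         * reads whatever memory follows the head. The NULL/empty checks
         * filter the usual case but are not a positive identification of
         * the head — NOTE(review): compare against &PsLoadedModuleList if
         * that address is available to you.
         */
        if (entry->DllBase != NULL &&
            entry->BaseDllName.Buffer != NULL &&
            entry->BaseDllName.Length != 0) {
            /* %p, not %x: %x truncates a 64-bit pointer. */
            DbgPrint("%wZ %p\n", &entry->BaseDllName, entry->DllBase);
        }
        link = link->Flink;
    } while (link != stop);
}

/*
 * Method 2: query the module list through ZwQuerySystemInformation.
 *
 * Returns STATUS_SUCCESS after printing, STATUS_UNSUCCESSFUL when the
 * routine cannot be resolved, STATUS_INSUFFICIENT_RESOURCES on allocation
 * failure, or the query's own failure status. (The original was declared
 * void yet returned NTSTATUS values, which does not compile as C.)
 *
 * Must be called at PASSIVE_LEVEL: it allocates paged pool and calls into
 * the system-information path.
 */
NTSTATUS PrintAllMoudleByNtQuerySystemInformation(void)
{
    UNICODE_STRING routineName;
    PFN_QUERY_SYSTEM_INFORMATION queryFn;
    PSYSTEM_MODULE_INFORMATION info = NULL;
    ULONG size = 0x1000;
    ULONG returned = 0;
    NTSTATUS status;
    ULONG i;

    /*
     * Zw* rather than Nt*: the Zw entry point sets PreviousMode to
     * KernelMode, so the paged-pool buffer is not probed as user memory
     * regardless of the caller's context.
     */
    RtlInitUnicodeString(&routineName, L"ZwQuerySystemInformation");
    queryFn = (PFN_QUERY_SYSTEM_INFORMATION)MmGetSystemRoutineAddress(&routineName);
    if (queryFn == NULL) {
        DbgPrint("获取地址失败\n");
        return STATUS_UNSUCCESSFUL;
    }

    /*
     * The module list can grow between one attempt and the next, so keep
     * retrying on STATUS_INFO_LENGTH_MISMATCH. Every other failure (and the
     * allocation failure) releases the buffer — the original leaked it and
     * reported a fixed status instead of the real one.
     */
    for (;;) {
        info = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(PagedPool, size, MODULE_LIST_POOL_TAG);
        if (info == NULL) {
            DbgPrint("分配内存失败\n");
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        returned = 0;
        status = queryFn(MODULE_INFORMATION_CLASS, info, size, &returned);
        if (NT_SUCCESS(status)) {
            break;
        }

        ExFreePoolWithTag(info, MODULE_LIST_POOL_TAG);
        info = NULL;

        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            DbgPrint("ZwQuerySystemInformation failed: 0x%08X\n", status);
            return status;
        }

        /* Prefer the size the kernel asked for; otherwise double, with a cap so a bad answer cannot spin or wrap. */
        if (returned > size) {
            size = returned + PAGE_SIZE;
        } else {
            size *= 2;
        }
        if (size < PAGE_SIZE || size > (64u << 20)) {
            return STATUS_BUFFER_OVERFLOW;
        }
    }

    /* Sanity check the count against the buffer before indexing into it. */
    if (returned < FIELD_OFFSET(SYSTEM_MODULE_INFORMATION, Modules) ||
        info->ModulesCount > (size - FIELD_OFFSET(SYSTEM_MODULE_INFORMATION, Modules)) / sizeof(SYSTEM_MODULE)) {
        DbgPrint("SystemModuleInformation: count %u does not fit in %u bytes\n",
                 info->ModulesCount, size);
        ExFreePoolWithTag(info, MODULE_LIST_POOL_TAG);
        return STATUS_INFO_LENGTH_MISMATCH;
    }

    DbgPrint("\n\n****************************************************************\n\n\n");
    for (i = 0; i < info->ModulesCount; i++) {
        PSYSTEM_MODULE m = &info->Modules[i];
        USHORT off = m->NameOffset;

        /* Guarantee %s terminates and that NameOffset stays inside Name. */
        m->Name[MAXIMUM_FILENAME_LENGTH - 1] = '\0';
        if (off >= MAXIMUM_FILENAME_LENGTH) {
            off = 0;
        }
        DbgPrint("%s %p\n", m->Name + off, m->ImageBaseAddress);
    }

    ExFreePoolWithTag(info, MODULE_LIST_POOL_TAG);
    return STATUS_SUCCESS;
}

/*
 * Driver entry point: prints the module list both ways and returns success.
 * reg_path is unused.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    UNREFERENCED_PARAMETER(reg_path);

    /* Kept from the original; NOTE(review): the meaning of bit 0x20 in DRIVER_OBJECT.Flags is not established by this listing — confirm before relying on it. */
    driver->Flags |= 0x20;
    driver->DriverUnload = DriverUnload;

    PrintAllMoudleBySection(driver);
    /* Failure here is only informational for this sample; the status is reported by the callee. */
    (void)PrintAllMoudleByNtQuerySystemInformation();

    DbgPrint("Hello Wolrd!\n");
    return STATUS_SUCCESS;
}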