Windows驱动开发学习记录-遍历内核已加载模块之二(使用ZwQuerySystemInformation)
-
附另两种方法链接:
《Windows驱动开发学习记录-遍历内核已加载模块之一(使用DriverSection)》
《Windows驱动开发学习记录-遍历内核已加载模块之三(使用 AuxKlib)》
1.原型
// Prototype of ZwQuerySystemInformation as used on this page. The routine is
// exported by the kernel but the caller normally has to declare it itself.
// NOTE(review): a declaration that actually links needs the NTSYSAPI/NTAPI
// decoration (NTAPI = __stdcall, which matters on x86) and C linkage when it
// sits in a .cpp file - confirm against the build in use.
NTSTATUS ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass, // which information table to read; this page uses SystemModuleInformation (11)
OUT PVOID SystemInformation,                        // caller-owned buffer that receives the result (may be NULL for a size query)
IN ULONG SystemInformationLength,                   // size of that buffer in bytes (0 for a size query)
OUT PULONG ReturnLength);                           // bytes required (on STATUS_INFO_LENGTH_MISMATCH) or bytes written
- SystemInformationClass 查询的系统信息类型,之后给出。遍历模块为 SystemModuleInformation,值11
- SystemInformation 返回结果的缓冲区
- SystemInformationLength 第二个参数缓冲区的大小
- ReturnLength 实际返回的大小
使用时通常调用两次该函数:第一次 SystemInformation 传 NULL、SystemInformationLength 传 0,函数返回 STATUS_INFO_LENGTH_MISMATCH,同时 ReturnLength 给出所需的缓冲区大小;按此大小分配内存后再调用一次。注意两次调用之间内核模块列表可能发生变化(有驱动加载或卸载),第二次调用仍可能返回 STATUS_INFO_LENGTH_MISMATCH 并给出新的大小,稳妥的做法是多分配一些余量并在该返回值上有限次重试,而不是直接当作失败。
2.SYSTEM_INFORMATION_CLASS类型
1 typedef enum _SYSTEM_INFORMATION_CLASS
2 {
3 SystemBasicInformation, // 0
4 SystemProcessorInformation, // 1
5 SystemPerformanceInformation, // 2
6 SystemTimeOfDayInformation, // 3
7 SystemPathInformation, // 4
8 SystemProcessInformation, //5
9 SystemCallCountInformation, // 6
10 SystemDeviceInformation, // 7
11 SystemProcessorPerformanceInformation, // 8
12 SystemFlagsInformation, // 9
13 SystemCallTimeInformation, // 10
14 SystemModuleInformation, // 11
15 SystemLocksInformation, // 12
16 SystemStackTraceInformation, // 13
17 SystemPagedPoolInformation, // 14
18 SystemNonPagedPoolInformation, // 15
19 SystemHandleInformation, // 16
20 SystemObjectInformation, // 17
21 SystemPageFileInformation, // 18
22 SystemVdmInstemulInformation, // 19
23 SystemVdmBopInformation, // 20
24 SystemFileCacheInformation, // 21
25 SystemPoolTagInformation, // 22
26 SystemInterruptInformation, // 23
27 SystemDpcBehaviorInformation, // 24
28 SystemFullMemoryInformation, // 25
29 SystemLoadGdiDriverInformation, // 26
30 SystemUnloadGdiDriverInformation, // 27
31 SystemTimeAdjustmentInformation, // 28
32 SystemSummaryMemoryInformation, // 29
33 SystemMirrorMemoryInformation, // 30
34 SystemPerformanceTraceInformation, // 31
35 SystemObsolete0, // 32
36 SystemExceptionInformation, // 33
37 SystemCrashDumpStateInformation, // 34
38 SystemKernelDebuggerInformation, // 35
39 SystemContextSwitchInformation, // 36
40 SystemRegistryQuotaInformation, // 37
41 SystemExtendServiceTableInformation, // 38
42 SystemPrioritySeperation, // 39
43 SystemVerifierAddDriverInformation, // 40
44 SystemVerifierRemoveDriverInformation, // 41
45 SystemProcessorIdleInformation, // 42
46 SystemLegacyDriverInformation, // 43
47 SystemCurrentTimeZoneInformation, // 44
48 SystemLookasideInformation, // 45
49 SystemTimeSlipNotification, // 46
50 SystemSessionCreate, // 47
51 SystemSessionDetach, // 48
52 SystemSessionInformation, // 49
53 SystemRangeStartInformation, // 50
54 SystemVerifierInformation, // 51
55 SystemVerifierThunkExtend, // 52
56 SystemSessionProcessInformation, // 53
57 SystemLoadGdiDriverInSystemSpace, // 54
58 SystemNumaProcessorMap, // 55
59 SystemPrefetcherInformation, // 56
60 SystemExtendedProcessInformation, // 57
61 SystemRecommendedSharedDataAlignment, // 58
62 SystemComPlusPackage, // 59
63 SystemNumaAvailableMemory, // 60
64 SystemProcessorPowerInformation, // 61
65 SystemEmulationBasicInformation, // 62
66 SystemEmulationProcessorInformation, // 63
67 SystemExtendedHandleInformation, // 64
68 SystemLostDelayedWriteInformation, // 65
69 SystemBigPoolInformation, // 66
70 SystemSessionPoolTagInformation, // 67
71 SystemSessionMappedViewInformation, // 68
72 SystemHotpatchInformation, // 69
73 SystemObjectSecurityMode, // 70
74 SystemWatchdogTimerHandler, // 71
75 SystemWatchdogTimerInformation, // 72
76 SystemLogicalProcessorInformation, // 73
77 SystemWow64SharedInformation, // 74
78 SystemRegisterFirmwareTableInformationHandler, // 75
79 SystemFirmwareTableInformation, // 76
80 SystemModuleInformationEx, // 77
81 SystemVerifierTriageInformation, // 78
82 SystemSuperfetchInformation, // 79
83 SystemMemoryListInformation, // 80
84 SystemFileCacheInformationEx, // 81
85 MaxSystemInfoClass //82
86
87 } SYSTEM_INFORMATION_CLASS;
我们使用的是第 11 号功能 SystemModuleInformation。需要注意:ZwQuerySystemInformation 及该信息类在内核模式下并无公开文档,枚举值和返回结构都可能随系统版本变化;WDK 中受支持的替代方案是 AuxKlibQueryModuleInformation(见《之三》),正式产品中应优先使用,本文仅作学习记录。
3.返回数据类型 _SYSTEM_MODULE_INFORMATION
64 位环境下和 32 位环境下结构体不一样:区别只在 Base 之前的保留字段,64 位为 4 个 ULONG(16 字节,即两个指针),32 位为 2 个 ULONG(8 字节)。选择用哪个结构应以指针宽度为准(_WIN64),而不是只判断 _AMD64_,否则在 ARM64 上会落到 #else 分支选中 32 位布局,每个条目的偏移都会错位。
1 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY64 {
2 ULONG Reserved[4];
3 PVOID Base;
4 ULONG Size;
5 ULONG Flags;
6 USHORT Index;
7 USHORT Unknown;
8 USHORT LoadCount;
9 USHORT ModuleNameOffset;
10 CHAR ImageName[256];
11 } SYSTEM_MODULE_INFORMATION_ENTRY64, *PSYSTEM_MODULE_INFORMATION_ENTRY64;
14 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY32 {
15 ULONG Reserved[2];
16 PVOID Base;
17 ULONG Size;
18 ULONG Flags;
19 USHORT Index;
20 USHORT Unknown;
21 USHORT LoadCount;
22 USHORT ModuleNameOffset;
23 CHAR ImageName[256];
24 } SYSTEM_MODULE_INFORMATION_ENTRY32, * PSYSTEM_MODULE_INFORMATION_ENTRY32;
26 typedef struct _SYSTEM_MODULE_INFORMATION
27 {
28 ULONG Count;//内核中以加载的模块的个数
29 #ifdef _AMD64_
30 SYSTEM_MODULE_INFORMATION_ENTRY64 Module[1];
31 #else
32 SYSTEM_MODULE_INFORMATION_ENTRY32 Module[1];
33 #endif
34
35 } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
4.实现
- 头文件
#if DBG
#define KDPRINT(projectName, format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, projectName "::【" __FUNCTION__ "】" ##format, ##__VA_ARGS__ )
#else
#define KDPRINT(format, ...)
#endif
typedef enum
{
MmTagTypeZQSI = 'ISQZ', //ZwQuerySystemInformation
}MmTagType;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemModuleInformation = 11
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY64 {
ULONG Reserved[4];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY64, *PSYSTEM_MODULE_INFORMATION_ENTRY64;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY32 {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY32, * PSYSTEM_MODULE_INFORMATION_ENTRY32;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;//内核中以加载的模块的个数
#ifdef _AMD64_
SYSTEM_MODULE_INFORMATION_ENTRY64 Module[1];
#else
SYSTEM_MODULE_INFORMATION_ENTRY32 Module[1];
#endif
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
- .cpp文件
1 NTSTATUS PrintAllLoadedMoudleByZwQuerySystemInformation()
2 {
3 ULONG ulInfoLength = 0;
4 PVOID pBuffer = NULL;
5 NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
6 KDPRINT("【PrintLoadedModule】", "Enter.....\r\n");
7 do
8 {
9 ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
10 NULL,
11 NULL,
12 &ulInfoLength);
13 if ((ntStatus == STATUS_INFO_LENGTH_MISMATCH))
14 {
15 pBuffer = ExAllocatePoolWithTag(PagedPool, ulInfoLength, MmTagTypeZQSI);
16 if (pBuffer == NULL)
17 {
18 KDPRINT("【PrintLoadedModule】", "Allocate Memory Failed\r\n");
19 break;
20 }
21 ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
22 pBuffer,
23 ulInfoLength,
24 &ulInfoLength);
25 if (!NT_SUCCESS(ntStatus))
26 {
27 KDPRINT("【PrintLoadedModule】", "ZwQuerySystemInformation Failed\r\n");
28 break;
29 }
30
31 PSYSTEM_MODULE_INFORMATION pModuleInformation = (PSYSTEM_MODULE_INFORMATION)pBuffer;
32 if (pModuleInformation)
33 {
34 for (ULONG i = 0; i < pModuleInformation->Count; i++)
35 {
36 KDPRINT("【PrintLoadedModule】", "Image:%-50s\t\tBase:0x%p\r\n",
37 pModuleInformation->Module[i].ImageName, pModuleInformation->Module[i].Base);
38 }
39 KDPRINT("【PrintLoadedModule】", "共计%d个内核模块!\r\n", pModuleInformation->Count);
40 }
41
42 ntStatus = STATUS_SUCCESS;
43 }
44 } while (false);
45
46 if (pBuffer)
47 {
48 ExFreePoolWithTag(pBuffer, MmTagTypeZQSI);
49 }
50
51 return ntStatus;
52 }
5.运行结果
- XP 32位
- Win10 x64