关于枚举windows内核模块地址

 1 #include <ntddk.h>
 2 
//
// Leading part of the undocumented kernel _LDR_DATA_TABLE_ENTRY, declared to
// match the x64 Windows 7 field offsets noted on each member (see the
// reference below). Only the members this driver reads are declared; the real
// structure is larger, so this type must only be used through a pointer
// obtained from the kernel, never allocated or copied by sizeof().
//
typedef struct _LDR_DATA_TABLE_ENTRY_FIX
{
    struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0  - node of the circular load-order list
    struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x10
    struct _LIST_ENTRY InInitializationOrderLinks;                          //0x20
    VOID* DllBase;                                                          //0x30 - image base address
    VOID* EntryPoint;                                                       //0x38
    ULONG SizeOfImage;                                                      //0x40 - image size in bytes
    struct _UNICODE_STRING FullDllName;                                     //0x48
    struct _UNICODE_STRING BaseDllName;                                     //0x58
}LDR_DATA_TABLE_ENTRY_FIX, *PLDR_DATA_TABLE_ENTRY_FIX;
14 //
15 // 参考此网站从PDB导出的windows内核数据结构
16 // ref:https://www.vergiliusproject.com/kernels/x64/Windows%207%20%7C%202008R2/SP1/_LDR_DATA_TABLE_ENTRY
17 //
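//
// Unload routine. DriverEntry creates no device objects, symbolic links or
// allocations, so there is nothing to tear down beyond logging the unload.
//
VOID DriverUnload (
    PDRIVER_OBJECT DriverObject
    )
{
    // Keeps the build clean at /W4 and under the WDK's warnings-as-errors setting.
    UNREFERENCED_PARAMETER(DriverObject);

    KdPrint(("EnumDriverModule DriverUnload\r\n"));
}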
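//
// Walks the kernel's loaded-module list, starting from this driver's own
// loader entry, and prints one line per module to the kernel debugger.
//
// DriverObject->DriverSection is documented only as an opaque pointer; this
// sample relies on it pointing at the driver's own loader entry, whose
// InLoadOrderLinks member is one node of the circular list anchored by the
// kernel's list head. The walk is a plain read of an undocumented structure:
//   - it depends on the x64 field offsets declared in LDR_DATA_TABLE_ENTRY_FIX,
//   - it takes no lock, so a module loading or unloading concurrently can
//     change the links underneath it (fine for a one-shot debug sample, not
//     for anything that runs repeatedly),
//   - the kernel's bare LIST_ENTRY head is part of the ring and is not a
//     module entry; it is skipped heuristically below.
//
static VOID EnumLoadedModules(PDRIVER_OBJECT DriverObject)
{
    PLDR_DATA_TABLE_ENTRY_FIX self = (PLDR_DATA_TABLE_ENTRY_FIX)DriverObject->DriverSection;
    PLDR_DATA_TABLE_ENTRY_FIX entry;
    PLIST_ENTRY start;
    PLIST_ENTRY node;

    if (self == NULL) {
        KdPrint(("EnumDriverModule: DriverSection is NULL, nothing to enumerate\r\n"));
        return;
    }

    //
    // do/while visits every node exactly once, including the node whose
    // Flink points back at 'start'; a "while (node->Flink != start)" loop
    // would stop one entry early and never print the last module.
    //
    start = &self->InLoadOrderLinks;
    node = start;
    do {
        entry = CONTAINING_RECORD(node, LDR_DATA_TABLE_ENTRY_FIX, InLoadOrderLinks);
        node = node->Flink;

        //
        // The list head node has no module fields behind it, and %wZ would
        // dereference whatever bytes happen to follow it.
        // NOTE(review): treating a NULL DllBase or zero SizeOfImage as "not a
        // module" is a heuristic - confirm it on the target build.
        //
        if (entry->DllBase == NULL || entry->SizeOfImage == 0) {
            continue;
        }

        //
        // %p for pointers and %lu for ULONG: passing a 32-bit SizeOfImage or
        // a pointer to %I64X / %I64u does not match the argument width.
        //
        KdPrint(("%wZ\t0x%p\t%lu(B)\t0x%p\t%wZ\r\n",
                 &entry->BaseDllName,
                 entry->DllBase,
                 entry->SizeOfImage,
                 DriverObject,
                 &entry->FullDllName));
    } while (node != start);
}

//
// Driver entry point: registers the unload routine, then dumps the loaded
// module list once.
//
// DriverObject - the driver's object; its DriverSection is the walk's start.
// RegistryPath - the service key; unused by this sample.
// Returns STATUS_SUCCESS so the driver stays loaded until it is stopped.
//
NTSTATUS DriverEntry(
    PDRIVER_OBJECT DriverObject,
    PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    KdPrint(("EnumDriverModule DriverEntry\r\n"));

    // Register the unload routine first so the driver is always unloadable.
    DriverObject->DriverUnload = DriverUnload;

    EnumLoadedModules(DriverObject);

    return STATUS_SUCCESS;
}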
#
# DO NOT EDIT THIS FILE!!!  Edit .\sources. if you want to add a new source
# file to this component.  This file merely indirects to the real make file
# that is shared by all the components of Windows NT
#
# Standard WDK build-environment stub: when the environment declares a target
# OS version, build only for 0x501 (Windows XP) or newer and warn otherwise;
# with no declared target, fall through to the shared makefile unconditionally.
#
!IF DEFINED(_NT_TARGET_VERSION)
!    IF $(_NT_TARGET_VERSION)>=0x501
!        INCLUDE $(NTMAKEENV)\makefile.def
!    ELSE
!        message BUILDMSG: Warning : The sample "$(MAKEDIR)" is not valid for the current OS target.
!    ENDIF
!ELSE
!    INCLUDE $(NTMAKEENV)\makefile.def
!ENDIF
#
# WDK 'sources' file read by the makefile stub next to it.
# TARGETTYPE=DRIVER produces a kernel-mode EnumDriverModule.sys under obj\.
#
TARGETNAME=EnumDriverModule
TARGETPATH=obj
TARGETTYPE=DRIVER


# Warning level 3; raise to /W4 to have unreferenced-parameter warnings reported.
MSC_WARNING_LEVEL=/W3

SOURCES=EnumDriverModule.c
rem Allow the test-signed driver to load on this boot entry. Both settings
rem weaken kernel code-signing enforcement for the whole machine and persist
rem across reboots, so apply them on a disposable test VM and revert them
rem afterwards with:
rem   bcdedit /set {current} testsigning off
rem   bcdedit /deletevalue {current} loadoptions
Bcdedit.exe -set {current} TESTSIGNING ON
bcdedit.exe -set {current} loadoptions DDISABLE_INTEGRITY_CHECKS

rem Register the built driver as a kernel service (the space after "binPath="
rem and "type=" is required by sc.exe), then load, unload and remove it.
sc create EnumDriverModule  binPath= C:\driver\EnumDriverModule.sys type= kernel

sc query EnumDriverModule  
sc start EnumDriverModule  
sc stop EnumDriverModule
sc delete EnumDriverModule

rem Kernel-debugger (WinDbg/KD) command, not a shell command: edits the
rem DbgPrint filter mask so the driver's KdPrint output is shown; the new
rem value is entered interactively at the prompt.
ed nt!Kd_DEFAULT_MASK

 
