获得内核模块 通过DriverSection

/***************************************************************************************
* AUTHOR : yifi
* DATE   : 2016-1-20
* MODULE : EnumKernelModules.H
*
* IOCTRL Sample Driver
*
* Description:
*        Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 yifi.
****************************************************************************************/

#ifndef CXX_ENUMKERNELMODULES_H
#define CXX_ENUMKERNELMODULES_H 


#include <ntifs.h>



/*
 * Loader data-table entry, 64-bit layout.  This mirrors an undocumented
 * kernel structure; field order and sizes are OS-version dependent.
 * NOTE(review): confirm the layout against the target build (e.g. with
 * the debugger's dt command) before relying on any field other than
 * InLoadOrderLinks and BaseDllName, which are the only members the
 * enumerator in EnumKernelModules.C reads.
 */
typedef struct _LDR_DATA_TABLE_ENTRY64
{
    LIST_ENTRY64    InLoadOrderLinks;            // circular list walked by the enumerator
    LIST_ENTRY64    InMemoryOrderLinks;
    LIST_ENTRY64    InInitializationOrderLinks;
    PVOID            DllBase;
    PVOID            EntryPoint;
    ULONG            SizeOfImage;
    UNICODE_STRING    FullDllName;
    UNICODE_STRING     BaseDllName;              // counted string; Buffer need not be NUL-terminated
    ULONG            Flags;
    USHORT            LoadCount;
    USHORT            TlsIndex;
    // Unlike the 32-bit variant below, the HashLinks/TimeDateStamp
    // overlays are not spelled out here; the two fields below occupy
    // the same space (pointer + ULONG, padded to 16 bytes).
    PVOID            SectionPointer;
    ULONG            CheckSum;
    PVOID            LoadedImports;
    PVOID            EntryPointActivationContext;
    PVOID            PatchInformation;
    LIST_ENTRY64    ForwarderLinks;
    LIST_ENTRY64    ServiceTagLinks;
    LIST_ENTRY64    StaticLinks;
    PVOID            ContextInformation;
    ULONG64            OriginalBase;
    LARGE_INTEGER    LoadTime;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;



/*
 * Loader data-table entry, 32-bit layout.  Pointer-sized members are
 * carried as ULONG and strings as UNICODE_STRING32 (whose Buffer is a
 * ULONG, not a PWSTR).  Same caveat as the 64-bit variant: this is an
 * undocumented structure -- NOTE(review): verify against the target
 * build before relying on fields beyond InLoadOrderLinks/BaseDllName.
 */
typedef struct _LDR_DATA_TABLE_ENTRY32
{
    LIST_ENTRY32 InLoadOrderLinks;      // circular list walked by the enumerator
    LIST_ENTRY32 InMemoryOrderLinks;
    LIST_ENTRY32 InInitializationOrderLinks;
    ULONG DllBase;
    ULONG EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING32 FullDllName;
    UNICODE_STRING32 BaseDllName;       // counted string; Buffer need not be NUL-terminated
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY32 HashLinks;         // overlays SectionPointer/CheckSum
        struct {
            ULONG SectionPointer;
            ULONG  CheckSum;
        };
    };
    union {
        struct {
            ULONG  TimeDateStamp;       // overlays LoadedImports
        };
        struct {
            ULONG LoadedImports;
        };
    };
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;


/* Select the entry layout matching the build's pointer size. */
#ifdef _WIN64
#define LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY64
#define PLDR_DATA_TABLE_ENTRY PLDR_DATA_TABLE_ENTRY64
#else
#define LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY32
#define PLDR_DATA_TABLE_ENTRY PLDR_DATA_TABLE_ENTRY32
#endif

/* Unload routine.  NOTE(review): declared here but no definition is
 * visible in this listing, and DriverEntry does not install it. */
VOID UnloadDirver(PDRIVER_OBJECT DriverObject);
/* Walks the loader module list anchored at CurrentDriverObject->DriverSection
 * and prints each BaseDllName; returns TRUE if any visited entry had a
 * non-NULL BaseDllName.Buffer. */
BOOLEAN GetKernelModuleInformationByKernelModuleName(PDRIVER_OBJECT CurrentDriverObject);


#endif












 /***************************************************************************************
* AUTHOR : yifi
* DATE   : 2016-1-20
* MODULE : EnumKernelModules.C
* 
* Command: 
*    Source of IOCTRL Sample Driver
*
* Description:
*        Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 yifi.
****************************************************************************************/

//#######################################################################################
//# I N C L U D E S
//#######################################################################################
/***************************************************************************************
* AUTHOR : yifi
* DATE   : 2016-9-8
* MODULE : KernelMode.C
* 
* Command: 
*    Source of IOCTRL Sample Driver
*
* Description:
*        Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 yifi.
****************************************************************************************/

//#######################################################################################
//# I N C L U D E S
//#######################################################################################

/* NOTE(review): this file uses PLDR_DATA_TABLE_ENTRY and the
 * GetKernelModuleInformationByKernelModuleName prototype from
 * EnumKernelModules.H, but only KernelMode.h is included here --
 * confirm KernelMode.h pulls that header in. */
#ifndef CXX_KERNELMODE_H
#    include "KernelMode.h"
#endif

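/**
 * Driver entry point: enumerates the loaded kernel modules once and returns.
 *
 * @param DriverObject  This driver's object; its DriverSection anchors the walk.
 * @param RegisterPath  Registry service key path; not used here.
 * @return STATUS_SUCCESS always.  The BOOLEAN from the enumeration is
 *         informational only and is not mapped to a failure status.
 *
 * NOTE(review): no DriverUnload routine is installed on DriverObject, so
 * the driver will presumably not be unloadable; UnloadDirver is declared
 * in EnumKernelModules.H but no definition is visible in this listing.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
{
    (void)RegisterPath;   // intentionally unused; silences unused-parameter warnings

    GetKernelModuleInformationByKernelModuleName(DriverObject);

    return STATUS_SUCCESS;
}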



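/**
 * Walks the loader's in-load-order module list starting from this driver's
 * own entry (DriverObject->DriverSection) and prints each entry's
 * BaseDllName via DbgPrint.
 *
 * @param CurrentDriverObject  Driver object whose DriverSection anchors the
 *                             walk.  May be NULL.
 * @return TRUE if at least one visited entry had a non-NULL
 *         BaseDllName.Buffer; FALSE otherwise, including when
 *         CurrentDriverObject or its DriverSection is NULL.
 *
 * Notes:
 *  - BaseDllName is a counted string whose Buffer is not guaranteed to be
 *    NUL-terminated, so it is printed with %wZ (bounded by Length) rather
 *    than %S.  On 32-bit builds the member is a UNICODE_STRING32, which has
 *    the same layout as UNICODE_STRING there.
 *  - The list is circular; the walk stops when it returns to the starting
 *    entry.  NOTE(review): the list head itself is not an
 *    LDR_DATA_TABLE_ENTRY yet is visited as if it were one, so its name
 *    fields are not meaningful.  No loader lock is held, so a concurrent
 *    load/unload can change the list while it is being walked.
 */
BOOLEAN GetKernelModuleInformationByKernelModuleName(PDRIVER_OBJECT CurrentDriverObject)
{
    BOOLEAN bOk = FALSE;
    PLDR_DATA_TABLE_ENTRY ListHead = NULL;
    PLDR_DATA_TABLE_ENTRY ListFlink = NULL;

    if (CurrentDriverObject == NULL)
    {
        return FALSE;
    }

    ListHead = (PLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection;  //dt _DriverObject
    if (ListHead == NULL)
    {
        // DriverSection was previously dereferenced unconditionally.
        return FALSE;
    }

    // %wZ consumes a counted string, so a non-terminated Buffer is not over-read.
    DbgPrint("%wZ\r\n", &ListHead->BaseDllName);
    if (ListHead->BaseDllName.Buffer)
    {
        bOk = TRUE;
    }

    // Circular list: stop on return to our own entry.  The NULL guard only
    // protects against a torn or corrupted link.
    ListFlink = (PLDR_DATA_TABLE_ENTRY)ListHead->InLoadOrderLinks.Flink;
    while (ListFlink != NULL && ListFlink != ListHead)
    {
        DbgPrint("%wZ\r\n", &ListFlink->BaseDllName);
        if (ListFlink->BaseDllName.Buffer)
        {
            bOk = TRUE;
        }

        ListFlink = (PLDR_DATA_TABLE_ENTRY)ListFlink->InLoadOrderLinks.Flink;
    }

    return bOk;
}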

//BOOLEAN GetKernelModuleInformationByKernelModuleName(WCHAR* wzKernelModuleName,PVOID* KernelModuleBase,ULONG32* ulKernelModuleSize)
//{
//
//    BOOLEAN bOk = FALSE;
//    if (CurrentDriverObject)
//    {
//        PLDR_DATA_TABLE_ENTRY ListHead = NULL, ListFlink = NULL;
//
//
//
//        ListHead    = (PLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection;  //dt _DriverObject
//        DbgPrint("%S\r\n",ListHead->BaseDllName.Buffer);
//        if (ListHead->BaseDllName.Buffer&&                                                         
//            wcsstr(ListHead->BaseDllName.Buffer,wzKernelModuleName)!=NULL)
//        {
//
//
//            *KernelModuleBase = (PVOID)ListHead->DllBase;
//            *ulKernelModuleSize = ListHead->SizeOfImage;
//
//            bOk = TRUE;
//        }
//
//        ListFlink   = (PLDR_DATA_TABLE_ENTRY)ListHead->InLoadOrderLinks.Flink;
//
//        while((PLDR_DATA_TABLE_ENTRY)ListFlink != ListHead)
//        {
//            DbgPrint("%S\r\n",ListFlink->BaseDllName.Buffer);
//            if (ListFlink->BaseDllName.Buffer&&                                                         
//                wcsstr(ListFlink->BaseDllName.Buffer,wzKernelModuleName)!=NULL)
//            {
//
//
//                *KernelModuleBase = (PVOID)ListFlink->DllBase;
//                *ulKernelModuleSize = ListFlink->SizeOfImage;
//
//                bOk = TRUE;
//            }
//
//            ListFlink = (PLDR_DATA_TABLE_ENTRY)ListFlink->InLoadOrderLinks.Flink;
//        }
//    }
//
//    return bOk;
//}

 

