
Windows两种遍历所有内核模块的方法

作者:小编日期:2022-04-10浏览:110分类:电脑教程

测试环境

Windows10 X64(本机) + Windows X64(测试机) + Windows XP(测试机)

下面是具体代码与实现:

#include "ntifs.h"
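/*
 * Private copy of the loader's LDR_DATA_TABLE_ENTRY, which ntifs.h does not
 * declare in full.  The offsets in the trailing comments are the author's
 * (Windows 10 layout, see the test environment above).
 *
 * Only InLoadOrderLinks, DllBase and BaseDllName are read by the code in this
 * file.  Those three sit at the start of the record in both declarations; the
 * two branches differ only in the trailing part (OriginalBase width, the
 * ChpeEmulatorImage bit, CheckSum and the fields after it).
 *
 * The 32-bit declaration is selected with _M_IX86, the predefined MSVC macro
 * for x86 builds.  The original tested _M_X32, which MSVC does not define, so
 * the second declaration was compiled on every target; _M_X32 is still
 * honoured for builds that define it by hand.
 */
#if defined(_M_IX86) || defined(_M_X32)
//0xa8 bytes (sizeof)
typedef struct _LDR_DATA_TABLE_ENTRY {
        struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0
        struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x8
        struct _LIST_ENTRY InInitializationOrderLinks;                          //0x10
        VOID* DllBase;                                                          //0x18
        VOID* EntryPoint;                                                       //0x1c
        ULONG SizeOfImage;                                                      //0x20
        struct _UNICODE_STRING FullDllName;                                     //0x24
        struct _UNICODE_STRING BaseDllName;                                     //0x2c
        union {
                UCHAR FlagGroup[4];                                                 //0x34
                ULONG Flags;                                                        //0x34
                struct {
                        ULONG PackagedBinary : 1;                                         //0x34
                        ULONG MarkedForRemoval : 1;                                       //0x34
                        ULONG ImageDll : 1;                                               //0x34
                        ULONG LoadNotificationsSent : 1;                                  //0x34
                        ULONG TelemetryEntryProcessed : 1;                                //0x34
                        ULONG ProcessStaticImport : 1;                                    //0x34
                        ULONG InLegacyLists : 1;                                          //0x34
                        ULONG InIndexes : 1;                                              //0x34
                        ULONG ShimDll : 1;                                                //0x34
                        ULONG InExceptionTable : 1;                                       //0x34
                        ULONG ReservedFlags1 : 2;                                         //0x34
                        ULONG LoadInProgress : 1;                                         //0x34
                        ULONG LoadConfigProcessed : 1;                                    //0x34
                        ULONG EntryProcessed : 1;                                         //0x34
                        ULONG ProtectDelayLoad : 1;                                       //0x34
                        ULONG ReservedFlags3 : 2;                                         //0x34
                        ULONG DontCallForThreads : 1;                                     //0x34
                        ULONG ProcessAttachCalled : 1;                                    //0x34
                        ULONG ProcessAttachFailed : 1;                                    //0x34
                        ULONG CorDeferredValidate : 1;                                    //0x34
                        ULONG CorImage : 1;                                               //0x34
                        ULONG DontRelocate : 1;                                           //0x34
                        ULONG CorILOnly : 1;                                              //0x34
                        ULONG ChpeImage : 1;                                              //0x34
                        ULONG ReservedFlags5 : 2;                                         //0x34
                        ULONG Redirected : 1;                                             //0x34
                        ULONG ReservedFlags6 : 2;                                         //0x34
                        ULONG CompatDatabaseProcessed : 1;                                //0x34
                };
        };
        USHORT ObsoleteLoadCount;                                               //0x38
        USHORT TlsIndex;                                                        //0x3a
        struct _LIST_ENTRY HashLinks;                                           //0x3c
        ULONG TimeDateStamp;                                                    //0x44
        struct _ACTIVATION_CONTEXT* EntryPointActivationContext;                //0x48
        VOID* Lock;                                                             //0x4c
        struct _LDR_DDAG_NODE* DdagNode;                                        //0x50
        struct _LIST_ENTRY NodeModuleLink;                                      //0x54
        struct _LDRP_LOAD_CONTEXT* LoadContext;                                 //0x5c
        VOID* ParentDllBase;                                                    //0x60
        VOID* SwitchBackContext;                                                //0x64
        struct _RTL_BALANCED_NODE BaseAddressIndexNode;                         //0x68
        struct _RTL_BALANCED_NODE MappingInfoIndexNode;                         //0x74
        ULONG OriginalBase;                                                     //0x80
        union _LARGE_INTEGER LoadTime;                                          //0x88
        ULONG BaseNameHashValue;                                                //0x90
        enum _LDR_DLL_LOAD_REASON LoadReason;                                   //0x94
        ULONG ImplicitPathOptions;                                              //0x98
        ULONG ReferenceCount;                                                   //0x9c
        ULONG DependentLoadFlags;                                               //0xa0
        UCHAR SigningLevel;                                                     //0xa4
}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;
#else
//0x138 bytes (sizeof)
typedef struct _LDR_DATA_TABLE_ENTRY {
        struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0
        struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x10
        struct _LIST_ENTRY InInitializationOrderLinks;                          //0x20
        VOID* DllBase;                                                          //0x30
        VOID* EntryPoint;                                                       //0x38
        ULONG SizeOfImage;                                                      //0x40
        struct _UNICODE_STRING FullDllName;                                     //0x48
        struct _UNICODE_STRING BaseDllName;                                     //0x58
        union {
                UCHAR FlagGroup[4];                                                 //0x68
                ULONG Flags;                                                        //0x68
                struct {
                        ULONG PackagedBinary : 1;                                         //0x68
                        ULONG MarkedForRemoval : 1;                                       //0x68
                        ULONG ImageDll : 1;                                               //0x68
                        ULONG LoadNotificationsSent : 1;                                  //0x68
                        ULONG TelemetryEntryProcessed : 1;                                //0x68
                        ULONG ProcessStaticImport : 1;                                    //0x68
                        ULONG InLegacyLists : 1;                                          //0x68
                        ULONG InIndexes : 1;                                              //0x68
                        ULONG ShimDll : 1;                                                //0x68
                        ULONG InExceptionTable : 1;                                       //0x68
                        ULONG ReservedFlags1 : 2;                                         //0x68
                        ULONG LoadInProgress : 1;                                         //0x68
                        ULONG LoadConfigProcessed : 1;                                    //0x68
                        ULONG EntryProcessed : 1;                                         //0x68
                        ULONG ProtectDelayLoad : 1;                                       //0x68
                        ULONG ReservedFlags3 : 2;                                         //0x68
                        ULONG DontCallForThreads : 1;                                     //0x68
                        ULONG ProcessAttachCalled : 1;                                    //0x68
                        ULONG ProcessAttachFailed : 1;                                    //0x68
                        ULONG CorDeferredValidate : 1;                                    //0x68
                        ULONG CorImage : 1;                                               //0x68
                        ULONG DontRelocate : 1;                                           //0x68
                        ULONG CorILOnly : 1;                                              //0x68
                        ULONG ChpeImage : 1;                                              //0x68
                        ULONG ChpeEmulatorImage : 1;                                      //0x68
                        ULONG ReservedFlags5 : 1;                                         //0x68
                        ULONG Redirected : 1;                                             //0x68
                        ULONG ReservedFlags6 : 2;                                         //0x68
                        ULONG CompatDatabaseProcessed : 1;                                //0x68
                };
        };
        USHORT ObsoleteLoadCount;                                               //0x6c
        USHORT TlsIndex;                                                        //0x6e
        struct _LIST_ENTRY HashLinks;                                           //0x70
        ULONG TimeDateStamp;                                                    //0x80
        struct _ACTIVATION_CONTEXT* EntryPointActivationContext;                //0x88
        VOID* Lock;                                                             //0x90
        struct _LDR_DDAG_NODE* DdagNode;                                        //0x98
        struct _LIST_ENTRY NodeModuleLink;                                      //0xa0
        struct _LDRP_LOAD_CONTEXT* LoadContext;                                 //0xb0
        VOID* ParentDllBase;                                                    //0xb8
        VOID* SwitchBackContext;                                                //0xc0
        struct _RTL_BALANCED_NODE BaseAddressIndexNode;                         //0xc8
        struct _RTL_BALANCED_NODE MappingInfoIndexNode;                         //0xe0
        ULONGLONG OriginalBase;                                                 //0xf8
        union _LARGE_INTEGER LoadTime;                                          //0x100
        ULONG BaseNameHashValue;                                                //0x108
        enum _LDR_DLL_LOAD_REASON LoadReason;                                   //0x10c
        ULONG ImplicitPathOptions;                                              //0x110
        ULONG ReferenceCount;                                                   //0x114
        ULONG DependentLoadFlags;                                               //0x118
        UCHAR SigningLevel;                                                     //0x11c
        ULONG CheckSum;                                                         //0x120
        VOID* ActivePatchImageBase;                                             //0x128
        enum _LDR_HOT_PATCH_STATE HotPatchState;                                //0x130
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
#endif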

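/*
 * Function type of the exported NtQuerySystemInformation routine, which is
 * resolved at run time through MmGetSystemRoutineAddress below.
 *
 * NTAPI matters on x86: the export uses the stdcall convention, and a type
 * written without it defaults to cdecl, so the stack pointer would be
 * adjusted by both caller and callee after every call.  The first parameter
 * carries a SYSTEM_INFORMATION_CLASS value (an int-sized enum); ULONG keeps
 * the argument width right on both x86 and x64 where the original used char.
 */
typedef __kernel_entry NTSTATUS NTAPI funNtQuerySystemInformation(
        ULONG   SystemInformationClass,
        PVOID   SystemInformation,
        ULONG   SystemInformationLength,
        PULONG  ReturnLength
);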

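#define WORD unsigned short
#define BYTE unsigned char

/*
 * One entry of the SystemModuleInformation (0xB) result.  The member names
 * are the author's; the member types follow the shape of the kernel's
 * RTL_PROCESS_MODULE_INFORMATION so that the record lines up on both x86 and
 * x64.
 *
 * The original declared Reserved1/Reserved2 as ULONG and ImageSize/Flags as
 * size_t.  On x86 (sizeof(size_t) == 4) that is byte-for-byte this layout;
 * on x64 the two size_t members consumed 16 bytes where the kernel writes two
 * 4-byte values, which shifted ImageBaseAddress onto the preceding pointer
 * (the mapped base) and ImageSize onto the real image base.
 */
typedef struct _SYSTEM_MODULE {
        PVOID                Reserved1;          /* section handle slot */
        PVOID                Reserved2;          /* mapped base slot */
        PVOID                ImageBaseAddress;
        ULONG                ImageSize;
        ULONG                Flags;
        WORD                 Id;                 /* load order index */
        WORD                 Rank;               /* init order index */
        WORD                 w018;               /* load count */
        WORD                 NameOffset;         /* offset of the file name inside Name */
        BYTE                 Name[MAXIMUM_FILENAME_LENGTH];
} SYSTEM_MODULE, * PSYSTEM_MODULE;

/*
 * Header of the SystemModuleInformation buffer: the entry count followed by
 * the entries themselves.
 *
 * ModulesCount is a 4-byte ULONG.  The original size_t read 8 bytes on x64,
 * and the upper half of that is alignment padding before Modules which the
 * kernel need not write, so the loop bound in
 * PrintAllMoudleByNtQuerySystemInformation could pick up whatever the pool
 * block held there.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
        ULONG                ModulesCount;
        SYSTEM_MODULE        Modules[];          /* C99 flexible array member */
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;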

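/*
 * Walk the kernel's load-order module list, starting from this driver's own
 * entry, and print each module's base name and image base.
 *
 * driver->DriverSection is this driver's LDR_DATA_TABLE_ENTRY.  Its
 * InLoadOrderLinks member is the first field (offset 0), so the list links
 * the entries themselves; CONTAINING_RECORD makes that relation explicit
 * instead of relying on the implicit pointer conversion the original used.
 *
 * NOTE(review): the ring also passes through the list head, which is not a
 * module entry, so one printed line is whatever memory follows that head.
 * The original printed it as well and this keeps that behaviour; a tool that
 * consumes the output should recognise and skip it.
 */
void PrintAllMoudleBySection(PDRIVER_OBJECT driver) {
        if (driver == NULL || driver->DriverSection == NULL) {
                DbgPrint("DriverSection is NULL\n");
                return;
        }

        LDR_DATA_TABLE_ENTRY* start = (LDR_DATA_TABLE_ENTRY*)driver->DriverSection;
        LDR_DATA_TABLE_ENTRY* entry = start;
        do {
                /* %p rather than %x: DllBase is a pointer and %x truncates it on x64. */
                DbgPrint("%wZ %p\n", &entry->BaseDllName, entry->DllBase);
                entry = CONTAINING_RECORD(entry->InLoadOrderLinks.Flink,
                                          LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        } while (entry != start);
}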

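/* First buffer size tried for the module query; grown until the call succeeds. */
enum { MODULE_QUERY_INITIAL_SIZE = 0x1000 };

/* SYSTEM_INFORMATION_CLASS value for the loaded-module list (SystemModuleInformation). */
enum { SYSTEM_MODULE_INFORMATION_CLASS = 0xB };

/*
 * Pool tag for the query buffer.  The original passed the string literal
 * " kdD", i.e. a pointer truncated to ULONG, to both the allocation and the
 * frees; the single-quoted multi-character constant is the four-byte tag the
 * pool APIs expect.
 */
#define MODULE_QUERY_POOL_TAG ' kdD'

/*
 * Query SystemModuleInformation into a freshly allocated paged-pool buffer.
 *
 * Query     - resolved NtQuerySystemInformation routine.
 * Buffer    - receives the buffer on success; the caller releases it with
 *             ExFreePoolWithTag(*Buffer, MODULE_QUERY_POOL_TAG).
 * BufferSize- receives the allocation size of *Buffer.
 *
 * Returns the query status.  On failure nothing stays allocated; a failed
 * allocation yields STATUS_INSUFFICIENT_RESOURCES.
 */
static NTSTATUS QueryModuleInformation(funNtQuerySystemInformation *Query,
                                       SYSTEM_MODULE_INFORMATION **Buffer,
                                       ULONG *BufferSize) {
        ULONG Size = MODULE_QUERY_INITIAL_SIZE;

        for (;;) {
                SYSTEM_MODULE_INFORMATION *Info = ExAllocatePoolWithTag(PagedPool, Size, MODULE_QUERY_POOL_TAG);
                if (Info == NULL) {
                        DbgPrint("分配内存失败\n");
                        return STATUS_INSUFFICIENT_RESOURCES;
                }

                ULONG Needed = 0;
                NTSTATUS Status = Query(SYSTEM_MODULE_INFORMATION_CLASS, Info, Size, &Needed);
                if (NT_SUCCESS(Status)) {
                        *Buffer = Info;
                        *BufferSize = Size;
                        return Status;
                }

                /* Every failure path releases the buffer; the original leaked it on
                 * statuses other than STATUS_INFO_LENGTH_MISMATCH and reported that
                 * status instead of the real one. */
                ExFreePoolWithTag(Info, MODULE_QUERY_POOL_TAG);
                if (Status != STATUS_INFO_LENGTH_MISMATCH) {
                        return Status;
                }

                /* Prefer the size the kernel reported back; otherwise double. */
                ULONG Next = (Needed > Size) ? Needed : Size * 2;
                if (Next <= Size) {
                        /* Doubling wrapped around ULONG; give up rather than allocate 0. */
                        return STATUS_UNSUCCESSFUL;
                }
                Size = Next;
        }
}

/*
 * Print every loaded kernel module (name and image base) through the
 * SystemModuleInformation class of NtQuerySystemInformation, which is looked
 * up at run time because it is not available through the import library.
 *
 * Returns STATUS_SUCCESS after printing, STATUS_UNSUCCESSFUL when the routine
 * cannot be resolved, or the status of the failed query.  The original was
 * declared void while returning status values; callers that ignore the result
 * (DriverEntry) are unaffected.
 */
NTSTATUS PrintAllMoudleByNtQuerySystemInformation(void) {
        UNICODE_STRING RoutineName;
        RtlInitUnicodeString(&RoutineName, L"NtQuerySystemInformation");

        funNtQuerySystemInformation *Query = MmGetSystemRoutineAddress(&RoutineName);
        if (Query == NULL) {
                DbgPrint("获取地址失败\n");
                return STATUS_UNSUCCESSFUL;
        }

        SYSTEM_MODULE_INFORMATION *Info = NULL;
        ULONG InfoSize = 0;
        NTSTATUS Status = QueryModuleInformation(Query, &Info, &InfoSize);
        if (!NT_SUCCESS(Status)) {
                return Status;
        }

        /* Never index beyond what the allocation can physically hold, whatever
         * the count field says. */
        ULONG MaxEntries = (InfoSize - FIELD_OFFSET(SYSTEM_MODULE_INFORMATION, Modules)) / sizeof(SYSTEM_MODULE);
        ULONG Count = (ULONG)Info->ModulesCount;
        if (Count > MaxEntries) {
                DbgPrint("module count %u exceeds buffer capacity %u, truncating\n", Count, MaxEntries);
                Count = MaxEntries;
        }

        DbgPrint("\n\n****************************************************************\n\n\n");
        for (ULONG i = 0; i < Count; i++) {
                const SYSTEM_MODULE *Module = &Info->Modules[i];
                /* NameOffset selects the file-name part of the path; keep it inside Name. */
                ULONG Offset = Module->NameOffset;
                if (Offset >= sizeof(Module->Name)) {
                        Offset = 0;
                }
                /* %p rather than %x: the base is a pointer and %x truncates it on x64. */
                DbgPrint("%s %p\n", (const char *)Module->Name + Offset, Module->ImageBaseAddress);
        }
        ExFreePoolWithTag(Info, MODULE_QUERY_POOL_TAG);
        return STATUS_SUCCESS;
}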

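/*
 * Driver entry point: registers the unload routine, runs both module-listing
 * demonstrations and returns STATUS_SUCCESS.
 *
 * reg_path (the driver's service registry path) is not used.  DriverUnload is
 * referenced but not defined in this excerpt; it must be provided elsewhere
 * in the file.
 *
 * NOTE(review): the 0x20 bit OR-ed into driver->Flags is kept from the
 * original but its meaning is not documented here — confirm against the
 * DRVO_* definitions before relying on it.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path) {
        UNREFERENCED_PARAMETER(reg_path);

        driver->Flags |= 0x20;
        driver->DriverUnload = DriverUnload;

        PrintAllMoudleBySection(driver);
        PrintAllMoudleByNtQuerySystemInformation();

        DbgPrint("Hello Wolrd!\n");

        return STATUS_SUCCESS;
}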