
通过 ZwQuerySystemInformation 枚举内核模块和基地址

Driver.h
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
/* Driver entry point, invoked by the I/O manager when the driver image is loaded. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

#ifdef __cplusplus
}
#endif

/* Section-placement helpers for #pragma code_seg / data_seg.
 * INIT code is discarded after DriverEntry returns; PAGE code can be paged out,
 * so anything placed there must only run at an IRQL where page faults are allowed. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")

#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")

/* Element count of a real array; yields a wrong answer when p is a pointer. */
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))

/* Unload callback, registered in DriverEntry through DriverObject->DriverUnload.
 * Declared outside the extern "C" block above, so under C++ it has C++ linkage;
 * harmless here because it is only ever used as a function pointer. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

/* Information classes accepted by ZwQuerySystemInformation. The enumerators are
 * positional, so their order is the contract: this driver only relies on
 * SystemModuleInformation, which sits at index 11. The tail of the list is
 * version-specific and is reproduced here for completeness only. */
typedef enum _SYSTEM_INFORMATION_CLASS {
        SystemBasicInformation,
        SystemProcessorInformation,             // obsolete...delete
        SystemPerformanceInformation,
        SystemTimeOfDayInformation,
        SystemPathInformation,
        SystemProcessInformation,
        SystemCallCountInformation,
        SystemDeviceInformation,
        SystemProcessorPerformanceInformation,
        SystemFlagsInformation,
        SystemCallTimeInformation,
        SystemModuleInformation,                // = 11; returns an RTL_PROCESS_MODULES block
        SystemLocksInformation,
        SystemStackTraceInformation,
        SystemPagedPoolInformation,
        SystemNonPagedPoolInformation,
        SystemHandleInformation,
        SystemObjectInformation,
        SystemPageFileInformation,
        SystemVdmInstemulInformation,
        SystemVdmBopInformation,
        SystemFileCacheInformation,
        SystemPoolTagInformation,
        SystemInterruptInformation,
        SystemDpcBehaviorInformation,
        SystemFullMemoryInformation,
        SystemLoadGdiDriverInformation,
        SystemUnloadGdiDriverInformation,
        SystemTimeAdjustmentInformation,
        SystemSummaryMemoryInformation,
        SystemMirrorMemoryInformation,
        SystemPerformanceTraceInformation,
        SystemObsolete0,
        SystemExceptionInformation,
        SystemCrashDumpStateInformation,
        SystemKernelDebuggerInformation,
        SystemContextSwitchInformation,
        SystemRegistryQuotaInformation,
        SystemExtendServiceTableInformation,
        SystemPrioritySeperation,
        SystemVerifierAddDriverInformation,
        SystemVerifierRemoveDriverInformation,
        SystemProcessorIdleInformation,
        SystemLegacyDriverInformation,
        SystemCurrentTimeZoneInformation,
        SystemLookasideInformation,
        SystemTimeSlipNotification,
        SystemSessionCreate,
        SystemSessionDetach,
        SystemSessionInformation,
        SystemRangeStartInformation,
        SystemVerifierInformation,
        SystemVerifierThunkExtend,
        SystemSessionProcessInformation,
        SystemLoadGdiDriverInSystemSpace,
        SystemNumaProcessorMap,
        SystemPrefetcherInformation,
        SystemExtendedProcessInformation,
        SystemRecommendedSharedDataAlignment,
        SystemComPlusPackage,
        SystemNumaAvailableMemory,
        SystemProcessorPowerInformation,
        SystemEmulationBasicInformation,
        SystemEmulationProcessorInformation,
        SystemExtendedHandleInformation,
        SystemLostDelayedWriteInformation,
        SystemBigPoolInformation,
        SystemSessionPoolTagInformation,
        SystemSessionMappedViewInformation,
        SystemHotpatchInformation,
        SystemObjectSecurityMode,
        SystemWatchdogTimerHandler,
        SystemWatchdogTimerInformation,
        SystemLogicalProcessorInformation,
        SystemWow64SharedInformation,
        SystemRegisterFirmwareTableInformationHandler,
        SystemFirmwareTableInformation,
        SystemModuleInformationEx,
        SystemVerifierTriageInformation,
        SystemSuperfetchInformation,
        SystemMemoryListInformation,
        SystemFileCacheInformationEx,
        MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;


/* Native API exported by the kernel but not declared in the public DDK headers.
 * For SystemModuleInformation it fills SystemInformation with an
 * RTL_PROCESS_MODULES block. If SystemInformationLength is too small the call
 * fails with STATUS_INFO_LENGTH_MISMATCH and, when ReturnLength is non-NULL,
 * reports the size required; passing NULL for ReturnLength discards that hint,
 * so callers that do so cannot recover from a buffer that is too small. */
EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation (
                                                  __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                                  __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
                                                  __in ULONG SystemInformationLength,
                                                  __out_opt PULONG ReturnLength
                                                  );


/* One entry of the SystemModuleInformation list. The layout must match the
 * kernel's own definition exactly; do not reorder, pack or resize fields. */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
        HANDLE Section;                 // Not filled in
        PVOID MappedBase;
        PVOID ImageBase;                // Kernel-mode image base; pointer-sized, so a ULONG cast truncates it on x64
        ULONG ImageSize;
        ULONG Flags;
        USHORT LoadOrderIndex;
        USHORT InitOrderIndex;
        USHORT LoadCount;
        USHORT OffsetToFileName;        // Byte offset of the base name inside FullPathName; check it is < 256 before indexing
        UCHAR  FullPathName[256];       // ANSI path (printed with %s below); bound every read to this array
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/* Header of the SystemModuleInformation result. Modules[1] is the pre-C99
 * "one-element array" idiom: NumberOfModules entries actually follow it.
 * Because each entry holds pointer-sized fields, Modules is aligned to the
 * pointer size and therefore starts at offset sizeof(ULONG) only on 32-bit
 * builds (offset 8 on x64). Walk the entries through this struct or
 * FIELD_OFFSET(RTL_PROCESS_MODULES, Modules), never by adding sizeof(ULONG)
 * to the buffer address by hand. */
typedef struct _RTL_PROCESS_MODULES {
        ULONG NumberOfModules;
        RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
Driver.cpp
  1. #include "Driver.h"


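/* Pool tag for the module-list scratch buffer so it can be attributed in
 * pool-tracking tools (shows as "ModL"). */
#define SYSMOD_POOL_TAG 'LdoM'

/*
 * Fetch the loaded-module list (SystemModuleInformation) into a freshly
 * allocated NonPagedPool buffer.
 *
 * pcbBuffer: receives the allocated size in bytes on success, so the caller
 *            can bound its walk of Modules[] by the buffer and not only by the
 *            NumberOfModules the kernel reports.
 * Returns the RTL_PROCESS_MODULES block, or NULL on allocation or query
 * failure. The caller owns the buffer and must release it with
 * ExFreePoolWithTag(buf, SYSMOD_POOL_TAG).
 *
 * The required size is not known up front, so the query is retried with the
 * size reported in ReturnLength while it fails with
 * STATUS_INFO_LENGTH_MISMATCH; a fixed 64 KiB buffer silently fails on
 * systems with many loaded modules. NonPagedPool is kept from the original
 * code; PagedPool would suffice for callers running at PASSIVE_LEVEL.
 */
static PRTL_PROCESS_MODULES QuerySystemModuleList(PULONG pcbBuffer)
{
    ULONG cbBuffer = 0x10000;
    ULONG cbNeeded = 0;

    /* Bounded retries: the list can keep growing between two calls. */
    for (int attempt = 0; attempt < 4; attempt++)
    {
        PVOID pBuffer = ExAllocatePoolWithTag(NonPagedPool, cbBuffer, SYSMOD_POOL_TAG);
        if (pBuffer == NULL)
        {
            return NULL;
        }

        NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation,
                                                   pBuffer, cbBuffer, &cbNeeded);
        if (NT_SUCCESS(status))
        {
            *pcbBuffer = cbBuffer;
            return (PRTL_PROCESS_MODULES)pBuffer;
        }

        ExFreePoolWithTag(pBuffer, SYSMOD_POOL_TAG);

        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return NULL;
        }

        /* Grow to the reported size plus headroom; fall back to doubling if
         * no usable size was reported. */
        cbBuffer = (cbNeeded > cbBuffer) ? cbNeeded + 0x1000 : cbBuffer * 2;
    }

    return NULL;
}

/*
 * Number of RTL_PROCESS_MODULE_INFORMATION entries that both the reported
 * NumberOfModules and the buffer size allow. The count comes from the kernel,
 * but clamping it to the buffer guarantees the walk can never read past the
 * allocation.
 */
static ULONG BoundedModuleCount(const RTL_PROCESS_MODULES *pModules, ULONG cbBuffer)
{
    const ULONG cbHeader = FIELD_OFFSET(RTL_PROCESS_MODULES, Modules);

    if (cbBuffer < cbHeader)
    {
        return 0;
    }

    ULONG maxEntries = (cbBuffer - cbHeader) / sizeof(RTL_PROCESS_MODULE_INFORMATION);
    return (pModules->NumberOfModules < maxEntries) ? pModules->NumberOfModules : maxEntries;
}

/*
 * Base file name of a module entry, or NULL when OffsetToFileName points
 * outside FullPathName. The last byte of FullPathName is forced to NUL so
 * the returned string is bounded by the entry even if the kernel did not
 * terminate it; the buffer is owned by this driver, so writing to it is safe.
 */
static PCSTR ModuleBaseName(PRTL_PROCESS_MODULE_INFORMATION pEntry)
{
    pEntry->FullPathName[sizeof(pEntry->FullPathName) - 1] = '\0';

    if (pEntry->OffsetToFileName >= sizeof(pEntry->FullPathName))
    {
        return NULL;
    }

    return (PCSTR)pEntry->FullPathName + pEntry->OffsetToFileName;
}

/*
 * Print the base name and image base of every loaded kernel module via
 * KdPrint. Diagnostic only: failures of the underlying query are silently
 * ignored and nothing is returned.
 */
VOID EnumSysImageBase()
{
    ULONG cbBuffer = 0;
    PRTL_PROCESS_MODULES pModules = QuerySystemModuleList(&cbBuffer);
    if (pModules == NULL)
    {
        return;
    }

    ULONG count = BoundedModuleCount(pModules, cbBuffer);
    for (ULONG i = 0; i < count; i++)
    {
        /* Indexing through Modules[] honours the real offset of the array on
         * both 32- and 64-bit builds; "(ULONG)buffer + sizeof(ULONG)" does not. */
        PRTL_PROCESS_MODULE_INFORMATION pEntry = &pModules->Modules[i];
        PCSTR pszSysName = ModuleBaseName(pEntry);
        if (pszSysName == NULL)
        {
            continue;
        }

        /* %p prints the full pointer; a ULONG/%X pair drops the high half on x64. */
        KdPrint(("pszSysName:%s---uImageBase:%p\n", pszSysName, pEntry->ImageBase));
    }

    ExFreePoolWithTag(pModules, SYSMOD_POOL_TAG);
}

/*
 * Look up a loaded kernel module by base file name (case-insensitive) and
 * return its image base.
 *
 * pszSysName: ANSI base name such as "ntoskrnl.exe"; NULL yields 0.
 * Returns 0 when the module is not loaded or the query fails, so 0 is both
 * "not found" and "error".
 *
 * The ULONG return type is kept for existing callers; it cannot hold a
 * kernel-mode address on 64-bit builds, so the truncation is written out
 * explicitly instead of being hidden in a pointer cast. Callers targeting
 * x64 need a ULONG_PTR-returning variant.
 */
ULONG GetSysImageBase(PCHAR pszSysName)
{
    ULONG uImageBase = 0;
    ULONG cbBuffer = 0;

    /* _stricmp on NULL is undefined; reject it before touching the list. */
    if (pszSysName == NULL)
    {
        return 0;
    }

    PRTL_PROCESS_MODULES pModules = QuerySystemModuleList(&cbBuffer);
    if (pModules == NULL)
    {
        return 0;
    }

    ULONG count = BoundedModuleCount(pModules, cbBuffer);
    for (ULONG i = 0; i < count; i++)
    {
        PRTL_PROCESS_MODULE_INFORMATION pEntry = &pModules->Modules[i];
        PCSTR pszFileName = ModuleBaseName(pEntry);
        if (pszFileName != NULL && _stricmp(pszFileName, pszSysName) == 0)
        {
            uImageBase = (ULONG)(ULONG_PTR)pEntry->ImageBase;
            break;
        }
    }

    ExFreePoolWithTag(pModules, SYSMOD_POOL_TAG);
    return uImageBase;
}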

  78. #pragma INITCODE
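/*
 * Driver entry point (placed in the discardable INIT section by the pragma
 * above). Dumps the loaded-module list, looks up the kernel image base and
 * registers the unload routine.
 *
 * DriverObject: this driver's object; DriverUnload is installed on it.
 * RegistryPath: service key path; not used by this driver.
 * Returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(RegistryPath);

    EnumSysImageBase();

    /* GetSysImageBase returns 0 both when the query fails and when no module
     * has this exact base name (the kernel image's file name is not the same
     * on every installation), so a 0 here is not necessarily an error. */
    ULONG uImageBase = GetSysImageBase("ntoskrnl.exe");
    KdPrint(("ntoskrnl.exe:%X\n", uImageBase));

    /* Without an unload routine the driver could not be stopped cleanly. */
    DriverObject->DriverUnload = DriverUnload;
    return status;
}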

  88. #pragma PAGEDCODE
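/*
 * Unload callback. Nothing was allocated or registered at a global level in
 * DriverEntry, so only a trace line is emitted.
 *
 * DriverObject: this driver's object; unused.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    /* This routine lives in the PAGE section (#pragma PAGEDCODE precedes it);
     * PAGED_CODE() asserts on checked builds that the IRQL permits paged code. */
    PAGED_CODE();
    UNREFERENCED_PARAMETER(DriverObject);

    KdPrint(("DriverEntry unLoading...\n"));
}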
