LDR_DATA_TABLE_ENTRY 结构使用,枚举驱动
- #include "ntddk.h"
/*
 * Section-placement shorthands. Each macro expands to the operand of a
 * #pragma directive, so "#pragma PAGEDCODE" becomes
 * "#pragma code_seg("PAGE")" and applies to the definitions that follow it.
 * The code_seg()/data_seg() forms with no argument switch back to the
 * compiler's default section.
 */
#define PAGEDCODE code_seg("PAGE")   /* code placed in the "PAGE" section */
#define LOCKEDCODE code_seg()        /* code placed in the default code section */
#define INITCODE code_seg("INIT")    /* code placed in the "INIT" section */
#define PAGEDDATA data_seg("PAGE")   /* data placed in the "PAGE" section */
#define LOCKEDDATA data_seg()        /* data placed in the default data section */
#define INITDATA data_seg("INIT")    /* data placed in the "INIT" section */
/*
 * Hand-written declaration of the loader's per-module record. EnumDriver()
 * casts DRIVER_OBJECT.DriverSection to this type and follows
 * InLoadOrderLinks from one record to the next.
 *
 * NOTE(review): this layout is declared locally rather than taken from a
 * WDK header, so nothing ties it to the running kernel. Field offsets should
 * be confirmed against the symbols of every OS build the driver targets
 * before any field is read.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;           /* list linkage walked by EnumDriver() */
LIST_ENTRY InMemoryOrderLinks;         /* not used by this file */
LIST_ENTRY InInitializationOrderLinks; /* not used by this file */
PVOID DllBase;                         /* presumably the image load address; confirm */
PVOID EntryPoint;                      /* presumably the image entry point; confirm */
ULONG SizeOfImage;                     /* presumably the mapped image size in bytes; confirm */
UNICODE_STRING FullDllName;            /* presumably the full image path; confirm */
UNICODE_STRING BaseDllName;            /* name printed by EnumDriver() with %wZ */
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
/* Overlapping storage: either a list linkage or a section pointer plus checksum. */
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
/* Overlapping storage: a timestamp or a pointer, sharing the same bytes. */
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
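#pragma PAGEDCODE
/*
 * EnumDriver - print the base name of each module linked on the same
 * load-order list as the calling driver.
 *
 * pDriverObject: this driver's object; its DriverSection field is treated as
 *                a pointer to the driver's own LDR_DATA_TABLE_ENTRY.
 *
 * The walk starts at the entry after our own and stops on returning to our
 * own entry, so this driver itself is not printed. Output goes through
 * KdPrint and is therefore only produced in checked (debug) builds.
 *
 * NOTE(review): the list is read without taking any lock. Presumably other
 * modules can be loaded or unloaded while the walk runs; confirm what
 * synchronization the target OS requires before using this outside a lab.
 *
 * NOTE(review): the result reflects only what is linked on this list. A
 * module whose entry is no longer linked will not be reported, so treat the
 * output as informational and cross-check it against another source when it
 * is used for integrity checking.
 */
VOID EnumDriver(PDRIVER_OBJECT pDriverObject)
{
    PLDR_DATA_TABLE_ENTRY pSelfEntry;
    PLDR_DATA_TABLE_ENTRY pEntry;
    PLIST_ENTRY pLink;

    /* This function lives in the PAGE section and formats with %wZ. */
    PAGED_CODE();

    if (!pDriverObject)
    {
        return;
    }

    pSelfEntry = (PLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;
    if (!pSelfEntry)
    {
        return;
    }

    for (pLink = pSelfEntry->InLoadOrderLinks.Flink;
         pLink != NULL && pLink != &pSelfEntry->InLoadOrderLinks;
         pLink = pLink->Flink)
    {
        pEntry = CONTAINING_RECORD(pLink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        /*
         * A circular list walked from one of its elements also visits the
         * list head, which is a bare LIST_ENTRY and not a module record.
         * Skip anything that does not look like a populated record instead
         * of handing an arbitrary UNICODE_STRING to the formatter. This is
         * a heuristic, not a guarantee.
         */
        if (pEntry->DllBase == NULL ||
            pEntry->BaseDllName.Buffer == NULL ||
            pEntry->BaseDllName.Length == 0 ||
            pEntry->BaseDllName.Length > pEntry->BaseDllName.MaximumLength)
        {
            continue;
        }

        KdPrint(("\n%wZ\n", &pEntry->BaseDllName));
    }
}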
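#pragma PAGEDCODE
/*
 * MyDriverUnload - unload routine registered by DriverEntry.
 *
 * pDriverObject: the driver object being unloaded (not used).
 *
 * Only emits a debug message; DriverEntry in this file creates no devices
 * or other resources, so there is nothing to release here.
 */
VOID MyDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    /* Avoids the unused-parameter warning on builds that treat warnings as errors. */
    UNREFERENCED_PARAMETER(pDriverObject);

    PAGED_CODE();

    KdPrint(("DriverEntry unLoading...\n"));
}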
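#pragma INITCODE
/*
 * DriverEntry - driver initialization entry point.
 *
 * pDriverObject: this driver's object, supplied by the caller.
 * RegistryPath:  the driver's registry path (not used).
 *
 * Registers the unload routine, prints the loaded-module names once via
 * EnumDriver(), and returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    /* Avoids the unused-parameter warning on builds that treat warnings as errors. */
    UNREFERENCED_PARAMETER(RegistryPath);

    /* Register the unload routine before doing any other work. */
    pDriverObject->DriverUnload = MyDriverUnload;

    EnumDriver(pDriverObject);

    return STATUS_SUCCESS;
}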