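// Driver.h
// Header for a small WDM sample that walks the loaded kernel module list.
#pragma once  // header was previously unguarded; guard it so a second include is harmless

#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
// Both entry points must keep C linkage so the linker finds the unmangled
// DriverEntry and the unload routine has the plain PDRIVER_UNLOAD signature.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
#ifdef __cplusplus
}
#endif

// Section-placement helpers, used as `#pragma INITCODE` / `#pragma PAGEDCODE`
// in front of a definition to move it into the INIT / PAGE section.
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")

// Element count of a true array (not a pointer).
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))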
/*
 * Information classes accepted by ZwQuerySystemInformation (undocumented NT API).
 * The enumerators carry no explicit values, so each one's numeric value is its
 * position in this list; inserting or removing an entry shifts every class
 * after it. This driver only uses SystemModuleInformation (value 11 here).
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation, // obsolete...delete
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation, // returns an RTL_PROCESS_MODULES buffer (see Driver.cpp)
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation, // spelling matches the NT header; do not "fix"
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
/*
 * Undocumented kernel export that fills SystemInformation for the requested
 * class. Driver.cpp calls it with SystemModuleInformation and a caller-owned
 * buffer; the result is only usable when NT_SUCCESS(status).
 * NOTE(review): the callers assume a too-small buffer is reported through the
 * status code and ReturnLength — confirm against the target OS before relying
 * on a fixed buffer size.
 */
EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation (
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength
    );
/*
 * One entry of the SystemModuleInformation list (undocumented NT layout).
 * FullPathName holds the module path as an ANSI string and OffsetToFileName
 * is the index within it where the bare file name starts; Driver.cpp reads
 * the name as FullPathName + OffsetToFileName and compares it with _stricmp.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section; // Not filled in
    PVOID MappedBase;
    PVOID ImageBase;          // load address of the module in kernel space
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;  // offset into FullPathName of the file-name component
    UCHAR FullPathName[256];  // ANSI path; expected NUL-terminated by the kernel (not verified here)
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
/*
 * Header of the buffer returned for SystemModuleInformation: a count followed
 * by NumberOfModules entries. Modules[1] is the pre-C99 "trailing array" idiom,
 * so entries past the first live beyond the declared array bound.
 * The first entry starts at FIELD_OFFSET(RTL_PROCESS_MODULES, Modules), which is
 * NOT sizeof(ULONG) on 64-bit builds (the entry's first member, a HANDLE, is
 * pointer-aligned) — address Modules[i] rather than adding 4 to the buffer base.
 */
typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
// Driver.cpp
#include "Driver.h"
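// Initial size of the module-list buffer; grown on STATUS_INFO_LENGTH_MISMATCH.
#define MODULE_LIST_INITIAL_SIZE 0x10000
// Upper bound on query attempts, so a pathological size report cannot loop forever.
#define MODULE_LIST_MAX_ATTEMPTS 6
// Extra room added to the kernel-reported size in case modules load between calls.
#define MODULE_LIST_SLACK (4 * sizeof(RTL_PROCESS_MODULE_INFORMATION))
// Pool tag for the module-list buffer (reads as "ModL" in pool-tag tools).
#define MODULE_LIST_TAG 'LdoM'

/*
 * Query the loaded kernel module list (SystemModuleInformation).
 *
 * Returns a non-paged buffer that the caller must release with
 * ExFreePoolWithTag(p, MODULE_LIST_TAG), or NULL if allocation or the query
 * failed, the list was empty, or NumberOfModules claims more entries than
 * fit in the buffer. The buffer starts at MODULE_LIST_INITIAL_SIZE and is
 * grown while the kernel reports STATUS_INFO_LENGTH_MISMATCH, instead of
 * failing silently on systems with many modules.
 */
static PRTL_PROCESS_MODULES QuerySystemModules(VOID)
{
    ULONG cbBuffer = MODULE_LIST_INITIAL_SIZE;

    for (ULONG attempt = 0; attempt < MODULE_LIST_MAX_ATTEMPTS; attempt++)
    {
        PRTL_PROCESS_MODULES pModules =
            (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, cbBuffer, MODULE_LIST_TAG);
        if (pModules == NULL)
        {
            return NULL;
        }

        ULONG cbReturned = 0;
        NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, pModules, cbBuffer, &cbReturned);
        if (NT_SUCCESS(status))
        {
            // Only trust NumberOfModules if that many entries actually fit in the
            // bytes we own; otherwise a later walk would read past the allocation.
            SIZE_T cbEntries = cbBuffer - FIELD_OFFSET(RTL_PROCESS_MODULES, Modules);
            if (pModules->NumberOfModules != 0 &&
                pModules->NumberOfModules <= cbEntries / sizeof(RTL_PROCESS_MODULE_INFORMATION))
            {
                return pModules;
            }
            ExFreePoolWithTag(pModules, MODULE_LIST_TAG);
            return NULL;
        }

        ExFreePoolWithTag(pModules, MODULE_LIST_TAG);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return NULL;
        }

        // Grow to the size the kernel asked for (plus slack), or double if it
        // did not report one. The overflow guard keeps cbBuffer from wrapping.
        if (cbReturned > cbBuffer && cbReturned <= MAXULONG - MODULE_LIST_SLACK)
        {
            cbBuffer = cbReturned + (ULONG)MODULE_LIST_SLACK;
        }
        else if (cbBuffer <= MAXULONG / 2)
        {
            cbBuffer *= 2;
        }
        else
        {
            return NULL;
        }
    }
    return NULL;
}

/*
 * Return the file-name component of a module entry as a NUL-terminated ANSI
 * string. OffsetToFileName comes from the kernel but is bounded here anyway:
 * an offset at or past the end of FullPathName falls back to the full path
 * (index 0) rather than pointing outside the array. FullPathName itself is
 * expected to be NUL-terminated by the kernel; that is not re-verified.
 */
static const char *ModuleFileName(const RTL_PROCESS_MODULE_INFORMATION *pEntry)
{
    ULONG uOffset = pEntry->OffsetToFileName;
    if (uOffset >= sizeof(pEntry->FullPathName))
    {
        uOffset = 0;
    }
    return (const char *)(pEntry->FullPathName + uOffset);
}

/*
 * Print every loaded module's file name and image base to the debugger.
 *
 * Walks Modules[i] through the struct instead of adding sizeof(ULONG) to the
 * buffer base, so the entry offset is right on 64-bit builds too, and prints
 * ImageBase with %p so the full pointer-sized address is shown. Frees the
 * list before returning; nothing is returned to the caller.
 */
VOID EnumSysImageBase()
{
    PRTL_PROCESS_MODULES pModules = QuerySystemModules();
    if (pModules == NULL)
    {
        return;
    }

    for (ULONG i = 0; i < pModules->NumberOfModules; i++)
    {
        const RTL_PROCESS_MODULE_INFORMATION *pEntry = &pModules->Modules[i];
        KdPrint(("pszSysName:%s---uImageBase:%p\n", ModuleFileName(pEntry), pEntry->ImageBase));
    }

    ExFreePoolWithTag(pModules, MODULE_LIST_TAG);
}

/*
 * Look up the image base of a loaded module by file name.
 *
 * pszSysName: ANSI file name (e.g. "ntoskrnl.exe"), compared case-insensitively
 *             with the file-name component of each module's FullPathName.
 * Returns the module's ImageBase as a ULONG_PTR (pointer-sized, so the value is
 * not truncated on 64-bit), or 0 if pszSysName is NULL, the list could not be
 * queried, or no module matched.
 */
ULONG_PTR GetSysImageBase(const char *pszSysName)
{
    if (pszSysName == NULL)
    {
        return 0;
    }

    PRTL_PROCESS_MODULES pModules = QuerySystemModules();
    if (pModules == NULL)
    {
        return 0;
    }

    ULONG_PTR uImageBase = 0;
    for (ULONG i = 0; i < pModules->NumberOfModules; i++)
    {
        const RTL_PROCESS_MODULE_INFORMATION *pEntry = &pModules->Modules[i];
        if (_stricmp(ModuleFileName(pEntry), pszSysName) == 0)
        {
            uImageBase = (ULONG_PTR)pEntry->ImageBase;
            break;
        }
    }

    ExFreePoolWithTag(pModules, MODULE_LIST_TAG);
    return uImageBase;
}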
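#pragma INITCODE
/*
 * Driver entry point (INIT section): dumps the loaded module list to the
 * debugger, prints the image base of ntoskrnl.exe, and installs the unload
 * routine. Always returns STATUS_SUCCESS; RegistryPath is not used.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    EnumSysImageBase();

    // ULONG_PTR and %p keep the full address on 64-bit builds; a ULONG/%X pair
    // would truncate it.
    ULONG_PTR uImageBase = GetSysImageBase("ntoskrnl.exe");
    KdPrint(("ntoskrnl.exe:%p\n", (PVOID)uImageBase));

    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}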
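#pragma PAGEDCODE
/*
 * Unload routine (PAGE section). DriverEntry allocates nothing that outlives
 * it and registers only this callback, so there is nothing to tear down;
 * the routine just logs the unload. DriverObject is not used.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    // This code is pageable (#pragma PAGEDCODE); assert the IRQL permits that.
    PAGED_CODE();

    KdPrint(("DriverEntry unLoading...\n"));
}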