发表于 2015-5-21 00:52:10
输出驱动全链表的方法:
// Loader data-table entry: one record per loaded image, chained through the
// LIST_ENTRY members at the top of the structure.
//
// Keep the compiler's default alignment here; do NOT pack to 1 byte. Natural
// alignment is what makes this single definition line up with both the
// 32-bit and the 64-bit layout.
//
// NOTE(review): this is an undocumented structure and its layout is not a
// stable contract. The post reports testing on XP 32/64-bit and Win7 32-bit
// only; verify the offsets against the public symbols of every build you
// target before trusting any field. The entries reachable from
// DRIVER_OBJECT::DriverSection are usually described as KLDR_DATA_TABLE_ENTRY;
// this definition has the user-mode loader shape and presumably relies on the
// fields up to BaseDllName landing at the same offsets - confirm.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY      InLoadOrderLinks;             // link used by the list walk in DriverEntry
    LIST_ENTRY      InMemoryOrderLinks;
    LIST_ENTRY      InInitializationOrderLinks;
    PVOID           DllBase;
    PVOID           EntryPoint;
    ULONG           SizeOfImage;
    UNICODE_STRING  FullDllName;                  // printed by DriverEntry
    UNICODE_STRING  BaseDllName;
    ULONG           Flags;
    USHORT          LoadCount;
    USHORT          TlsIndex;

    // Overlapping storage: either a hash-chain link or a section pointer plus checksum.
    union
    {
        LIST_ENTRY  HashLinks;
        struct
        {
            PVOID   SectionPointer;
            ULONG   CheckSum;
        };
    };

    // Overlapping storage: a time stamp or an imports pointer.
    union
    {
        struct
        {
            ULONG   TimeDateStamp;
        };
        struct
        {
            PVOID   LoadedImports;
        };
    };

    struct _ACTIVATION_CONTEXT *EntryPointActivationContext;
    PVOID           PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
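// Driver entry point: prints the full path of every loaded kernel image to the
// debugger by walking the loader's InLoadOrderLinks ring, starting from this
// driver's own entry (DRIVER_OBJECT::DriverSection).
//
// Parameters:
//   pDriverObj      - driver object passed in by the I/O manager.
//   pRegistryString - registry path of the driver's service key (unused).
//
// Returns STATUS_SUCCESS after the walk, or STATUS_INVALID_PARAMETER when
// there is no loader entry to start from.
//
// Caveats for anyone reusing this:
//   * The list is read without holding the loader's lock, so a driver being
//     loaded or unloaded at the same moment can change the links mid-walk.
//     For production code prefer the documented interface,
//     AuxKlibQueryModuleInformation (or ZwQuerySystemInformation with
//     SystemModuleInformation), which returns a consistent snapshot.
//   * The output reflects only what is linked into this list. An image that
//     has been unlinked from it will not appear, so do not treat the result
//     as an authoritative inventory when checking a machine for hidden drivers.
//   * KdPrint produces output only in checked (DBG) builds.
//   * No DriverUnload routine is registered, so once loaded the driver cannot
//     be unloaded until reboot.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    UNREFERENCED_PARAMETER(pRegistryString);

    if (pDriverObj == NULL || pDriverObj->DriverSection == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    PLDR_DATA_TABLE_ENTRY Self = (PLDR_DATA_TABLE_ENTRY)pDriverObj->DriverSection;

    // Assumption carried over from the original code: during DriverEntry this
    // driver is the most recently inserted entry (the tail), so its Flink is
    // the list head itself. TODO confirm for your target build.
    PLIST_ENTRY Head = Self->InLoadOrderLinks.Flink;
    if (Head == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    // The list head is a bare LIST_ENTRY, not embedded in an
    // LDR_DATA_TABLE_ENTRY. The original do/while ran all the way round the
    // ring and therefore also applied CONTAINING_RECORD to the head, reading
    // FullDllName out of whatever memory happens to follow it. Stop at the
    // head so only real entries are dereferenced.
    for (PLIST_ENTRY Link = Head->Flink; Link != Head; Link = Link->Flink)
    {
        PLDR_DATA_TABLE_ENTRY Entry =
            CONTAINING_RECORD(Link, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        KdPrint(("%wZ\n", &Entry->FullDllName));
    }

    return STATUS_SUCCESS;
}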
按照微软的写法,自己实现了一次,在xp 32位 64位 和win7 32下测试通过