[转换][非原创]驱动里枚举内核模块
本帖最后由 Tesla.Angela 于 2010-7-9 13:12 编辑

拿网上 Ring 3 的代码转成 Ring 0 的，没什么价值，发这里当是灌水了。
#include <ntddk.h>
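/*
 * Kernel exports used below that ntddk.h may not declare on its own.
 * The last parameter of ObOpenObjectByPointer receives the new handle, so it
 * is PHANDLE (GetCurrentProcess passes &hprocess), not HANDLE as first posted.
 */
NTKERNELAPI NTSTATUS ObOpenObjectByPointer(
    IN PVOID Object,
    IN ULONG HandleAttributes,
    IN PACCESS_STATE PassedAccessState,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    OUT PHANDLE Handle
    );

/* SystemInformationClass 11 is SystemModuleInformation (used by EnumKernelDlls). */
NTKERNELAPI NTSTATUS ZwQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
    );

/* RegionSize is SIZE_T, so callers must not pass the address of a ULONG on x64. */
NTKERNELAPI NTSTATUS ZwAllocateVirtualMemory(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
    );

NTKERNELAPI NTSTATUS ZwFreeVirtualMemory(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    PSIZE_T RegionSize,
    ULONG FreeType
    );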
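/*
 * One entry of the SystemModuleInformation (class 11) result. The buffer
 * returned by ZwQuerySystemInformation starts with a ULONG module count and is
 * followed by this structure once per loaded module (see EnumKernelDlls).
 *
 * The posted version had lost its array bounds: Reserved must cover two
 * slots and ImageName is a 256-byte path buffer, otherwise sizeof() is wrong,
 * "module++" steps to garbage and ImageName + ModuleNameOffset is not a
 * pointer. The two leading slots are pointer-sized in the kernel's own
 * definition (RTL_PROCESS_MODULE_INFORMATION: Section, MappedBase), so they
 * are declared PVOID to keep the layout right on both x86 and x64.
 */
typedef struct _SYSTEM_MODULE_INFORMATION
{
    PVOID Reserved[2];        /* Section / MappedBase in the kernel's definition */
    PVOID Base;               /* image base address of the module */
    ULONG Size;               /* size of the mapped image, in bytes */
    ULONG Flags;
    USHORT Index;             /* load-order index */
    USHORT Unknown;           /* init-order index in the kernel's definition */
    USHORT LoadCount;
    USHORT ModuleNameOffset;  /* offset of the file name part inside ImageName */
    CHAR ImageName[256];      /* NUL-terminated full path of the image */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;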
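/*
 * Open a handle to the current process for use with the Zw* memory APIs.
 *
 * Returns the new handle, or NULL if ObOpenObjectByPointer fails (the posted
 * version ignored the status and returned an uninitialised HANDLE). The
 * caller owns the handle and must release it with ZwClose. The handle is a
 * kernel handle, so it cannot be reached from the user-mode side of the
 * process it is created in. Note that the Zw* calls in this file also accept
 * the ZwCurrentProcess() pseudo-handle, which needs neither open nor close.
 */
HANDLE GetCurrentProcess(void)
{
    HANDLE hProcess = NULL;
    NTSTATUS status;

    status = ObOpenObjectByPointer(PsGetCurrentProcess(),
                                   OBJ_KERNEL_HANDLE,
                                   NULL,
                                   PROCESS_ALL_ACCESS,
                                   *PsProcessType,
                                   KernelMode,
                                   &hProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ObOpenObjectByPointer failed: 0x%08X\n", status);
        return NULL;
    }
    return hProcess;
}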
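/*
 * List every loaded kernel module by querying SystemModuleInformation
 * (class 11) and printing one line per module to the debugger.
 *
 * The result buffer now comes from paged pool. The posted version committed
 * it with ZwAllocateVirtualMemory in the current process's address space,
 * which is user-mode readable and so hands kernel image addresses to whatever
 * process the driver happens to run in; it also never closed the process
 * handle it opened and leaked the buffer when the query failed.
 *
 * Must run at PASSIVE_LEVEL. Returns 0 in every case, as the original did;
 * failures are reported with DbgPrint.
 */
int EnumKernelDlls()
{
    /* Layout of the query result: a count followed by the entries. A struct
     * lets the compiler place the array at its natural alignment instead of
     * hard-coding "(PULONG)buf + 1", which is wrong on x64. */
    typedef struct _SYSTEM_MODULE_LIST
    {
        ULONG Count;
        SYSTEM_MODULE_INFORMATION Modules[1];
    } SYSTEM_MODULE_LIST, *PSYSTEM_MODULE_LIST;

    const ULONG poolTag = 'mnEK';   /* pool tag; arbitrary value chosen here */
    const ULONG nameLen = sizeof(SYSTEM_MODULE_INFORMATION) -
                          FIELD_OFFSET(SYSTEM_MODULE_INFORMATION, ImageName);
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PVOID buf = NULL;
    ULONG len = 0;
    ULONG retLen = 0;
    PSYSTEM_MODULE_LIST list;
    PSYSTEM_MODULE_INFORMATION module;
    PCHAR name;
    ULONG nameOffset;
    ULONG moduleNum;
    ULONG ii;
    int attempt;

    /* Size probe: with a NULL buffer the call fails with
     * STATUS_INFO_LENGTH_MISMATCH and reports the needed length. Modules can
     * load between the probe and the real query, so allocate some slack and
     * retry a bounded number of times when the buffer still turns out small. */
    for (attempt = 0; attempt < 4; attempt++)
    {
        status = ZwQuerySystemInformation(11, NULL, 0, &len);
        if (status != STATUS_INFO_LENGTH_MISMATCH || len == 0)
        {
            DbgPrint("size query failed! status=0x%08X\n", status);
            return 0;
        }
        len += (ULONG)(4 * sizeof(SYSTEM_MODULE_INFORMATION));
        buf = ExAllocatePoolWithTag(PagedPool, len, poolTag);
        if (buf == NULL)
        {
            DbgPrint("allocate failed !\n");
            return 0;
        }
        status = ZwQuerySystemInformation(11, buf, len, &retLen);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
        ExFreePoolWithTag(buf, poolTag);
        buf = NULL;
    }
    if (!NT_SUCCESS(status) || buf == NULL)
    {
        DbgPrint("query failed! status=0x%08X\n", status);
        goto cleanup;
    }

    list = (PSYSTEM_MODULE_LIST)buf;
    moduleNum = list->Count;
    /* Do not trust the count blindly: every entry must lie inside the bytes
     * the kernel reports it actually wrote. */
    if (retLen < FIELD_OFFSET(SYSTEM_MODULE_LIST, Modules) ||
        moduleNum > (retLen - FIELD_OFFSET(SYSTEM_MODULE_LIST, Modules)) /
                    sizeof(SYSTEM_MODULE_INFORMATION))
    {
        DbgPrint("query returned an inconsistent module count!\n");
        goto cleanup;
    }

    DbgPrint("\n--------------------------------------------------------------------\n");
    for (ii = 0; ii < moduleNum; ii++)
    {
        module = &list->Modules[ii];
        /* ImageName is a fixed-size path buffer; force termination and keep
         * the file-name offset inside it before handing it to %s. */
        name = (PCHAR)&module->ImageName;
        name[nameLen - 1] = '\0';
        nameOffset = module->ModuleNameOffset;
        if (nameOffset >= nameLen)
        {
            nameOffset = 0;
        }
        /* %p for the pointer-sized base; %lu for the ULONG fields. */
        DbgPrint("ID:%3lu\tBaseAddress:%p\tModuleName:%12s\tsize:%7lu\n",
                 ii + 1,
                 module->Base,
                 name + nameOffset,
                 module->Size);
    }
    DbgPrint("--------------------------------------------------------------------\n");

cleanup:
    if (buf != NULL)
    {
        ExFreePoolWithTag(buf, poolTag);
    }
    return 0;
}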
顺便赞一下老罗的代码高亮软件，真好用。

转载：通过 PsLoadedModuleList 枚举驱动
/*
By VirusWizard
2009.7.18
一种相对来说比较古老的方法,NtQuerySystemInformation内部也是使用这种方法。
对付此方法相当简单,从双向链表里摘除即可。
这个LDR_DATA_TABLE_ENTRY结构算是比较完整的了,从WRK抠出来的。
LDR_DATA_TABLE_ENTRY也可以用于枚举PEB中的模块,隐藏模块的方法也是一样的。
*/
/*
 * Loader entry for one module on the kernel's loaded-module list, laid out
 * as in the WRK per the note above. Of these fields EnumDriver reads only
 * InLoadOrderLinks (via CONTAINING_RECORD), EntryPoint, FullDllName,
 * DllBase and SizeOfImage; EnumDriver also treats PDRIVER_OBJECT->DriverSection
 * as a pointer to one of these. Field order is the ABI: do not reorder.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks; /* first member, so a DriverSection pointer doubles as PLIST_ENTRY */
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase; /* image base */
PVOID EntryPoint; /* NULL entries are skipped by EnumDriver */
ULONG SizeOfImage;
UNICODE_STRING FullDllName; /* counted string; Buffer may be NULL */
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
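/* Walk the loaded-module list reachable from pDrvObj->DriverSection and
 * print each driver to the debugger; defined below. */
NTSTATUS EnumDriver(
    PDRIVER_OBJECT pDrvObj
    );

/* Declared ahead of DriverEntry, which stores this routine in DriverUnload
 * before its definition below is seen; without the prototype that is an
 * implicit declaration. */
VOID DriverUnload(
    PDRIVER_OBJECT pDriverObj
    );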
//////////////////////////////////////////////////////////////////////////
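/*
 * Driver entry point: registers the unload routine, enumerates the loaded
 * drivers once and returns success. pRegistryString is not used.
 */
NTSTATUS DriverEntry(
    PDRIVER_OBJECT pDriverObj,
    PUNICODE_STRING pRegistryString
    )
{
    UNREFERENCED_PARAMETER(pRegistryString);

    pDriverObj->DriverUnload = DriverUnload;
    /* The status is deliberately ignored: EnumDriver only reports to the
     * debugger and a failure there should not keep the driver from loading. */
    (void)EnumDriver(pDriverObj);
    dprintf(" Loaded \n");
    return STATUS_SUCCESS;
}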
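/*
 * Unload routine registered by DriverEntry. Nothing was allocated or
 * registered beyond the unload pointer itself, so only a debugger message is
 * emitted. pDriverObj is not used.
 */
VOID DriverUnload(
    PDRIVER_OBJECT pDriverObj
    )
{
    UNREFERENCED_PARAMETER(pDriverObj);
    dprintf(" Unloaded\n");
}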
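/*
 * Walk the kernel's loaded-module list starting from this driver's own
 * LDR_DATA_TABLE_ENTRY (pDrvObj->DriverSection points to it) and print one
 * record per driver to the debugger.
 *
 * The walk takes no lock, so a module loading or unloading while it runs can
 * break the traversal; acceptable for a demonstration only. The list head
 * inside ntoskrnl is not a real entry: the EntryPoint / FullDllName.Buffer
 * test is what skips it, and that is a heuristic, not a guarantee.
 * dprintf is assumed to forward to DbgPrint (it is not defined on this page),
 * so %p is used for pointer-sized values instead of the 32-bit-only 0x%08X.
 *
 * Returns STATUS_SUCCESS, or STATUS_INVALID_PARAMETER when pDrvObj or its
 * DriverSection is NULL (the posted version dereferenced them unchecked).
 */
NTSTATUS EnumDriver(
    PDRIVER_OBJECT pDrvObj
    )
{
    PLIST_ENTRY start;
    PLIST_ENTRY pList;
    PLDR_DATA_TABLE_ENTRY Ldr;
    int nCount = 0;

    if (pDrvObj == NULL || pDrvObj->DriverSection == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    /* InLoadOrderLinks is the first member of the entry, so DriverSection
     * can be used directly as a PLIST_ENTRY. The loop visits every entry
     * once and stops when it is back at the one it started from. */
    start = ((PLIST_ENTRY)pDrvObj->DriverSection)->Flink;
    pList = start;
    do
    {
        Ldr = CONTAINING_RECORD(pList, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (Ldr->EntryPoint != NULL && Ldr->FullDllName.Buffer != NULL)
        {
            /* %S assumes the loader keeps FullDllName NUL-terminated. */
            dprintf("DriveName : %S\n", Ldr->FullDllName.Buffer);
            dprintf("ImageBase : %p.\n", Ldr->DllBase);
            dprintf("ImageSize : 0x%08X.\n", Ldr->SizeOfImage);
            dprintf("EntryPoint : %p.\n", Ldr->EntryPoint);
            dprintf("-------------------------------\n");
            nCount++;
        }
        pList = pList->Flink;
    } while (pList != start);

    dprintf("NumOfDriver : %d.\n", nCount);
    return STATUS_SUCCESS;
}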