|
|
这个函数调用:
stats = MyEnumKernelModule("\\??\\c:\\windows\\system32\\123.sys",&ModuleAddress,&ModuleSize);
实参是:\\??\\c:\\windows\\system32\\123.sys
我主要关心这个实参
但是在被调用函数里,这个参数好像没啥用,下面是被调用的函数:
NTSTATUS MyEnumKernelModule(IN CHAR* str,OUT ULONG *moduleadd,OUT ULONG *modulesie)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG n = 0;
ULONG i = 0;
PSYSTEM_MODULE_INFORMATION_ENTRY module = NULL;
PVOID pbuftmp = NULL;
ANSI_STRING ModuleName1,ModuleName2;
//利用11号功能枚举内核模块
status = ZwQuerySystemInformation(11, &n, 0, &n);
//申请内存
pbuftmp = ExAllocatePool(NonPagedPool, n);
//再次执行,将枚举结果放到指定的内存区域
status = ZwQuerySystemInformation(11, pbuftmp, n, NULL);
module = (PSYSTEM_MODULE_INFORMATION_ENTRY)((PULONG )pbuftmp + 1 );
//初始化字符串
RtlInitAnsiString(&ModuleName1,str);
//
n = *((PULONG)pbuftmp );
for ( i = 0; i < n; i++ )
{
RtlInitAnsiString(&ModuleName2,&module[i].ImageName);
//DbgPrint("%d\t0x%08X 0x%08X %s\n",module[i].LoadOrderIndex,module[i].Base,module[i].Size,module[i].ImageName);
if (RtlCompareString(&ModuleName1,&ModuleName2,TRUE) == 0)
{
DbgPrint("MyEnumKernelModule:%s:%0X \n",ModuleName2.Buffer,module[i].Base);
*moduleadd = module[i].Base;
*modulesie = module[i].Size;
tlgstst = TRUE;
break;
}
}
ExFreePool(pbuftmp);
return status;
}
|
|
发表于 2011-3-26 17:26:45
发表于 2011-3-27 18:31:10
