• 获得内核模块 通过DriverSection


    /***************************************************************************************
    * AUTHOR : yifi
    * DATE   : 2016-1-20
    * MODULE : EnumKernelModules.H
    *
    * IOCTRL Sample Driver
    *
    * Description:
    *        Demonstrates communications between USER and KERNEL.
    *
    ****************************************************************************************
    * Copyright (C) 2010 yifi.
    ****************************************************************************************/
    
    #ifndef CXX_ENUMKERNELMODULES_H
    #define CXX_ENUMKERNELMODULES_H 
    
    
    #include <ntifs.h>
    
    
    
    /*
     * 64-bit image of a loader data table entry -- the structure that
     * DriverObject->DriverSection points to. The layout is undocumented and was
     * reconstructed by the author; the enumeration code in this listing only
     * touches InLoadOrderLinks, BaseDllName and (in commented-out code) DllBase
     * and SizeOfImage.
     *
     * LIST_ENTRY64 links are not pointer-typed, which is why the list walker
     * casts Flink back to PLDR_DATA_TABLE_ENTRY.
     *
     * NOTE(review): the kernel's own entry (`dt nt!_KLDR_DATA_TABLE_ENTRY` in
     * WinDbg) is not the same structure as the user-mode
     * `nt!_LDR_DATA_TABLE_ENTRY` mirrored here; the fields this file uses appear
     * to sit at matching offsets, but every field from Flags onward should be
     * verified against each target build before it is relied on. A wrong
     * offset here is an out-of-bounds read in kernel mode.
     */
    typedef struct _LDR_DATA_TABLE_ENTRY64
    {
        LIST_ENTRY64    InLoadOrderLinks;          /* walked via .Flink by the enumerator */
        LIST_ENTRY64    InMemoryOrderLinks;
        LIST_ENTRY64    InInitializationOrderLinks;
        PVOID            DllBase;                  /* image base (only used in commented-out code) */
        PVOID            EntryPoint;
        ULONG            SizeOfImage;              /* image size (only used in commented-out code) */
        UNICODE_STRING    FullDllName;
        UNICODE_STRING     BaseDllName;            /* printed by the enumerator; Buffer may be NULL */
        ULONG            Flags;
        USHORT            LoadCount;
        USHORT            TlsIndex;
        PVOID            SectionPointer;
        ULONG            CheckSum;
        PVOID            LoadedImports;
        PVOID            EntryPointActivationContext;
        PVOID            PatchInformation;
        LIST_ENTRY64    ForwarderLinks;
        LIST_ENTRY64    ServiceTagLinks;
        LIST_ENTRY64    StaticLinks;
        PVOID            ContextInformation;
        ULONG64            OriginalBase;
        LARGE_INTEGER    LoadTime;
    } LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;
    
    
    
    /*
     * 32-bit counterpart of LDR_DATA_TABLE_ENTRY64, selected on non-_WIN64
     * builds by the macros below. Pointer-sized members are declared as ULONG
     * (directly, or through LIST_ENTRY32 / UNICODE_STRING32), so DllBase,
     * InLoadOrderLinks.Flink and BaseDllName.Buffer are integers here and the
     * enumeration code has to cast Flink back to a pointer.
     *
     * The two unions after TlsIndex overlay HashLinks with
     * SectionPointer/CheckSum, and TimeDateStamp with LoadedImports; none of
     * those members is read in this listing.
     *
     * NOTE(review): same caveat as the 64-bit variant -- undocumented,
     * per-build layout; verify against the target kernel before deploying.
     */
    typedef struct _LDR_DATA_TABLE_ENTRY32
    {
        LIST_ENTRY32 InLoadOrderLinks;      /* walked via .Flink (a ULONG) by the enumerator */
        LIST_ENTRY32 InMemoryOrderLinks;
        LIST_ENTRY32 InInitializationOrderLinks;
        ULONG DllBase;                      /* image base as an integer */
        ULONG EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING32 FullDllName;
        UNICODE_STRING32 BaseDllName;       /* printed by the enumerator; Buffer is a ULONG, may be 0 */
        ULONG Flags;
        USHORT LoadCount;
        USHORT TlsIndex;
        union {
            LIST_ENTRY32 HashLinks;
            struct {
                ULONG SectionPointer;
                ULONG  CheckSum;
            };
        };
        union {
            struct {
                ULONG  TimeDateStamp;
            };
            struct {
                ULONG LoadedImports;
            };
        };
    } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
    
    
    #ifdef _WIN64
    #define LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY64
    #define PLDR_DATA_TABLE_ENTRY PLDR_DATA_TABLE_ENTRY64
    #else
    #define LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY32
    #define PLDR_DATA_TABLE_ENTRY PLDR_DATA_TABLE_ENTRY32
    #endif
    
    /* Declared only: no definition appears in this listing, and DriverEntry never
     * installs it as DriverObject->DriverUnload. The misspelled name is kept
     * because it is part of this header's interface. */
    VOID UnloadDirver(PDRIVER_OBJECT DriverObject);
    /* Prints the BaseDllName of every entry reachable from
     * CurrentDriverObject->DriverSection through InLoadOrderLinks.Flink and returns
     * TRUE when at least one entry had a non-NULL BaseDllName.Buffer. Despite the
     * name, no module name is matched -- that variant exists only as commented-out
     * code in the .c file. Must be called at PASSIVE_LEVEL (wide-string DbgPrint). */
    BOOLEAN GetKernelModuleInformationByKernelModuleName(PDRIVER_OBJECT CurrentDriverObject);
    
    
    #endif
    
    
    
    
    
    
    
    
    
    
    
    
     /***************************************************************************************
    * AUTHOR : yifi
    * DATE   : 2016-1-20
    * MODULE : EnumKernelModules.C
    * 
    * Command: 
    *    Source of IOCTRL Sample Driver
    *
    * Description:
    *        Demonstrates communications between USER and KERNEL.
    *
    ****************************************************************************************
    * Copyright (C) 2010 yifi.
    ****************************************************************************************/
    
    //#######################################################################################
    //# I N C L U D E S
    //#######################################################################################
    /***************************************************************************************
    * AUTHOR : yifi
    * DATE   : 2016-9-8
    * MODULE : KernelMode.C
    * 
    * Command: 
    *    Source of IOCTRL Sample Driver
    *
    * Description:
    *        Demonstrates communications between USER and KERNEL.
    *
    ****************************************************************************************
    * Copyright (C) 2010 yifi.
    ****************************************************************************************/
    
    //#######################################################################################
    //# I N C L U D E S
    //#######################################################################################
    
    #ifndef CXX_KERNELMODE_H
    #    include "KernelMode.h"
    #endif
    
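    /*
     * Driver entry point: walks the loaded-module list once, starting at this
     * driver's own DriverSection entry, and prints every module's base name to
     * the kernel debugger output.
     *
     * DriverObject  - this driver's object; its DriverSection anchors the walk.
     * RegisterPath  - the driver's registry service key; unused here.
     *
     * Returns STATUS_SUCCESS unconditionally. The BOOLEAN result of the
     * enumeration is diagnostic only (FALSE when no entry carried a name
     * buffer), so it is not turned into a failure status.
     *
     * NOTE(review): no DriverUnload routine is installed (UnloadDirver is only
     * declared in the header, not defined in this listing), so the driver
     * cannot be stopped once it is loaded.
     */
    NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
    {
        UNREFERENCED_PARAMETER(RegisterPath);

        /* Result deliberately ignored: the enumeration only produces debug output. */
        (void)GetKernelModuleInformationByKernelModuleName(DriverObject);

        return STATUS_SUCCESS;
    }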
    
    
    
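    /*
     * Prints the base name of one loader entry.
     *
     * Entry - an entry of the loaded-module list; must not be NULL.
     *
     * Returns TRUE when the entry carries a name buffer, FALSE otherwise
     * (nothing is printed in that case).
     *
     * %wZ is used instead of %S: a UNICODE_STRING's Buffer is bounded by its
     * Length and is not guaranteed to be NUL-terminated, so %S can read past the
     * end of the string. Both specifiers require IRQL == PASSIVE_LEVEL.
     * On x86 BaseDllName is a UNICODE_STRING32, whose layout matches
     * UNICODE_STRING on that architecture, hence the cast.
     */
    static BOOLEAN LogKernelModuleEntry(PLDR_DATA_TABLE_ENTRY Entry)
    {
        if (!Entry->BaseDllName.Buffer)
        {
            return FALSE;
        }

        DbgPrint("%wZ\n", (PCUNICODE_STRING)&Entry->BaseDllName);
        return TRUE;
    }

    /*
     * Walks the in-load-order list of kernel modules, starting at the calling
     * driver's own entry (DriverObject->DriverSection, see `dt nt!_DRIVER_OBJECT`),
     * and prints each entry's BaseDllName.
     *
     * CurrentDriverObject - the driver whose DriverSection anchors the walk.
     *                       NULL (or a NULL DriverSection) yields FALSE without
     *                       touching the list.
     *
     * Returns TRUE if at least one visited entry had a non-NULL
     * BaseDllName.Buffer, FALSE otherwise.
     *
     * Despite its name the function matches no module name; the name-matching
     * variant is kept as commented-out code below.
     *
     * NOTE(review): the list is walked without any synchronization, so a module
     * unloading concurrently can leave a dangling Flink. The circular walk also
     * presumably passes through the list's head sentinel, which is a bare
     * LIST_ENTRY rather than a full entry -- its "BaseDllName" is whatever
     * memory follows it and should not be trusted. Confirm both points on the
     * target build before relying on the output.
     */
    BOOLEAN GetKernelModuleInformationByKernelModuleName(PDRIVER_OBJECT CurrentDriverObject)
    {
        BOOLEAN bOk = FALSE;
        PLDR_DATA_TABLE_ENTRY ListHead = NULL;
        PLDR_DATA_TABLE_ENTRY Entry = NULL;

        if (CurrentDriverObject == NULL)
        {
            return FALSE;
        }

        ListHead = (PLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection;
        if (ListHead == NULL)
        {
            return FALSE;
        }

        /* Visit the anchor entry first, then follow Flink until the list wraps. */
        Entry = ListHead;
        do
        {
            if (LogKernelModuleEntry(Entry))
            {
                bOk = TRUE;
            }

            /* Flink is an integer in LIST_ENTRY32/LIST_ENTRY64, hence the cast. */
            Entry = (PLDR_DATA_TABLE_ENTRY)Entry->InLoadOrderLinks.Flink;
        } while (Entry != NULL && Entry != ListHead);

        return bOk;
    }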
    
    //BOOLEAN GetKernelModuleInformationByKernelModuleName(WCHAR* wzKernelModuleName,PVOID* KernelModuleBase,ULONG32* ulKernelModuleSize)
    //{
    //
    //    BOOLEAN bOk = FALSE;
    //    if (CurrentDriverObject)
    //    {
    //        PLDR_DATA_TABLE_ENTRY ListHead = NULL, ListFlink = NULL;
    //
    //
    //
    //        ListHead    = (PLDR_DATA_TABLE_ENTRY)CurrentDriverObject->DriverSection;  //dt _DriverObject
    //        DbgPrint("%S\n",ListHead->BaseDllName.Buffer);
    //        if (ListHead->BaseDllName.Buffer&&                                                         
    //            wcsstr(ListHead->BaseDllName.Buffer,wzKernelModuleName)!=NULL)
    //        {
    //
    //
    //            *KernelModuleBase = (PVOID)ListHead->DllBase;
    //            *ulKernelModuleSize = ListHead->SizeOfImage;
    //
    //            bOk = TRUE;
    //        }
    //
    //        ListFlink   = (PLDR_DATA_TABLE_ENTRY)ListHead->InLoadOrderLinks.Flink;
    //
    //        while((PLDR_DATA_TABLE_ENTRY)ListFlink != ListHead)
    //        {
    //            DbgPrint("%S\n",ListFlink->BaseDllName.Buffer);
    //            if (ListFlink->BaseDllName.Buffer&&                                                         
    //                wcsstr(ListFlink->BaseDllName.Buffer,wzKernelModuleName)!=NULL)
    //            {
    //
    //
    //                *KernelModuleBase = (PVOID)ListFlink->DllBase;
    //                *ulKernelModuleSize = ListFlink->SizeOfImage;
    //
    //                bOk = TRUE;
    //            }
    //
    //            ListFlink = (PLDR_DATA_TABLE_ENTRY)ListFlink->InLoadOrderLinks.Flink;
    //        }
    //    }
    //
    //    return bOk;
    //}
  • 原文地址:https://www.cnblogs.com/yifi/p/6527968.html