Windows内核两种方法遍历所有内核模块
测试环境:Windows10 X64(本机) + Windows X64(测试机) + Windows XP(测试机)下面是具体代码与实现:
```
#include "ntifs.h"
#ifdef _M_X32
//0xa8 bytes (sizeof)
typedef struct _LDR_DATA_TABLE_ENTRY {
struct _LIST_ENTRY InLoadOrderLinks; //0x0
struct _LIST_ENTRY InMemoryOrderLinks; //0x8
struct _LIST_ENTRY InInitializationOrderLinks; //0x10
VOID* DllBase; //0x18
VOID* EntryPoint; //0x1c
ULONG SizeOfImage; //0x20
struct _UNICODE_STRING FullDllName; //0x24
struct _UNICODE_STRING BaseDllName; //0x2c
union {
UCHAR FlagGroup; //0x34
ULONG Flags; //0x34
struct {
ULONG PackagedBinary : 1; //0x34
ULONG MarkedForRemoval : 1; //0x34
ULONG ImageDll : 1; //0x34
ULONG LoadNotificationsSent : 1; //0x34
ULONG TelemetryEntryProcessed : 1; //0x34
ULONG ProcessStaticImport : 1; //0x34
ULONG InLegacyLists : 1; //0x34
ULONG InIndexes : 1; //0x34
ULONG ShimDll : 1; //0x34
ULONG InExceptionTable : 1; //0x34
ULONG ReservedFlags1 : 2; //0x34
ULONG LoadInProgress : 1; //0x34
ULONG LoadConfigProcessed : 1; //0x34
ULONG EntryProcessed : 1; //0x34
ULONG ProtectDelayLoad : 1; //0x34
ULONG ReservedFlags3 : 2; //0x34
ULONG DontCallForThreads : 1; //0x34
ULONG ProcessAttachCalled : 1; //0x34
ULONG ProcessAttachFailed : 1; //0x34
ULONG CorDeferredValidate : 1; //0x34
ULONG CorImage : 1; //0x34
ULONG DontRelocate : 1; //0x34
ULONG CorILOnly : 1; //0x34
ULONG ChpeImage : 1; //0x34
ULONG ReservedFlags5 : 2; //0x34
ULONG Redirected : 1; //0x34
ULONG ReservedFlags6 : 2; //0x34
ULONG CompatDatabaseProcessed : 1; //0x34
};
};
USHORT ObsoleteLoadCount; //0x38
USHORT TlsIndex; //0x3a
struct _LIST_ENTRY HashLinks; //0x3c
ULONG TimeDateStamp; //0x44
struct _ACTIVATION_CONTEXT* EntryPointActivationContext; //0x48
VOID* Lock; //0x4c
struct _LDR_DDAG_NODE* DdagNode; //0x50
struct _LIST_ENTRY NodeModuleLink; //0x54
struct _LDRP_LOAD_CONTEXT* LoadContext; //0x5c
VOID* ParentDllBase; //0x60
VOID* SwitchBackContext; //0x64
struct _RTL_BALANCED_NODE BaseAddressIndexNode; //0x68
struct _RTL_BALANCED_NODE MappingInfoIndexNode; //0x74
ULONG OriginalBase; //0x80
union _LARGE_INTEGER LoadTime; //0x88
ULONG BaseNameHashValue; //0x90
enum _LDR_DLL_LOAD_REASON LoadReason; //0x94
ULONG ImplicitPathOptions; //0x98
ULONG ReferenceCount; //0x9c
ULONG DependentLoadFlags; //0xa0
UCHAR SigningLevel; //0xa4
}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;
#else
//0x138 bytes (sizeof)
typedef struct _LDR_DATA_TABLE_ENTRY {
struct _LIST_ENTRY InLoadOrderLinks; //0x0
struct _LIST_ENTRY InMemoryOrderLinks; //0x10
struct _LIST_ENTRY InInitializationOrderLinks; //0x20
VOID* DllBase; //0x30
VOID* EntryPoint; //0x38
ULONG SizeOfImage; //0x40
struct _UNICODE_STRING FullDllName; //0x48
struct _UNICODE_STRING BaseDllName; //0x58
union {
UCHAR FlagGroup; //0x68
ULONG Flags; //0x68
struct {
ULONG PackagedBinary : 1; //0x68
ULONG MarkedForRemoval : 1; //0x68
ULONG ImageDll : 1; //0x68
ULONG LoadNotificationsSent : 1; //0x68
ULONG TelemetryEntryProcessed : 1; //0x68
ULONG ProcessStaticImport : 1; //0x68
ULONG InLegacyLists : 1; //0x68
ULONG InIndexes : 1; //0x68
ULONG ShimDll : 1; //0x68
ULONG InExceptionTable : 1; //0x68
ULONG ReservedFlags1 : 2; //0x68
ULONG LoadInProgress : 1; //0x68
ULONG LoadConfigProcessed : 1; //0x68
ULONG EntryProcessed : 1; //0x68
ULONG ProtectDelayLoad : 1; //0x68
ULONG ReservedFlags3 : 2; //0x68
ULONG DontCallForThreads : 1; //0x68
ULONG ProcessAttachCalled : 1; //0x68
ULONG ProcessAttachFailed : 1; //0x68
ULONG CorDeferredValidate : 1; //0x68
ULONG CorImage : 1; //0x68
ULONG DontRelocate : 1; //0x68
ULONG CorILOnly : 1; //0x68
ULONG ChpeImage : 1; //0x68
ULONG ChpeEmulatorImage : 1; //0x68
ULONG ReservedFlags5 : 1; //0x68
ULONG Redirected : 1; //0x68
ULONG ReservedFlags6 : 2; //0x68
ULONG CompatDatabaseProcessed : 1; //0x68
};
};
USHORT ObsoleteLoadCount; //0x6c
USHORT TlsIndex; //0x6e
struct _LIST_ENTRY HashLinks; //0x70
ULONG TimeDateStamp; //0x80
struct _ACTIVATION_CONTEXT* EntryPointActivationContext; //0x88
VOID* Lock; //0x90
struct _LDR_DDAG_NODE* DdagNode; //0x98
struct _LIST_ENTRY NodeModuleLink; //0xa0
struct _LDRP_LOAD_CONTEXT* LoadContext; //0xb0
VOID* ParentDllBase; //0xb8
VOID* SwitchBackContext; //0xc0
struct _RTL_BALANCED_NODE BaseAddressIndexNode; //0xc8
struct _RTL_BALANCED_NODE MappingInfoIndexNode; //0xe0
ULONGLONG OriginalBase; //0xf8
union _LARGE_INTEGER LoadTime; //0x100
ULONG BaseNameHashValue; //0x108
enum _LDR_DLL_LOAD_REASON LoadReason; //0x10c
ULONG ImplicitPathOptions; //0x110
ULONG ReferenceCount; //0x114
ULONG DependentLoadFlags; //0x118
UCHAR SigningLevel; //0x11c
ULONG CheckSum; //0x120
VOID* ActivePatchImageBase; //0x128
enum _LDR_HOT_PATCH_STATE HotPatchState; //0x130
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
#endif
typedef __kernel_entry NTSTATUS funNtQuerySystemInformation(
char SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONGReturnLength
);
#define WORD unsigned short
#define BYTE unsigned char
typedef struct _SYSTEM_MODULE {
ULONG Reserved1;
ULONG Reserved2;
PVOID ImageBaseAddress;
size_t ImageSize;
size_t Flags;
WORD Id;
WORD Rank;
WORD w018;
WORD NameOffset;
BYTE Name;
} SYSTEM_MODULE, * PSYSTEM_MODULE;
typedef struct _SYSTEM_MODULE_INFORMATION {
size_t ModulesCount;
SYSTEM_MODULE Modules;
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
void PrintAllMoudleBySection(PDRIVER_OBJECT driver) {
LDR_DATA_TABLE_ENTRY* ldr = driver->DriverSection;
LIST_ENTRY* Var_Ldr = ldr;
do {
DbgPrint("%wZ %x\n", &ldr->BaseDllName, ldr->DllBase);
ldr = ldr->InLoadOrderLinks.Flink;
} while (Var_Ldr != ldr);
}
void PrintAllMoudleByNtQuerySystemInformation() {
UNICODE_STRING DstUnicodeString;
RtlInitUnicodeString(&DstUnicodeString, L"NtQuerySystemInformation");
funNtQuerySystemInformation* NtQuerySystemInformation = MmGetSystemRoutineAddress(&DstUnicodeString);
if (NtQuerySystemInformation == NULL) {
DbgPrint("获取地址失败\n");
return STATUS_UNSUCCESSFUL;
}
SYSTEM_MODULE_INFORMATION* SystemInformation;
unsigned int SystemInfoSize = 0x1000;
unsigned int ReturnLength = 0;
do {
SystemInformation = ExAllocatePoolWithTag(PagedPool, SystemInfoSize, " kdD");
if (SystemInformation == NULL) {
DbgPrint("分配内存失败\n");
return STATUS_UNSUCCESSFUL;
}
NTSTATUS Status = NtQuerySystemInformation(0xB, SystemInformation, SystemInfoSize, &ReturnLength);
if (NT_SUCCESS(Status)) {
break;
} else if (Status != STATUS_INFO_LENGTH_MISMATCH) {
return STATUS_INFO_LENGTH_MISMATCH;
} else {
ExFreePoolWithTag(SystemInformation, " kdD");
SystemInfoSize <<= 1;
}
} while (1);
DbgPrint("\n\n****************************************************************\n\n\n");
for (size_t i = 0; i < SystemInformation->ModulesCount; i++) {
unsigned char* Name = SystemInformation->Modules.NameOffset + SystemInformation->Modules.Name;
DbgPrint("%s %x\n", Name, SystemInformation->Modules.ImageBaseAddress);
}
ExFreePoolWithTag(SystemInformation, " kdD");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path) {
driver->Flags |= 0x20;
driver->DriverUnload = DriverUnload;
PrintAllMoudleBySection(driver);
PrintAllMoudleByNtQuerySystemInformation();
DbgPrint("Hello Wolrd!\n");
return STATUS_SUCCESS;
}
```
页:
[1]