Windows Kernel-X64X86(遍历模块示例)


结构体如下:

/*
 * One entry of the SystemModuleInformation result: describes a loaded kernel module.
 * The layout mirrors what the kernel writes (see the "dt" output below: on x64 the three
 * pointer fields are 8 bytes each and FullPathName starts at 0x28), so the fields must not
 * be reordered or retyped.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;				 // Not filled in
	PVOID MappedBase;
	PVOID ImageBase;			 // load address of the module (printed as "base" by GetNtosModuleInfo)
	ULONG ImageSize;			 // size in bytes; a 4-byte integer, not a pointer
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;	 // presumably the offset of the bare file name inside FullPathName; verify before use
	UCHAR  FullPathName[ 256 ];	 // ANSI path; nothing here guarantees a NUL terminator, so bound reads to 256 bytes
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
 
/*
 * Header of the SystemModuleInformation buffer: a count followed by a run of entries
 * (declared as [1]; the real number comes from NumberOfModules). On x64 the "dt" output
 * below shows Modules at offset 0x8 because the entry is 8-byte aligned.
 */
typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;// Note: do not write this as ULONG_PTR, otherwise it is read as 8 bytes on 64-bit!
	RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

在X64下,被解释成:

kd> dt _RTL_PROCESS_MODULES
LoadKernel!_RTL_PROCESS_MODULES
    0x000 NumberOfModules  : Uint4B
    0x008 Modules		  : [1] _RTL_PROCESS_MODULE_INFORMATION
kd> dt _RTL_PROCESS_MODULE_INFORMATION 0xfffffa80`0e5dd008

可以看出,虽然NumberOfModules是4字节的,但在X64下Modules会按8字节对齐,当然在X86下是4字节对齐:

kd> dt _RTL_PROCESS_MODULE_INFORMATION
LoadKernel!_RTL_PROCESS_MODULE_INFORMATION
    0x000 Section		  : Ptr64 Void
    0x008 MappedBase	   : Ptr64 Void
    0x010 ImageBase		: Ptr64 Void
    0x018 ImageSize		: Uint4B
    0x01c Flags			: Uint4B
    0x020 LoadOrderIndex   : Uint2B
    0x022 InitOrderIndex   : Uint2B
    0x024 LoadCount		: Uint2B
    0x026 OffsetToFileName : Uint2B
    0x028 FullPathName	 : [256] UChar

可以看出,PVOID、HANDLE在X64下被解释成Ptr64 Void(8字节)

所以32位和64位可共用一套代码:

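/*
 * Enumerates the loaded kernel modules via ZwQuerySystemInformation(SystemModuleInformation)
 * and prints the index, image base, image size and full path of each one with KdPrint.
 *
 * Returns STATUS_SUCCESS when the list was queried and printed; otherwise the failing
 * NTSTATUS (STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails, the exception
 * code when the query or the print loop raised). Like ZwQuerySystemInformation itself it
 * must run at PASSIVE_LEVEL. The buffer is owned and freed by this function.
 */
NTSTATUS GetNtosModuleInfo()
{
	NTSTATUS				ntStatus = STATUS_UNSUCCESSFUL;
	PRTL_PROCESS_MODULES	psmi = NULL;
	ULONG					ulSize = 0;			// bytes required / consumed, as reported by the kernel
	ULONG					ulIndex = 0;
	ULONG					ulRetry = 0;
	const ULONG				ulMaxRetries = 4;	// bound for the "size grew between calls" retry loop

	__try
	{
		do
		{
			// A NULL buffer with length 0 only asks for the required size.
			ntStatus = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &ulSize);
			if (STATUS_INFO_LENGTH_MISMATCH != ntStatus)
			{
				break;
			}

			// Another driver may load between the size query and the data query, so the
			// required size can grow and the second call can itself come back with
			// STATUS_INFO_LENGTH_MISMATCH; re-allocate with the new size a bounded number of times.
			for (ulRetry = 0; ulRetry < ulMaxRetries; ulRetry++)
			{
				psmi = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, ulSize, '0YGH');
				if (NULL == psmi)
				{
					ntStatus = STATUS_INSUFFICIENT_RESOURCES;
					break;
				}

				ntStatus = ZwQuerySystemInformation(SystemModuleInformation, psmi, ulSize, &ulSize);
				if (STATUS_INFO_LENGTH_MISMATCH != ntStatus)
				{
					break;
				}

				ExFreePoolWithTag(psmi, '0YGH');
				psmi = NULL;
			}

			// Covers allocation failure, exhausted retries and any other query error.
			if (STATUS_SUCCESS != ntStatus || NULL == psmi)
			{
				break;
			}

			// Do not trust NumberOfModules blindly: make sure that many entries actually
			// fit in the buffer the kernel filled, so the print loop cannot read past it.
			if (ulSize < FIELD_OFFSET(RTL_PROCESS_MODULES, Modules) ||
				(ULONGLONG)psmi->NumberOfModules * sizeof(RTL_PROCESS_MODULE_INFORMATION) >
					ulSize - FIELD_OFFSET(RTL_PROCESS_MODULES, Modules))
			{
				ntStatus = STATUS_UNSUCCESSFUL;
				break;
			}

			// Walk and print every entry. ImageSize is a ULONG, so it is printed as an
			// integer rather than with %p; the %.*s precision bounds the read of
			// FullPathName to the array instead of relying on a NUL terminator.
			for (ulIndex = 0; ulIndex < psmi->NumberOfModules; ulIndex++)
			{
				KdPrint(("[ModInfo]-nIndex:%u--base:%p--size:0x%X--name:%.*s\n",
					ulIndex,
					psmi->Modules[ulIndex].ImageBase,
					psmi->Modules[ulIndex].ImageSize,
					(int)sizeof(psmi->Modules[ulIndex].FullPathName),
					psmi->Modules[ulIndex].FullPathName));
			}

		} while (FALSE);

	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		// Surface the fault instead of returning whatever status the last call left behind.
		ntStatus = GetExceptionCode();
	}

	// Release with the same tag used for allocation so pool tracking stays consistent.
	if (NULL != psmi)
	{
		ExFreePoolWithTag(psmi, '0YGH');
		psmi = NULL;
	}

	return ntStatus;
}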

结果如下:
