结构体如下:
/*
 * One entry of the SystemModuleInformation list returned by
 * ZwQuerySystemInformation. The field widths mirror the kernel's own
 * layout: pointer-sized members (HANDLE, PVOID) are 8 bytes on x64 and
 * 4 bytes on x86, so the same definition serves both architectures
 * (compare the `dt` output below).
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;              // Not filled in
    PVOID MappedBase;
    PVOID ImageBase;             // printed as "base" by GetNtosModuleInfo
    ULONG ImageSize;             // printed as "size" by GetNtosModuleInfo (4 bytes, not pointer-sized)
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;     // presumably the offset of the bare file name inside FullPathName -- confirm against the DDK
    UCHAR FullPathName[256];     // module path; printing it with %s assumes the kernel NUL-terminates it
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
/*
 * Header of the SystemModuleInformation buffer: a module count followed by
 * the entries. Modules[1] is the kernel's declaration of an open-ended
 * array; the buffer actually holds NumberOfModules entries, and on x64
 * Modules starts at offset 0x008 because of 8-byte alignment (see the
 * `dt` output below).
 */
typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;   // Must stay ULONG, not ULONG_PTR: on 64-bit that would read 8 bytes!
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
在X64下,被解释成:
kd> dt _RTL_PROCESS_MODULES
LoadKernel!_RTL_PROCESS_MODULES
0x000 NumberOfModules : Uint4B
0x008 Modules : [1] _RTL_PROCESS_MODULE_INFORMATION
kd> dt _RTL_PROCESS_MODULE_INFORMATION 0xfffffa80`0e5dd008
可以看出,虽然NumberOfModules只占4字节(Uint4B),但紧随其后的Modules在X64下会按8字节对齐(偏移0x008),在X86下则按4字节对齐:
kd> dt _RTL_PROCESS_MODULE_INFORMATION
LoadKernel!_RTL_PROCESS_MODULE_INFORMATION
0x000 Section : Ptr64 Void
0x008 MappedBase : Ptr64 Void
0x010 ImageBase : Ptr64 Void
0x018 ImageSize : Uint4B
0x01c Flags : Uint4B
0x020 LoadOrderIndex : Uint2B
0x022 InitOrderIndex : Uint2B
0x024 LoadCount : Uint2B
0x026 OffsetToFileName : Uint2B
0x028 FullPathName : [256] UChar
可以看出,PVOID、HANDLE在X64下被解释成Ptr64 Void(8字节),各字段偏移也随之变化
所以32位和64位可共用一套代码:
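/* Pool tag for the module-list buffer (shows up as "HGY0" in pool dumps). */
#define MODINFO_POOL_TAG '0YGH'

/* Bound on re-query attempts when the module list changes between the two calls. */
#define MODINFO_MAX_RETRIES 4

/*
 * Allocates a NonPagedPool buffer and fills it with a SystemModuleInformation
 * snapshot.
 *
 * ppsmi: receives the buffer on success (free with ExFreePoolWithTag and
 *        MODINFO_POOL_TAG); set to NULL on failure.
 * Returns the NTSTATUS of the last ZwQuerySystemInformation call, or
 * STATUS_INSUFFICIENT_RESOURCES if the allocation failed.
 * Must run at PASSIVE_LEVEL (ZwQuerySystemInformation requirement).
 */
static NTSTATUS QuerySystemModules(PRTL_PROCESS_MODULES *ppsmi)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    PRTL_PROCESS_MODULES psmi = NULL;
    ULONG ulSize = 0;
    ULONG ulRetry = 0;

    *ppsmi = NULL;

    /* With a NULL buffer the call only reports the required size in ulSize. */
    ntStatus = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &ulSize);
    if (STATUS_INFO_LENGTH_MISMATCH != ntStatus || 0 == ulSize)
    {
        /* Anything but "tell me the size" here is unexpected; never report success without a buffer. */
        return NT_SUCCESS(ntStatus) ? STATUS_UNSUCCESSFUL : ntStatus;
    }

    /*
     * A driver may load between the size query and the data query, in which
     * case the second call fails with STATUS_INFO_LENGTH_MISMATCH and a larger
     * ulSize. Re-allocate and retry a bounded number of times instead of giving up.
     */
    for (ulRetry = 0; ulRetry < MODINFO_MAX_RETRIES; ulRetry++)
    {
        psmi = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, ulSize, MODINFO_POOL_TAG);
        if (NULL == psmi)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        ntStatus = ZwQuerySystemInformation(SystemModuleInformation, psmi, ulSize, &ulSize);
        if (NT_SUCCESS(ntStatus))
        {
            *ppsmi = psmi;
            return ntStatus;
        }

        /* Release the undersized (or otherwise unusable) buffer before retrying. */
        ExFreePoolWithTag(psmi, MODINFO_POOL_TAG);
        psmi = NULL;

        if (STATUS_INFO_LENGTH_MISMATCH != ntStatus)
        {
            break;
        }
    }

    return ntStatus;
}

/*
 * Prints every loaded kernel module (index, image base, image size, path)
 * via KdPrint.
 *
 * Returns STATUS_SUCCESS when the module list was queried and printed,
 * otherwise the failing NTSTATUS (including the exception code if the walk
 * faulted). The buffer is always released before returning.
 * Must run at PASSIVE_LEVEL.
 */
NTSTATUS GetNtosModuleInfo(void)
{
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    PRTL_PROCESS_MODULES psmi = NULL;
    ULONG ulIndex = 0;

    __try
    {
        ntStatus = QuerySystemModules(&psmi);
        if (NT_SUCCESS(ntStatus))
        {
            for (ulIndex = 0; ulIndex < psmi->NumberOfModules; ulIndex++)
            {
                const RTL_PROCESS_MODULE_INFORMATION *pMod = &psmi->Modules[ulIndex];

                /*
                 * ImageSize is a ULONG (4 bytes): printing it with %p would make
                 * DbgPrint read a pointer-sized argument on x64 and misalign the
                 * remaining arguments. FullPathName is assumed NUL-terminated by
                 * the kernel.
                 */
                KdPrint(("[ModInfo]-nIndex:%lu--base:%p--size:0x%lX--name:%s\n",
                         ulIndex,
                         pMod->ImageBase,
                         pMod->ImageSize,
                         (PCSTR)pMod->FullPathName));
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Do not report success if the walk itself faulted. */
        ntStatus = GetExceptionCode();
    }

    if (NULL != psmi)
    {
        /* Pair the tagged allocation with a tagged free so pool tracking stays consistent. */
        ExFreePoolWithTag(psmi, MODINFO_POOL_TAG);
        psmi = NULL;
    }

    return ntStatus;
}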
结果如下: