使用 NtQuerySystemInformation 检索已加载的模块列表，并从中搜索出 ntoskrnl.exe 模块
// Enumerates loaded kernel modules via NtQuerySystemInformation(SystemModuleInformation)
// and records the mapped base of the first entry. This listing starts mid-function: the
// enclosing signature is not visible, and the pModules buffer allocated below is not
// freed anywhere in view — the continuation after the last line must own that cleanup
// (confirm against the full function).
NTSTATUS Status;
PUCHAR BaseAddress = NULL;
NTSTATUS ntStatus;
PMODULES pModules;
ULONG NeededSize;
// Size probe: point pModules at its own storage so the first query is handed a dummy
// buffer whose declared length (4 bytes, below) is too small; the call is expected to
// fail with STATUS_INFO_LENGTH_MISMATCH and report the required size in NeededSize.
pModules = (PMODULES)&pModules;
// NOTE(review): Nt* entry points called from kernel mode keep the caller's previous
// mode; if this path can run on behalf of a user-mode request, the Zw* form is the
// usual choice — confirm how this function is reached.
ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, 4, &NeededSize);
if(ntStatus == STATUS_INFO_LENGTH_MISMATCH)
{
// NOTE(review): untagged ExAllocatePool; a tagged allocation keeps this pool usage
// attributable in pool-tracking diagnostics.
pModules = (PMODULES)ExAllocatePool(PagedPool, NeededSize);
if(!pModules)
return STATUS_INSUFFICIENT_RESOURCES;
// The second call passes NULL for the return length and does not retry: if the module
// list grew between the two calls, this returns STATUS_INFO_LENGTH_MISMATCH and the
// failure path below frees the buffer and propagates that status.
ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, NeededSize, NULL);
if(!NT_SUCCESS(ntStatus))
{
ExFreePool(pModules);
return ntStatus;
}
}
// Any other failure from the probe call ends here; nothing has been allocated yet.
if(!NT_SUCCESS(ntStatus))
{
return ntStatus;
}
// Entry 0 is taken unconditionally. The description above this listing says the goal is
// to locate ntoskrnl.exe, but no module-name comparison happens here — NOTE(review):
// confirm the continuation validates the name rather than relying on list ordering.
BaseAddress = (PUCHAR)pModules->smi.Module[0].MappedBase;