-
附另两种方法链接:
Windows驱动开发学习记录-遍历内核已加载模块之一(使用DriverSection)
Windows驱动开发学习记录-遍历内核已加载模块之三(使用 AuxKlib)
1.原型
NTSTATUS ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
- SystemInformationClass 查询的系统信息类型,之后给出。遍历模块为 SystemModuleInformation,值11
- SystemInformation 返回结果的缓冲区
- SystemInformationLength 第二个参数缓冲区的大小
- ReturnLength 实际返回的大小
使用时调用两次该函数,第一次SystemInformationLength传0,返回的ReturnLength为结果大小,再根据此大小分配内存空间,再次调用。
2.SYSTEM_INFORMATION_CLASS类型
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0
SystemProcessorInformation, // 1
SystemPerformanceInformation, // 2
SystemTimeOfDayInformation, // 3
SystemPathInformation, // 4
SystemProcessInformation, //5
SystemCallCountInformation, // 6
SystemDeviceInformation, // 7
SystemProcessorPerformanceInformation, // 8
SystemFlagsInformation, // 9
SystemCallTimeInformation, // 10
SystemModuleInformation, // 11
SystemLocksInformation, // 12
SystemStackTraceInformation, // 13
SystemPagedPoolInformation, // 14
SystemNonPagedPoolInformation, // 15
SystemHandleInformation, // 16
SystemObjectInformation, // 17
SystemPageFileInformation, // 18
SystemVdmInstemulInformation, // 19
SystemVdmBopInformation, // 20
SystemFileCacheInformation, // 21
SystemPoolTagInformation, // 22
SystemInterruptInformation, // 23
SystemDpcBehaviorInformation, // 24
SystemFullMemoryInformation, // 25
SystemLoadGdiDriverInformation, // 26
SystemUnloadGdiDriverInformation, // 27
SystemTimeAdjustmentInformation, // 28
SystemSummaryMemoryInformation, // 29
SystemMirrorMemoryInformation, // 30
SystemPerformanceTraceInformation, // 31
SystemObsolete0, // 32
SystemExceptionInformation, // 33
SystemCrashDumpStateInformation, // 34
SystemKernelDebuggerInformation, // 35
SystemContextSwitchInformation, // 36
SystemRegistryQuotaInformation, // 37
SystemExtendServiceTableInformation, // 38
SystemPrioritySeperation, // 39
SystemVerifierAddDriverInformation, // 40
SystemVerifierRemoveDriverInformation, // 41
SystemProcessorIdleInformation, // 42
SystemLegacyDriverInformation, // 43
SystemCurrentTimeZoneInformation, // 44
SystemLookasideInformation, // 45
SystemTimeSlipNotification, // 46
SystemSessionCreate, // 47
SystemSessionDetach, // 48
SystemSessionInformation, // 49
SystemRangeStartInformation, // 50
SystemVerifierInformation, // 51
SystemVerifierThunkExtend, // 52
SystemSessionProcessInformation, // 53
SystemLoadGdiDriverInSystemSpace, // 54
SystemNumaProcessorMap, // 55
SystemPrefetcherInformation, // 56
SystemExtendedProcessInformation, // 57
SystemRecommendedSharedDataAlignment, // 58
SystemComPlusPackage, // 59
SystemNumaAvailableMemory, // 60
SystemProcessorPowerInformation, // 61
SystemEmulationBasicInformation, // 62
SystemEmulationProcessorInformation, // 63
SystemExtendedHandleInformation, // 64
SystemLostDelayedWriteInformation, // 65
SystemBigPoolInformation, // 66
SystemSessionPoolTagInformation, // 67
SystemSessionMappedViewInformation, // 68
SystemHotpatchInformation, // 69
SystemObjectSecurityMode, // 70
SystemWatchdogTimerHandler, // 71
SystemWatchdogTimerInformation, // 72
SystemLogicalProcessorInformation, // 73
SystemWow64SharedInformation, // 74
SystemRegisterFirmwareTableInformationHandler, // 75
SystemFirmwareTableInformation, // 76
SystemModuleInformationEx, // 77
SystemVerifierTriageInformation, // 78
SystemSuperfetchInformation, // 79
SystemMemoryListInformation, // 80
SystemFileCacheInformationEx, // 81
MaxSystemInfoClass //82
} SYSTEM_INFORMATION_CLASS;我们使用的是第11号功能SystemModuleInformation。
3.返回数据类型 _SYSTEM_MODULE_INFORMATION
64位环境下和32位环境下结构体不一样。
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY64 {
ULONG Reserved[4];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY64, *PSYSTEM_MODULE_INFORMATION_ENTRY64;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY32 {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY32, * PSYSTEM_MODULE_INFORMATION_ENTRY32;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;//内核中以加载的模块的个数
#ifdef _AMD64_
SYSTEM_MODULE_INFORMATION_ENTRY64 Module[1];
#else
SYSTEM_MODULE_INFORMATION_ENTRY32 Module[1];
#endif
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;4.实现
- .h文件
typedef enum
{
MmTagTypeZQSI = 'ISQZ', //ZwQuerySystemInformation
}MmTagType;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemModuleInformation = 11
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY64 {
ULONG Reserved[4];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY64, *PSYSTEM_MODULE_INFORMATION_ENTRY64;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY32 {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY32, * PSYSTEM_MODULE_INFORMATION_ENTRY32;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;//内核中以加载的模块的个数
#ifdef _AMD64_
SYSTEM_MODULE_INFORMATION_ENTRY64 Module[1];
#else
SYSTEM_MODULE_INFORMATION_ENTRY32 Module[1];
#endif
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
- .C文件
NTSTATUS PrintAllLoadedMoudleByZwQuerySystemInformation()
{
ULONG ulInfoLength = 0;
PVOID pBuffer = NULL;
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
KDPRINT("【PrintLoadedModule】::【PrintAllLoadedMoudleByZwQuerySystemInformation】Enter.....\r\n");
do
{
ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
NULL,
NULL,
&ulInfoLength);
if ((ntStatus == STATUS_INFO_LENGTH_MISMATCH))
{
pBuffer = ExAllocatePoolWithTag(PagedPool, ulInfoLength, MmTagTypeZQSI);
if (pBuffer == NULL)
{
KDPRINT("【PrintLoadedModule】::【PrintAllLoadedMoudleByZwQuerySystemInformation】Allocate Memory Failed\r\n");
break;
}
ntStatus = ZwQuerySystemInformation(SystemModuleInformation,
pBuffer,
ulInfoLength,
&ulInfoLength);
if (!NT_SUCCESS(ntStatus))
{
KDPRINT("【PrintLoadedModule】::【PrintAllLoadedMoudleByZwQuerySystemInformation】ZwQuerySystemInformation Failed\r\n");
break;
}
PSYSTEM_MODULE_INFORMATION pModuleInformation = (PSYSTEM_MODULE_INFORMATION)pBuffer;
if(pModuleInformation)
{
for (ULONG i = 0; i < pModuleInformation->Count; i++)
{
KDPRINT("【PrintLoadedModule】::【PrintAllLoadedMoudleByZwQuerySystemInformation】Image:%-50s\t\tBase:0x%p\r\n",
pModuleInformation->Module[i].ImageName, pModuleInformation->Module[i].Base);
}
KDPRINT("【PrintLoadedModule】::【PrintAllLoadedMoudleByZwQuerySystemInformation】共计%d个内核模块!\r\n", pModuleInformation->Count);
}
ntStatus = STATUS_SUCCESS;
}
} while (false);
if (pBuffer)
{
ExFreePoolWithTag(pBuffer, MmTagTypeZQSI);
}
return ntStatus;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,
PUNICODE_STRING pRegistryPath)
{
UNREFERENCED_PARAMETER(pDriverObject);
UNREFERENCED_PARAMETER(pRegistryPath);
PrintAllLoadedMoudleByZwQuerySystemInformation();
return STATUS_SUCCESS;
}5.运行结果
XP 32位:
Win7 64位:
791
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
