/*
ZwQuerySystemInformation这个函数在应用层也可以使用,功能十分强大,以前是未公开的,现在是半公开的,因为内核中没有这个函数的声明.
本文修改自kmdkit的第六篇教程.以前把c/c++改为asm,现在是把asm改为c/c++.
看似简单的一个事情,费了我一天的时间.
win 7 32测试通过.
made at 2012.06.23
*/
#include <ntddk.h>
//下面的结构摘自:http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/SYSTEM_INFORMATION_CLASS.html
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation1,//提示重复定义,后面加一个1.
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
//摘自微软:http://msdn.microsoft.com/en-us/library/windows/desktop/ms725506(v=vs.85).aspx
//NTSTATUS NTAPI ZwQuerySystemInformation( //WINAPI改为NTAPI或者去掉编译没有问题.
// __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
// __inout PVOID SystemInformation,
// __in ULONG SystemInformationLength,
// __out_opt PULONG ReturnLength
// );
//下面的摘自:http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/NtQuerySystemInformation.html
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(//把Nt修改为Zw.
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
//未公开的结构,搜索自网络:http://alter.org.ua/docs/nt_kernel/procaddr/#samples, kmdkit也有.
//与http://undocumented.ntinternals.net/UserMode/Structures/SYSTEM_MODULE_INFORMATION.html的不同.
//typedef struct _SYSTEM_MODULE_INFORMATION {
// ULONG ModulesCount;
// SYSTEM_MODULE Modules[0];
//} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef struct SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
VOID Unload(PDRIVER_OBJECT DriverObject){}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING pRegistryPath)
{
ULONG cb = 0;
PSYSTEM_MODULE_INFORMATION p;
PVOID p0;
int dwNumModules;
int i;
LPSTR name;
_asm int 3
DriverObject->DriverUnload = Unload; //写在前面是确保顺利卸载.
ZwQuerySystemInformation(11,& p, 0, & cb);//#define SystemModuleInformation 11
if (cb == 0) return 0;
p = (PSYSTEM_MODULE_INFORMATION)ExAllocatePool( PagedPool, cb);
if (p == 0) return 0;
p0 = (PVOID)p;//这两个变量定义的别扭,但可以使用.
if (ZwQuerySystemInformation(11, p, cb, & cb) != 0)
{
ExFreePool( p);
return 0;
}
dwNumModules = *(int *) p;
(int *) p += 1;//指针加4个字节.
for (i = 0;i<dwNumModules;i++)
{
name = (LPSTR)(p->ImageName + p->ModuleNameOffset);
if (_strnicmp(name,"ntoskrnl.exe",strlen("ntoskrnl.exe")) == 0)
{//If your system has PAE - "ntkrnlpa.exe"
DbgPrint("%s base: %08X size: %08X\n",name,p->Base,p->Size);
}
if (_strnicmp(name,"ntkrnlpa.exe",strlen("ntkrnlpa.exe")) == 0)
{//; If you have multiprocessor system use "ntkrnlmp.exe".
DbgPrint("%s base: %08X size: %08X\n",name,p->Base,p->Size);
}
if (_strnicmp(name,"ntkrpamp.exe",strlen("ntkrpamp.exe")) == 0)
{//Multiprocessor + PAE - "ntkrpamp.exe"
DbgPrint("%s base: %08X size: %08X\n",name,p->Base,p->Size);
}
//ntice.sys,不知道啥玩意,不显示了.
DbgPrint("%s base: %08X size: %08X\n",name,p->Base,p->Size);//我要看看全部的是啥玩意.
(unsigned char *)p += sizeof (SYSTEM_MODULE_INFORMATION);
}
ExFreePool( p0);
return STATUS_SUCCESS;
//返回STATUS_DEVICE_CONFIGURATION_ERROR,也加载成功,也不需要卸载函数了,也能再次加载.
}
//made by correy
没有评论:
发表评论