win10 C++ 内核中遍历内核模块源码
win10 C++ 内核中遍历内核模块源码
下面直接放相关代码:
#include <ntifs.h>
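/*
 * Resolve the image base of a loaded kernel module by its file name
 * (BaseDllName, e.g. L"ntoskrnl.exe") by walking the load-order list that
 * the caller's own LDR_DATA_TABLE_ENTRY is linked into.
 *
 * pDriver    - the caller's driver object; its DriverSection is the caller's
 *              own loader entry and is used as the anchor of the walk.
 * moduleName - module file name to look for; compared case-insensitively.
 *
 * Returns the matching entry's DllBase as a LONGLONG, or 0 when nothing
 * matches or pDriver / DriverSection is NULL.
 *
 * NOTE(review): the list is walked without PsLoadedModuleResource (not
 * exported to third-party drivers), so a concurrent module unload can free a
 * node mid-walk. Call this only where that cannot happen (e.g. from
 * DriverEntry) or accept the race. The list head (PsLoadedModuleList) is a
 * bare LIST_ENTRY, not a real loader entry; the Buffer/Length check below is
 * the heuristic used to skip it and is not a hard guarantee.
 */
LONGLONG mGetModuleBaseByName(PDRIVER_OBJECT pDriver, UNICODE_STRING moduleName)
{
    if (pDriver == nullptr || pDriver->DriverSection == nullptr)
    {
        return 0;
    }

    PLDR_DATA_TABLE_ENTRY pSelf = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
    PLIST_ENTRY pAnchor = &pSelf->InLoadOrderLinks;
    PLIST_ENTRY pEntry = pAnchor;

    // Visit every node exactly once, including our own entry. The original
    // anchored one node past DriverSection and stopped on it, so that module
    // was never examined.
    do
    {
        PLDR_DATA_TABLE_ENTRY pModule =
            CONTAINING_RECORD(pEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        if (pModule->BaseDllName.Buffer != nullptr && pModule->BaseDllName.Length != 0)
        {
            // %wZ consumes a PUNICODE_STRING; the original passed the struct
            // by value, which is a format/argument mismatch.
            DbgPrintEx(0, 77, "ModuleName:%wZ", &pModule->BaseDllName);

            if (RtlCompareUnicodeString(&pModule->BaseDllName, &moduleName, TRUE) == 0)
            {
                return (LONGLONG)(ULONG_PTR)pModule->DllBase;
            }
        }

        pEntry = pEntry->Flink;
    } while (pEntry != nullptr && pEntry != pAnchor);

    return 0;
}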
// Driver unload callback. There is nothing to tear down: this sample creates
// no device objects, allocations or registered callbacks.
void UnDriverLoad(DRIVER_OBJECT* pDriver)
{
    (void)pDriver;
}
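/*
 * Driver entry point: registers the unload routine and runs the module
 * enumeration once. DriverEntry executes at PASSIVE_LEVEL while this driver
 * is being loaded, which is the least racy place to walk the loader list
 * without PsLoadedModuleResource.
 *
 * Returns STATUS_SUCCESS unconditionally; the lookup result is only logged.
 */
extern "C" NTSTATUS DriverEntry(DRIVER_OBJECT* pDriver, UNICODE_STRING* pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);

    pDriver->DriverUnload = UnDriverLoad;

    // Placeholder from the original sample: an empty name matches nothing
    // useful. Substitute a real BaseDllName such as L"ntoskrnl.exe" to test.
    UNICODE_STRING mName = RTL_CONSTANT_STRING(L"");

    // The original discarded the return value; log it so the demo is
    // observable in the debugger (0 means "not found").
    LONGLONG base = mGetModuleBaseByName(pDriver, mName);
    DbgPrintEx(0, 77, "ModuleBase:%llx", base);

    return STATUS_SUCCESS;
}
学习了。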