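#include"标头.h"

/*
 * Demonstration driver: attaches to a fixed target process, walks the
 * process's user-mode loader list (PEB -> PEB_LDR_DATA ->
 * InLoadOrderModuleList) and prints the base address of ntdll.dll.
 *
 * Layout assumptions (x64 only): the PEB_LDR_DATA pointer is at offset 0x18 of
 * the PEB and InLoadOrderModuleList at offset 0x10 of PEB_LDR_DATA.  The
 * EPROCESS->Peb offset, by contrast, moves between Windows builds, so it is no
 * longer hard-coded; the PEB pointer is obtained from PsGetProcessPeb().
 *
 * Everything below the PEB lives in user memory that the target process
 * controls.  A hostile target can point Flink/Buffer at kernel addresses or
 * splice the list into a cycle, so every pointer is probed before use, the
 * walk is bounded, and the whole traversal runs inside __try/__except.
 */
#define LDR_OFFSET_IN_PEB               0x18
#define InLoadOrderModuleList_OFFSET    0x010

/* Hard-coded demo target; a real driver would take the PID from an IOCTL. */
#define TARGET_PID                      ((HANDLE)3212)

/* Upper bound on loader-list entries visited (defends against a cyclic list). */
#define MAX_LDR_ENTRIES                 1024

/* Exported by ntoskrnl but not declared in the public WDK headers.  Drop this
 * declaration if 标头.h (or an included header) already provides one. */
NTKERNELAPI PVOID NTAPI PsGetProcessPeb(PEPROCESS Process);

/* User-mode LDR_DATA_TABLE_ENTRY, 64-bit layout (8-byte pointers assumed). */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY      InLoadOrderLinks;
    LIST_ENTRY      InMemoryOrderLinks;
    LIST_ENTRY      InInitializationOrderLinks;
    PVOID           DllBase;
    PVOID           EntryPoint;
    ULONG           SizeOfImage;
    UNICODE_STRING  FullDllName;
    UNICODE_STRING  BaseDllName;
    ULONG           Flags;
    USHORT          LoadCount;
    USHORT          TlsIndex;
    PVOID           SectionPointer;
    ULONG           CheckSum;
    PVOID           LoadedImports;
    PVOID           EntryPointActivationContext;
    PVOID           PatchInformation;
    LIST_ENTRY      ForwarderLinks;
    LIST_ENTRY      ServiceTagLinks;
    LIST_ENTRY      StaticLinks;
    PVOID           ContextInformation;
    ULONG64         OriginalBase;
    LARGE_INTEGER   LoadTime;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

/* Unload callback: nothing to tear down, the driver owns no resources. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("已卸载!\n");
}

/*
 * Resolve a PID to its EPROCESS.
 *
 * Returns a *referenced* EPROCESS, or NULL if the PID does not exist.  The
 * caller must release it with ObDereferenceObject(); forgetting to do so pins
 * the process object in memory for the lifetime of the system.
 */
PEPROCESS LookupProcess(HANDLE hPid)
{
    PEPROCESS eproc = NULL;

    if (!NT_SUCCESS(PsLookupProcessByProcessId(hPid, &eproc))) {
        return NULL;
    }
    return eproc;
}

/*
 * Walk the attached process's InLoadOrderModuleList and print the base of
 * every module whose BaseDllName equals moduleName (case-insensitive).
 *
 * Preconditions: caller is attached to the target (KeStackAttachProcess) and
 * invokes this from inside a __try block.  Every pointer read here comes from
 * user memory under the target's control, so each one is ProbeForRead()'d
 * (which raises on a kernel-space address) and the walk is capped at
 * MAX_LDR_ENTRIES.  Strings are copied to a local before the Buffer is probed
 * so the target cannot change Length/Buffer between the check and the use.
 */
static VOID PrintModuleBase(PVOID peb, PCUNICODE_STRING moduleName)
{
    ULONG_PTR pebAddr = (ULONG_PTR)peb;

    ProbeForRead((PVOID)(pebAddr + LDR_OFFSET_IN_PEB), sizeof(PVOID), sizeof(PVOID));
    ULONG_PTR ldr = *(PULONG_PTR)(pebAddr + LDR_OFFSET_IN_PEB);
    if (ldr == 0) {
        return; /* loader data not yet initialised */
    }

    PLIST_ENTRY listHead = (PLIST_ENTRY)(ldr + InLoadOrderModuleList_OFFSET);
    ProbeForRead(listHead, sizeof(LIST_ENTRY), sizeof(PVOID));
    PLIST_ENTRY cur = listHead->Flink;

    for (ULONG visited = 0;
         cur != NULL && cur != listHead && visited < MAX_LDR_ENTRIES;
         ++visited) {
        /* InLoadOrderLinks is the first member, so this equals the raw cast
         * the original code used; CONTAINING_RECORD just makes that explicit. */
        PLDR_DATA_TABLE_ENTRY entry =
            CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        ProbeForRead(entry, sizeof(LDR_DATA_TABLE_ENTRY), sizeof(PVOID));

        UNICODE_STRING name = entry->BaseDllName; /* snapshot: no TOCTOU on Buffer/Length */
        if (name.Buffer != NULL && name.Length != 0) {
            ProbeForRead(name.Buffer, name.Length, sizeof(WCHAR));
            if (RtlEqualUnicodeString(&name, moduleName, TRUE)) {
                DbgPrint("name = %wZ\n Base= %p", &name, entry->DllBase);
            }
        }
        cur = entry->InLoadOrderLinks.Flink;
    }
}

/*
 * Driver entry point.
 *
 * Looks up TARGET_PID, attaches to it and prints where ntdll.dll is mapped.
 * Always returns STATUS_SUCCESS (even when the target is missing) so the
 * driver stays loaded and the DbgPrint output can be observed; the process
 * reference taken by LookupProcess is released on every path.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);

    DbgPrint("启动!\n");
    pDriverObject->DriverUnload = DriverUnload;

    UNICODE_STRING ntdllName;
    RtlInitUnicodeString(&ntdllName, L"ntdll.dll");

    PEPROCESS target = LookupProcess(TARGET_PID);
    if (target == NULL) {
        DbgPrint("Eprocess 获取失败");
        return STATUS_SUCCESS;
    }

    /* Build-independent replacement for the old EPROCESS+0x3f8 read.  NULL for
     * the System process, minimal processes, or a process still being created. */
    PVOID peb = PsGetProcessPeb(target);
    if (peb == NULL) {
        DbgPrint("target has no PEB\n");
        ObDereferenceObject(target);
        return STATUS_SUCCESS;
    }

    /* Use the WDK's KAPC_STATE rather than a hand-rolled copy of it: the
     * kernel writes into this structure and its layout is not ours to define. */
    KAPC_STATE apcState;
    KeStackAttachProcess(target, &apcState);
    __try {
        PrintModuleBase(peb, &ntdllName);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Raised by ProbeForRead (kernel-space pointer) or by a fault on an
         * unmapped user page; either way the target's memory is untrustworthy. */
        DbgPrint("EXCEPTION_EXECUTE_HANDLER is occure...\n");
    }
    /* Detach only after a successful attach; the old code could reach the
     * detach with an uninitialised APC state if the PEB read faulted first. */
    KeUnstackDetachProcess(&apcState);

    ObDereferenceObject(target);
    return STATUS_SUCCESS;
}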