遍历进程模块 获取进程DLL 基地址

#include"标头.h"
#define  POINTER ULONG
#define PEB_OFFSET_IN_EPROCESS   0x3f8
#define LDR_OFFSET_IN_PEB  0x18
#define InLoadOrderModuleList_OFFSET 0x010
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY64    InLoadOrderLinks;
    LIST_ENTRY64    InMemoryOrderLinks;
    LIST_ENTRY64    InInitializationOrderLinks;
    PVOID            DllBase;
    PVOID            EntryPoint;
    ULONG            SizeOfImage;
    UNICODE_STRING    FullDllName;
    UNICODE_STRING     BaseDllName;
    ULONG            Flags;
    USHORT            LoadCount;
    USHORT            TlsIndex;
    PVOID            SectionPointer;
    ULONG            CheckSum;
    PVOID            LoadedImports;
    PVOID            EntryPointActivationContext;
    PVOID            PatchInformation;
    LIST_ENTRY64    ForwarderLinks;
    LIST_ENTRY64    ServiceTagLinks;
    LIST_ENTRY64    StaticLinks;
    PVOID            ContextInformation;
    ULONG64            OriginalBase;
    LARGE_INTEGER    LoadTime;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;



VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
    DbgPrint("已卸载!\n");
}

typedef struct _KAPC_STATE_t
{
    LIST_ENTRY ApcListHead[2];
    PKPROCESS Process;
    UCHAR KernelApcInProgress;
    UCHAR KernelApcPending;
    UCHAR UserApcPending;
} KAPC_STATE_t, * PKAPC_STATE_t;

PEPROCESS LookupProcess(HANDLE hPid)
{
    PEPROCESS eproc = NULL;
    if (NT_SUCCESS(PsLookupProcessByProcessId(hPid, &eproc)))
    {
        return eproc;
    }
    return NULL;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) {

    DbgPrint("启动!\n");
    pDriverObject->DriverUnload = DriverUnload;
    KAPC_STATE_t  ks;
    UNICODE_STRING UnicodeString2;
    RtlInitUnicodeString(&UnicodeString2, L"ntdll.dll");
    PEPROCESS    Eprocess = LookupProcess((HANDLE)3212);
    if (Eprocess == NULL)
    {
        DbgPrint("Eprocess 获取失败");
        return STATUS_SUCCESS;
    }
    __try {
        ULONG64  peb = *(PULONG64)((ULONG64)Eprocess + PEB_OFFSET_IN_EPROCESS);
       KeStackAttachProcess(Eprocess, &ks);
       ULONG64 idr  = *(PULONG64)(peb + LDR_OFFSET_IN_PEB);
      PLIST_ENTRY  pListHead = (idr + InLoadOrderModuleList_OFFSET);
      PLIST_ENTRY pMod = pListHead->Flink;   //下一个链表
     while (pMod!=pListHead)
     {


         PCUNICODE_STRING name = &(((PLDR_DATA_TABLE_ENTRY)pMod)->BaseDllName);

         if (RtlEqualUnicodeString(name, &UnicodeString2, TRUE))
         {
             DbgPrint("name = %wZ\n  Base= %p", name, (PVOID)(((PLDR_DATA_TABLE_ENTRY)pMod)->DllBase));


         }

      pMod = pMod->Flink;
     }

    }
    __except(EXCEPTION_EXECUTE_HANDLER){

        DbgPrint("EXCEPTION_EXECUTE_HANDLER is occure...\n");

    }

    KeUnstackDetachProcess(&ks);


    return STATUS_SUCCESS;
}

 

遍历进程模块 获取进程DLL 基地址

上一篇:shell规范


下一篇:Linux常用别名设置