如何列出系统的所有模块(不是我自己进程的模块)?


我想列出系统中加载的所有模块。下面的代码只能列出我自己进程中加载的模块。那么,应如何修改这段代码才能枚举整个系统的模块(包括 ntoskrnl.exe 和 win32k.sys)?谢谢你。


#include <stdio.h>
#include <conio.h>
#include <Windows.h>
#include <winternl.h>

#pragma comment(lib,"ntdll.lib")

/* One entry of the SystemModuleInformation list.  winternl.h does not declare
 * this layout, so it is reproduced here; the field order and sizes must match
 * what the kernel writes.  The code below treats FullPathName as a
 * NUL-terminated string and reads the bare file name at
 * FullPathName + OffsetToFileName. */
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;             /* section object of the image (not used by main below) */
    PVOID MappedBase;
    PVOID ImageBase;            /* address the module is loaded at ("Image base" in the output) */
    ULONG ImageSize;            /* size of the image in bytes ("Image size" in the output) */
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;    /* byte offset of the file name inside FullPathName */
    UCHAR FullPathName[256];    /* full path; fixed 256-byte array, not a pointer */
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/* Header of the buffer filled by NtQuerySystemInformation(SystemModuleInformation).
 * Modules is declared with a single element in the classic Windows style; the
 * kernel actually writes NumberOfModules consecutive entries, so the caller must
 * provide a buffer large enough for all of them and index past element 0. */
typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;                     /* number of valid entries in Modules[] */
    RTL_PROCESS_MODULE_INFORMATION Modules[1]; /* first of NumberOfModules inline entries */
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

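/* NtQuerySystemInformation reports a too-small buffer with this status and
 * stores the needed size in ReturnLength.  ntstatus.h is not pulled in by
 * Windows.h, so define it here if the build does not already have it. */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/*
 * List every module loaded system-wide (SystemModuleInformation: the kernel
 * image and drivers, not just this process) and print, for each, its image
 * base, file name, full path and size.
 *
 * Instead of guessing a fixed 1 MiB buffer, the required size is asked from
 * the kernel first and the query is retried a bounded number of times if a
 * module is loaded between the two calls.
 *
 * Returns 0 on success, -1 if the buffer could not be allocated or the query
 * failed.  getch() at the end keeps the console window open.
 */
int main(void)
{
    /* winternl.h does not name this enumerator; 11 is SystemModuleInformation. */
    const SYSTEM_INFORMATION_CLASS moduleInfoClass = (SYSTEM_INFORMATION_CLASS)11;
    const ULONG fallbackSize = 1024 * 1024;   /* used only if the size probe reports nothing */
    const int maxAttempts = 4;                /* growth retries before giving up */

    PRTL_PROCESS_MODULES ModuleInfo = NULL;
    NTSTATUS status;
    ULONG bufferSize;
    ULONG returnLength = 0;
    ULONG i;
    int attempt;

    /* Size probe: with a NULL buffer the call fails with
     * STATUS_INFO_LENGTH_MISMATCH and fills returnLength. */
    status = NtQuerySystemInformation(moduleInfoClass, NULL, 0, &returnLength);
    bufferSize = returnLength != 0 ? returnLength : fallbackSize;

    for (attempt = 0; ; attempt++)
    {
        ModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, bufferSize,
                                                        MEM_COMMIT | MEM_RESERVE,
                                                        PAGE_READWRITE);
        if (!ModuleInfo)
        {
            /* GetLastError returns a DWORD; print it with a matching specifier. */
            printf("\nUnable to allocate memory for module list (%lu)\n",
                   (unsigned long)GetLastError());
            return -1;
        }

        status = NtQuerySystemInformation(moduleInfoClass, ModuleInfo, bufferSize, &returnLength);
        if (status != STATUS_INFO_LENGTH_MISMATCH || attempt + 1 >= maxAttempts)
        {
            break;
        }

        /* A driver loaded between the probe and the query; release and grow. */
        VirtualFree(ModuleInfo, 0, MEM_RELEASE);
        ModuleInfo = NULL;
        bufferSize = returnLength > bufferSize ? returnLength : bufferSize * 2;
    }

    if (!NT_SUCCESS(status))
    {
        /* NTSTATUS is a 32-bit LONG; cast so %lx is well-defined. */
        printf("\nError: Unable to query module list (%#lx)\n", (unsigned long)status);
        VirtualFree(ModuleInfo, 0, MEM_RELEASE);
        return -1;
    }

    for (i = 0; i < ModuleInfo->NumberOfModules; i++)
    {
        const RTL_PROCESS_MODULE_INFORMATION *m = &ModuleInfo->Modules[i];
        const char *fullPath = (const char *)m->FullPathName;
        /* OffsetToFileName is data from outside this program; clamp it so the
         * derived pointer never leaves the 256-byte array. */
        USHORT nameOffset = m->OffsetToFileName < sizeof m->FullPathName ? m->OffsetToFileName : 0;
        /* Precision bounds the read even if the array is not NUL-terminated. */
        int nameLimit = (int)(sizeof m->FullPathName - nameOffset);

        printf("\n*****************************************************\n");
        printf("\nImage base: %p\n", m->ImageBase);
        printf("\nImage name: %.*s\n", nameLimit, fullPath + nameOffset);
        printf("\nImage full path: %.*s\n", (int)sizeof m->FullPathName, fullPath);
        printf("\nImage size: %lu\n", (unsigned long)m->ImageSize);
        printf("\n*****************************************************\n");
    }

    VirtualFree(ModuleInfo, 0, MEM_RELEASE);
    ModuleInfo = NULL;

    getch();
    return 0;
}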

可行的代码(依赖 https://github.com/winsiderss/systeminformer 提供的 phnt 头文件):

#define PHNT_VERSION PHNT_WIN11_23H2
#define WINDOWS_IGNORE_PACKING_MISMATCH
#include <phnt_windows.h>
#include <phnt.h>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include "ntmmapi.h"


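// Prints one table row for a module: image base, image size, file name, full
// path.  The tab padding after the name keeps the path column roughly aligned
// (tab stops every 8 columns) for names shorter than 24 characters.
static void PrintModuleRow(const RTL_PROCESS_MODULE_INFORMATION& Module)
{
    const char* FullPath = reinterpret_cast<const char*>(Module.FullPathName);

    // OffsetToFileName is supplied by the kernel; clamp it so the derived
    // pointer stays inside the 256-byte FullPathName array.
    const size_t NameOffset =
        Module.OffsetToFileName < sizeof Module.FullPathName ? Module.OffsetToFileName : 0;
    const char*  PathName    = FullPath + NameOffset;
    const size_t PathNameLen = strnlen(PathName, sizeof Module.FullPathName - NameOffset);

    printf("%p\t", Module.ImageBase);
    printf("%lx\t", (unsigned long)Module.ImageSize);           // ULONG -> %lx
    printf("%.*s\t", (int)PathNameLen, PathName);               // bounded read

    // Same ladder as before: >=24 chars -> 0 tabs, >=16 -> 1, >=8 -> 2, else 3.
    const size_t Tabs = 3 - (PathNameLen / 8 < 3 ? PathNameLen / 8 : 3);
    for (size_t t = 0; t < Tabs; t++)
    {
        printf("\t");
    }

    printf("%.*s\n", (int)sizeof Module.FullPathName, FullPath);
}

// Enumerates every kernel-mode module loaded on the system through
// NtQuerySystemInformation(SystemModuleInformation) and prints one row per
// module.
//
// The required buffer size is queried first; because a driver can load between
// that probe and the real query, the query is retried a bounded number of times
// when the kernel answers STATUS_INFO_LENGTH_MISMATCH.
//
// Returns EXIT_SUCCESS when the list was printed and EXIT_FAILURE when the
// buffer could not be allocated or the query failed (the earlier TRUE/FALSE
// returns inverted the process exit status).
//
// TODO: enumerate the sections of each module via NtOpenSection/NtQuerySection
// on RTL_PROCESS_MODULE_INFORMATION::Section.
int main()
{
    const ULONG FallbackBufferSize = 1024 * 1024;   // only if the size probe reports 0
    const int   MaxAttempts        = 4;

    NTSTATUS             Status                  = 0;
    PRTL_PROCESS_MODULES ModulesInfo             = nullptr;
    ULONG                SysModuleInfoBufferSize = 0;
    ULONG                ReturnLength            = 0;

    //
    // Get required size of "RTL_PROCESS_MODULES" buffer: with a null buffer the
    // call fails with STATUS_INFO_LENGTH_MISMATCH and fills ReturnLength.
    //
    NtQuerySystemInformation(SystemModuleInformation, nullptr, 0, &ReturnLength);
    SysModuleInfoBufferSize = ReturnLength != 0 ? ReturnLength : FallbackBufferSize;

    for (int Attempt = 0; ; Attempt++)
    {
        ModulesInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(
            nullptr,
            SysModuleInfoBufferSize,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE);

        if (!ModulesInfo)
        {
            // GetLastError returns a DWORD (unsigned long).
            printf("err, unable to allocate memory for module list (%lx)\n",
                (unsigned long)GetLastError());
            return EXIT_FAILURE;
        }

        Status = NtQuerySystemInformation(SystemModuleInformation,
            ModulesInfo,
            SysModuleInfoBufferSize,
            &ReturnLength);

        if (Status != STATUS_INFO_LENGTH_MISMATCH || Attempt + 1 >= MaxAttempts)
        {
            break;
        }

        // The list grew since the probe: release and retry with the new size.
        VirtualFree(ModulesInfo, 0, MEM_RELEASE);
        ModulesInfo = nullptr;
        SysModuleInfoBufferSize =
            ReturnLength > SysModuleInfoBufferSize ? ReturnLength : SysModuleInfoBufferSize * 2;
    }

    if (!NT_SUCCESS(Status))
    {
        // NTSTATUS is a 32-bit LONG; cast so %lx matches.
        printf("err, unable to query module list (%lx)\n", (unsigned long)Status);

        VirtualFree(ModulesInfo, 0, MEM_RELEASE);
        return EXIT_FAILURE;
    }

    printf("kernel mode\n");
    printf("start\t\t\tsize\tname\t\t\t\tpath\n\n");

    for (ULONG i = 0; i < ModulesInfo->NumberOfModules; i++)
    {
        PrintModuleRow(ModulesInfo->Modules[i]);
    }

    VirtualFree(ModulesInfo, 0, MEM_RELEASE);
    ModulesInfo = nullptr;

    return EXIT_SUCCESS;
}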