The method used in XueTr (not a complete reconstruction of it — the code below was rewritten following its approach).
#include <ntifs.h>
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)
/*
 * Win32-style aliases used by the code below. They encode a 32-bit target:
 * pointers are later truncated through DWORD, so this listing is x86-only.
 * Note that BOOL is an alias of the kernel's BOOLEAN (one byte), not the
 * four-byte Win32 BOOL.
 */
typedef BOOLEAN        BOOL;
typedef unsigned char  BYTE;
typedef unsigned short WORD;
typedef unsigned int   UINT;
typedef unsigned long  DWORD, ULONG;   /* same as the WDK ULONG; harmless re-typedef */
typedef DWORD         *PDWORD, *LPDWORD;
/*
 * Loader list node describing one loaded kernel module. ntifs.h evidently
 * does not provide this type (the file has to declare it itself), and the
 * layout below is simply the one this listing was written against.
 * NOTE(review): field offsets are not guaranteed on other Windows builds or
 * on x64 — verify against the target build before relying on anything
 * beyond the fields the lookup actually touches (InLoadOrderLinks, DllBase,
 * SizeOfImage, FullDllName).
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;            /* the list GetSystemKernelModuleInfo walks; the code treats DriverObject->DriverSection as this driver's node */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                          /* with SizeOfImage, bounds the [DllBase, DllBase+SizeOfImage) range tested by the lookup */
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;             /* counted string, Length in bytes; its basename is used to build the returned path */
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        struct {
            ULONG TimeDateStamp;
        };
        struct {
            PVOID LoadedImports;
        };
    };
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
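/*
 * Find the loaded kernel module that contains DriverEntryRetAddress.
 *
 * This driver's own loader node (DriverObject->DriverSection) is the anchor
 * for walking the InLoadOrderLinks list; the first other entry whose
 * [DllBase, DllBase + SizeOfImage) range covers DriverEntryRetAddress and
 * passes the sanity checks below is taken as the answer. The idea (from
 * XueTr) is that the return address of DriverEntry lies inside whichever
 * kernel image invoked it.
 *
 * DriverObject           - this driver's object; DriverSection must be valid.
 * DriverEntryRetAddress  - 32-bit address to look up.
 * SystemKernelModulePath - receives a NonPagedPool buffer holding
 *                          "\SystemRoot\system32\<basename of FullDllName>",
 *                          NUL-terminated. The caller owns it and releases it
 *                          with ExFreePool. NULL on failure.
 * SystemKernelModuleBase - receives the module's DllBase; 0 on failure.
 *
 * Returns TRUE on success; FALSE when no entry matched, the pool allocation
 * failed, or the basename is empty or would not fit the buffer.
 *
 * NOTE(review): x86-only code. Pointers are truncated through DWORD and
 * 0x90000000 is a hard-coded upper bound on DllBase (presumably to stay
 * inside the kernel region of a 32-bit system). The module list is walked
 * without the loader lock, so a concurrent module load/unload can race with
 * this walk, and MmIsAddressValid is only a best-effort probe of the name
 * buffer, not a guarantee it stays valid. The returned path is synthesised
 * under system32 from the basename; it is not the module's real on-disk
 * location.
 */
BOOL GetSystemKernelModuleInfo(PDRIVER_OBJECT DriverObject, DWORD DriverEntryRetAddress, WCHAR **SystemKernelModulePath, PDWORD SystemKernelModuleBase)
{
    enum { PATH_CHARS = 260 };                    /* output buffer size in WCHARs (MAX_PATH) */
    static const WCHAR Prefix[] = L"\\SystemRoot\\system32\\";
    const size_t PrefixChars = sizeof(Prefix) / sizeof(Prefix[0]) - 1;
    PLDR_DATA_TABLE_ENTRY DriverSection, LdrEntry;
    const WCHAR *Name;
    size_t NameChars, BaseStart, BaseChars;
    WCHAR *Path;
    int Index;

    *SystemKernelModulePath = NULL;
    *SystemKernelModuleBase = 0;

    DriverSection = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
    LdrEntry = (PLDR_DATA_TABLE_ENTRY)DriverSection->InLoadOrderLinks.Flink;

    while (LdrEntry != NULL && LdrEntry != DriverSection) {
        DWORD Base = (DWORD)LdrEntry->DllBase;

        /* MmSystemRangeStart is the exported PVOID variable itself, so compare
         * against its value. The original dereferenced it and compared against
         * whatever DWORD happens to be stored at the start of system space. */
        if (Base >= (DWORD)MmSystemRangeStart &&
            Base < 0x90000000 &&
            DriverEntryRetAddress >= Base &&
            DriverEntryRetAddress < Base + LdrEntry->SizeOfImage &&
            LdrEntry->FullDllName.Length > 4 &&
            LdrEntry->FullDllName.Buffer != NULL &&
            MmIsAddressValid(&LdrEntry->FullDllName.Buffer[LdrEntry->FullDllName.Length / 2 - 1])) {
            break;
        }
        LdrEntry = (PLDR_DATA_TABLE_ENTRY)LdrEntry->InLoadOrderLinks.Flink;
    }

    if (LdrEntry == NULL || LdrEntry == DriverSection)
        return FALSE;

    Name = LdrEntry->FullDllName.Buffer;
    NameChars = LdrEntry->FullDllName.Length / sizeof(WCHAR);   /* Length is in bytes */

    /* Basename = text after the last backslash (the whole name if there is
     * none). Index 0 is included so a leading backslash is never copied. */
    BaseStart = 0;
    for (Index = (int)NameChars - 1; Index >= 0; Index--) {
        if (Name[Index] == L'\\') {
            BaseStart = (size_t)Index + 1;
            break;
        }
    }
    BaseChars = NameChars - BaseStart;

    /* Fail closed instead of truncating: a clipped file name would be a wrong
     * answer, and the original's unbounded copy could overflow the fixed
     * buffer. One WCHAR is reserved for the terminator. */
    if (BaseChars == 0 || BaseChars > PATH_CHARS - PrefixChars - 1)
        return FALSE;

    /* Tagged allocation so the buffer is attributable in pool tracking; the
     * caller may still release it with plain ExFreePool. */
    Path = (WCHAR *)ExAllocatePoolWithTag(NonPagedPool, PATH_CHARS * sizeof(WCHAR), 'PMKS');
    if (Path == NULL)
        return FALSE;

    RtlZeroMemory(Path, PATH_CHARS * sizeof(WCHAR));   /* zero fill supplies the NUL terminator */
    RtlCopyMemory(Path, Prefix, PrefixChars * sizeof(WCHAR));
    /* Byte count must be chars * sizeof(WCHAR); the original's no-backslash
     * path copied only half the name. */
    RtlCopyMemory(Path + PrefixChars, Name + BaseStart, BaseChars * sizeof(WCHAR));

    *SystemKernelModulePath = Path;
    *SystemKernelModuleBase = (DWORD)LdrEntry->DllBase;
    return TRUE;
}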
/*
 * Unload callback. This driver keeps no resources that need releasing at
 * unload time, so it only logs that it was called.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;   /* unused; kept for the required callback signature */

    KdPrint(("Driver Unload Called\n"));
}
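/*
 * Driver entry point: registers the unload routine, then asks
 * GetSystemKernelModuleInfo which loaded module this function will return
 * into — presumably the kernel image that invoked it — and logs the
 * synthesised path and base address.
 *
 * Always returns STATUS_SUCCESS so the driver stays loaded (and unloadable)
 * even when the lookup fails, as in the original listing. RegistryPath is
 * unused.
 */
NTSTATUS DriverEntry(IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    DWORD ModuleBase = 0;
    WCHAR *ModulePath = NULL;
    DWORD RetAddress;

    (void)RegistryPath;
    DriverObject->DriverUnload = DriverUnload;

    /* The address this call returns to lies inside the caller's image. The
     * compiler intrinsic (<intrin.h>) yields it directly; the original read
     * *(DWORD*)((DWORD)&DriverObject - 4), which relied on the x86 stdcall
     * stack layout (first argument sitting just above the return address).
     * The value is still truncated to DWORD because the lookup is 32-bit. */
    RetAddress = (DWORD)(ULONG_PTR)_ReturnAddress();

    if (!GetSystemKernelModuleInfo(DriverObject, RetAddress, &ModulePath, &ModuleBase)) {
        KdPrint(("GetSystemKernelModuleInfo failed for return address %X\n", RetAddress));
        return STATUS_SUCCESS;
    }

    KdPrint(("%S,%X\n", ModulePath, ModuleBase));

    /* The path buffer belongs to us after a successful lookup; the original
     * never released it. ExFreePool is valid for tagged and untagged pool. */
    ExFreePool(ModulePath);
    return STATUS_SUCCESS;
}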