-
-
[原创]大家快来看一下
-
发表于:
2009-12-27 18:27
3543
-
#ifdef __cplusplus
extern "C" {
#endif
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN long SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
#pragma pack(push,1)
typedef struct _SYSTEM_MODULE_INFORMATION // Information Class 11
{
ULONG Reserved[2]; // +0
PVOID Base; // +08h
ULONG Size; // +0ch
ULONG Flags; // +10h
USHORT Index; // +14h
USHORT Unknown; // +16h
USHORT LoadCount; // +18h
USHORT ModuleNameOffset; //+1Ah
CHAR ImageName[256]; //+1Ch
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
#pragma pack(pop)
NTSTATUS NtQuerySystemInformation(ULONG SystemInformationClass, PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
NTSTATUS DriverEntry(
IN OUT PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG NeedSize = 0;
PCHAR Temp[10];
PSYSTEM_MODULE_INFORMATION SystemModuleInfo = NULL;
status = NtQuerySystemInformation( 11, (PVOID)Temp, 10, &NeedSize );
if (status==STATUS_INFO_LENGTH_MISMATCH)
{
DebugPrint("first query failed\n");
}
SystemModuleInfo=(PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(NonPagedPool,NeedSize,1234);
if (NULL==SystemModuleInfo)
{
DebugPrint("allocatepool error\n");
}
status=NtQuerySystemInformation(11,SystemModuleInfo,NeedSize,&NeedSize);
if (status!=STATUS_SUCCESS)
{
DebugPrint("second query failed\n");
}
else
{
DebugPrint("nameoffset=%X",SystemModuleInfo[2].ModuleNameOffset);
}
ExFreePoolWithTag(SystemModuleInfo,1234);
return STATUS_DEVICE_CONFIGURATION_ERROR;
}
#ifdef __cplusplus
}; // extern "C"
#endif
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
结果nameoffset等于0
