[原创][Delphi]learn Enum Module (PEB LDr)
发表于: 2011-4-16 14:30 2096
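program Project1;

{
  Enumerate the modules of a 32-bit process by walking the loader data that
  hangs off its PEB:  PEB -> PEB_LDR_DATA -> InLoadOrderModuleList.
  Every structure read is reported through CodeSite.

  Review notes:
  - 32-bit only. Pointers are truncated to DWord and the TPeb32 /
    TPebLdrData32 / TLdrDataTableEntry32 layouts from NcxNtTeb are used.
    A 64-bit target is not handled (the PEB address returned for such a
    target from a WOW64 caller is not the 32-bit PEB) - TODO if needed.
  - Everything read from the target is data from a foreign address space and
    must be treated as untrusted: a corrupted or hostile process can hand back
    bogus Flink/Blink pointers or UNICODE_STRING lengths. The walker therefore
    never dereferences a remote pointer locally, clamps every string read to
    the local buffer, and caps the number of list iterations.
}

uses
  windows, sysutils, NcxNtTeb, codesitelogging;

type
  // Information classes for NtQueryInformationProcess. Only
  // ProcessBasicInformation (value 0) is used below; the rest are listed so
  // the enum ordinals match the native numbering.
  _PROCESSINFOCLASS = (
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,          // Note: this is kernel mode only
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,        // = 26
    ProcessImageFileName,           // added after W2K
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,      // used by RtlSetProcessIsCritical()
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    MaxProcessInfoClass);
  PROCESSINFOCLASS = _PROCESSINFOCLASS;
  PROCESS_INFORMATION_CLASS = PROCESSINFOCLASS;
  TProcessInfoClass = PROCESSINFOCLASS;

  // 32-bit PROCESS_BASIC_INFORMATION (six 4-byte fields, 24 bytes).
  PROCESS_BASIC_INFORMATION = record
    ExitStatus: Cardinal;
    PebBaseAddress: PVOID;
    AffinityMask: Cardinal;
    BasePriority: Cardinal;
    UniqueProcessId: Cardinal;
    InheritedFromUniqueProcessId: Cardinal;
  end;
  TProcessBasicInformation = PROCESS_BASIC_INFORMATION;
  PProcessBasicInformation = ^TProcessBasicInformation;

// Returns an NTSTATUS (0 = STATUS_SUCCESS). It does NOT set the Win32
// last-error value, so GetLastError is meaningless after a failure.
function NtQueryInformationProcess(ProcessHandle: THANDLE;
  ProcessInformationClass: PROCESSINFOCLASS; ProcessInformation: PVOID;
  ProcessInformationLength: ULONG; ReturnLength: PULONG): Longint; stdcall;
  external 'ntdll.dll' name 'NtQueryInformationProcess';

const
  // Upper bound on loader-list entries walked per call. A circular list that
  // never returns to its head (corruption, or a deliberately looped list in a
  // hostile target) would otherwise spin forever.
  MaxModuleWalk = 4096;

{ Copy a UNICODE_STRING buffer out of the target process into a local,
  NUL-terminated WideChar buffer and return it as a WideString.

  ph           - handle to the target (needs PROCESS_VM_READ).
  RemoteBuffer - UNICODE_STRING.Buffer as seen in the target; never
                 dereferenced locally.
  LengthBytes  - UNICODE_STRING.Length, in BYTES (not characters).
  What         - label used in the CodeSite error message.

  Returns '' when the pointer is nil, the length is 0, or the read fails
  (the failure is logged). Names longer than MAX_PATH characters are
  truncated rather than overrunning the local buffer. }
function ReadRemoteUnicodeString(ph: THandle; RemoteBuffer: Pointer;
  LengthBytes: DWord; const What: string): WideString;
var
  buf: array[0..MAX_PATH] of WideChar;
  toRead: DWord;
  got: DWord;
begin
  Result := '';
  FillChar(buf, SizeOf(buf), 0);
  if (RemoteBuffer = nil) or (LengthBytes = 0) then
    Exit;

  // Length comes from the target and is attacker-controlled: clamp it so the
  // read can never exceed the local buffer, keeping one WideChar for the NUL.
  toRead := LengthBytes;
  if toRead > SizeOf(buf) - SizeOf(WideChar) then
    toRead := SizeOf(buf) - SizeOf(WideChar);

  if not ReadProcessMemory(ph, RemoteBuffer, @buf, toRead, got) then
  begin
    codesite.SendWinError('ReadProcessMemory ' + What, GetLastError);
    Exit;
  end;
  Result := PWideChar(@buf);
end;

{ Walk the in-load-order module list of the process behind ph and log each
  LDR_DATA_TABLE_ENTRY through CodeSite.

  ph - a handle opened with PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
       or THandle(-1) (the current-process pseudo handle) for ourselves.

  Stops early, with a logged reason, when any step fails or when the list
  looks corrupt (nil link, or more than MaxModuleWalk entries). }
procedure PebCheck(ph: THandle);
var
  pbi: PROCESS_BASIC_INFORMATION;
  status: Longint;
  PEB: TPeb32;
  LdrData: TPebLdrData32;
  LdrModule: TLdrDataTableEntry32;
  dwread: DWord;
  i: DWord;
  Head, Current: DWord;
  FullDllName, BaseDllName: WideString;
begin
  { PROCESS_BASIC_INFORMATION -> PEB base address }
  status := NtQueryInformationProcess(ph, ProcessBasicInformation, @pbi,
    SizeOf(pbi), @dwread);
  if status <> 0 then
  begin
    // Report the NTSTATUS itself; GetLastError is not set by the native call.
    codesite.Send(csmnote,
      'NtQueryInformationProcess PROCESS_BASIC_INFORMATION failed, NTSTATUS',
      IntToHex(status, 8));
    Exit;
  end;

  codesite.Send(csmnote, 'PebBaseAddress', IntToHex(DWord(pbi.PebBaseAddress), 8));
  if pbi.PebBaseAddress = nil then
  begin
    codesite.Send(csmnote, 'PebBaseAddress', 'nil - nothing to walk');
    Exit;
  end;

  { PEB }
  if not ReadProcessMemory(ph, pbi.PebBaseAddress, @PEB, SizeOf(PEB), dwread) then
  begin
    codesite.SendWinError('ReadProcessMemory PEB', GetLastError);
    Exit;
  end;
  codesite.Send(csmnote, 'PEB-InheritedAddressSpace', PEB.InheritedAddressSpace);
  codesite.Send(csmnote, 'PEB-ReadImageFileExecOptions', PEB.ReadImageFileExecOptions);
  codesite.Send(csmnote, 'PEB-BeingDebugged', PEB.BeingDebugged);
  codesite.Send(csmnote, 'PEB-ImageBaseAddress', IntToHex(DWord(PEB.ImageBaseAddress), 8));
  codesite.Send(csmnote, 'PEB-Ldr', IntToHex(DWord(PEB.Ldr), 8));

  // PEB.Ldr is nil until the loader has initialised the process (e.g. a
  // process created suspended that has not run yet).
  if PEB.Ldr = nil then
  begin
    codesite.Send(csmnote, 'PEB-Ldr', 'nil - loader not initialised yet');
    Exit;
  end;

  { PEB_LDR_DATA }
  if not ReadProcessMemory(ph, PEB.Ldr, @LdrData, SizeOf(LdrData), dwread) then
  begin
    codesite.SendWinError('ReadProcessMemory LdrData', GetLastError);
    Exit;
  end;
  codesite.Send(csmnote, 'LdrData-Length', LdrData.Length);
  codesite.Send(csmnote, 'LdrData-Initialized', LdrData.Initialized);
  codesite.Send(csmnote, 'LdrData-SsHandle', IntToHex(DWord(LdrData.SsHandle), 8));
  codesite.Send(csmnote, 'LdrData-InLoadOrderModuleList [%s : %s]',
    [IntToHex(DWord(LdrData.InLoadOrderModuleList.Flink), 8),
     IntToHex(DWord(LdrData.InLoadOrderModuleList.Blink), 8)]);
  codesite.Send(csmnote, 'LdrData-InMemoryOrderModuleList [%s : %s]',
    [IntToHex(DWord(LdrData.InMemoryOrderModuleList.Flink), 8),
     IntToHex(DWord(LdrData.InMemoryOrderModuleList.Blink), 8)]);
  codesite.Send(csmnote, 'LdrData-InInitializationOrderModuleList [%s : %s]',
    [IntToHex(DWord(LdrData.InInitializationOrderModuleList.Flink), 8),
     IntToHex(DWord(LdrData.InInitializationOrderModuleList.Blink), 8)]);

  { Walk InLoadOrderModuleList.
    It is a circular LIST_ENTRY whose head lives inside PEB_LDR_DATA in the
    target. The first entry's Blink points back at that head; we record it on
    the first iteration and stop once Flink wraps around to it. }
  i := 0;
  Head := 0;
  Current := DWord(LdrData.InLoadOrderModuleList.Flink);
  repeat
    if Current = 0 then
    begin
      codesite.Send(csmnote, 'LdrModule', 'nil link - list corrupt or truncated, stopping');
      Break;
    end;
    if i >= MaxModuleWalk then
    begin
      codesite.Send(csmnote, 'LdrModule', 'iteration cap reached - list never returns to head, stopping');
      Break;
    end;

    if not ReadProcessMemory(ph, Ptr(Current), @LdrModule, SizeOf(LdrModule), dwread) then
    begin
      codesite.SendWinError('ReadProcessMemory LdrModule', GetLastError);
      Break;
    end;

    codesite.Send(csmnote, 'LdrModule-InLoadOrderLinks [%s : %s]',
      [IntToHex(DWord(LdrModule.InLoadOrderLinks.Flink), 8),
       IntToHex(DWord(LdrModule.InLoadOrderLinks.Blink), 8)]);
    codesite.Send(csmnote, 'LdrModule-InMemoryOrderLinks [%s : %s]',
      [IntToHex(DWord(LdrModule.InMemoryOrderLinks.Flink), 8),
       IntToHex(DWord(LdrModule.InMemoryOrderLinks.Blink), 8)]);
    codesite.Send(csmnote, 'LdrModule-InInitializationOrderLinks [%s : %s]',
      [IntToHex(DWord(LdrModule.InInitializationOrderLinks.Flink), 8),
       IntToHex(DWord(LdrModule.InInitializationOrderLinks.Blink), 8)]);
    codesite.Send(csmnote, 'LdrModule-BaseAddress', IntToHex(DWord(LdrModule.DllBase), 8));
    codesite.Send(csmnote, 'LdrModule-EntryPoint', IntToHex(DWord(LdrModule.EntryPoint), 8));
    codesite.Send(csmnote, 'LdrModule-SizeOfImage', IntToHex(DWord(LdrModule.SizeOfImage), 8));

    // The name Buffer fields are pointers into the TARGET's address space.
    // Logging them directly only "worked" for ph = THandle(-1) because that
    // is our own address space; for any other process they are garbage or an
    // access violation. Copy the strings out with a bounded read instead
    // (the original also wrote BaseDllName over the FullDllName buffer).
    FullDllName := ReadRemoteUnicodeString(ph,
      Pointer(LdrModule.FullDllName.Buffer), LdrModule.FullDllName.Length, 'FullDllName');
    BaseDllName := ReadRemoteUnicodeString(ph,
      Pointer(LdrModule.BaseDllName.Buffer), LdrModule.BaseDllName.Length, 'BaseDllName');
    codesite.Send(csmnote, 'LdrModule-FullDllName', FullDllName);
    codesite.Send(csmnote, 'LdrModule-BaseDllName', BaseDllName);

    codesite.Send(csmnote, 'LdrModule-Flags', IntToHex(DWord(LdrModule.Flags), 8));
    codesite.Send(csmnote, 'LdrModule-LoadCount', IntToHex(DWord(LdrModule.LoadCount), 8));
    codesite.Send(csmnote, 'LdrModule-TlsIndex', IntToHex(DWord(LdrModule.TlsIndex), 8));
    codesite.Send(csmnote, 'LdrModule-HashLinks', IntToHex(DWord(LdrModule.HashLinks.Flink), 8));

    { next entry }
    if i = 0 then
      Head := DWord(LdrModule.InLoadOrderLinks.Blink);
    Current := DWord(LdrModule.InLoadOrderLinks.Flink);
    Inc(i);
  until Current = Head;
end;

begin
  // THandle(-1) is the current-process pseudo handle; see the example below
  // for walking another process.
  PebCheck(THandle(-1));
end.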
Example call (replace the main `begin ... end.` above with this to walk another process):
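const
  // Target process id. For the current process there is no need to open a
  // handle at all: call PebCheck(THandle(-1)) with the pseudo handle.
  ProcessId = 3052;
var
  ph: THandle;
begin
  // PROCESS_QUERY_INFORMATION covers NtQueryInformationProcess,
  // PROCESS_VM_READ covers the ReadProcessMemory calls; nothing more is
  // requested (least privilege - PROCESS_ALL_ACCESS is not needed).
  ph := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, ProcessId);
  if ph = 0 then
  begin
    // OpenProcess returns 0 (not INVALID_HANDLE_VALUE) on failure - typically
    // ERROR_ACCESS_DENIED for a protected or higher-integrity target, or
    // ERROR_INVALID_PARAMETER for a pid that no longer exists.
    codesite.SendWinError('OpenProcess', GetLastError);
  end
  else
  begin
    try
      // The listing above names the walker PebCheck.
      PebCheck(ph);
    finally
      // Release the handle even if the walk raises.
      CloseHandle(ph);
    end;
  end;
end.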