你结构定义错了,你结构里面的Unknow3才是基址
网上别人的定义是这样子的
//模块详细信息结构如下:
/*
 * One entry of the SystemModuleInformation list, as quoted in this thread.
 * Every member is either pointer-sized (HANDLE, PVOID) or a fixed-width
 * integer, so the same definition lays out correctly on both x86 and x64;
 * that is why the "32-bit" structure still prints sensible values in the
 * 64-bit output further down the thread.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    HANDLE Section;         /* section object handle; not used by the code on this page */
    PVOID MappedBase;
    PVOID Base;             /* load address of the image -- this is the "base address" */
    ULONG Size;             /* size of the mapped image in bytes */
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT PathLength;      /* NOTE(review): despite the name, commonly described as the offset of the file name inside ImageName -- confirm */
    CHAR ImageName[256];    /* NUL-terminated image path, printed with %s in post 3 */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
#include <ntddk.h>
#include <ntimage.h>
/* Pool tag for the module-list buffer (ExAllocatePoolWithTag / ExFreePoolWithTag
 * below). Multi-character constants are stored little-endian, so pool tools
 * typically show this tag as "EDOM". */
#define MEMTAG 'MODE'
/* Byte- and 16-bit-granular views used for RVA arithmetic and the export
 * ordinal table in EunmEATTable. */
typedef unsigned char BYTE;
typedef unsigned short WORD;
// NtQuerySystemInformation 使用的参数
/*
 * Information classes accepted by Zw/NtQuerySystemInformation. Only
 * SystemModuleInformation (11) is used on this page. Several names
 * deliberately share one value (aliases from different header revisions).
 * Enumerators without an explicit value continue from the previous one, so
 * inserting a name in the middle of the list shifts every later value --
 * keep MaxSystemInfoClass last.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1, // obsolete...delete
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemPathInformation,
    SystemProcessInformation = 5,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation = 8,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation = 11,           /* loaded-module list; the only class used here */
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation = 16,
    SystemObjectInformation,
    SystemPageFileInformation = 18,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation = 21,
    SystemPoolTagInformation,
    SystemInterruptInformation = 23,
    SystemDpcBehaviorInformation = 24,
    SystemFullMemoryInformation = 25,
    SystemNotImplemented6 = 25,             /* alias of the previous value */
    SystemLoadGdiDriverInformation = 26,
    SystemLoadImage = 26,                   /* alias */
    SystemUnloadGdiDriverInformation = 27,
    SystemUnloadImage = 27,                 /* alias */
    SystemTimeAdjustmentInformation = 28,
    SystemTimeAdjustment = 28,              /* alias */
    SystemSummaryMemoryInformation = 29,
    SystemNotImplemented7 = 29,             /* alias */
    SystemNextEventIdInformation = 30,
    SystemMirrorMemoryInformation = 30,     /* alias */
    SystemPerformanceTraceInformation = 31,
    SystemEventIdsInformation = 31,         /* alias */
    SystemObsolete0 = 32,
    SystemCrashDumpInformation = 32,        /* alias */
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation = 44,
    SystemTimeZoneInformation = 44,         /* alias */
    SystemLookasideInformation = 45,
    SystemSetTimeSlipEvent = 46,
    SystemTimeSlipNotification = 46,        /* alias */
    SystemSessionCreate = 47,
    SystemSessionDetach = 48,
    SystemSessionInformation = 49,
    SystemInvalidInfoClass4 = 49,           /* alias */
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemVerifierThunkExtend = 52,
    SystemAddVerifier = 52,                 /* alias */
    SystemSessionProcessInformation = 53,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
/*
 * One entry of the SystemModuleInformation list. Every member is either
 * pointer-sized (HANDLE, PVOID) or a fixed-width integer, so this single
 * definition lays out correctly on both x86 and x64. GetKernelModuleInfo
 * below reads Base, Size and ImageName.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
    HANDLE Section;         /* section object handle; unused on this page */
    PVOID MappedBase;
    PVOID Base;             /* load address of the image in kernel space */
    ULONG Size;             /* size of the mapped image in bytes */
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT PathLength;      /* NOTE(review): commonly described as the offset of the file name inside ImageName -- confirm */
    CHAR ImageName[256];    /* NUL-terminated image path, printed with %s below */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
// 模块链结构
/*
 * Header of the buffer returned for SystemModuleInformation. Module[1] is a
 * placeholder for a variable-length trailer: the real buffer is larger than
 * sizeof(SYSTEM_MODULE_INFORMATION) and Module[i] is valid only for
 * i < Count, which is why the caller must size the allocation from the
 * length reported by the probe call rather than from this struct.
 */
typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG Count;                                    /* number of valid entries in Module[] */
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];      /* first of Count entries */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
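/*
 * ZwQuerySystemInformation - kernel export used here to read the
 * loaded-module list.
 *
 * SystemInformationClass:  which table to return (SystemModuleInformation below).
 * SystemInformation:       caller-allocated output buffer; NULL for a size probe.
 * SystemInformationLength: size of that buffer in bytes (0 for a probe).
 * ReturnLength:            receives the number of bytes required/written.
 * Returns STATUS_INFO_LENGTH_MISMATCH when the buffer is too small; the probe
 * in GetKernelModuleInfo relies on exactly that status.
 *
 * NTAPI is part of the contract: on x86 the export uses __stdcall, and a
 * prototype without it is called as __cdecl, which corrupts the stack.
 * NTSYSAPI matches the WDK's own declaration where the header provides one.
 */
#ifdef __cplusplus
extern "C"
#endif
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);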
/*
 * DriverUnload - unload callback registered in DriverEntry. Nothing was
 * allocated for the lifetime of the driver, so it only logs.
 *
 * DriverObject: unused.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    (VOID)DriverObject;
    KdPrint(("卸载完成!\n"));
}
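/*
 * GetKernelModuleInfo - query the loaded-module list with
 * ZwQuerySystemInformation(SystemModuleInformation) and report the first
 * entry, which the debug output quoted later in this thread shows to be
 * ntoskrnl.exe.
 *
 * ulSysModuleBase: receives Module[0].Base, cast to ULONG.
 * ulSize:          receives Module[0].Size.
 * Returns TRUE when both out-parameters were written, FALSE on any failure
 * (probe reported no size, allocation failed, query failed, empty list, or
 * an exception while reading the buffer).
 *
 * NOTE(review): a kernel base is 64-bit on x64 (FFFFF80004A0F000 in the
 * output quoted in this thread) and a ULONG keeps only its low 32 bits, so
 * the caller ends up with 0000000004A0F000. The out-parameter has to become
 * ULONG_PTR (or PVOID) to carry it; that changes the caller's locals too,
 * so it is flagged here rather than changed.
 */
BOOLEAN GetKernelModuleInfo(ULONG *ulSysModuleBase, ULONG *ulSize)
{
    NTSTATUS status;
    ULONG NeededSize = 0;   /* initialised so the KdPrint below never reads garbage */
    PSYSTEM_MODULE_INFORMATION pModuleList = NULL;
    BOOLEAN bRet = FALSE;
    ULONG attempt;

    KdPrint(("进入GetKernelModuleInfo函数\n"));
    __try
    {
        /* Size probe: with a NULL buffer of length 0 the call fails with
         * STATUS_INFO_LENGTH_MISMATCH and NeededSize receives the required size. */
        status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &NeededSize);
        KdPrint(("显示ZwQuerySystemInformation函数返回的值%x\n", status));
        KdPrint(("返回的模块信息字节数%x\n", NeededSize));
        if (status != STATUS_INFO_LENGTH_MISMATCH || NeededSize == 0)
        {
            return bRet;
        }

        /* A driver may load between the probe and the real query, so pad the
         * buffer; if the list still outgrew it, grow and retry a few times
         * instead of giving up on the first mismatch. */
        for (attempt = 0; attempt < 4; attempt++)
        {
            NeededSize += 2 * sizeof(SYSTEM_MODULE_INFORMATION_ENTRY);
            pModuleList = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, NeededSize, MEMTAG);
            KdPrint(("基本堆栈分配是否成功%p\n", pModuleList));
            if (pModuleList == NULL)
            {
                return bRet;
            }
            status = ZwQuerySystemInformation(SystemModuleInformation, pModuleList, NeededSize, &NeededSize);
            if (status != STATUS_INFO_LENGTH_MISMATCH)
            {
                break;
            }
            /* Too small again: NeededSize is expected to hold the new
             * requirement (and is padded again either way); drop this buffer
             * and allocate a larger one. */
            ExFreePoolWithTag(pModuleList, MEMTAG);
            pModuleList = NULL;
        }

        if (pModuleList != NULL && NT_SUCCESS(status))
        {
            ULONG ModuleCount;
            ULONG i;

            KdPrint(("二次调用ZwQuerySystemInformation返回的缓冲区字节数%x\n", NeededSize));
            KdPrint(("模块数量%d\n", pModuleList->Count));
            ModuleCount = pModuleList->Count;
            /* Module[0] is only valid when the list is non-empty. */
            if (ModuleCount > 0)
            {
                KdPrint(("名字和路径%s\n", pModuleList->Module[0].ImageName));
                /* The kernel image is the first entry (ntoskrnl.exe in the
                 * output quoted in this thread). The double cast silences the
                 * pointer-truncation warning but still truncates on x64 --
                 * see the note above. */
                *ulSysModuleBase = (ULONG)(ULONG_PTR)pModuleList->Module[0].Base;
                KdPrint(("基地址%p\n", pModuleList->Module[0].Base));
                *ulSize = pModuleList->Module[0].Size;
                KdPrint(("大小%x\n", pModuleList->Module[0].Size));
                bRet = TRUE;
                KdPrint(("pModuleList对应的地址%p\n", pModuleList));
                for (i = 0; i < ModuleCount; i++)
                {
                    KdPrint(("%s\n", pModuleList->Module[i].ImageName));
                }
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* A fault while reading the buffer must not leak it; the free below
         * runs for both the normal and the exception path. */
        KdPrint(("%08x\r\n", GetExceptionCode()));
        bRet = FALSE;
    }

    if (pModuleList != NULL)
    {
        ExFreePoolWithTag(pModuleList, MEMTAG);
        pModuleList = NULL;
    }
    return bRet;
}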
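/*
 * EunmEATTable - walk the export directory of the PE image mapped at
 * ulModuleBase and print every named export with its resolved address.
 *
 * ulModuleBase: virtual address of the image's DOS header. It must be a
 *               full, untruncated pointer; the caller on this page hands in
 *               a ULONG-truncated value on x64 (see the quoted output).
 * Returns TRUE when the export table was walked, FALSE when the pointer is
 * NULL, the headers are not a valid PE image, the image has no export
 * directory, or an exception was raised while touching the image.
 *
 * All RVA arithmetic is done on a PUCHAR base so it stays pointer-width.
 * The original (ULONG) casts discarded the upper 32 bits of every x64
 * address, which is the "高位不见了" symptom reported in this thread.
 */
BOOLEAN EunmEATTable(PVOID ulModuleBase)
{
    PUCHAR base = (PUCHAR)ulModuleBase;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeaders;
    PIMAGE_DATA_DIRECTORY pExportDir;
    PIMAGE_EXPORT_DIRECTORY pExportTable;
    ULONG *arrayOfFunctionAddresses;
    ULONG *arrayOfFunctionNames;
    WORD *arrayOfFunctionOrdinals;
    ULONG x;
    BOOLEAN bRet = FALSE;

    KdPrint(("ulModuleBase的值%p\n", ulModuleBase));
    if (base == NULL)
    {
        return FALSE;
    }

    __try
    {
        pDosHeader = (PIMAGE_DOS_HEADER)base;
        /* Print the header's address, not the address of the local variable
         * (the original passed &pDosHeader, which is the stack slot -- the
         * "偏了好远" value in the quoted output). */
        KdPrint(("pDosHeader的地址%p\n", pDosHeader));
        KdPrint(("pDosHeader->e_magic的值%x\n", pDosHeader->e_magic));
        KdPrint(("pDosHeader->e_magic的地址%p\n", &(pDosHeader->e_magic)));
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        {
            KdPrint(("IMAGE_DOS_SIGNATURE failed\r\n"));
            return FALSE;
        }

        /* e_lfanew is an offset from the image base; add it to the PUCHAR
         * base so the result keeps all 64 bits. */
        pNtHeaders = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew);
        KdPrint(("NtDllHeader的值%p\n", pNtHeaders));
        if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        {
            KdPrint(("IMAGE_NT_SIGNATURE failed\r\n"));
            return FALSE;
        }

        /* Reference the optional header in place instead of copying it. An
         * image without an export directory has a zero RVA/size here. */
        pExportDir = &pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
        if (pExportDir->VirtualAddress == 0 || pExportDir->Size == 0)
        {
            KdPrint(("no export directory\r\n"));
            return FALSE;
        }
        pExportTable = (PIMAGE_EXPORT_DIRECTORY)(base + pExportDir->VirtualAddress);
        arrayOfFunctionAddresses = (ULONG *)(base + pExportTable->AddressOfFunctions);
        arrayOfFunctionNames = (ULONG *)(base + pExportTable->AddressOfNames);
        arrayOfFunctionOrdinals = (WORD *)(base + pExportTable->AddressOfNameOrdinals);

        /* The name and name-ordinal tables have NumberOfNames entries, not
         * NumberOfFunctions; iterating up to NumberOfFunctions reads past
         * their end whenever the image also exports by ordinal only. Each
         * ordinal-table entry is an unbiased index into the address table,
         * so Base is not added: the original "+ Base - 1" only cancelled out
         * when Base happened to be 1. */
        for (x = 0; x < pExportTable->NumberOfNames; x++)
        {
            const char *functionName = (const char *)(base + arrayOfFunctionNames[x]);
            ULONG functionIndex = arrayOfFunctionOrdinals[x];
            PVOID functionAddress;

            if (functionIndex >= pExportTable->NumberOfFunctions)
            {
                continue;   /* malformed entry: skip instead of indexing out of range */
            }
            functionAddress = base + arrayOfFunctionAddresses[functionIndex];
            /* %p prints the full pointer; the original "%08X" with a 64-bit
             * value was a format/argument mismatch. */
            KdPrint(("%s : %p\r\n", functionName, functionAddress));
        }
        bRet = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("%08x\r\n", GetExceptionCode()));
        bRet = FALSE;
    }
    return bRet;
}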
/*
 * DriverEntry - driver entry point. Registers DriverUnload, looks up the
 * first loaded module (the kernel image) and dumps its export table.
 * Always returns STATUS_SUCCESS, even when the lookup fails.
 *
 * NOTE(review): the locals are ULONG, so on x64 the base handed to
 * EunmEATTable has already lost its upper 32 bits (the quoted output shows
 * 0000000004A0F000 instead of FFFFF80004A0F000). GetKernelModuleInfo's
 * out-parameter type, not this function, is what has to widen to fix that.
 */
#ifdef __cplusplus
extern "C"
#endif
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ULONG kernelBase = 0;
    ULONG kernelSize = 0;
    BOOLEAN found;

    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    found = GetKernelModuleInfo(&kernelBase, &kernelSize);
    if (!found)
    {
        return STATUS_SUCCESS;
    }
    KdPrint(("GetKernelModuleInfo返回值为真\n"));
    EunmEATTable((PVOID)kernelBase);
    return STATUS_SUCCESS;
}
显示ZwQuerySystemInformation函数返回的值c0000004
返回的模块信息字节数8bf0
基本堆栈分配是否成功FFFFFA800361C000
二次调用ZwQuerySystemInformation返回的缓冲区字节数8bf0
模块数量121
名字和路径\SystemRoot\system32\ntoskrnl.exe
[I]基地址FFFFF80004A0F000[/I] //这是读出来的ntoskrnl.exe基地址
大小5e5000
pModuleList对应的地址FFFFFA800361C000
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\vmci.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\nvraid.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\vsock.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\lsi_sas.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amdsata.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\amd_xata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iaStorF.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\Program Files\VMware\VMware Tools\vmrawdsk.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\drivers\vmhgfs.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\vmmouse.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\vm3dmp.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\E1G6032E.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\pnpmem.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\EATTable.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\advapi32.dll
\Windows\System32\wininet.dll
GetKernelModuleInfo返回值为真
[I]ulModuleBase的值0000000004A0F000[/I] //高位不见了
[I]pDosHeader的地址FFFFF880045B9F68[/I] //偏了好远,不知是个什么值
错误依然如此。不过你用这个32位的结构体竟然能打印出正确信息,俺要学习一下。不对,错误更严重了:传递时把64位地址的高位给丢了!直接连PE标志位之类的信息都没有读出来。
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
这行后面参与计算的 arrayOfFunctionOrdinals[x] 和 Base 至少有一个参数前面要加强制声明 (PVOID) 或者 (ULONGLONG) 或 (size_t) 都可以
像这样改试试:
(PVOID) functionOrdinal = arrayOfFunctionOrdinals[x] + (PVOID) Base - 1;
这样编译器生成的指令才会是64位的, 否则默认生成对应的32位汇编指令, 导致高位丢失
还有:
functionName = (char *)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
// 可能也要强制声明一下, 不知道你是怎么声明的
上面说的我用的是 GCC 编译器.... 至于 VC 是不是这样的我就不清楚了
[QUOTE=h辉;1357766]functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
这行后面参与计算的 arrayOfFunctionOrdinals[x] 和 Base 至少有一个参数前面要加强制声名 (PVOID) 或者 (ULONGLONG) 或 (size_t)...[/QUOTE]
感谢你的回复我尝试一下,同样的代码在应用层执行是没有问题的!但是到了内核层就不对了!那个地址高位不知道怎么了!