-
-
[求助]64位下使用ZwQuerySystemInformation的一点疑问。【祝大家春节快乐】
-
发表于: 2018-2-14 21:01
-
小菜一个,最近在学习windows内核开发,在此,祝看雪各位大大春节快乐。
我想做一个获取 ntoskrnl.exe 基址的函数代码如下
typedef enum _SYSTEM_INFORMATION_CLASS // Q S
{
SystemBasicInformation, // 00 Y N
SystemProcessorInformation, // 01 Y N
SystemPerformanceInformation, // 02 Y N
SystemTimeOfDayInformation, // 03 Y N
SystemNotImplemented1, // 04 Y N
SystemProcessesAndThreadsInformation, // 05 Y N
SystemCallCounts, // 06 Y N
SystemConfigurationInformation, // 07 Y N
SystemProcessorTimes, // 08 Y N
SystemGlobalFlag, // 09 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG64 ImageSize;
ULONG64 Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
NTKERNELAPI NTSTATUS ZwQuerySystemInformation(IN ULONG64 SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG64 SystemInformationLength, OUT PULONG64 ReturnLength OPTIONAL);
ULONG64 GetModuleBase(PCHAR szModuleName)
{
ULONG64 uSize = 0x10000;
PVOID pModuleInfo = ExAllocatePoolWithTag(NonPagedPool,
uSize,
'GetB');
if (pModuleInfo == NULL)
{
DbgPrint("ExAllocatePoolWithTag failed\n");
return 0;
}
RtlZeroMemory(pModuleInfo, uSize);
NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation,
pModuleInfo,
uSize,
NULL);
if (!NT_SUCCESS(status))
{
DbgPrint("FindModuleByAddress query failed\n");
DbgPrint("FindModuleByAddress status: 0x%x\n", status);
if (pModuleInfo != NULL)
{
ExFreePool(pModuleInfo);
pModuleInfo = NULL;
}
return 0;
}
DbgPrint("find success\n");
ULONG64 uNumberOfModules = *(PULONG64)pModuleInfo;
if (uNumberOfModules == 0)
{
return 0;
}
PRTL_PROCESS_MODULE_INFORMATION pStart =
(PRTL_PROCESS_MODULE_INFORMATION)((ULONG64)pModuleInfo + sizeof(ULONG64));
for (ULONG64 uCount = 0; uCount < uNumberOfModules; uCount++)
{
PUCHAR pszFullPathName = (PUCHAR)pStart->FullPathName;
ULONG uOffsetName = pStart->OffsetToFileName;
PUCHAR pszName = (PUCHAR)(pszFullPathName + uOffsetName);
ULONG64 based = (ULONG64)(pStart->ImageBase);
DbgPrint("%s,%x\n", pszName, based);
if (strcmp((PCHAR)pszName, szModuleName) == 0)
{
ULONG64 uImageBase = (ULONG64)pStart->ImageBase;
/*if (pModuleInfo != NULL)
{
ExFreePool(pModuleInfo);
pModuleInfo = NULL;
}*/
DbgPrint("the kernel mode %s,%x\n", pszName, uImageBase);
return uImageBase;
}
pStart++;
}
if (pModuleInfo != NULL)
{
ExFreePool(pModuleInfo);
pModuleInfo = NULL;
}
return 0;
}在32位下,没有什么问题
如图
如图
那么 是代码的哪里出了问题呢?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
不能使用%p打印 一打就蓝屏 |
|
|
|
|
|
 最后反复调试修改 发现了问题所在 我单纯的以为32位驱动移植到64位上 只要将相关指针 数据 *2就行了 例如ULONG变ULONG64 其实不是 在 SYSTEM_MODULE_INFORMATION_ENTRY结构体里 SIZE依旧是ULONG类型 windbg接上以后 看到的数据结构如下 +0x000 Section : Ptr64 Void +0x008 MappedBase : Ptr64 Void +0x010 ImageBase : Ptr64 Void +0x018 ImageSize : Uint4B +0x01c Flags : Uint4B +0x020 LoadOrderIndex : Uint2B +0x022 InitOrderIndex : Uint2B +0x024 LoadCount : Uint2B +0x026 OffsetToFileName : Uint2B +0x028 FullPathName : [256] UChar 然后在申请内存时 PVOID 改成PVOID64 就OK了 |
|
|
|
|
|
再A盾里面的结构体成员和你的不一样,看来A盾太多东西是老的一批的了
|
柒雪天尚
