-
-
[分享]一种获取内核模块信息的方式
-
发表于:
2021-9-28 11:18
4873
-
BOOL GetNtInformation(
ULONG_PTR* ntBase,
ULONG_PTR* ntSize
)
{
if (!ntBase || !ntSize) return false;
LARGE_INTEGER ntTemp = { 0 };
PIMAGE_NT_HEADERS pNt = nullptr;
PIMAGE_DOS_HEADER pDos = nullptr;
auto pFind0 = (ULONG_PTR)MmGetSystemRoutineAddress;
auto pFind = (PUCHAR)pFind0;
for (unsigned int i = 0; i < 0x30; i++)
{
if (pFind[i] == 0x48 && pFind[i + 1] == 0x8B && pFind[i + 2] == 0x0D) {
ntTemp.QuadPart = (ULONG_PTR)&pFind[i + 7];
ntTemp.LowPart += *(LONG*)&pFind[i + 3];
break;
}
}
if (!ntTemp.QuadPart) return false;
pDos = (PIMAGE_DOS_HEADER)(*(ULONG_PTR*)ntTemp.QuadPart);
if (!pDos) return false;
pNt = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDos + pDos->e_lfanew);
if (!pNt || pNt->Signature != IMAGE_NT_SIGNATURE)
return false;
__try {
*ntBase = (ULONG_PTR)pDos;
*ntSize = pNt->OptionalHeader.SizeOfImage;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
return false;
}
return true;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
