VOID EnumModule(PEPROCESS Process, UNICODE_STRING name, unsigned __int64* ret)
{
//VMProtectBegin("ENUM");
ULONG64 Peb = 0;
ULONG64 Ldr = 0;
PLIST_ENTRY ModListHead = 0;
PLIST_ENTRY Module = 0;
ANSI_STRING AnsiString;
KAPC_STATE ks;
if (!MmIsAddressValid(Process))
return;
Peb = PsGetProcessPeb(Process);
if (!Peb)
return;
KAPC_STATE ApcState;
ULONG64 pDTB = 0, OldCr3 = 0, vAddr = 0;
pDTB = Get64bitValue((UCHAR*)Process + DIRECTORY_TABLE_BASE);
if (pDTB == 0)
{
//DbgPrint("[x64Drv] Can not get PDT");
return;
}
_disable();
OldCr3 = __readcr3();
__writecr3(pDTB);
_enable();
Ldr = Peb + (ULONG64)LdrInPebOffset;
if (!MmIsAddressValid((PULONG64)Ldr + ModListInPebOffset)) goto skip;
ModListHead = (PLIST_ENTRY)(*(PULONG64)Ldr + ModListInPebOffset);
Module = ModListHead->Flink;
while (ModListHead != Module)
{
DbgPrint("[x64Drv] %wZ\n", &(((PLDR_DATA_TABLE_ENTRY)Module)->BaseDllName));
if (RtlCompareUnicodeString(&name, &(((PLDR_DATA_TABLE_ENTRY)Module)->BaseDllName), TRUE) == 0) {
*(ret) = (PVOID)(((PLDR_DATA_TABLE_ENTRY)Module)->DllBase);
break;
}
Module = Module->Flink;
if (!MmIsAddressValid(Module)) goto skip;
}
skip:;
_disable();
__writecr3(OldCr3);
_enable();
//VMProtectEnd();
}
