experiment : use Aux Library on R0

Aux Libray

Aux Libray 是MS提供的内核库, 可以用来查询模块信息,  比如内核模块基址和模块Size.

wdk7600 自带 aux Library, 也可以从MS站点下载.

可以完成和未文档化API ZwQuerySystemInformation 相同的功能.

因为是文档化的API接口,  所以比 ZwQuerySystemInformation 靠谱.

编程环境

win7X64Sp1 + wdk7600 + vs2010 

试验环境

vmware9 + winxpSp3

工程下载

srcUseAuxGetKernelModuleInfo.rar

试验截图

R0中的代码片段 - 使用aux库取内核模块信息

NTSTATUSGetKernelModuleInfo(    PROCESS_COMMUNICATION_DATA * pCommData);

NTSTATUS GetKernelModuleInfo(PROCESS_COMMUNICATION_DATA * pCommData){    NTSTATUS                        status = STATUS_SUCCESS;    DWORD                           dwIndex = 0;    DWORD                           dwServiceCntMax = 0;    /// KMI means KenelModuleInfo    PKERNEL_MODULE_INFO             pCommDataKMI = NULL;    UCHAR *                         pMoudleInfo = NULL;    AUX_MODULE_EXTENDED_INFO *      pAuxModuleExInfo = NULL;    DWORD                           dwLenMoudleInfo = 0;    DWORD                           dwMoudleCnt = 0;    size_t                          nSize = 0;    UNICODE_STRING                  strPathNameW;    ANSI_STRING                     strPathNameA;    __try    {        /// 初始化数据        strPathNameW.MaximumLength = 0;        strPathNameW.Length = 0;        strPathNameW.Buffer = NULL;                /// 取内核模块信息            /// 可以考虑放在 DriverEntry 中        status = AuxKlibInitialize();        if (STATUS_SUCCESS != status)            __leave;            status = AuxKlibQueryModuleInformation(                &dwLenMoudleInfo,                 sizeof(AUX_MODULE_EXTENDED_INFO),                NULL);        if (STATUS_SUCCESS != status)            __leave;            dwMoudleCnt =   dwLenMoudleInfo                         / sizeof(AUX_MODULE_EXTENDED_INFO);            /// 这里在DeviceIoControl处理例程中, 可以为分页内存         pMoudleInfo = ExAllocatePoolWithTag(PagedPool,                                             dwLenMoudleInfo,                                             'aux');                                                    status = AuxKlibQueryModuleInformation(                    &dwLenMoudleInfo,                     sizeof(AUX_MODULE_EXTENDED_INFO),                    pMoudleInfo);                            if (STATUS_SUCCESS != status)            __leave;            /// 回答R3            /// pMoudleInfo 第一个模块内容是内核ntos*        pAuxModuleExInfo = (AUX_MODULE_EXTENDED_INFO *)pMoudleInfo;        pCommDataKMI = &(pCommData->CmdDataKernelMoudleInfo);            pCommData->sRc = status;        pCommData->qa.dwAnswer = pCommData->qa.dwQestion + 1;        pCommDataKMI->dwImgBase =             (DWORD)pAuxModuleExInfo->BasicInfo.ImageBase;            pCommDataKMI->dwImgSize = pAuxModuleExInfo->ImageSize;        RtlInitAnsiString(&strPathNameA,             pAuxModuleExInfo->FullPathName);            RtlAnsiStringToUnicodeString(&strPathNameW,                                      &strPathNameA,                                     TRUE);            nSize = sizeof(pCommDataKMI->szModuleName) / sizeof(wchar_t);                    RtlStringCchCopyW(            pCommDataKMI->szModuleName,            nSize,            strPathNameW.Buffer);    }    __finally    {        if (NULL != pMoudleInfo)            ExFreePoolWithTag(pMoudleInfo, 'aux');            /// strPathNameW 需要释放        if (NULL != strPathNameW.Buffer)            RtlFreeUnicodeString(&strPathNameW);    }    return status;}

参考资料

* pediy上kssd中有一篇用Aux Libray 查询模块信息的文章

   http://www.pediy.com/kssd/pediy10/74504.html

* MSDN 中 Aux Libray help url 

   http://msdn.microsoft.com/en-us/library/gg547635(v=vs.85).aspx