获取系统模块信息

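/*
 * Enumerate the kernel's loaded-module list (SystemModuleInformation) and
 * look up one module's image base by file name.
 *
 * Everything before GetModuleBase() re-declares undocumented ntoskrnl
 * definitions that the (older) WDK does not expose in a public header:
 * SYSTEM_INFORMATION_CLASS, RTL_PROCESS_MODULE_INFORMATION and
 * RTL_PROCESS_MODULES. Their layout and enumerator order are kernel ABI;
 * do not reorder or "tidy" them.
 *
 * SECURITY NOTE: this information class discloses the load address of every
 * kernel module, ntoskrnl included. That is exactly what rootkits query to
 * locate the kernel image (e.g. before patching the SSDT) and what
 * anti-rootkit tools query to spot drivers loaded from unexpected paths (see
 * HelloWorld.sys under a user's desktop in the sample output at the bottom).
 * Treat the returned addresses as sensitive and never hand them to user mode
 * unprotected; on systems with kernel ASLR they defeat it outright.
 */

/* System information class: the selector argument of ZwQuerySystemInformation. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,                 /* basic system information */
    SystemProcessorInformation,                 /* obsolete...delete */
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,                   /* system process list */
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,                    /* loaded-module list, returns RTL_PROCESS_MODULES */
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass                          /* MaxSystemInfoClass should always be the last enum */
} SYSTEM_INFORMATION_CLASS;

/* One entry of the loaded-module list as filled in by the kernel. */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;                 /* Not filled in */
    PVOID  MappedBase;
    PVOID  ImageBase;               /* load address of the module image */
    ULONG  ImageSize;
    ULONG  Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;        /* index into FullPathName where the bare file name starts */
    UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/*
 * Variable-length result of SystemModuleInformation. Modules[1] is the
 * historical "trailing array" idiom of the kernel's own definition and is
 * kept as-is so the layout matches; the real element count is NumberOfModules.
 */
typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

/*
 * Retrieve system information. Exported by ntoskrnl but not prototyped in
 * older WDK headers. Must be called at PASSIVE_LEVEL. With a too-small
 * buffer it fails with STATUS_INFO_LENGTH_MISMATCH and, when ReturnLength
 * is supplied, reports the size required.
 */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    __in      SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout   PVOID                    SystemInformation,
    __in      ULONG                    SystemInformationLength,
    __out_opt PULONG                   ReturnLength);

/* Pool tag of the module-list buffer; reads as "Ddk " in !poolused. Allocation and free must use the same tag. */
#define MODULE_LIST_POOL_TAG ' kdD'

/*
 * Return the image base of the loaded kernel module whose file name equals
 * ModuleName (case-insensitive, compared against the part of FullPathName
 * after OffsetToFileName, e.g. "ntoskrnl.exe" or "HelloWorld.sys").
 *
 * Returns NULL when ModuleName is NULL, the list cannot be obtained, the
 * buffer cannot be allocated, or no module matches. Every non-matching
 * entry encountered before the match is traced with KdPrint (checked builds).
 *
 * Must be called at PASSIVE_LEVEL: ZwQuerySystemInformation requires it and
 * the buffer comes from paged pool.
 *
 * Fixes relative to the original listing:
 *  - the size probe wrote its result into the pointer variable itself
 *    (&ProcessModules, length 4); it now targets a throw-away ULONG;
 *  - ExAllocatePoolWithTag was called with (POOL_TYPE)SystemModuleInformation,
 *    i.e. the unrelated enumerator value 11, which is not a valid pool type;
 *  - the buffer was allocated with tag ' kdD' but freed with tag 0, which
 *    Driver Verifier / pool tagging reports as a bad pool call;
 *  - the trace printed a pointer with %x, which truncates on 64-bit;
 *  - NumberOfModules and OffsetToFileName are bounded against the buffer
 *    before use (defense in depth; the kernel normally fills them correctly).
 */
PVOID GetModuleBase(const CHAR *ModuleName)
{
    PRTL_PROCESS_MODULES modules = NULL;
    PVOID imageBase = NULL;
    ULONG needed = 0;
    ULONG bufferSize = 0;
    ULONG probe = 0;        /* dummy target for the sizing call; its contents are irrelevant */
    ULONG i = 0;

    if (ModuleName == NULL)
        return NULL;

    /* Sizing pass: expected to fail with STATUS_INFO_LENGTH_MISMATCH while
       still reporting the required length in `needed`. */
    ZwQuerySystemInformation(SystemModuleInformation, &probe, sizeof(probe), &needed);
    if (needed == 0)
        return NULL;

    /* Double the reported size so drivers loading between the two calls do
       not make the second call fail; guard the doubling against ULONG wrap. */
    if (needed > (ULONG)-1 / 2)
        return NULL;
    bufferSize = 2 * needed;

    /* PagedPool is fine: the buffer is only touched here, at PASSIVE_LEVEL,
       and the list can be large. (Newer WDKs deprecate ExAllocatePoolWithTag
       in favour of ExAllocatePool2; kept for compatibility with this target.) */
    modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(PagedPool, bufferSize, MODULE_LIST_POOL_TAG);
    if (modules == NULL)
        return NULL;

    if (NT_SUCCESS(ZwQuerySystemInformation(SystemModuleInformation, modules, bufferSize, &needed))) {
        /* Never walk past our own buffer even if the count is inconsistent. */
        ULONG headerBytes = FIELD_OFFSET(RTL_PROCESS_MODULES, Modules);
        ULONG maxEntries = (bufferSize - headerBytes) / sizeof(RTL_PROCESS_MODULE_INFORMATION);
        ULONG count = modules->NumberOfModules;
        if (count > maxEntries)
            count = maxEntries;

        for (i = 0; i < count; i++) {
            RTL_PROCESS_MODULE_INFORMATION *entry = &modules->Modules[i];
            const CHAR *fileName = NULL;

            /* The kernel NUL-terminates FullPathName; force it anyway so
               _stricmp/KdPrint can never run off the 256-byte array. */
            entry->FullPathName[sizeof(entry->FullPathName) - 1] = '\0';

            /* OffsetToFileName is kernel-supplied but still an index we are
               about to trust; skip entries that would point outside the array. */
            if (entry->OffsetToFileName >= sizeof(entry->FullPathName))
                continue;
            fileName = (const CHAR *)&entry->FullPathName[entry->OffsetToFileName];

            if (_stricmp(ModuleName, fileName) == 0) {
                imageBase = entry->ImageBase;
                break;
            }

            /* %p for the pointer (correct on x86 and x64), %x for the ULONG size. */
            KdPrint(("%s\t %p\t %x\t %s  \n",
                     fileName,
                     entry->ImageBase,
                     entry->ImageSize,
                     (const CHAR *)entry->FullPathName));
        }
    }

    /* Tag must match the allocation's tag. */
    ExFreePoolWithTag(modules, MODULE_LIST_POOL_TAG);
    return imageBase;
}

/*
 * Sample KdPrint output from the original author's Windows XP VM
 * (name, image base, image size, full path). Note the last two entries:
 * the test driver loaded from a user's desktop, and ntdll.dll, which the
 * kernel lists as well.
 *
 * ntkrnlpa.exe 804d8000 1f8480 \WINDOWS\system32\ntkrnlpa.exe
 * hal.dll 806d1000 20300 \WINDOWS\system32\hal.dll
 * KDCOM.DLL f8b9a000 2000 \WINDOWS\system32\KDCOM.DLL
 * BOOTVID.dll f8aaa000 3000 \WINDOWS\system32\BOOTVID.dll
 * ACPI.sys f856b000 2e000 ACPI.sys
 * WMILIB.SYS f8b9c000 2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
 * pci.sys f855a000 11000 pci.sys
 * isapnp.sys f869a000 9000 isapnp.sys
 * compbatt.sys f8aae000 3000 compbatt.sys
 * BATTC.SYS f8ab2000 4000 \WINDOWS\system32\DRIVERS\BATTC.SYS
 * intelide.sys f8b9e000 2000 intelide.sys
 * PCIIDEX.SYS f891a000 7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
 * MountMgr.sys f86aa000 b000 MountMgr.sys
 * ftdisk.sys f853b000 1f000 ftdisk.sys
 * dmload.sys f8ba0000 2000 dmload.sys
 * dmio.sys f8515000 26000 dmio.sys
 * PartMgr.sys f8922000 5000 PartMgr.sys
 * vmci.sys f86ba000 10000 vmci.sys
 * VolSnap.sys f86ca000 c000 VolSnap.sys
 * vsock.sys f8502000 13000 vsock.sys
 * atapi.sys f84ea000 18000 atapi.sys
 * vmscsi.sys f8ba2000 2000 vmscsi.sys
 * SCSIPORT.SYS f84d2000 18000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
 * disk.sys f86da000 9000 disk.sys
 * CLASSPNP.SYS f86ea000 d000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
 * fltMgr.sys f84b2000 20000 fltMgr.sys
 * sr.sys f84a0000 12000 sr.sys
 * KSecDD.sys f8489000 17000 KSecDD.sys
 * Ntfs.sys f83fc000 8d000 Ntfs.sys
 * NDIS.sys f83cf000 2d000 NDIS.sys
 * Mup.sys f83b5000 1a000 Mup.sys
 * agp440.sys f86fa000 b000 agp440.sys
 * i8042prt.sys f872a000 c000 \SystemRoot\system32\DRIVERS\i8042prt.sys
 * kbdclass.sys f894a000 6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
 * vmmouse.sys f8ba4000 2000 \SystemRoot\system32\DRIVERS\vmmouse.sys
 * mouclass.sys f895a000 6000 \SystemRoot\system32\DRIVERS\mouclass.sys
 * vmx_svga.sys f873a000 10000 \SystemRoot\system32\DRIVERS\vmx_svga.sys
 * VIDEOPRT.SYS f8348000 14000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
 * vmxnet.sys f896a000 6000 \SystemRoot\system32\DRIVERS\vmxnet.sys
 * CmBatt.sys f8b4a000 4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
 * intelppm.sys f874a000 a000 \SystemRoot\system32\DRIVERS\intelppm.sys
 * fsvga.sys f8b52000 3000 \SystemRoot\system32\DRIVERS\fsvga.sys
 * audstub.sys f8d5b000 1000 \SystemRoot\system32\DRIVERS\audstub.sys
 * rasl2tp.sys f875a000 d000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
 * ndistapi.sys f8b5a000 3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
 * ndiswan.sys f8331000 17000 \SystemRoot\system32\DRIVERS\ndiswan.sys
 * raspppoe.sys f876a000 b000 \SystemRoot\system32\DRIVERS\raspppoe.sys
 * raspptp.sys f877a000 c000 \SystemRoot\system32\DRIVERS\raspptp.sys
 * TDI.SYS f898a000 5000 \SystemRoot\system32\DRIVERS\TDI.SYS
 * psched.sys f82f8000 11000 \SystemRoot\system32\DRIVERS\psched.sys
 * msgpc.sys f878a000 9000 \SystemRoot\system32\DRIVERS\msgpc.sys
 * ptilink.sys f899a000 5000 \SystemRoot\system32\DRIVERS\ptilink.sys
 * raspti.sys f89aa000 5000 \SystemRoot\system32\DRIVERS\raspti.sys
 * rdpdr.sys f82c8000 30000 \SystemRoot\system32\DRIVERS\rdpdr.sys
 * termdd.sys f879a000 a000 \SystemRoot\system32\DRIVERS\termdd.sys
 * swenum.sys f8bae000 2000 \SystemRoot\system32\DRIVERS\swenum.sys
 * ks.sys f82a5000 23000 \SystemRoot\system32\DRIVERS\ks.sys
 * update.sys f8247000 5e000 \SystemRoot\system32\DRIVERS\update.sys
 * mssmbios.sys f8b82000 4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
 * NDProxy.SYS f87aa000 a000 \SystemRoot\System32\Drivers\NDProxy.SYS
 * Fs_Rec.SYS f8bb4000 2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
 * Null.SYS f8da5000 1000 \SystemRoot\System32\Drivers\Null.SYS
 * Beep.SYS f8bb8000 2000 \SystemRoot\System32\Drivers\Beep.SYS
 * vga.sys f89da000 6000 \SystemRoot\System32\drivers\vga.sys
 * mnmdd.SYS f8bbc000 2000 \SystemRoot\System32\Drivers\mnmdd.SYS
 * RDPCDD.sys f8bc0000 2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
 * Msfs.SYS f89ea000 5000 \SystemRoot\System32\Drivers\Msfs.SYS
 * Npfs.SYS f89fa000 8000 \SystemRoot\System32\Drivers\Npfs.SYS
 * rasacd.sys f8360000 3000 \SystemRoot\system32\DRIVERS\rasacd.sys
 * ipsec.sys b2fcd000 13000 \SystemRoot\system32\DRIVERS\ipsec.sys
 * tcpip.sys b2f74000 59000 \SystemRoot\system32\DRIVERS\tcpip.sys
 * netbt.sys b2f4c000 28000 \SystemRoot\system32\DRIVERS\netbt.sys
 * ipnat.sys b2f26000 26000 \SystemRoot\system32\DRIVERS\ipnat.sys
 * ws2ifsl.sys f8b3a000 3000 \SystemRoot\System32\drivers\ws2ifsl.sys
 * afd.sys b2f04000 22000 \SystemRoot\System32\drivers\afd.sys
 * wanarp.sys f87ca000 9000 \SystemRoot\system32\DRIVERS\wanarp.sys
 * netbios.sys f87da000 9000 \SystemRoot\system32\DRIVERS\netbios.sys
 * vmhgfs.sys b2edd000 27000 \SystemRoot\system32\drivers\vmhgfs.sys
 * rdbss.sys b2e12000 2b000 \SystemRoot\system32\DRIVERS\rdbss.sys
 * mrxsmb.sys b2da2000 70000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
 * Fips.SYS f881a000 b000 \SystemRoot\System32\Drivers\Fips.SYS
 * win32k.sys bf800000 1c3000 \SystemRoot\System32\win32k.sys
 * Dxapi.sys f8b7e000 3000 \SystemRoot\System32\drivers\Dxapi.sys
 * watchdog.sys f8a42000 5000 \SystemRoot\System32\watchdog.sys
 * dxg.sys bf9c3000 12000 \SystemRoot\System32\drivers\dxg.sys
 * dxgthk.sys f8cf7000 1000 \SystemRoot\System32\drivers\dxgthk.sys
 * vmx_fb.dll bf9d5000 1cc000 \SystemRoot\System32\vmx_fb.dll
 * ndisuio.sys b2d1a000 4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
 * vmmemctl.sys b2af2000 3000 \??\C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys
 * srv.sys b28a0000 52000 \SystemRoot\system32\DRIVERS\srv.sys
 * HTTP.sys b2747000 41000 \SystemRoot\System32\Drivers\HTTP.sys
 * HelloWorld.sys b25c7000 9000 \??\C:\Documents and Settings\Administrator\桌面\HelloWorld.sys
 * ntdll.dll 7c920000 93000 \WINDOWS\system32\ntdll.dll
 */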
