C++源码 NtQueryVirtualMemory枚举进程模块
/* Information classes accepted by NtQueryVirtualMemory. Only the first three
 * native values are declared here; this file uses MemoryBasicInformation and
 * MemorySectionName. */
typedef enum _MEMORY_INFORMATION_CLASS {
    MemoryBasicInformation = 0,   /* fills a MEMORY_BASIC_INFORMATION */
    MemoryWorkingSetList   = 1,
    MemorySectionName      = 2    /* fills a MEMORY_SECTION_NAME */
} MEMORY_INFORMATION_CLASS;
/* Output buffer for the MemorySectionName class: a counted UNICODE_STRING
 * followed by inline storage for the characters.
 * NOTE(review): presumably the kernel points SectionFileName.Buffer into
 * NameBuffer; treat Buffer as NOT NUL-terminated and print it with %wZ. */
typedef struct _MEMORY_SECTION_NAME {
    UNICODE_STRING SectionFileName;
    WCHAR          NameBuffer[MAX_PATH * 5];
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;
/* Region descriptor returned for MemoryBasicInformation. The layout mirrors
 * the Win32 structure of the same name (the kernel headers used here do not
 * provide it). Only AllocationBase and Type are consumed by this file. */
struct _MEMORY_BASIC_INFORMATION {
    PVOID  BaseAddress;
    PVOID  AllocationBase;    /* compared against the scan address to visit each image once */
    DWORD  AllocationProtect;
    SIZE_T RegionSize;
    DWORD  State;
    DWORD  Protect;
    DWORD  Type;              /* MEM_IMAGE marks a mapped executable image */
};
typedef struct _MEMORY_BASIC_INFORMATION MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
/* Prototype of the native NtQueryVirtualMemory service. The function is not
 * imported; its address is looked up from the service table at run time.
 * ReturnLength is optional and may be passed as NULL. */
typedef NTSTATUS (__stdcall *PNtQueryVirtualMemory)(
    IN  HANDLE                   ProcessHandle,
    IN  PVOID                    BaseAddress,
    IN  MEMORY_INFORMATION_CLASS MemoryInformationClass,
    OUT PVOID                    MemoryInformation,
    IN  ULONG                    MemoryInformationLength,
    OUT PULONG                   ReturnLength OPTIONAL);
/* Request/result block handed to EnumDllByZwQueryVirtualMem as its PVOID
 * argument. kEvent is not referenced by that routine; it is presumably used
 * by the caller to wait for completion. */
typedef struct _WORK_DATA {
    KEVENT  kEvent;
    HANDLE  ProcessId;   /* PID of the process to inspect (input) */
    BOOLEAN isFind;      /* TRUE when the target module was found (output) */
} WORK_DATA, *PWORK_DATA;
/* MEMORY_BASIC_INFORMATION.Type value for a mapped executable image
 * (same value as the Win32 MEM_IMAGE constant). */
#define MEM_IMAGE 0x01000000
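/*
 * EnumDllByZwQueryVirtualMem - walk the user address space of a process with
 * the native NtQueryVirtualMemory service and report whether an image whose
 * section name contains "Locker.dll" is mapped there.
 *
 * pData: a PWORK_DATA. ProcessId is read as the target PID; isFind is always
 *        written: TRUE when the module was found, FALSE otherwise (including
 *        every error path, so the caller never sees a stale value).
 *
 * Returns STATUS_INVALID_PARAMETER when pData is NULL, STATUS_UNSUCCESSFUL
 * when the service cannot be resolved, the EPROCESS lookup fails or the
 * process cannot be opened, and STATUS_SUCCESS otherwise. A failing memory
 * query merely ends the scan; it is not reported as an error.
 *
 * Fixes relative to the earlier version: the EPROCESS reference from
 * PsLookupProcessByProcessId is now released, the process is detached on the
 * ZwOpenProcess failure path, the handle is a kernel handle so ZwClose works
 * regardless of attach state, and the open uses process access rights
 * instead of a page-protection constant.
 */
NTSTATUS EnumDllByZwQueryVirtualMem(PVOID pData)
{
    PWORK_DATA p = (PWORK_DATA)pData;
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    MEMORY_BASIC_INFORMATION mem_info = {0};
    MEMORY_SECTION_NAME mem_secName = {0};
    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES obj;
    CLIENT_ID cid;
    PEPROCESS pEproc = NULL;
    KAPC_STATE k_apc;
    UNICODE_STRING ustrNTDLL;
    UNICODE_STRING ustrMyDll;
    PNtQueryVirtualMemory NtQueryVirtualMemory = NULL;
    PSYSTEM_DESCRIPTOR_TABLE KeServiceDescriptorTable = NULL;
    ULONG uIndex = 0;
    /* 32-bit user space: step at allocation granularity up to the 2 GB boundary. */
    const ULONG scanStep = 0x10000;
    const ULONG scanLimit = 0x80000000UL;
    ULONG index = 0;

    if (p == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    p->isFind = FALSE;   /* default result; only a positive match sets it */

    RtlInitUnicodeString(&ustrNTDLL, L"\\??\\C:\\WINDOWS\\system32\\ntdll.dll");
    RtlInitUnicodeString(&ustrMyDll, L"Locker.dll");

    /* Resolve NtQueryVirtualMemory from the service table: the syscall index is
     * read from the ntdll stub and used to index ntoskrnl's table. */
    KeServiceDescriptorTable = (PSYSTEM_DESCRIPTOR_TABLE)dns_get_systemrountine_address(L"KeServiceDescriptorTable");
    if (KeServiceDescriptorTable == NULL) {
        KdPrint(("cannot locate KeServiceDescriptorTable\n"));
        return STATUS_UNSUCCESSFUL;
    }
    /* NOTE(review): SYSCALL_INDEX() reads through the address returned by
     * dns_get_dllfunction_address; confirm that helper cannot return NULL and
     * that uIndex is bounded by the table's service count if the
     * PSYSTEM_DESCRIPTOR_TABLE definition exposes one. */
    uIndex = SYSCALL_INDEX(dns_get_dllfunction_address("NtQueryVirtualMemory", &ustrNTDLL));
    NtQueryVirtualMemory = (PNtQueryVirtualMemory)KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[uIndex];
    if (NtQueryVirtualMemory == NULL) {
        KdPrint(("cannot resolve NtQueryVirtualMemory, index = %lu\n", uIndex));
        return STATUS_UNSUCCESSFUL;
    }

    status = PsLookupProcessByProcessId(p->ProcessId, &pEproc);
    if (!NT_SUCCESS(status)) {
        KdPrint(("cannot get process eprocess, ERROR CODE = %08X\n", status));
        return STATUS_UNSUCCESSFUL;
    }
    /* From here on pEproc holds a reference that every exit path must drop. */

    cid.UniqueProcess = p->ProcessId;
    cid.UniqueThread = NULL;
    /* OBJ_KERNEL_HANDLE keeps the handle in the kernel handle table, so it is
     * valid (and closable) no matter which process we are attached to. Without
     * it the handle would land in the attached process's table and ZwClose
     * after detaching would address the wrong table. */
    InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    KeStackAttachProcess(pEproc, &k_apc);

    /* PAGE_READWRITE (0x04) is a page-protection flag, not a process access
     * right. Querying regions needs PROCESS_QUERY_INFORMATION; PROCESS_VM_READ
     * covers the section-name lookup. */
    status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, &obj, &cid);
    if (!NT_SUCCESS(status)) {
        KdPrint(("cannot get process handle, ERROR CODE = %08X\n", status));
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }
    KdPrint(("hProcess= %p\n", hProcess));

    for (index = 0; index < scanLimit; index += scanStep) {
        PVOID base = (PVOID)(ULONG_PTR)index;

        status = NtQueryVirtualMemory(hProcess, base, MemoryBasicInformation,
                                      &mem_info, sizeof(mem_info), NULL);
        if (!NT_SUCCESS(status)) {
            /* End of the scannable range (or an unqueryable region): stop the
             * walk without turning it into an error, as before. */
            DbgPrint("cannot query memory, ERROR CODE = %08X\n", status);
            break;
        }
        /* Only image mappings are modules, and only their allocation base is
         * of interest so each module is examined once. */
        if (mem_info.Type != MEM_IMAGE || mem_info.AllocationBase != base) {
            continue;
        }
        status = NtQueryVirtualMemory(hProcess, base, MemorySectionName,
                                      &mem_secName, sizeof(mem_secName), NULL);
        if (!NT_SUCCESS(status)) {
            continue;
        }
        /* %wZ prints the counted string; Buffer is not guaranteed NUL-terminated. */
        KdPrint(("Address:%08X \t ModuleName:%wZ\n", index, &mem_secName.SectionFileName));
        if (TRUE == SpyFindSubString(&mem_secName.SectionFileName, &ustrMyDll)) {
            p->isFind = TRUE;
            break;
        }
    }
    status = STATUS_SUCCESS;

cleanup:
    /* Close before detaching so the handle is released in the same context it
     * was created in (harmless with OBJ_KERNEL_HANDLE, required without). */
    if (hProcess != NULL) {
        ZwClose(hProcess);
        hProcess = NULL;
    }
    KeUnstackDetachProcess(&k_apc);
    ObDereferenceObject(pEproc);
    return status;
}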