

// ---	Get System Module List with ZwQuerySystemInformation
//	---	* 2010/10/27 * 

//	---	마플 
//	---	http://kese111.tistory.com 
//   ---   http://simples.kr/?mid=ITTalk&page=2&document_srl=19838#include 



#include 


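/* NTSTATUS is a signed 32-bit value; success/informational codes are >= 0,
 * warnings/errors have the sign bit set (STATUS_INFO_LENGTH_MISMATCH below). */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
/* Returned by ZwQuerySystemInformation when the caller's buffer is too small;
 * the required size is then reported through ReturnLength. */
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
/* Pack two 16-bit halves into a 32-bit value: low word from a, high word from b. */
#define MAKELONG(a, b) ((ULONG) (((USHORT) (a)) | ((ULONG) ((USHORT) (b))) << 16))

/* Win32-style aliases. The Windows headers define all three as UNSIGNED types
 * (WORD = unsigned short, BYTE = unsigned char, DWORD = unsigned long). The
 * signed versions this file originally used would sign-extend bytes/words
 * >= 0x80 and would conflict if windef.h were ever included, so they are
 * corrected here. None of them is used by the visible code. */
typedef unsigned short WORD;
typedef unsigned char BYTE;
typedef unsigned long DWORD;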

/*
 * Information classes accepted by ZwQuerySystemInformation. Only the ordinal
 * matters to the kernel, so every value is written out explicitly; this file
 * uses SystemModuleInformation (11) only.
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation                = 0,
    SystemProcessorInformation            = 1,
    SystemPerformanceInformation          = 2,
    SystemTimeOfDayInformation            = 3,
    SystemPathInformation                 = 4,
    SystemProcessInformation              = 5,
    SystemCallCountInformation            = 6,
    SystemDeviceInformation               = 7,
    SystemProcessorPerformanceInformation = 8,
    SystemFlagsInformation                = 9,
    SystemCallTimeInformation             = 10,
    SystemModuleInformation               = 11,   /* loaded kernel-module list (RTL_PROCESS_MODULES) */
    SystemLocksInformation                = 12,
    SystemStackTraceInformation           = 13,
    SystemPagedPoolInformation            = 14,
    SystemNonPagedPoolInformation         = 15,
    SystemHandleInformation               = 16,
    SystemObjectInformation               = 17,
    SystemPageFileInformation             = 18,
    SystemVdmInstemulInformation          = 19,
    SystemVdmBopInformation               = 20,
    SystemFileCacheInformation            = 21,
    SystemPoolTagInformation              = 22,
    SystemInterruptInformation            = 23,
    SystemDpcBehaviorInformation          = 24,
    SystemFullMemoryInformation           = 25,
    SystemLoadGdiDriverInformation        = 26,
    SystemUnloadGdiDriverInformation      = 27,
    SystemTimeAdjustmentInformation       = 28,
    SystemSummaryMemoryInformation        = 29,
    SystemNextEventIdInformation          = 30,
    SystemEventIdsInformation             = 31,
    SystemCrashDumpInformation            = 32,
    SystemExceptionInformation            = 33,
    SystemCrashDumpStateInformation       = 34,
    SystemKernelDebuggerInformation       = 35,
    SystemContextSwitchInformation        = 36,
    SystemRegistryQuotaInformation        = 37,
    SystemExtendServiceTableInformation   = 38,
    SystemPrioritySeperation              = 39,
    SystemPlugPlayBusInformation          = 40,
    SystemDockInformation                 = 41,
    SystemPowerInformationRedefine        = 42,   /* renamed by the author because the usual name collided with another definition */
    SystemProcessorSpeedInformation       = 43,
    SystemCurrentTimeZoneInformation      = 44,
    SystemLookasideInformation            = 45
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

/*
 * One entry of the loaded-module list returned for SystemModuleInformation.
 * Layout mirrors the kernel's undocumented structure; field order and sizes
 * must not be changed. Only FullPathName is read in this file.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;              /* presumably the module's load address — not used here */
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;      /* presumably index of the file-name part within FullPathName — confirm before relying on it */
    CHAR FullPathName[256];       /* NOTE(review): fixed-size; the code that prints it with "%s" assumes the kernel NUL-terminates it */
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

/*
 * Header of the SystemModuleInformation result. Modules[] is declared with one
 * element but NumberOfModules entries follow; the buffer is sized from the
 * ReturnLength the kernel reports, not from sizeof this struct.
 */
typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;



/* Per-device state; DriverEntry stores a back-pointer to the device object in it. */
typedef struct _DEVICE_EXTENSION
{
	PDEVICE_OBJECT  DeviceObject;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;


/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
///////////////Native API declaration///////////////////////////////////////
/*
 * Prototype of the kernel-exported ZwQuerySystemInformation stub. The only use
 * in this file is taking its address in DriverEntry's inline asm; calls go
 * through the function pointer resolved there instead. The official
 * declaration types the first parameter as SYSTEM_INFORMATION_CLASS; ULONG is
 * ABI-compatible on x86.
 */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( 
    IN ULONG SystemInformationClass, 
    IN PVOID SystemInformation, 
    IN ULONG SystemInformationLength, 
    OUT PULONG ReturnLength);


/* Pointer type for the service routine looked up in the system service table
 * (see _ZwQuerySystemInformation). Same signature as the exported stub above. */
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
          IN ULONG SystemInformationClass, 
          IN PVOID SystemInformation, 
          IN ULONG SystemInformationLength, 
          OUT PULONG ReturnLength);


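/*
 * Mirror of the kernel's (undocumented) service descriptor table entry.
 * Packed because the layout must match the kernel's byte for byte. The
 * packing is pushed/popped so it applies to this struct only; the original
 * bare `#pragma pack(1)` was never reset and silently packed every
 * declaration that followed it in the translation unit.
 */
#pragma pack(push, 1)
typedef struct ServiceDescriptorEntry {
        unsigned int *ServiceTableBase;         /* table of service routine addresses; DriverEntry indexes it by service number */
        unsigned int *ServiceCounterTableBase;  /* Used only in checked build */
        unsigned int NumberOfServices;          /* presumably the entry count of ServiceTableBase — not checked by this file */
        unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack(pop)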

/* The kernel's exported service descriptor table (exported on 32-bit x86 only;
 * not available on x64). Its first field is dereferenced by DriverEntry's
 * inline asm. MSVC-specific storage class. */
__declspec(dllimport)  ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
/* An empty parameter list means "unspecified" in C; `(void)` would be the strict form
 * (the definition below uses the same spelling, so they agree). */
VOID PrintSystemModuleList();

PDEVICE_EXTENSION	 deviceExtension;   /* set in DriverEntry; not read elsewhere in the visible code */
ULONG				bE0 = FALSE;          /* unused in the visible code */

/* Filled in by DriverEntry's inline asm with the address found in the system
 * service table; PrintSystemModuleList calls through it. Zero (NULL) until
 * then. NOTE(review): a leading underscore followed by an uppercase letter is a
 * reserved identifier in standard C. */
ZWQUERYSYSTEMINFORMATION   _ZwQuerySystemInformation;


/*
 * Driver entry point: creates one device object, resolves the real
 * ZwQuerySystemInformation service routine through the system service table,
 * then dumps the loaded-module list.
 *
 * Parameters: DriverObject — this driver; RegistryPath — unused.
 * Returns: the IoCreateDevice status on failure, otherwise STATUS_SUCCESS
 *          (PrintSystemModuleList's outcome is not reflected in the result).
 */
NTSTATUS NTAPI DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	PDEVICE_OBJECT	pDeviceObject;
	UNICODE_STRING	uniDeviceName;
	NTSTATUS				ntStatus;
	
	DbgPrint("Driver Load!! \n");

	DriverObject->DriverUnload = DriverUnload;

	// -- Create the device
	// NOTE(review): the name "IDT_KeyHook" looks inherited from another sample; no Win32
	// symbolic link is created for it, and the device receives no dispatch routines.
	RtlInitUnicodeString(&uniDeviceName, L"\\Device\\IDT_KeyHook");
	ntStatus = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), &uniDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
	if (!NT_SUCCESS(ntStatus)) {
		DbgPrint("IoCreateDevice Error \n");
		return ntStatus;
	}

	RtlZeroMemory(pDeviceObject->DeviceExtension, sizeof(DEVICE_EXTENSION));
	deviceExtension = (PDEVICE_EXTENSION)pDeviceObject->DeviceExtension;
	deviceExtension->DeviceObject = pDeviceObject;


	/*
	 * Resolve the service routine behind ZwQuerySystemInformation:
	 *   ecx = address of the exported ZwQuerySystemInformation stub
	 *   edx = the dword at stub+1 (the author treats this as the service
	 *         number, i.e. assumes the stub begins with a 5-byte
	 *         mov eax, imm32 — layout-dependent and not verified here)
	 *   esi = KeServiceDescriptorTable.ServiceTableBase
	 *   edx = ServiceTableBase[edx]   (4-byte entries)
	 *   _ZwQuerySystemInformation = edx
	 *
	 * Limitations worth knowing before reusing this:
	 *  - 32-bit x86 and MSVC only (32-bit registers, `_asm`, and
	 *    KeServiceDescriptorTable is not exported on x64).
	 *  - The index is never compared against NumberOfServices and the
	 *    resulting pointer is never validated before it is called.
	 *  - It depends on undocumented kernel layout; reading the service
	 *    table this way is exactly the access pattern kernel-integrity
	 *    tooling watches for, even though this sample only reads it.
	 */
	_asm{

          mov     ecx, dword ptr [ZwQuerySystemInformation];
          mov     edx, [ecx+1];
          mov     eax, dword ptr [KeServiceDescriptorTable];
          mov     esi, [eax];
          mov     edx, [esi+edx*4];
          mov     dword ptr [_ZwQuerySystemInformation], edx
	}

	PrintSystemModuleList();
	return STATUS_SUCCESS;
}


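/*
 * Enumerate the kernel's loaded-module list via SystemModuleInformation and
 * DbgPrint each module's full path.
 *
 * Relies on _ZwQuerySystemInformation having been resolved in DriverEntry;
 * nothing is printed if it is still NULL. The first query passes a zero-length
 * buffer purely to learn the required size. Modules can load between that
 * size query and the data query, so a STATUS_INFO_LENGTH_MISMATCH on the
 * second call is retried with the newly reported size a bounded number of
 * times rather than treated as a hard failure.
 *
 * Declared VOID (matching the prototype above). The original body returned
 * FALSE / NULL / TRUE from a void function, which is not valid C and carried
 * no information to the caller anyway; failures are now reported via
 * DbgPrint only. Also fixed: the ExAllocatePool result was dereferenced
 * without a NULL check.
 */
VOID PrintSystemModuleList()
{
    NTSTATUS Status;
    PRTL_PROCESS_MODULES ModuleInfo = NULL;
    ULONG ReturnedLength = 0;
    ULONG i;
    int attempt;

    if (_ZwQuerySystemInformation == NULL) {
        DbgPrint("PrintSystemModuleList: ZwQuerySystemInformation was not resolved\n");
        return;
    }

    /* Size query: the only acceptable outcome is "buffer too small". */
    Status = _ZwQuerySystemInformation(SystemModuleInformation,
                                       NULL,
                                       0,
                                       &ReturnedLength);
    if (Status != STATUS_INFO_LENGTH_MISMATCH || ReturnedLength == 0) {
        DbgPrint("PrintSystemModuleList: size query failed (0x%08lX)\n", (ULONG)Status);
        return;
    }

    /* Allocate and query; retry if the list grew in between. */
    for (attempt = 0; attempt < 4; attempt++) {
        ModuleInfo = (PRTL_PROCESS_MODULES)ExAllocatePool(NonPagedPool, ReturnedLength);
        if (ModuleInfo == NULL) {
            DbgPrint("PrintSystemModuleList: ExAllocatePool(%lu) failed\n", ReturnedLength);
            return;
        }

        Status = _ZwQuerySystemInformation(SystemModuleInformation,
                                           ModuleInfo,
                                           ReturnedLength,
                                           &ReturnedLength);
        if (Status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }

        /* ReturnedLength now holds the larger size; drop the short buffer and try again. */
        ExFreePool(ModuleInfo);
        ModuleInfo = NULL;
    }

    if (ModuleInfo == NULL) {
        DbgPrint("PrintSystemModuleList: module list kept changing; giving up\n");
        return;
    }
    if (!NT_SUCCESS(Status)) {
        DbgPrint("PrintSystemModuleList: query failed (0x%08lX)\n", (ULONG)Status);
        ExFreePool(ModuleInfo);
        return;
    }

    for (i = 0; i < ModuleInfo->NumberOfModules; i++) {
        /* FullPathName is a fixed 256-byte field; this assumes the kernel
         * NUL-terminates it, as the original code did. */
        DbgPrint("%s\n", ModuleInfo->Modules[i].FullPathName);
    }

    ExFreePool(ModuleInfo);
}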

/*
 * Unload routine: removes the single device created in DriverEntry and logs
 * the unload. No symbolic link was created, so there is none to delete.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	PDEVICE_OBJECT device = DriverObject->DeviceObject;

	IoDeleteDevice(device);
	DbgPrint("Driver Unload! \n");
}

//	---	참고자료
//	---	http://simples.kr/?mid=ITTalk&page=2&document_srl=19838



 

참고자료
http://simples.kr/?mid=ITTalk&page=2&document_srl=19838
