已加载驱动程序在内存中的地址

逆向工程 Windows 调试 C 驱动程序
2021-07-04 13:16:40

如何在 Windows 操作系统中用 C 语言找到某个已加载的特定驱动程序在内存中的地址？

在此处输入图片说明

谢谢

1个回答
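/**
 * Retrieves the list of loaded kernel modules via NtQuerySystemInformation.
 *
 * The required size is queried first and the list is then fetched. Because the
 * module list can grow between those two calls, the fetch is retried a bounded
 * number of times with the size the kernel reported, instead of trusting the
 * first size blindly.
 *
 * @param pModuleList  Receives a malloc'd SYSTEM_MODULE_INFORMATION on success;
 *                     the caller owns it and releases it with free(). Set to
 *                     NULL on failure, so the caller never sees a half-filled
 *                     buffer.
 * @return TRUE on success, FALSE if the query failed or memory could not be
 *         allocated.
 */
BOOL GetKernelInformation(PSYSTEM_MODULE_INFORMATION* pModuleList)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG neededSize = 0;
    ULONG allocSize = 0;

    if (pModuleList == NULL)
    {
        return FALSE;
    }
    *pModuleList = NULL;

    /* Size query: a NULL buffer of length 0 makes the kernel report the
       required size in neededSize. The status of this call is a length
       mismatch by design and is intentionally not checked. */
    NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &neededSize);

    /* Bounded retry: if the list grew between the size query and the fill,
       the kernel reports the new size and we grow once per attempt. */
    for (int attempt = 0; attempt < 4; attempt++)
    {
        PSYSTEM_MODULE_INFORMATION tmp = NULL;

        if (neededSize == 0)
        {
            /* No size reported: nothing sensible to allocate. */
            break;
        }

        /* Start over rather than realloc: a partially written list is useless. */
        free(*pModuleList);
        *pModuleList = NULL;

        allocSize = neededSize;
        tmp = (PSYSTEM_MODULE_INFORMATION)malloc(allocSize);
        if (tmp == NULL)
        {
            return FALSE;
        }
        *pModuleList = tmp;

        status = NtQuerySystemInformation(SystemModuleInformation,
            *pModuleList,
            allocSize,
            &neededSize);

        if (NT_SUCCESS(status))
        {
            return TRUE;
        }

        /* Only retry when the kernel asked for a larger buffer; any other
           failure is final. */
        if (neededSize <= allocSize)
        {
            break;
        }
    }

    free(*pModuleList);
    *pModuleList = NULL;
    return FALSE;
}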

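/**
 * Prints the image name and base address of every loaded kernel module.
 *
 * @return EXIT_SUCCESS when the module list was retrieved and printed,
 *         EXIT_FAILURE when the query (or its allocation) failed. The
 *         original returned success unconditionally, which hid failures from
 *         scripts checking the exit code.
 */
int main(void)
{
    PSYSTEM_MODULE_INFORMATION pModuleList = NULL;
    int rc = EXIT_FAILURE;

    if (!GetKernelInformation(&pModuleList))
    {
        fprintf(stderr, "NtQuerySystemInformation(SystemModuleInformation) failed\n");
        goto CLEANUP;
    }

    for (ULONG i = 0; i < pModuleList->uCount; i++)
    {
        PSYSTEM_MODULE mod = &pModuleList->aSM[i];
        /* NOTE(review): assumes ImageName is a NUL-terminated char array and
           Base is the module's load address — confirm against the struct
           declaration used for SYSTEM_MODULE. */
        printf("%s @ %p\n", mod->ImageName, mod->Base);
    }
    rc = EXIT_SUCCESS;

CLEANUP:
    free(pModuleList);   /* free(NULL) is a no-op, so no guard is needed */
    return rc;
}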